[
https://issues.apache.org/jira/browse/WW-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13782886#comment-13782886
]
Lukasz Lenart commented on WW-4214:
-----------------------------------
You shouldn't depend on Struts internals and right now token name is random -
http://struts.apache.org/development/2.x/docs/s2-010.html
> Rename of struts token attribute name
> -------------------------------------
>
> Key: WW-4214
> URL: https://issues.apache.org/jira/browse/WW-4214
> Project: Struts 2
> Issue Type: Improvement
> Components: Other
> Affects Versions: 2.3.15.1, 2.3.15.2
> Reporter: mahendran
> Priority: Critical
> Labels: struts.token, token
> Fix For: 2.3.17
>
>
> we are using struts 2.0.5, and migrating to 2.3.15.1 to get the security
> patches.
> During that time we noticed, the default token attribute name is changed from
> 'struts.token' to 'token'. Also this information is not published in change
> logs.
> This change impacts the application uses the custom token interceptor, where
> application get the token value from request using
> request.getParameter("struts.token");
> I request to provide a constant value to keep the default token name to
> maintain struts.xml file.
> This provides the generic approach to define the token attribute name during
> the implementation level.
> otherwise this is painful to change the token name at each jsp pages.
> currently we are using <s:token/> the generated token name is struts.token
> The same code generates the token name as 'token' in struts 2.3.15.1
> there are two options left to us.
> 1. change the <s:token/> to <s:token name="struts.token"/>
> 2. keep the old version of token.class in 2.3.15.1
> The better approach is
> create a constant to maintain the token name at struts.xml.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
