[
https://issues.apache.org/jira/browse/WW-4601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367220#comment-15367220
]
Lukasz Lenart commented on WW-4601:
-----------------------------------
[~montri.m] yes, you can hide it, just implement your own
{{StaticContentLoader}} like this
{code:java}
public class MyStaticContentLoader extends DefaultStaticContentLoader {
@Override
protected String getAdditionalPackages() {
return "org.apache.struts2.static template static");
}
}
{code}
and then in {{struts.xml}}
{code:xml}
<bean type="org.apache.struts2.dispatcher.StaticContentLoader"
class="MyStaticContentLoader" name="myLoader" />
<constant name="struts.staticContentLoader" value="myLoader" />
{code}
all is here https://struts.apache.org/docs/static-content.html
> webconsole can always be accessed
> ---------------------------------
>
> Key: WW-4601
> URL: https://issues.apache.org/jira/browse/WW-4601
> Project: Struts 2
> Issue Type: Bug
> Reporter: Alireza Fattahi
> Assignee: Lukasz Lenart
> Fix For: 2.3.31, 2.5.3
>
>
> It is possible that you get the webconsole.html in dev without having debug
> in the stack trace
> I found that you can access /stuts/webconsole.html to see this html. For
> example (thanks jgeppert! ) :
> {code}
> http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html
> {code}
> I wonder if this should be fixed and if this can be used for attackers.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
