Nate created WW-4918:
------------------------
Summary: buttons with name="method:METHODNAME" sometimes ignore
global-allowed-methods defined in struts.xml
Key: WW-4918
URL: https://issues.apache.org/jira/browse/WW-4918
Project: Struts 2
Issue Type: Bug
Components: Core Actions
Reporter: Nate
I have the following action (slightly edited to remove identifying info):
<action name="userEdit" class="struts2package.actions.user.UserEditAction">
    <interceptor-ref name="defaultStack">
        <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and
             the resetSelectedVersion parameter -->
        <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
        <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
    </interceptor-ref>
    <interceptor-ref name="token">
        <param name="excludeMethods">input,back,refresh,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="struts2ActionErrorInterceptor"/>
    <interceptor-ref name="struts1ErrorMessageInterceptor"/>
    <result name="input">/jsp/user/userEdit.jsp</result>
    <result name="error" type="redirectAction">
        <param name="actionName">displayUserEdit.action</param>
    </result>
    <result name="redirectToUserOverview" type="redirectAction">
        <param name="actionName">userOverviewRetained.action</param>
        <param name="globalInfo">info.transaction_success</param>
    </result>
    <result name="success">/jsp/user/userEdit.jsp</result>
    <result name="back" type="redirect">${backUrl}</result>
</action>
And the following global allowed methods:
<global-allowed-methods>update,execute</global-allowed-methods>
And these buttons:
<div class="buttonRow">
    <%-- The 'Save' button --%>
    <input value="Save" type="submit" class="button" name="method:update" />
    <%-- The 'Refresh' button --%>
    <input value="Refresh" type="submit" class="button" name="method:refresh"
           id="refreshButton" />
    <%-- The 'Back' button --%>
    <input value="Back" type="submit" class="button" name="method:back" />
</div>
As you can see, the update method is defined in the global-allowed-actions
list, but the refresh and back methods aren't. However, what happens is that
the update button with the update method works and updates the user, the
refresh action shows the "method is not allowed" error screen and doesn't
update the user (both as expected since update is defined in the allowed methods
and refresh isn't), but the back button DOES actually work even though it's not
explicitly defined in the global-allowed-methods section.
I'm trying to understand why out of 2 methods both not defined as
allowed-methods, one is correctly blocked as "not allowed" while the other is
still allowed through. If I add ",refresh" to the global-allowed-methods and
restart Tomcat, the refresh button ends up working afterwards as expected, and
the back button stays functional. I don't use the plugin that adds the Allowed
Methods annotation, and this same situation also happens when using s:submits
with method="back" defined, even if there is already a method defined on the
action entry in struts.xml.
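An added example, not part of the original report and not Struts code: a static check that lists the methods a view can request through `method:` buttons or `s:submit`, and reports for one action whether each is declared in `global-allowed-methods`/`allowed-methods` and whether the `token` interceptor still applies to it. The `<package>` wrapper, the function names and the sample strings are constructed assumptions; the check reads only the file it is given.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the configuration and buttons quoted in the report.
# The <package> wrapper and its name are assumptions; the report does not show them.
STRUTS_XML = """<package name="example">
  <global-allowed-methods>update,execute</global-allowed-methods>
  <action name="userEdit" class="struts2package.actions.user.UserEditAction">
    <interceptor-ref name="token">
      <param name="excludeMethods">input,back,refresh,cancel,browse</param>
    </interceptor-ref>
  </action>
</package>"""

JSP = """<input value="Save" type="submit" class="button" name="method:update" />
<input value="Refresh" type="submit" class="button" name="method:refresh" />
<input value="Back" type="submit" class="button" name="method:back" />
<s:submit value="Back" method="back" />"""

def csv_set(text):
    """Split a comma-separated method list into a set, ignoring blanks."""
    return {m.strip() for m in (text or "").split(",") if m.strip()}

def view_methods(jsp):
    """Methods a view can request via a method: prefixed name or an s:submit method attribute."""
    prefixed = re.findall(r'name\s*=\s*"method:([^"]+)"', jsp)
    submits = re.findall(r'<s:submit\b[^>]*?\bmethod\s*=\s*"([^"]+)"', jsp)
    return sorted(set(prefixed) | set(submits))

def audit(struts_xml, action_name, jsp):
    """Per requested method: is it declared in this file, and does the token interceptor cover it?"""
    root = ET.fromstring(struts_xml)
    for pkg in root.iter("package"):
        for action in pkg.iter("action"):
            if action.get("name") != action_name:
                continue
            # Declared list: package-level global-allowed-methods plus the action's own allowed-methods.
            declared = (csv_set(pkg.findtext("global-allowed-methods"))
                        | csv_set(action.findtext("allowed-methods")))
            token_ref = action.find("interceptor-ref[@name='token']")
            token_skips = set()
            if token_ref is not None:
                token_skips = csv_set(token_ref.findtext("param[@name='excludeMethods']"))
            return [{"method": m, "declared": m in declared,
                     "token_checked": token_ref is not None and m not in token_skips}
                    for m in view_methods(jsp)]
    raise KeyError(action_name)

if __name__ == "__main__":
    for row in audit(STRUTS_XML, "userEdit", JSP):
        print(row)
```

A row with `declared` false and `token_checked` false marks a method that the view requests, that the file does not list as allowed, and that would run without token validation if it is reachable.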