[
https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362315#comment-16362315
]
Nate edited comment on WW-4918 at 2/13/18 1:28 PM:
---------------------------------------------------
[~yasser.zamani] I have updated the affects version with the current Struts
version. I have posted below the results of a dir /b *.jar in the lib folder,
although I have removed 2 jars from the list which included the name of our
company, neither of which were used anywhere near our frontend code or you
would know what they did from the name (something related to our product
license and a database abstraction layer).
activation.jar
aopalliance.jar
asm-commons.jar
asm-tree.jar
asm.jar
atlassian-osuser.jar
axis.jar
bndlib.jar
c3p0.jar
cdi-api.jar
classmate.jar
com.springsource.antlr.jar
com.springsource.javax.xml.stream.jar
com.springsource.net.sf.cglib.jar
com.springsource.org.apache.commons.beanutils.jar
com.springsource.org.apache.commons.cli.jar
com.springsource.org.apache.commons.collections.jar
com.springsource.org.apache.commons.io.jar
com.springsource.org.apache.commons.lang.jar
com.springsource.org.apache.commons.net.jar
com.springsource.org.apache.log4j.jar
com.springsource.org.apache.log4j.sub.jar
com.springsource.org.apache.oro.jar
com.springsource.org.apache.velocity.jar
com.springsource.org.apache.xml.resolver.jar
com.springsource.org.xmlpull.jar
commons-codec.jar
commons-compress.jar
commons-dbcp.jar
commons-digester.jar
commons-discovery.jar
commons-fileupload.jar
commons-httpclient.jar
commons-io.jar
commons-lang3.jar
commons-logging.jar
commons-pool.jar
commons-resources.jar
commons-validator.jar
displaytag.jar
dojo13.jar
dojo18.jar
dojo19.jar
dom4j.jar
ezlicrun.jar
freemarker.jar
hibernate-c3p0.jar
hibernate-commons-annotations.jar
hibernate-core.jar
hibernate-entitymanager.jar
hibernate-jpa-2.1-api.jar
hibernate-osgi.jar
hsqldb.jar
httpclient.jar
httpcore.jar
itext.jar
jaasmodules.jar
jackson-annotations.jar
jackson-core-asl.jar
jackson-core.jar
jackson-databind.jar
jackson-jaxrs.jar
jackson-mapper-asl.jar
jackson-mrbean.jar
jackson-smile.jar
jackson-xc.jar
jakarta-unstandard.jar
jandex.jar
jasperreports.jar
javassist.jar
javax.el-api.jar
javax.inject.jar
javax.interceptor-api.jar
jaxb-api.jar
jaxb-impl.jar
jaxb-xjc.jar
jaxrpc-api.jar
jboss-logging.jar
jboss-transaction-api_1.2_spec.jar
jcommon.jar
jdom.jar
jfreechart.jar
jsoup.jar
jstl.jar
log4j-api.jar
mail.jar
mchange-commons-java.jar
ncso.jar
notes.jar
ognl.jar
ojb.jar
ops4j-base-io.jar
ops4j-base-lang.jar
ops4j-base-monitors.jar
ops4j-base-store.jar
ops4j-base-util-property.jar
org.apache.servicemix.bundles.jsch.jar
pax-swissbox-property.jar
pax-url-commons.jar
poi.jar
rome.jar
s2datepicker.jar
saaj-api.jar
slf4j-api.jar
slf4j-log4j12.jar
soap60.jar
spring-aop.jar
spring-asm.jar
spring-beans.jar
spring-context-support.jar
spring-context.jar
spring-core.jar
spring-expression.jar
spring-oxm.jar
spring-test.jar
spring-web.jar
spring-webmvc.jar
standard.jar
stax2-api.jar
struts-layout.jar
struts.jar
struts2-core.jar
struts2-dojo-plugin.jar
struts2-json-plugin.jar
templates.jar
tfs.sdk.jar
tinybundles.jar
truelicense.jar
trueswing.jar
truexml.jar
vt-ldap.jar
woodstox-core-asl.jar
wsdl4j.jar
xercesImpl.jar
xml-apis.jar
xmlrpc.jar
xstream.jar
xwork-core.jar
was (Author: kerkhofs):
[~yasser.zamani] I have updated the affects version with the current Struts
version. I have posted below the results of a dir /b *.jar in the lib folder,
although I have removed 2 jars from the list which included the name of our
company, neither of which were used anywhere near our frontend code (something
related to our product license and a database abstraction layer).
> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods
> defined in struts.xml
> ---------------------------------------------------------------------------------------------------
>
> Key: WW-4918
> URL: https://issues.apache.org/jira/browse/WW-4918
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.5.14.1
> Reporter: Nate
> Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>     <interceptor-ref name="defaultStack">
>         <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters
>              and the resetSelectedVersion parameter -->
>         <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>         <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>     </interceptor-ref>
>     <interceptor-ref name="token">
>         <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>     </interceptor-ref>
>     <interceptor-ref name="struts2ActionErrorInterceptor"/>
>     <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>     <result name="input">/jsp/user/userEdit.jsp</result>
>     <result name="error" type="redirectAction">
>         <param name="actionName">displayUserEdit.action</param>
>     </result>
>     <result name="redirectToUserOverview" type="redirectAction">
>         <param name="actionName">userOverviewRetained.action</param>
>         <param name="globalInfo">info.transaction_success</param>
>     </result>
>     <result name="success">/jsp/user/userEdit.jsp</result>
>     <result name="back" type="redirect">${backUrl}</result>
> </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>
> {code:xml}
> <div class="buttonRow">
>     <%-- The 'Save' button --%>
>     <input value="Save"
>            type="submit" class="button" name="method:update" />
>     <%-- The 'Refresh' button --%>
>     <input value="Refresh"
>            type="submit" class="button" name="method:refresh"
>            id="refreshButton" />
>     <%-- The 'Back' button --%>
>     <input value="Back"
>            type="submit" class="button" name="method:back" />
> </div>
> {code}
>
> As you can see, the update method is defined in the global-allowed-actions
> list, but the refresh and back methods aren't. However, what happens is that
> the update button with the update method works and updates the user, the
> refresh action shows the "method is not allowed" error screen and doesn't
> update the user (both as expected since update is defined in the allowed
> methods and refresh isn't), but the back button DOES actually work even
> though it's not explicitly defined in the global-allowed-methods section.
>
> I'm trying to understand why out of 2 methods both not defined as
> allowed-methods, one is correctly blocked as "not allowed" while the other
> is still allowed through. If I add ",refresh" to the global-allowed-methods
> and restart Tomcat, the refresh button ends up working afterwards as
> expected, and the back button stays functional. I don't use the plugin that
> adds the Allowed Methods annotation, and this same situation also happens
> when using s:submits with method="back" defined, even if there is already a
> method defined on the action entry in struts.xml.
> Update: I have done some more testing, and it appears that another action
> with similar definition but a different method (method:delete on an
> AntDeleteAction) also works without having to explicitly define delete on the
> global allowed methods list.
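A config-review check for the situation the report describes, added here as an example; it is not Struts code and does not explain the bug. It assumes a constructed struts.xml fragment and JSP fragment modelled on the quoted ones, and lists every `method:NAME` submit button whose method is neither in `<global-allowed-methods>` nor in the action's own `<allowed-methods>`, so a reviewer can see which buttons rely on something other than the declared allow-list.

```python
"""Constructed audit: which 'method:NAME' submit buttons on a Struts 2 page
reference methods that struts.xml does not declare as allowed? Hypothetical
helper for config review, not part of Struts or of the WW-4918 thread."""
import re
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment: the package-level allow-list from the
# report plus one action that declares its own <allowed-methods>.
STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <global-allowed-methods>update,execute</global-allowed-methods>
    <action name="userEdit" class="struts2package.actions.user.UserEditAction"/>
    <action name="antDelete" class="struts2package.actions.ant.AntDeleteAction">
      <allowed-methods>delete</allowed-methods>
    </action>
  </package>
</struts>"""

# Constructed JSP fragment mirroring the three buttons in the report.
JSP = """<form action="userEdit.action">
  <input value="Save" type="submit" class="button" name="method:update" />
  <input value="Refresh" type="submit" class="button" name="method:refresh" />
  <input value="Back" type="submit" class="button" name="method:back" />
</form>"""

# Matches the DMI-style submit name the report uses: name="method:NAME".
METHOD_PARAM = re.compile(r'name="method:([A-Za-z_]\w*)"')


def _split(text):
    return {m.strip() for m in (text or "").split(",") if m.strip()}


def allowed_methods(struts_xml, action_name):
    """Methods struts.xml declares for action_name: every package's
    <global-allowed-methods> plus the action's own <allowed-methods>."""
    allowed = set()
    for pkg in ET.fromstring(struts_xml).iter("package"):
        for g in pkg.findall("global-allowed-methods"):
            allowed |= _split(g.text)
        for action in pkg.findall("action"):
            if action.get("name") == action_name:
                for a in action.findall("allowed-methods"):
                    allowed |= _split(a.text)
    return allowed


def unallowed_buttons(jsp, struts_xml, action_name):
    """Button methods on the page that the declared allow-list does not cover."""
    referenced = set(METHOD_PARAM.findall(jsp))
    return sorted(referenced - allowed_methods(struts_xml, action_name))


if __name__ == "__main__":
    print(unallowed_buttons(JSP, STRUTS_XML, "userEdit"))  # ['back', 'refresh']
```

Any method this reports is one whose reachability depends on the action's own configuration or runtime behaviour rather than on the allow-list, which is exactly the set worth verifying by hand.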
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)