[ https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362315#comment-16362315 ]

Nate edited comment on WW-4918 at 2/13/18 1:29 PM:
---------------------------------------------------

[~yasser.zamani] I have updated the affects version with the Struts version I'm 
using. I have posted below the results of a dir /b *.jar in the lib folder, 
although I have removed 2 jars from the list which included the name of our 
company, neither of which were used anywhere near our frontend code or you 
would know what they did from the name (something related to our product 
license and a database abstraction layer).

activation.jar
aopalliance.jar
asm-commons.jar
asm-tree.jar
asm.jar
atlassian-osuser.jar
axis.jar
bndlib.jar
c3p0.jar
cdi-api.jar
classmate.jar
com.springsource.antlr.jar
com.springsource.javax.xml.stream.jar
com.springsource.net.sf.cglib.jar
com.springsource.org.apache.commons.beanutils.jar
com.springsource.org.apache.commons.cli.jar
com.springsource.org.apache.commons.collections.jar
com.springsource.org.apache.commons.io.jar
com.springsource.org.apache.commons.lang.jar
com.springsource.org.apache.commons.net.jar
com.springsource.org.apache.log4j.jar
com.springsource.org.apache.log4j.sub.jar
com.springsource.org.apache.oro.jar
com.springsource.org.apache.velocity.jar
com.springsource.org.apache.xml.resolver.jar
com.springsource.org.xmlpull.jar
commons-codec.jar
commons-compress.jar
commons-dbcp.jar
commons-digester.jar
commons-discovery.jar
commons-fileupload.jar
commons-httpclient.jar
commons-io.jar
commons-lang3.jar
commons-logging.jar
commons-pool.jar
commons-resources.jar
commons-validator.jar
displaytag.jar
dojo13.jar
dojo18.jar
dojo19.jar
dom4j.jar
ezlicrun.jar
freemarker.jar
hibernate-c3p0.jar
hibernate-commons-annotations.jar
hibernate-core.jar
hibernate-entitymanager.jar
hibernate-jpa-2.1-api.jar
hibernate-osgi.jar
hsqldb.jar
httpclient.jar
httpcore.jar
itext.jar
jaasmodules.jar
jackson-annotations.jar
jackson-core-asl.jar
jackson-core.jar
jackson-databind.jar
jackson-jaxrs.jar
jackson-mapper-asl.jar
jackson-mrbean.jar
jackson-smile.jar
jackson-xc.jar
jakarta-unstandard.jar
jandex.jar
jasperreports.jar
javassist.jar
javax.el-api.jar
javax.inject.jar
javax.interceptor-api.jar
jaxb-api.jar
jaxb-impl.jar
jaxb-xjc.jar
jaxrpc-api.jar
jboss-logging.jar
jboss-transaction-api_1.2_spec.jar
jcommon.jar
jdom.jar
jfreechart.jar
jsoup.jar
jstl.jar
log4j-api.jar
mail.jar
mchange-commons-java.jar
ncso.jar
notes.jar
ognl.jar
ojb.jar
ops4j-base-io.jar
ops4j-base-lang.jar
ops4j-base-monitors.jar
ops4j-base-store.jar
ops4j-base-util-property.jar
org.apache.servicemix.bundles.jsch.jar
pax-swissbox-property.jar
pax-url-commons.jar
poi.jar
rome.jar
s2datepicker.jar
saaj-api.jar
slf4j-api.jar
slf4j-log4j12.jar
soap60.jar
spring-aop.jar
spring-asm.jar
spring-beans.jar
spring-context-support.jar
spring-context.jar
spring-core.jar
spring-expression.jar
spring-oxm.jar
spring-test.jar
spring-web.jar
spring-webmvc.jar
standard.jar
stax2-api.jar
struts-layout.jar
struts.jar
struts2-core.jar
struts2-dojo-plugin.jar
struts2-json-plugin.jar
templates.jar
tfs.sdk.jar
tinybundles.jar
truelicense.jar
trueswing.jar
truexml.jar
vt-ldap.jar
woodstox-core-asl.jar
wsdl4j.jar
xercesImpl.jar
xml-apis.jar
xmlrpc.jar
xstream.jar
xwork-core.jar


was (Author: kerkhofs):
[~yasser.zamani] I have updated the affects version with the current Struts 
version. I have posted below the results of a dir /b *.jar in the lib folder, 
although I have removed 2 jars from the list which included the name of our 
company, neither of which were used anywhere near our frontend code or you 
would know what they did from the name (something related to our product 
license and a database abstraction layer).


> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods 
> defined in struts.xml
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WW-4918
>                 URL: https://issues.apache.org/jira/browse/WW-4918
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.5.14.1
>            Reporter: Nate
>            Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>  <interceptor-ref name="defaultStack">
>  <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the resetSelectedVersion parameter -->
>  <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>  <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>  </interceptor-ref>
>  <interceptor-ref name="token">
>  <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>  </interceptor-ref>
>  <interceptor-ref name="struts2ActionErrorInterceptor"/>
>  <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>  <result name="input">/jsp/user/userEdit.jsp</result>
>  <result name="error" type="redirectAction">
>  <param name="actionName">displayUserEdit.action</param>
>  </result>
>  <result name="redirectToUserOverview" type="redirectAction">
>  <param name="actionName">userOverviewRetained.action</param>
>  <param name="globalInfo">info.transaction_success</param>
>  </result>
>  <result name="success">/jsp/user/userEdit.jsp</result>
>  <result name="back" type="redirect">${backUrl}</result>
>  </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>  
> {code:xml}
> <div class="buttonRow">
>  <%-- The 'Save' button --%>
>  <input value="Save"
>  type="submit" class="button" name="method:update" />
> <%-- The 'Refresh' button --%>
>  <input value="Refresh"
>  type="submit" class="button" name="method:refresh"
>  id="refreshButton" />
> <%-- The 'Back' button --%>
>  <input value=Back"
>  type="submit" class="button" name="method:back" />
>  </div>
> {code}
>  
> As you can see, the update method is defined in the global-allowed-actions 
> list, but the refresh and back methods aren't. However, what happens is that 
> the update button with the update method works and updates the user, the 
> refresh action shows the "method is not allowed" error screen and doesn't 
> update the user (both as expected, since update is defined in the allowed 
> methods and refresh isn't), but the back button DOES actually work even 
> though it's not explicitly defined in the global-allowed-methods section.
>  
> I'm trying to understand why out of 2 methods both not defined as 
> allowed-methods, one is correctly blocked as "not allowed" while the other 
> is still allowed through. If I add ",refresh" to the global-allowed-methods 
> and restart tomcat, the refresh button ends up working afterwards as 
> expected, and the back button stays functional. I don't use the plugin that 
> adds the Allowed Methods annotation, and this same situation also happens 
> when using s:submits with method="back" defined, even if there is already a 
> method defined on the action entry in struts.xml.
> Update: I have done some more testing, and it appears that another action 
> with similar definition but a different method (method:delete on an 
> AntDeleteAction) also works without having to explicitly define delete on the 
> global allowed methods list.
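The report's question is whether each `method:NAME` submit control on the page names a method the allowed-methods configuration permits. An offline audit that answers that question from the configuration alone is a useful pre-deployment check, and a mismatch between its verdict and what the running application accepts is exactly the kind of discrepancy this issue describes. The following Python script is an added example; it is not code from the reporter or from the Struts project. It parses a struts.xml-style fragment and a JSP fragment, both constructed here to mirror the configuration in the report, and lists which requested methods the rule would reject. The rule it models is an assumption about Struts 2.5 Strict Method Invocation (the action's configured method, `execute` by default, is always allowed; any other name must match a `global-allowed-methods` or `allowed-methods` entry, literally or through a `regex:` prefixed pattern, and per-action entries are assumed to extend the package-level list); check it against the version you run before relying on it.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed struts.xml fragment modelled on the report: the userEdit action and the
# package-level <global-allowed-methods>update,execute</global-allowed-methods>.
STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <global-allowed-methods>update,execute</global-allowed-methods>
    <action name="userEdit" class="struts2package.actions.user.UserEditAction">
      <result name="input">/jsp/user/userEdit.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed JSP fragment: the three submit buttons from the report plus an
# s:submit that selects a method through its method attribute.
JSP = """<div class="buttonRow">
  <input value="Save" type="submit" class="button" name="method:update" />
  <input value="Refresh" type="submit" class="button" name="method:refresh" id="refreshButton" />
  <input value="Back" type="submit" class="button" name="method:back" />
  <s:submit value="Back again" method="back" />
</div>"""


@dataclass
class ActionConfig:
    name: str
    method: str                                  # configured method, "execute" if absent
    allowed: list = field(default_factory=list)  # package-global plus per-action entries


def split_methods(text):
    """Split a comma-separated allowed-methods list, ignoring blanks."""
    return [m.strip() for m in (text or "").split(",") if m.strip()]


def parse_struts_config(xml_text):
    """Map action name -> ActionConfig for every <action> in a struts.xml document.
    Assumption: per-action <allowed-methods> entries extend the package-level
    <global-allowed-methods> rather than replace them."""
    root = ET.fromstring(xml_text)
    actions = {}
    for pkg in root.iter("package"):
        gam = pkg.find("global-allowed-methods")
        global_allowed = split_methods(gam.text if gam is not None else "")
        for action in pkg.findall("action"):
            am = action.find("allowed-methods")
            actions[action.get("name")] = ActionConfig(
                name=action.get("name"),
                method=action.get("method") or "execute",
                allowed=global_allowed + split_methods(am.text if am is not None else ""),
            )
    return actions


def is_allowed(cfg, method):
    """Strict Method Invocation rule as modelled here (assumption, check your version):
    the action's configured method is always allowed; anything else must match an
    allowed-methods entry, literally or via a 'regex:' prefixed pattern."""
    if method == cfg.method:
        return True
    for entry in cfg.allowed:
        if entry.startswith("regex:"):
            if re.fullmatch(entry[len("regex:"):], method):
                return True
        elif entry == method:
            return True
    return False


# name="method:NAME" on a submit control and <s:submit method="NAME"> both select NAME.
BUTTON_RE = re.compile(r'name="method:([A-Za-z_]\w*)"')
SUBMIT_RE = re.compile(r'<s:submit\b[^>]*\bmethod="([A-Za-z_]\w*)"')


def requested_methods(jsp_text):
    """Every method name the page's submit controls can select, deduplicated."""
    return sorted(set(BUTTON_RE.findall(jsp_text) + SUBMIT_RE.findall(jsp_text)))


def audit(actions, action_name, jsp_text):
    """Map each method the JSP can request on action_name to whether the rule allows it."""
    cfg = actions[action_name]
    return {m: is_allowed(cfg, m) for m in requested_methods(jsp_text)}


if __name__ == "__main__":
    report = audit(parse_struts_config(STRUTS_XML), "userEdit", JSP)
    for method, ok in report.items():
        print(f"{method:10s} {'allowed' if ok else 'NOT allowed by config'}")
```

On the constructed input the audit reports `update` as allowed and both `refresh` and `back` as not allowed by the configuration, which is the expectation the report states; running the same audit over the real struts.xml and JSPs of a deployment, and comparing it with what the server actually accepts for each button, gives a concrete list of any methods that are reachable without being listed.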



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)