[
https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362387#comment-16362387
]
Yasser Zamani commented on WW-4918:
-----------------------------------
Does your package extend the {{struts-default}} package? It seems Struts has some
default allowed methods at [this file
link|https://github.com/apache/struts/blob/def4adacd6eb2e6a298cbb0ab59ed4dceda98248/core/src/main/resources/struts-default.xml#L393]
(execute,input,back,cancel,browse,save,delete,list,index). And also it seems that
when you define new ones in your package, Struts does not replace them, but adds
your new ones to the current allowed methods as a collection. Please see also [this
link|https://struts.apache.org/core-developers/action-configuration.html#strict-method-invocation]
which says you can even set these via an annotation at package level (in
package-info.java).
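The merge behaviour described in the comment is easy to audit with a small script. The following is an added example, not code from the Struts project or from anyone on this issue: it parses a constructed stand-in for struts-default.xml (using only the default method list quoted above) together with a constructed application struts.xml modelled on the issue, resolves each package's `extends` chain, unions the `<global-allowed-methods>` lists, and reports which `method:NAME` submit buttons would pass Strict Method Invocation. It assumes entries are literal method names (Struts also accepts patterns, which this simplification ignores); the package name `app` and the inline XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the fragment of struts-default.xml the comment links to.
# The method list is the one quoted in the comment; the rest is assumed.
STRUTS_DEFAULT_XML = """
<struts>
  <package name="struts-default" abstract="true">
    <global-allowed-methods>execute,input,back,cancel,browse,save,delete,list,index</global-allowed-methods>
  </package>
</struts>
"""

# Constructed application struts.xml modelled on the issue: the package extends
# struts-default and declares only update and execute as allowed.
APP_STRUTS_XML = """
<struts>
  <package name="app" extends="struts-default" namespace="/">
    <global-allowed-methods>update,execute</global-allowed-methods>
    <action name="userEdit" class="struts2package.actions.user.UserEditAction"/>
  </package>
</struts>
"""


def _names(text):
    """Split a comma-separated attribute or element body into a set of names."""
    return {n.strip() for n in (text or "").split(",") if n.strip()}


def load_packages(*xml_docs):
    """Index every <package> element across the given documents by name."""
    packages = {}
    for doc in xml_docs:
        for pkg in ET.fromstring(doc.strip()).findall("package"):
            packages[pkg.get("name")] = pkg
    return packages


def effective_allowed_methods(packages, name, path=()):
    """Union of a package's own <global-allowed-methods> with those of every
    package it extends, transitively. This mirrors the merge behaviour the
    comment describes: child entries are added, inherited ones are never removed.
    Simplification (assumption): entries are treated as literal method names."""
    if name in path:
        raise ValueError("cyclic extends chain: " + " -> ".join(path + (name,)))
    pkg = packages[name]
    allowed = set()
    for parent in _names(pkg.get("extends")):
        allowed |= effective_allowed_methods(packages, parent, path + (name,))
    for node in pkg.findall("global-allowed-methods"):
        allowed |= _names(node.text)
    return allowed


def check_submit_buttons(packages, package_name, button_names):
    """For each submit button named method:NAME, report whether SMI would let
    that method through for actions in the given package."""
    allowed = effective_allowed_methods(packages, package_name)
    report = {}
    for button in button_names:
        if not button.startswith("method:"):
            continue
        method = button[len("method:"):]
        report[method] = method in allowed
    return report


PACKAGES = load_packages(STRUTS_DEFAULT_XML, APP_STRUTS_XML)

# Constructed button names: the three from the issue's JSP plus the delete case
# mentioned in the reporter's update.
ISSUE_BUTTONS = ["method:update", "method:refresh", "method:back", "method:delete"]

if __name__ == "__main__":
    for pkg in PACKAGES:
        print(pkg, "->", sorted(effective_allowed_methods(PACKAGES, pkg)))
    for method, ok in check_submit_buttons(PACKAGES, "app", ISSUE_BUTTONS).items():
        print(f"method:{method}: {'allowed' if ok else 'blocked by SMI'}")
```

Run against the constructed files, the `app` package ends up allowing the nine inherited names plus `update`, so `back` and `delete` pass while `refresh` is blocked, which is exactly the split the reporter observed. Pointing the loader at a real struts.xml (and the struts-default.xml shipped in the deployed Struts jar) gives a quick review of what is actually reachable through `method:` parameters, rather than what the application's own list appears to say.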
> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods
> defined in struts.xml
> ---------------------------------------------------------------------------------------------------
>
> Key: WW-4918
> URL: https://issues.apache.org/jira/browse/WW-4918
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.5.14.1
> Reporter: Nate
> Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>     <interceptor-ref name="defaultStack">
>         <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters
>              and the resetSelectedVersion parameter -->
>         <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>         <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>     </interceptor-ref>
>     <interceptor-ref name="token">
>         <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>     </interceptor-ref>
>     <interceptor-ref name="struts2ActionErrorInterceptor"/>
>     <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>     <result name="input">/jsp/user/userEdit.jsp</result>
>     <result name="error" type="redirectAction">
>         <param name="actionName">displayUserEdit.action</param>
>     </result>
>     <result name="redirectToUserOverview" type="redirectAction">
>         <param name="actionName">userOverviewRetained.action</param>
>         <param name="globalInfo">info.transaction_success</param>
>     </result>
>     <result name="success">/jsp/user/userEdit.jsp</result>
>     <result name="back" type="redirect">${backUrl}</result>
> </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>
> {code:xml}
> <div class="buttonRow">
>     <%-- The 'Save' button --%>
>     <input value="Save"
>            type="submit" class="button" name="method:update" />
>     <%-- The 'Refresh' button --%>
>     <input value="Refresh"
>            type="submit" class="button" name="method:refresh"
>            id="refreshButton" />
>     <%-- The 'Back' button --%>
>     <input value="Back"
>            type="submit" class="button" name="method:back" />
> </div>
> {code}
>
> As you can see, the update method is defined in the global-allowed-methods
> list, but the refresh and back methods aren't. However, what happens is that
> the update button with the update method works and updates the user, the
> refresh action shows the "method is not allowed" error screen and doesn't
> update the user (both as expected, since update is defined in the allowed
> methods and refresh isn't), but the back button DOES actually work even
> though it's not explicitly defined in the global-allowed-methods section.
>
> I'm trying to understand why, out of 2 methods both not defined as
> allowed-methods, one is correctly blocked as "not allowed" while the other
> is still allowed through. If I add ",refresh" to the global-allowed-methods
> and restart Tomcat, the refresh button ends up working afterwards as
> expected, and the back button stays functional. I don't use the plugin that
> adds the Allowed Methods annotation, and this same situation also happens
> when using s:submits with method="back" defined, even if there is already a
> method defined on the action entry in struts.xml.
>
> Update: I have done some more testing, and it appears that another action
> with a similar definition but a different method (method:delete on an
> AntDeleteAction) also works without having to explicitly define delete on the
> global allowed methods list.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)