[ https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362401#comment-16362401 ]
Nate commented on WW-4918:
--------------------------

Yes, our package extends struts-default, as well as json-default. That explains why some methods have to be defined while others aren't. So this actually isn't a bug, it's intended behaviour.

> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WW-4918
>                 URL: https://issues.apache.org/jira/browse/WW-4918
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>   Affects Versions: 2.5.14.1
>            Reporter: Nate
>            Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>     <interceptor-ref name="defaultStack">
>         <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the resetSelectedVersion parameter-->
>         <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>         <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>     </interceptor-ref>
>     <interceptor-ref name="token">
>         <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>     </interceptor-ref>
>     <interceptor-ref name="struts2ActionErrorInterceptor"/>
>     <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>     <result name="input">/jsp/user/userEdit.jsp</result>
>     <result name="error" type="redirectAction">
>         <param name="actionName">displayUserEdit.action</param>
>     </result>
>     <result name="redirectToUserOverview" type="redirectAction">
>         <param name="actionName">userOverviewRetained.action</param>
>         <param name="globalInfo">info.transaction_success</param>
>     </result>
>     <result name="success">/jsp/user/userEdit.jsp</result>
>     <result name="back" type="redirect">${backUrl}</result>
> </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>
> {code:xml}
> <div class="buttonRow">
>     <%-- The 'Save' button --%>
>     <input value="Save"
>         type="submit" class="button" name="method:update" />
>     <%-- The 'Refresh' button --%>
>     <input value="Refresh"
>         type="submit" class="button" name="method:refresh"
>         id="refreshButton" />
>     <%-- The 'Back' button --%>
>     <input value="Back"
>         type="submit" class="button" name="method:back" />
> </div>
> {code}
>
> As you can see, the update method is defined in the global-allowed-actions list, but the refresh and back methods aren't. However, what happens is that the update button with the update method works and updates the user, the refresh action shows the "method is not allowed" error screen and doesn't update the user (both as expected since update is defined in the allowed methods and refresh isn't), but the back button DOES actually work even though it's not explicitly defined in the global-allowed-methods section.
>
> I'm trying to understand why out of 2 methods both not defined as allowed-methods, one is correctly blocked as "not allowed" while the other is still allowed through. If I add ",refresh" to the global-allowed-methods and restart tomcat, the refresh button ends up working afterwards as expected, and the back button stays functional. I don't use the plugin that adds the Allowed Methods annotation, and this same situation also happens when using s:submits with method="back" defined, even if there is already a method defined on the action entry in struts.xml.
>
> Update: I have done some more testing, and it appears that another action with similar definition but a different method (method:delete on an AntDeleteAction) also works without having to explicitly define delete on the global allowed methods list.
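The following is an added example, not part of the original thread and not Struts code. It audits which `method:` buttons are reachable only because of inherited `global-allowed-methods`, the situation Nate's comment at the top of this message describes. Assumptions: the `struts-default` list below stands in for `struts-default.xml` from your struts2-core jar, the package name `app` is hypothetical, and a package's effective list is taken as the union of its own and its parents' lists.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input. The struts-default list is an assumption standing in for
# struts-default.xml in the struts2-core jar; load the real file when auditing.
STRUTS_XML = """<struts>
  <package name="struts-default" abstract="true">
    <global-allowed-methods>execute,input,back,cancel,browse,save,delete,list,index</global-allowed-methods>
  </package>
  <package name="json-default" extends="struts-default"/>
  <package name="app" extends="struts-default,json-default">
    <global-allowed-methods>update,execute</global-allowed-methods>
  </package>
</struts>"""
# Buttons from the report, reduced to one line each.
JSP = '''<input value="Save" type="submit" class="button" name="method:update" />
<input value="Refresh" type="submit" class="button" name="method:refresh" id="refreshButton" />
<input value="Back" type="submit" class="button" name="method:back" />'''

def load_packages(xml_text):
    """Map package name -> (parent names, locally declared allowed methods)."""
    packages = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        parents = [p.strip() for p in pkg.get("extends", "").split(",") if p.strip()]
        local = set()
        for gam in pkg.findall("global-allowed-methods"):
            local |= {m.strip() for m in (gam.text or "").split(",") if m.strip()}
        packages[pkg.get("name")] = (parents, local)
    return packages

def effective_allowed(packages, name, seen=None):
    """Union of the package's own list and every ancestor's list."""
    seen = set() if seen is None else seen
    if name in seen or name not in packages:
        return set()  # already visited (diamond or cycle) or parent not loaded
    seen.add(name)
    parents, local = packages[name]
    allowed = set(local)
    for parent in parents:
        allowed |= effective_allowed(packages, parent, seen)
    return allowed

def audit(xml_text, package, jsp_text):
    """Classify each method: button as 'local', 'inherited' or 'blocked'."""
    packages = load_packages(xml_text)
    local = packages[package][1]
    allowed = effective_allowed(packages, package)
    verdict = lambda m: "local" if m in local else "inherited" if m in allowed else "blocked"
    return {m: verdict(m) for m in re.findall(r'name="method:(\w+)"', jsp_text)}
```

Methods reported as `inherited` are the ones worth reviewing: they are callable through the `method:` prefix even though the application's own `struts.xml` never lists them.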