Joseph Wolschon created WW-5194:
-----------------------------------
Summary: UIBean.evaluateParams() throws an IllegalStateException
when getting the nonce out of a session that has been invalidated.
Key: WW-5194
URL: https://issues.apache.org/jira/browse/WW-5194
Project: Struts 2
Issue Type: Bug
Components: Core
Affects Versions: 6.0.0
Reporter: Joseph Wolschon
h2. Summary
UIBean.evaluateParams() grabs the nonce out of the session without first
checking that it exists, causing an IllegalStateException to be thrown if the
session has been invalidated. This breaks our use case where we invalidate a
session, but still want to use ActionError to convey information to the user.
It doesn't appear that this change relates to removing double evaluations, so I
would consider this a regression.
h2. Triage
This was introduced when [refactoring to fix double
evaluations|https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caL900]:
{noformat}
Object nonceValue = session != null ? session.get("nonce") : null;
if (nonceValue != null) {
    addParameter("nonce", nonceValue.toString());
}
{noformat}
The previous revision first checks that the key exists before
attempting to pull it out:
{noformat}
if (session.containsKey("nonce")) {
    String nonceValue = session.get("nonce").toString();
    addParameter("nonce", nonceValue);
}
{noformat}
h2. Proposed Fix
Revert to the previous revision and first check that the session contains the
nonce before getting it from the session.