[ 
https://issues.apache.org/jira/browse/WW-5194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joseph Wolschon updated WW-5194:
--------------------------------
    Description: 
h2. Summary

UIBean.evaluateParams() grabs the nonce out of the session without first 
checking that it exists, causing an IllegalStateException to be thrown if the 
session has been invalidated. This breaks our use case where we invalidate a 
session, but still want to use ActionError to convey information to the user. 
It doesn't appear that this change relates to removing double evaluations, so I 
would consider this a regression.
h2. Triage

This was introduced when [refactoring to fix double 
evaluations|https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caL900]:
{noformat}
Object nonceValue = session != null ? session.get("nonce") : null;
if (nonceValue != null){ 
    addParameter("nonce", nonceValue.toString()); 
}{noformat}
The previous revision first checks that the key exists before 
attempting to pull it out:
{noformat}
if (session.containsKey("nonce")) {               
   String nonceValue = session.get("nonce").toString();
   addParameter("nonce", nonceValue);           
}
{noformat}


  was:
h2. Summary

UIBean.evaluateParams() grabs the nonce out of the session without first 
checking that it exists, causing an IllegalStateException to be thrown if the 
session has been invalidated. This breaks our use case where we invalidate a 
session, but still want to use ActionError to convey information to the user. 
It doesn't appear that this change relates to removing double evaluations, so I 
would consider this a regression.
h2. Triage

This was introduced when [refactoring to fix double 
evaluations|https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caL900]:
{noformat}
Object nonceValue = session != null ? session.get("nonce") : null;
if (nonceValue != null){ 
    addParameter("nonce", nonceValue.toString()); 
}{noformat}
The previous revision first checks that the key exists before 
attempting to pull it out:
{noformat}
if (session.containsKey("nonce")) {               
   String nonceValue = session.get("nonce").toString();
   addParameter("nonce", nonceValue);           
}
{noformat}
h2. Proposed Fix

Revert to the previous revision and first check that the session contains the 
nonce before getting it from the session.


> UIBean.evaluateParams() throws an IllegalStateException when getting the 
> nonce out of a session that has been invalidated.
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-5194
>                 URL: https://issues.apache.org/jira/browse/WW-5194
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.0.0
>            Reporter: Joseph Wolschon
>            Assignee: Yasser Zamani
>            Priority: Minor
>              Labels: UIBean
>             Fix For: 6.0.1
>
>
> h2. Summary
> UIBean.evaluateParams() grabs the nonce out of the session without first 
> checking that it exists, causing an IllegalStateException to be thrown if the 
> session has been invalidated. This breaks our use case where we invalidate a 
> session, but still want to use ActionError to convey information to the user. 
> It doesn't appear that this change relates to removing double evaluations, so 
> I would consider this a regression.
> h2. Triage
> This was introduced when [refactoring to fix double 
> evaluations|https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caL900]:
> {noformat}
> Object nonceValue = session != null ? session.get("nonce") : null;
> if (nonceValue != null){ 
>     addParameter("nonce", nonceValue.toString()); 
> }{noformat}
> The previous revision first checks that the key exists before 
> attempting to pull it out:
> {noformat}
> if (session.containsKey("nonce")) {               
>    String nonceValue = session.get("nonce").toString();
>    addParameter("nonce", nonceValue);           
> }
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
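
A defensive form of the nonce lookup discussed in this report, as an added Java example that is not Struts code and not from the reporter. `InvalidatableSession` and `readNonce` are hypothetical names, and the map's behaviour (`get` throwing IllegalStateException once the session is invalidated) is an assumption modeled on what the report describes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class NonceLookupDemo {

    /** Constructed stand-in for a session-backed map: reads fail once invalidated. */
    static class InvalidatableSession extends HashMap<String, Object> {
        private boolean invalidated;

        void invalidate() {
            invalidated = true;
        }

        @Override
        public Object get(Object key) {
            if (invalidated) {
                throw new IllegalStateException("Session already invalidated");
            }
            return super.get(key);
        }
    }

    /** Hypothetical helper: the nonce if the session is usable, otherwise empty. */
    static Optional<String> readNonce(Map<String, Object> session) {
        if (session == null) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(session.get("nonce")).map(Object::toString);
        } catch (IllegalStateException e) {
            // Session was invalidated earlier in the request: render without a
            // nonce instead of failing the whole page, so the error message shows.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        InvalidatableSession session = new InvalidatableSession();
        session.put("nonce", "constructed-sample-nonce");

        System.out.println("live session:        " + readNonce(session));
        System.out.println("no session:          " + readNonce(null));

        session.invalidate();
        System.out.println("invalidated session: " + readNonce(session));
    }
}
```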
