[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=913818&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913818 ]
ASF GitHub Bot logged work on WW-5408:
--------------------------------------

Author: ASF GitHub Bot
Created on: 10/Apr/24 05:19
Start Date: 10/Apr/24 05:19
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1558857753

########## core/src/main/java/org/apache/struts2/StrutsConstants.java: ##########
@@ -230,6 +230,8 @@ public final class StrutsConstants { public static final String STRUTS_XWORKCONVERTER = "struts.xworkConverter"; public static final String STRUTS_ALWAYS_SELECT_FULL_NAMESPACE = "struts.mapper.alwaysSelectFullNamespace"; + /** Disable fallback to empty namespace when request namespace didn't match any in action configuration */ + public static final String STRUTS_DISABLE_EMPTY_NAMESPACE_FALLBACK = "struts.disableActionConfigFallbackToEmptyNamespace";

Review Comment:
Sounds reasonable to me - @jefferyxhy could you please update?

Issue Time Tracking
-------------------

Worklog Id: (was: 913818)
Time Spent: 40m (was: 0.5h)

> Add option to NOT fallback to empty namespace when unresolved
> -------------------------------------------------------------
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be
> accessed at any non-resolving namespace, eg.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a
> developer only expects their Action to be accessible at a very specific URL.
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this
> behaviour, so I propose we add one.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
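Review bot: On the added `STRUTS_DISABLE_EMPTY_NAMESPACE_FALLBACK` line in StrutsConstants.java, the constant name and its key `struts.disableActionConfigFallbackToEmptyNamespace` do not line up: the key carries `ActionConfig` and the name does not, so a search for one will not turn up the other. Consider renaming the constant to mirror the key, or shortening the key to match the name. The Javadoc on the line above could also state the option's default and what a request receives when its namespace matches nothing and the fallback is disabled, since applications that currently depend on the fallback will change behaviour once the option is switched on.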