[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914052&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914052 ]
ASF GitHub Bot logged work on WW-5408:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Apr/24 00:33
            Start Date: 11/Apr/24 00:33
    Worklog Time Spent: 10m
      Work Description: kusalk commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1560203638

##########
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##########
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration buildRuntimeConfiguration() throws C boolean appendNamedParameters = Boolean.parseBoolean( container.getInstance(String.class, StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS) ); + boolean fallbackToEmptyNamespace = Boolean.parseBoolean( + Optional.ofNullable(container.getInstance(String.class, StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true")

Review Comment:
   @jefferyxhy and I just discussed this one and one of the drawbacks of putting it in `default.properties` is that it isn't read by unit tests and causes a bunch of test failures, as the unit tests will default to `false`.

   To get around this we could additionally add the constant to `StrutsDefaultConfigurationProvider` as well as `default.properties`.

   I'm personally not too fussed. In the past I've deliberately made constants default to false to try to sidestep this issue.

   Let us know what you would prefer

Issue Time Tracking
-------------------

    Worklog Id:     (was: 914052)
    Time Spent: 1h 10m  (was: 1h)

> Add option to NOT fallback to empty namespace when unresolved
> -------------------------------------------------------------
>
>                 Key: WW-5408
>                 URL: https://issues.apache.org/jira/browse/WW-5408
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be
> accessed at any non-resolving namespace, eg.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a
> developer only expects their Action to be accessible at a very specific URL.
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this
> behaviour, so I propose we add one.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
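
Review bot: On the added `fallbackToEmptyNamespace` lines in `DefaultConfiguration.java`, the default is the inline literal in `.orElse("true")`, while the neighbouring `appendNamedParameters` reads its constant straight from the container with no fallback. That leaves the effective default for `STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE` defined only at this call site; consider registering the default where the other constants get theirs so this line can follow the same pattern as `appendNamedParameters`, or at least add a comment explaining why a missing value must mean `true`. Since `Boolean.parseBoolean` treats every value other than "true" (case-insensitive) as `false`, it is also worth documenting that a mistyped setting turns the empty-namespace fallback off rather than leaving it on.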