Picking up on this topic, I noticed that disabling this feature will break any JSPs where you've set the action in the <s:submit> tag instead of the <s:form> tag.
This is particularly problematic in situations where for some reason you have one form with two submit tags, since the submit is the only place where you can distinguish the actions. This can also be related with a similar situation in s2-019, where the disabling of the DMI makes the method="" parameter of the tags unusable. I've learnt that this will be better handled in a future version of struts, so my assumption is that the normal behaviour will return in both situations on a future non-security release - hopefully the next one! Maybe someone from the dev team can share their input with us? Kind regards, Miguel Almeida On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote: > Dear Struts2 mailing list, > > i have the following question(s)/ i need the following advice: > by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as to: > http://struts.apache.org/release/2.3.x/docs/s2-018 > for security reasons, > but i need to set it back to true(i.e. the > struts.mapper.action.prefix.enabled) because my actions do not work > after the library update and if i decide to go another way to solve this > issue, i need to do a lot of refactoring on my code; > So my question is: > if i enable the "action:" prefix, does it mean that, i automatically > compromise/expose my application to the security issues discussed in > s2-16, s2-17 and s2-18? > Is there a workaround for my scenario, that i can enable the prefix, but > still maintain the security level of my application considering the > enumerated above issues?(can i achieve better results if i tweak > properly the struts.mapper.action.prefix.crossNamespaces) > > many thanks for your opinions and support! > > Best, > > krassen
