[ https://issues.apache.org/jira/browse/WW-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jasper Rosenberg updated WW-4172:
---------------------------------

    Description: deleting  (was: Let's say you have the following mappings:

{code:xml}
    <package name="securityTest" namespace="/securitytest" extends="default">
      <action name="secureAction">
        <result>secure.ftl</result>
      </action>
      <action name="insecureAction">
        <result>insecure.ftl</result>
      </action>
    </package>
{code}

Then suppose you are using url pattern based security such as with Spring 
Security, and require login to view secureAction.action:

{code:xml}
<http use-expressions="true">
    <intercept-url pattern="/securitytest/insecureAction.action" access="permitAll"/>
    <intercept-url pattern="/securitytest/secureAction.action" access="isAuthenticated"/>
    <form-login />
</http>
{code}

Now:
1. http://localhost/securitytest/insecureAction.action
        Shows the insecure content

2. http://localhost/securitytest/secureAction.action
        Requires login before displaying secure content

3. http://localhost/securitytest/insecureAction.action?action:secureAction
        Whoops, there's the secure content without login!

I believe this is only a problem if you are hosting the secure and insecure 
actions in the same namespace.

Obviously, this is not directly a Struts2 issue, but I'm sure that many sites 
are using url based security and Struts2 together.  At the very least, it might 
be good to provide an easy way to disable support for the "action:" parameter 
prefix.  For now I just extended the DefaultActionMapper, and overwrote the 
value of prefixTrie to be empty.
)
    Environment: deleting  (was: Spring Security)
         Labels:   (was: security)
        Summary: deleting  (was: "action:" parameter prefix can be used to access url secured content)

> deleting
> --------
>
>                 Key: WW-4172
>                 URL: https://issues.apache.org/jira/browse/WW-4172
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Other
>    Affects Versions: 2.3.15.1
>         Environment: deleting
>            Reporter: Jasper Rosenberg
>            Priority: Blocker
>
> deleting

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
