[ https://issues.apache.org/jira/browse/WW-4469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart resolved WW-4469. ------------------------------- Resolution: Won't Fix > Avoid sending Struts text in HTTP Response Headers > -------------------------------------------------- > > Key: WW-4469 > URL: https://issues.apache.org/jira/browse/WW-4469 > Project: Struts 2 > Issue Type: Improvement > Affects Versions: 2.3.20 > Environment: Ubuntu 14.04 LST Server x64, JDK 8_31 > Reporter: NZa > Fix For: 2.3.25 > > > In ticket WW-4085 a default-action-ref name was introduces which works fine > in order to avoid messages like "There is no Action mapped for namespace > [/config-browser] and action name [] associated with context path > [/struts2-javatemplate].": > {code:xml} > <package name="/" extends="struts-default"> > <default-action-ref name="HelloWorld" /> > <action name="HelloWorld"> > <result type="redirectAction"> > <param name="actionName">HelloWorld</param> > <param name="namespace">example</param> > </result> > </action> > </package> > {code} > It is possible to also get messages like this: > There is no Action mapped for namespace [/references/asdasd] and action name > [asdasd] associated with context path []. > Assuming we have the following configuration (this is in our example the one > and only package): > {code:xml} > <package name="root" extends="struts-default" namespace="/"> > <default-action-ref name="HelloWorld" /> > <action name="HelloWorld"> > <result type="redirectAction"> > <param name="actionName">HelloWorld</param> > <param name="namespace">example</param> > </result> > </action> > </package> > {code} > Case 1: http://localhost:8080/asdasd > This works as expected, our default-action-ref "HelloWorld" is called. > Case 2: http://localhost:8080/asdasd/asdasdasd > This works as expected, our default-action-ref "HelloWorld" is called. > Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on > Like Case 2... > Case 2 and 3 will have a HTTP 404 response with the Struts error message. > I believe it is a good idea to have something that is called by the > Dispatcher in case namespace + action is not found. > Improvement 1: > Don't write typical Struts messages like "There is no Action mapped for > namespace [/references/asdasd] and action name [asdasd] associated with > context path []." into HTTP Header response fields if in PROD mode (it allows > hackers to assume that the server is based on Struts, obfuscation is > better...) > Improvement 2: > Allow maybe something like <default-not-found-action-ref name="Http404" /> > similar to ticket WW-4085 to be in sync. > I believe that the current workaround is something like this (which should > also be documented better): > {code:xml} > <struts> > <unknown-handler-stack> > <unknown-handler-ref name="MyUnknownHandler1" /> > <unknown-handler-ref name="MyUnknownHandler2" /> > </unknown-handler-stack> > </struts> > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)