[
https://issues.apache.org/jira/browse/WW-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-4323:
------------------------------
Description:
The ability to accept params purely by implementing ParamNameAware is broken.
Relates to WW-3866 which is when this feature was added for version 2.3.5
The commit that breaks this feature is:
https://github.com/apache/struts/commit/4e98aaaa1b08cc37374d06e77cf78000d98c5ff0
Description:
Prior to this change/2.3.16.1 it was quite convenient to define what parameters
my action should accept, by implementing
ParameterNameAware#acceptableParameterName. With this change, there is the
additional requirement that the parameter names must also satisfy
acceptableName(name).
In the ParametersInterceptor javadoc, it says: "if you wish to apply a global
rule that isn't implemented in your action, then you could extend this
interceptor and override the {@link #acceptableName(String)} method." So this
isn't suitable for customizing a single action.
Looking more carefully at the code, another alternative to defining what
parameters my action can accept, looks to be via populating the
ParametersInterceptor's field acceptParams. Apparently this could be done in
the interceptor stack from what I have read here:
http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html
By forcing one to populate acceptParams, and also implement
ParameterNameAware#acceptableParameterName it becomes quite difficult to add
custom behavior. I understand people should fully understand what they are
doing due to the security risks involved, but it is probably safer to define
the behavior in a single place.
I'd greatly appreciate your help understanding how to adapt to this change. In
the meantime, I'll have to continue using 2.3.15.3
Thanks
was:
The ability to accept params purely by implementing ParamNameAware is broken.
Relates to https://issues.apache.org/jira/browse/WW-3866 which is when this
feature was added for version 2.3.5
The commit that breaks this feature is:
https://github.com/apache/struts/commit/4e98aaaa1b08cc37374d06e77cf78000d98c5ff0
Description:
Prior to this change/2.3.16.1 it was quite convenient to define what parameters
my action should accept, by implementing
ParameterNameAware#acceptableParameterName. With this change, there is the
additional requirement that the parameter names must also satisfy
acceptableName(name).
In the ParametersInterceptor javadoc, it says: "if you wish to apply a global
rule that isn't implemented in your action, then you could extend this
interceptor and override the {@link #acceptableName(String)} method." So this
isn't suitable for customizing a single action.
Looking more carefully at the code, another alternative to defining what
parameters my action can accept, looks to be via populating the
ParametersInterceptor's field acceptParams. Apparently this could be done in
the interceptor stack from what I have read here:
http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html
By forcing one to populate acceptParams, and also implement
ParameterNameAware#acceptableParameterName it becomes quite difficult to add
custom behavior. I understand people should fully understand what they are
doing due to the security risks involved, but it is probably safer to define
the behavior in a single place.
I'd greatly appreciate your help understanding how to adapt to this change. In
the meantime, I'll have to continue using 2.3.15.3
Thanks
> Ability to accept params purely by implementing ParamNameAware is broken
> ------------------------------------------------------------------------
>
> Key: WW-4323
> URL: https://issues.apache.org/jira/browse/WW-4323
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.1
> Environment: struts2 version 2.3.16.1
> Reporter: Kyle Braak
> Priority: Major
> Fix For: 6.1.0
>
>
> The ability to accept params purely by implementing ParamNameAware is broken.
> Relates to WW-3866 which is when this feature was added for version 2.3.5
> The commit that breaks this feature is:
> https://github.com/apache/struts/commit/4e98aaaa1b08cc37374d06e77cf78000d98c5ff0
> Description:
> Prior to this change/2.3.16.1 it was quite convenient to define what
> parameters my action should accept, by implementing
> ParameterNameAware#acceptableParameterName. With this change, there is the
> additional requirement that the parameter names must also satisfy
> acceptableName(name).
> In the ParametersInterceptor javadoc, it says: "if you wish to apply a global
> rule that isn't implemented in your action, then you could extend this
> interceptor and override the {@link #acceptableName(String)} method." So this
> isn't suitable for customizing a single action.
> Looking more carefully at the code, another alternative to defining what
> parameters my action can accept, looks to be via populating the
> ParametersInterceptor's field acceptParams. Apparently this could be done in
> the interceptor stack from what I have read here:
> http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html
> By forcing one to populate acceptParams, and also implement
> ParameterNameAware#acceptableParameterName it becomes quite difficult to add
> custom behavior. I understand people should fully understand what they are
> doing due to the security risks involved, but it is probably safer to define
> the behavior in a single place.
> I'd greatly appreciate your help understanding how to adapt to this change.
> In the meantime, I'll have to continue using 2.3.15.3
> Thanks
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
