[ 
https://issues.apache.org/jira/browse/WW-5238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613079#comment-17613079
 ] 

Daniel Wu commented on WW-5238:
-------------------------------

1.    The *_form-processing_* example has the following methods defined, which 
are *standard* or *whitelisted* methods.
    public String execute() throws Exception {
        //call Service class to store personBean's state in database
        return SUCCESS;
    }

    public String cancel() throws Exception {
        return SUCCESS;
    }

2.    The package _basicstruts2_ uses default (*no namespace*) instead of 
specifying a *namespace*.
<package name="basicstruts2" extends="struts-default">
3.    Below are the changes to replicate using the *form-processing* example:
>change _Register_ action class methods, and related _struts.xml_ configuration

execute -> execute2

cancel -> cancel2

>change namespace to something other than "/" (ie. "/prod")

>add namespace='/prod' to the url/form tags in the JSPs

>build/deploy

>from main page, click _Register_ link, then click _Cancel_ button

4.    Below is the Struts 2 configuration file (_*struts.xml*_) for the 
_*form-processing*_ example. Switching to *_execute2_* and *_cancel2_* breaks 
the app for Struts 2 v6.0.3. However, it works fine for Struts 2 v6.0.0.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
        "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
        "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true" />
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <package name="basicstruts2" extends="struts-default" namespace="/prod">
        <default-action-ref name="index"/>
        <!-- If no class attribute is specified the framework will assume success and
        render the result index.jsp -->
        <!-- If no name value for the result node is specified the success value is the default -->
        <action name="index">
            <result>/WEB-INF/index.jsp</result>
        </action>
        <!-- If the URL is hello.action then call the execute method of class HelloWorldAction.
        If the result returned by the execute method is success render the HelloWorld.jsp -->
        <action name="hello" class="org.apache.struts.helloworld.action.HelloWorldAction" method="execute">
            <result name="success">/WEB-INF/HelloWorld.jsp</result>
        </action>
        <action name="register" class="org.apache.struts.register.action.Register" method="input">
            <result name="input">/WEB-INF/register.jsp</result>
        </action>
        <action name="register-cancel" class="org.apache.struts.register.action.Register" method="cancel2">
            <result type="redirectAction">index</result>
        </action>
        <action name="register-submit" class="org.apache.struts.register.action.Register" method="execute2">
            <result>/WEB-INF/thankyou.jsp</result>
        </action>
    </package>
</struts>

> Strict Method Invocation (SMI) too strict or wrong ActionMapping?
> -----------------------------------------------------------------
>
>                 Key: WW-5238
>                 URL: https://issues.apache.org/jira/browse/WW-5238
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.0.3
>            Reporter: Daniel Wu
>            Priority: Blocker
>             Fix For: 6.1.0
>
>         Attachments: ex1.PNG, ex2.PNG, form-processing.png, 
> results_after_clicking_add_button.PNG
>
>
> Got the following error (Error No. 2) when trying to create one record. The 
> prompt method is not supposed to be invoked for aSbmt1. Before that, the 
> aSbmt1 was not accepted (Error No. 1). I tried several ways to try to 
> overwrite the regular expression without success. Was something strange 
> introduced into the Struts 2 version 6.0.3? Is Strict Method Invocation (SMI) 
> in a dead loop? I am surprised that there is no issue reported for the 
> Struts 2 version 6.0.3 yet.
> 1. com.opensymphony.xwork2.interceptor.ParametersInterceptor - 
> *Parameter [action:aSbmt1] didn't match accepted 
> pattern* 
> [[\w+((\.\w+)|(\[\d+])|((\d+))|(['(\w-?|[\u4e00-\u9fa5]{-}?){+}'])|(('(\w{+}{-}?|[\u4e00-\u9fa5]-?)')))*]]!
>  See Accepted / Excluded patterns at
> [https://struts.apache.org/security/#accepted--excluded-patterns]
> *2. com.opensymphony.xwork2.config.ConfigurationException: 
> Method prompt for action aSbmt1 is not allowed!*
>     at 
> com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:191)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.factory.StrutsActionProxy.prepare(StrutsActionProxy.java:57)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.factory.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:32)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> com.opensymphony.xwork2.DefaultActionProxyFactory.createActionProxy(DefaultActionProxyFactory.java:60)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.dispatcher.Dispatcher.createActionProxy(Dispatcher.java:673)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.dispatcher.Dispatcher.prepareActionProxy(Dispatcher.java:658)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:621) 
> ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:140)
>  ~[struts2-core-6.0.3.jar:6.0.3]
>     at 
> weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78) ~



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
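
Added example (not part of the original message or of the Struts project): a small audit of a struts.xml like the one in the comment. It reports the three constants that are switched from their default of false to true, and the actions whose configured method is outside the default allowed-methods list. That list is an assumption taken from struts-default.xml, the sample XML is a constructed, trimmed copy of the configuration above, and package-level global-allowed-methods are not considered.

```python
import xml.etree.ElementTree as ET

# Assumption: the global-allowed-methods list shipped in struts-default.xml.
DEFAULT_ALLOWED = {"execute", "input", "back", "cancel", "browse",
                   "save", "delete", "list", "index"}

# Constants whose value "true" departs from the framework default of "false".
REVIEW_IF_TRUE = {
    "struts.devMode": "development mode, not meant for production",
    "struts.enable.DynamicMethodInvocation": "method can be chosen by the request",
    "struts.mapper.action.prefix.enabled": "action: parameter prefix is honoured",
}

# Constructed sample: trimmed copy of the struts.xml in the comment above.
SAMPLE = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
  <package name="basicstruts2" extends="struts-default" namespace="/prod">
    <action name="index"><result>/WEB-INF/index.jsp</result></action>
    <action name="register" class="org.apache.struts.register.action.Register" method="input"/>
    <action name="register-cancel" class="org.apache.struts.register.action.Register" method="cancel2"/>
    <action name="register-submit" class="org.apache.struts.register.action.Register" method="execute2"/>
  </package>
</struts>"""

def audit(xml_text):
    """Return (kind, subject, detail) tuples for settings worth reviewing."""
    root = ET.fromstring(xml_text)
    findings = []
    for const in root.iter("constant"):
        name = const.get("name")
        if name in REVIEW_IF_TRUE and const.get("value", "").strip().lower() == "true":
            findings.append(("constant", name, REVIEW_IF_TRUE[name]))
    for pkg in root.iter("package"):
        namespace = pkg.get("namespace", "")
        for action in pkg.iter("action"):
            # Methods declared per action in an <allowed-methods> child, if any.
            declared = {m.strip() for node in action.iter("allowed-methods")
                        for m in (node.text or "").split(",") if m.strip()}
            method = action.get("method", "execute")
            if method not in DEFAULT_ALLOWED | declared:
                findings.append(("method", f"{namespace}/{action.get('name')}", method))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE):
        print(f"{kind:8} {subject:40} {detail}")
```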
