There is no other way - you must wait for a new release (hopefully soon) or write a custom action mapper.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/10/2 Markus Fischer <markus.fisc...@knipp.de>:
> Hi everyone,
>
> I have just upgraded a web application from Struts 2.3.15.1 to Struts
> 2.3.15.2 (running on Tomcat 7.0.27). Now, for any button using the
> "action:" prefix as described in S2-018, the action mapping does not
> work anymore. I.e., Backward Compatibility for the "action:" prefix
> is not given, at least not in my use case.
>
> Example: Clicking the following button...
>
>> <button type="submit" name="action:createsubmit"
>>         id="..." value="..." class="...">Create</button>
>
> ...yields this 404 report:
>> HTTP Status 404 - /my-server/user/createsubmit.action
>>
>> type: Status report
>>
>> message: /my-server/user/createsubmit.action
>>
>> description: The requested resource (/my-server/user/createsubmit.action) is
>> not available.
>>
>> Apache Tomcat/7.0.27
>
> while with Struts 2.3.15.1 this was working okay. (I'm attaching the
> struts.xml section for reference, although it's obvious that that must
> be okay since it hasn't unchanged for the update.)
>
> Is there a way to fix this other than to write a custom ActionMapper as
> proposed in the Security Bulletin for S2-018 (see link below)?
>
> Any advice muchly appreciated, since I would like to get the security
> threat out of the way.
>
> Markus
>
> http://struts.apache.org/release/2.3.x/docs/s2-018.html
>
>
> struts.xml:
> <package name="usermanagement" extends="my-server" namespace="/user"
>          strict-method-invocation="true">
>
>   <action name="createsubmit" method="createsubmit"
>           class="de.knipp.telnic.nsp.web.action.user.UserAction">
>     <result name="success" type="freemarker">
>       /user/create_success.ftl
>     </result>
>     <result name="error" type="freemarker">
>       /user/create.ftl
>     </result>
>     <result name="input" type="freemarker">
>       /user/create.ftl
>     </result>
>     <result name="noaccess" type="freemarker">
>       /user/error.ftl
>     </result>
>   </action>
> </package> <!-- end of package usermanagement -->
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>