  1. Struts 2
  2. WW-2052

Don't set result jsp file in request parameter on redirect after POST


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.8
    • Fix Version/s: 2.0.10, 2.1.0
    • Component/s: Plugin - Portlet
    • Labels: None
    • Environment: JBoss Portal 2.6.0-CR3

    Description

      I have a form with method=POST.

      After sending the form, Struts2 does a redirect after POST (which is fine), but the URL used for redirecting now contains the parameter location whose value is the full path of the JSP file, e.g.:

      http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow?action=2&objectId=&struts.portlet.mode=view&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp&struts.portlet.eventAction=true&struts.portlet.action=renderDirect

      It's not a bug but the jsp file's name is a kind of "secret" information which I don't want to disclose to everybody.
      Additionally, this could be a security problem because now you can use the location property for selecting a JSP (I'm not quite sure if this is a problem, but it doesn't sound comfortable).
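
An added example, not part of the report and not Struts 2 code: one way to keep the result JSP out of the redirect URL is to hold it in the session and resolve the view only from there in the render phase. The class, method and session key names are hypothetical, plain maps stand in for the portlet session and URL parameters, and the tampered request and default view path are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;

// Illustration only; hypothetical names, maps stand in for portlet objects.
public class RenderDirectExample {
    // Hypothetical session attribute name holding the view to render.
    static final String SESSION_KEY = "example.renderDirectLocation";

    // "Before": the JSP path is copied into a render parameter, so it
    // appears in the redirect URL and the client can replace it.
    static void actionPhaseLeaky(Map<String, String> renderParams, String jsp) {
        renderParams.put("struts.portlet.action", "renderDirect");
        renderParams.put("location", jsp);
    }

    // "After": the JSP path stays server-side; the URL carries only the marker.
    static void actionPhaseSafe(Map<String, String> renderParams,
                                Map<String, Object> session, String jsp) {
        renderParams.put("struts.portlet.action", "renderDirect");
        session.put(SESSION_KEY, jsp);
    }

    // Render phase: the view comes from the session only. A "location"
    // request parameter, if present, is never consulted.
    static String renderPhase(Map<String, String> requestParams,
                              Map<String, Object> session, String defaultJsp) {
        if (!"renderDirect".equals(requestParams.get("struts.portlet.action"))) {
            return defaultJsp;
        }
        Object stored = session.get(SESSION_KEY);
        return stored instanceof String ? (String) stored : defaultJsp;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        Map<String, String> url = new HashMap<>();
        actionPhaseSafe(url, session, "/WEB-INF/pages/view/helloWorld.jsp");
        System.out.println("redirect parameters: " + url);

        // Constructed request: the client appends its own location parameter.
        Map<String, String> tampered = new HashMap<>(url);
        tampered.put("location", "/WEB-INF/pages/constructed/other.jsp");
        String view = renderPhase(tampered, session, "/WEB-INF/pages/view/index.jsp");
        System.out.println("view rendered: " + view);
    }
}
```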

          People

            Assignee: nilsga Nils-Helge Garli
            Reporter: hubertg Hubert Grininger