Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4214

Rename of struts token attribute name

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 2.3.15.1, 2.3.15.2
    • Fix Version/s: 2.5.8
    • Component/s: Other

      Description

      we are using struts 2.0.5, and migrating to 2.3.15.1 to get the security patches.

      During that time we noticed, the default token attribute name is changed from 'struts.token' to 'token'. Also this information is not published in change logs.

      This change impacts the application uses the custom token interceptor, where application get the token value from request using request.getParameter("struts.token");

      I request to provide a constant value to keep the default token name to maintain struts.xml file.

      This provides the generic approach to define the token attribute name during the implementation level.

      otherwise this is painful to change the token name at each jsp pages.

      currently we are using <s:token/> the generated token name is struts.token

      The same code generates the token name as 'token' in struts 2.3.15.1

      there are two options left to us.

      1. change the <s:token/> to <s:token name="struts.token"/>
      2. keep the old version of token.class in 2.3.15.1

      The better approach is

      create a constant to maintain the token name at struts.xml.

        Activity

        Hide
        lukaszlenart Lukasz Lenart added a comment -

        I have no idea what to do with this

        Show
        lukaszlenart Lukasz Lenart added a comment - I have no idea what to do with this
        Hide
        lukaszlenart Lukasz Lenart added a comment -

        You shouldn't depend on Struts internals and right now token name is random - http://struts.apache.org/development/2.x/docs/s2-010.html

        Show
        lukaszlenart Lukasz Lenart added a comment - You shouldn't depend on Struts internals and right now token name is random - http://struts.apache.org/development/2.x/docs/s2-010.html
        Hide
        mahendranmahesh mahendran added a comment -

        There are possibilities using the struts.token at javascript to make http get requests from the loaded page in the browser.
        while preparing query string for HTTP get requests we need to append the struts,token values.

        Hence we would require a configurable struts.token attribute name.

        Show
        mahendranmahesh mahendran added a comment - There are possibilities using the struts.token at javascript to make http get requests from the loaded page in the browser. while preparing query string for HTTP get requests we need to append the struts,token values. Hence we would require a configurable struts.token attribute name.
        Hide
        lukaszlenart Lukasz Lenart added a comment -

        Maybe instead of using request.getParameter("struts.token") it'd be better to base on TokenHelper class?

        Show
        lukaszlenart Lukasz Lenart added a comment - Maybe instead of using request.getParameter("struts.token") it'd be better to base on TokenHelper class?

          People

          • Assignee:
            lukaszlenart Lukasz Lenart
            Reporter:
            mahendranmahesh mahendran
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development