Struts 2 / WW-4469

Avoid sending Struts text in HTTP Response Headers

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.3.20
    • Fix Version/s: 2.3.28
    • Component/s: None
    • Labels:
      None
    • Environment:

      Ubuntu 14.04 LTS Server x64, JDK 8_31

      Description

      In ticket WW-4085 a default-action-ref name was introduced, which works fine in order to avoid messages like "There is no Action mapped for namespace [/config-browser] and action name [] associated with context path [/struts2-javatemplate].":

      <package name="/" extends="struts-default">

          <default-action-ref name="HelloWorld" />

          <action name="HelloWorld">
              <result type="redirectAction">
                  <param name="actionName">HelloWorld</param>
                  <param name="namespace">example</param>
              </result>
          </action>
      </package>

      It is possible to also get messages like this:

      There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path [].

      Assuming we have the following configuration (this is in our example the one and only package):

      <package name="root" extends="struts-default" namespace="/">

          <default-action-ref name="HelloWorld" />

          <action name="HelloWorld">
              <result type="redirectAction">
                  <param name="actionName">HelloWorld</param>
                  <param name="namespace">example</param>
              </result>
          </action>
      </package>

      Case 1: http://localhost:8080/asdasd
      This works as expected, our default-action-ref "HelloWorld" is called.

      Case 2: http://localhost:8080/asdasd/asdasdasd
      This works as expected, our default-action-ref "HelloWorld" is called.

      Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on
      Like Case 2...

      Case 2 and 3 will have an HTTP 404 response with the Struts error message.

      I believe it is a good idea to have something that is called by the Dispatcher in case namespace + action is not found.

      Improvement 1:
      Don't write typical Struts messages like "There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path []." into HTTP Header response fields if in PROD mode (it allows hackers to assume that the server is based on Struts, obfuscation is better...)

      Improvement 2:
      Allow maybe something like <default-not-found-action-ref name="Http404" /> similar to ticket WW-4085 to be in sync.

      I believe that the current workaround is something like this (which should also be documented better):

      <struts>
          <unknown-handler-stack>
              <unknown-handler-ref name="MyUnknownHandler1" />
              <unknown-handler-ref name="MyUnknownHandler2" />
          </unknown-handler-stack>
      </struts>
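
A regression check for the disclosure described in Improvement 1, as an added example that is not part of the original ticket or of Struts: it scans a captured HTTP response from your own application for the "There is no Action mapped" wording in the status line, headers and body. The function name and both sample responses are constructed for illustration.

```python
import re

# Wording of the Struts "no action mapped" error quoted in this issue.
STRUTS_MSG = re.compile(
    r"There is no Action mapped for namespace \[[^\]]*\] "
    r"and action name \[[^\]]*\] associated with context path \[[^\]]*\]"
)


def find_struts_leaks(raw_response: bytes) -> list:
    """Return the parts of an HTTP/1.x response that carry the Struts message.

    Possible entries: "status-line", "header:<name>", "body".
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    leaks = []
    # The reason phrase follows the status code on the first line.
    if STRUTS_MSG.search(lines[0]):
        leaks.append("status-line")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if STRUTS_MSG.search(value):
            leaks.append("header:" + name.strip().lower())
    # Collapse whitespace so a message re-wrapped across lines still matches.
    text = re.sub(r"\s+", " ", body.decode("utf-8", errors="replace"))
    if STRUTS_MSG.search(text):
        leaks.append("body")
    return leaks


# Constructed sample: a 404 that repeats the Struts message in the
# reason phrase and in the container's error page.
LEAKY = (
    b"HTTP/1.1 404 There is no Action mapped for namespace [/references/asdasd]"
    b" and action name [asdasd] associated with context path [].\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>HTTP Status 404</h1>\n"
    b"<p>There is no Action mapped for namespace [/references/asdasd] and action\n"
    b" name [asdasd] associated with context path [].</p></body></html>"
)
# Constructed sample: the same request answered by a generic error page.
CLEAN = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body>Page not found</body></html>")

if __name__ == "__main__":
    print("leaky:", find_struts_leaks(LEAKY))
    print("clean:", find_struts_leaks(CLEAN))
```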
      

            People

            • Assignee:
              Unassigned
              Reporter:
              nabi NZa