Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4469

Avoid sending Struts text in HTTP Response Headers

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 2.3.20
    • 2.3.28
    • None
    • None

    • Ubuntu 14.04 LST Server x64, JDK 8_31

    Description

      In ticket WW-4085 a default-action-ref name was introduces which works fine in order to avoid messages like "There is no Action mapped for namespace [/config-browser] and action name [] associated with context path [/struts2-javatemplate].": 

      <package name="/" extends="struts-default">

        <default-action-ref name="HelloWorld" />

        <action name="HelloWorld">
            <result type="redirectAction">
                <param name="actionName">HelloWorld</param>
                <param name="namespace">example</param>
            </result>
        </action>
    </package>

      It is possible to also get messages like this:

      There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path [].

      Assuming we have the following configuration (this is in our example the one and only package): 

      <package name="root" extends="struts-default" namespace="/">

        <default-action-ref name="HelloWorld" />

        <action name="HelloWorld">
            <result type="redirectAction">
                <param name="actionName">HelloWorld</param>
                <param name="namespace">example</param>
            </result>
        </action>
    </package>

      Case 1: http://localhost:8080/asdasd
      This works as expected, our default-action-ref "HelloWorld" is called.

      Case 2: http://localhost:8080/asdasd/asdasdasd
      This works as expected, our default-action-ref "HelloWorld" is called.

      Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on
      Like Case 2...

      Case 2 and 3 will have a HTTP 404 response with the Struts error message.

      I believe it is a good idea to have something that is called by the Dispatcher in case namespace + action is not found.

      Improvement 1:
      Don't write typical Struts messages like "There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path []." into HTTP Header response fields if in PROD mode (it allows hackers to assume that the server is based on Struts, obfuscation is better...)

      Improvement 2:
      Allow maybe something like <default-not-found-action-ref name="Http404" /> similar to ticket WW-4085 to be in sync.

      I believe that the current workaround is something like this (which should also be documented better):

      <struts>
    <unknown-handler-stack>
        <unknown-handler-ref name="MyUnknownHandler1" />
        <unknown-handler-ref name="MyUnknownHandler2" />
    </unknown-handler-stack>
</struts>

      Attachments

        Activity

          People

            Unassigned Unassigned
            nabi NZa
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: