Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.5.18
-
None
Description
Under WebSphere 8.5, the SAX parser sometimes create multiple text elements to represent the value of the "allowed-methods" tag found in the struts.xml configuration file. This happens when the text is read in chunks as stated here: https://docs.oracle.com/javase/8/docs/api/org/xml/sax/ContentHandler.html#characters-char:A-int-int-.
This case is not handled in class XmlConfigurationProvider, which only reads the first child of the org.w3c.dom.Node returned by the parser (see https://github.com/apache/struts/blob/struts-2-5-x/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L879).
This means that with this configuration:
<allowed-methods>method1,method2</allowed-methods>
The node instance almost always contains a single child [ "method1,method2" ], but randomly the node instance can contain two children: [ "method1,me", "thod2" ]. As only the first child is considered, the retrieved text is truncated and the configuration doesn't work.
It happens randomly and cannot be reproduced easily, but we can see in the XmlConfigurationProvider class that this case has been taken into account for the "result" tag:
<result>something</result>
See: https://github.com/apache/struts/blob/struts-2-5-x/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L767 where all node children of type Node.TEXT_NODE are concatenated to retrieve the text value, so even if the SAX parser returns multiple chunks, the word is correctly reconstructed.
As a workaround I created a custom configuration provider that overrides StrutsXmlConfigurationProvider and redefines the method "buildAllowedMethods" in order to parse all children of the node object, as done in method "buildResults". Note that the same problem applies for "global-allowed-methods" as the XmlConfigurationProvider also considers the first child only.