Re: [ANN] Struts 2.3.15.2 GA release available - security fix

[Emi Lu <emilu () encs concordia ca>]

Good morning,

Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:


(1) jsp:
<s:form
   name    = "loginForm"
   namespace= "/Login"
   action   = "ProcessLoginAction"
   method   = "post"
   theme="simple"
>

<s:submit value="Login"
          theme="simple"
          action="loginProcessLoginAction" />   --- never call 
loginProcessLoginAction



(2) struts.xml
<package name="Login" namespace="/Login" extends="tiles-default">
<action name="*ProcessLoginAction"  method="{1}" class="ProcessLoginAction">
  <result name="success"   type="tiles">main_menu</result>
  <result name="ajax_check" >
  /WEB-INF/pages/errorinfo/ajax_error_check.jsp
  </result>
</action>


(3) ProcessLoginAction.java
   public String login() throws Exception
   {
      try
      {
        ......
      }catch(Exception e)
      {
         log.error("login Error: " + e.getMessage());
         log.error(e);
         this.addActionError("login Error: " + e.getMessage());
      }
      return "success";
   }


The problem is that "loginProcessLoginAction in jsp page" is never be 
called.

Could you help?
Thanks,
Emi



On 09/21/2013 12:06 PM, Lukasz Lenart wrote:
> The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
> available as a "General Availability" release.The GA designation is
> our highest quality grade.
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> This release includes important security fixes:
> - S2-018 - Broken Access Control Vulnerability in Apache Struts2
> - S2-019 - Dynamic Method Invocation disabled by default
>
> All developers are strongly advised to update existing Struts 2
> applications to Struts 2.3.15.2
>
> Struts 2.3.15.2 is available in a full distribution, or as separate
> library, source, example and documentation distributions, from the
> releases page.
> * http://struts.apache.org/download.cgi#struts23152
>
> The release is also available from the central Maven repository under
> Group ID "org.apache.struts".
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions:
> * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
> * Java 2 Standard Platform Edition (J2SE) 5
>
> The release notes are available online at:
> * http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.appropriate, file a tracking
> ticket:
> * https://issues.apache.org/jira/browse/WW
>
>
> - The Apache Struts group.
>
>
> Regards