lukaszlenart opened a new pull request, #1592:
URL: https://github.com/apache/struts/pull/1592

   ## Summary
   
   - Fix `DefaultActionProxy.resolveMethod()` to only set `methodSpecified=false` when defaulting to `"execute"`, not when the method is resolved from `ActionConfig` (including wildcard substitutions like `method="{1}"`)
   - Update `ActionProxy.isMethodSpecified()` Javadoc to reflect corrected semantics
   - Add unit tests for `isMethodSpecified()` covering explicit, config-resolved, wildcard, and default cases
   
   Fixes [WW-5535](https://issues.apache.org/jira/browse/WW-5535)
   
   ## Problem
   
   For wildcard actions like `<action name="example-*" method="do{1}">`, `DefaultActionProxy.resolveMethod()` unconditionally set `methodSpecified = false` when the method wasn't passed explicitly from the URL. This included methods resolved from `ActionConfig` after wildcard substitution. As a result, `HttpMethodInterceptor` would skip method-level `@HttpPost`/`@HttpGet` annotation checks and fall back to class-level annotations — undermining security validation.
   
   ## Fix
   
   Moved `methodSpecified = false` inside the inner `if` block that defaults to `"execute"`, so it only triggers for the true default case. Methods resolved from config (including wildcard-substituted values) now correctly report `isMethodSpecified() == true`.
   
   ## Test plan
   
   - [x] `DefaultActionProxyTest` — 4 new tests for `isMethodSpecified()` semantics (explicit, config, wildcard, default)
   - [x] `HttpMethodInterceptorTest` — 3 new tests verifying method-level annotation checks with wildcard-resolved methods
   - [x] All existing tests pass unchanged
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


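The flag semantics described in the pull request above, as an added example that is not part of the pull request or of the Struts code base. It is a simplified model: `resolveBefore`, `resolveAfter`, `allowed`, the `doDelete` method and the verb sets are hypothetical stand-ins for `DefaultActionProxy.resolveMethod()`, `HttpMethodInterceptor` and the `@HttpPost`/`@HttpGet` annotations.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the behaviour described in the PR; not Struts source code.
public class MethodSpecifiedModel {
    static final String DEFAULT_METHOD = "execute";

    record Resolved(String method, boolean methodSpecified) {}

    static boolean empty(String s) { return s == null || s.isEmpty(); }

    // Before the fix: the flag is cleared whenever the URL carried no method,
    // even if the config (after wildcard substitution) supplied one.
    static Resolved resolveBefore(String urlMethod, String configMethod) {
        if (!empty(urlMethod)) return new Resolved(urlMethod, true);
        return new Resolved(empty(configMethod) ? DEFAULT_METHOD : configMethod, false);
    }

    // After the fix: the flag is cleared only when defaulting to "execute".
    static Resolved resolveAfter(String urlMethod, String configMethod) {
        if (!empty(urlMethod)) return new Resolved(urlMethod, true);
        if (!empty(configMethod)) return new Resolved(configMethod, true);
        return new Resolved(DEFAULT_METHOD, false);
    }

    // Stand-in for the interceptor's choice: method-level rules are consulted
    // only when methodSpecified is true; otherwise class-level rules apply.
    static boolean allowed(Resolved r, String verb,
                           Map<String, Set<String>> methodRules, Set<String> classRules) {
        Set<String> rules = r.methodSpecified() && methodRules.containsKey(r.method())
                ? methodRules.get(r.method()) : classRules;
        return rules.contains(verb);
    }

    public static void main(String[] args) {
        // <action name="example-*" method="do{1}"> matched against "example-Delete" (constructed request)
        String configMethod = "do{1}".replace("{1}", "Delete"); // wildcard-substituted method name
        Map<String, Set<String>> methodRules = Map.of("doDelete", Set.of("POST")); // models @HttpPost on doDelete
        Set<String> classRules = Set.of("GET", "POST"); // models the class-level annotations

        Resolved before = resolveBefore(null, configMethod);
        Resolved after = resolveAfter(null, configMethod);
        System.out.println("before fix: " + before + ", GET allowed=" + allowed(before, "GET", methodRules, classRules));
        System.out.println("after fix:  " + after + ", GET allowed=" + allowed(after, "GET", methodRules, classRules));
        System.out.println("no method anywhere: " + resolveAfter(null, null));
    }
}
```

The same comparison is a quick regression check for any custom interceptor that branches on `isMethodSpecified()`: a wildcard-resolved method should be treated like an explicitly named one.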