/struts/webconsole.html is still working after setting Struts2 devMode=false


I set the following configuration parameters in struts.xml:

<constant name="struts.devMode" value="false" />
<constant name="struts.configuration.xml.reload" value="true" />
<constant name="struts.i18n.reload" value="false" />

and in struts.properties: struts.devMode=false

Still, the webconsole.html page is loading. How can I resolve this issue?

There are 4 answers

1
meskobalazs On

The devMode property has nothing to do with webconsole, it only does these things:

  • When enabled, Struts 2 will reload your resource bundles on every request (meaning you can change your .properties files, save them, and see the changes reflected on the next request).
  • It will also reload your xml configuration files (struts.xml), your validation files, and so on, on every request. This is useful for testing or fine-tuning your configuration without having to redeploy your application every time.
  • And thirdly, perhaps the setting which is less widely known, and therefore a source of much confusion: it will raise the level of debug or normally ignorable problems to errors. For example: when you submit a field which cannot be set on an action 'someUnknownField', it will normally be ignored. However, when you're in development mode, an exception will be thrown, telling you an invalid field was submitted. This is very useful for debugging or testing large forms, but can also be confusing if you're relying on parameters in your request that are not set on the action, but which you are using directly in your view layer (warning: bad practice, you should always validate input from the web).

I am assuming you are coming from here. My advice is: you should not even deploy this component on a production machine.

0
Rajeev Ranjan On

Simply write the following line inside the <struts> tag.

<constant name="struts.action.excludePattern" value="/struts/webconsole.html" />

0
Alireza Fattahi On

The webconsole.html will be displayed even if you set devMode parameters to false, and even if the debugging interceptor is not in the interceptor packages at all!

The Struts 2 webconsole.html is displayed because Struts loads it as a static resource. Please have a look at DefaultStaticContentLoader.

By examining the loaded webconsole.html I find that it will not work. Even if you try to fix it with some JavaScript changes, the DebuggingInterceptor will not accept any data from this page if Struts is not in devMode.

@RajeevRanjan's answer works fine. Just add:

<constant name="struts.action.excludePattern" value="/struts/webconsole.html"/>

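If you want nothing to be accessible, you must also add the CSS and JS which are used by this interceptor:

<!-- A repeated constant name overrides the earlier value; the value is a comma-separated list of regex patterns, so list all three files in one constant -->
<constant name="struts.action.excludePattern" value="/struts/webconsole.html,/struts/webconsole.css,/struts/webconsole.js"/>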

I think this should/could be fixed; please see https://issues.apache.org/jira/browse/WW-4601.
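An added check, not part of the answers on this page or of Struts itself: it reads a struts.xml, works out which struts.action.excludePattern value is actually in effect, and reports which webconsole resources would still be served. It assumes that a repeated constant name overrides the earlier definition, that the value is a comma-separated list of regular expressions matched against the whole request path, and that Python's re is close enough to java.util.regex for such simple patterns; the function names and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Static resources of the debugging console named in the answers above.
WEBCONSOLE_PATHS = (
    "/struts/webconsole.html",
    "/struts/webconsole.css",
    "/struts/webconsole.js",
)
EXCLUDE_KEY = "struts.action.excludePattern"


def effective_constants(struts_xml):
    """Return (constants, overridden); assumes the last definition of a name wins."""
    constants, overridden = {}, []
    for node in ET.fromstring(struts_xml).iter("constant"):
        name, value = node.get("name"), node.get("value", "")
        if name in constants:
            overridden.append((name, constants[name]))
        constants[name] = value
    return constants, overridden


def unexcluded_paths(struts_xml, paths=WEBCONSOLE_PATHS):
    """List the paths that no effective exclude pattern matches in full."""
    constants, _ = effective_constants(struts_xml)
    raw = constants.get(EXCLUDE_KEY, "")
    # Assumption: comma-separated regexes, each applied as a full match.
    patterns = [re.compile(p.strip()) for p in raw.split(",") if p.strip()]
    return [p for p in paths if not any(rx.fullmatch(p) for rx in patterns)]


# Constructed sample: the same constant name repeated once per file.
REPEATED = """<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.action.excludePattern" value="/struts/webconsole.html"/>
  <constant name="struts.action.excludePattern" value="/struts/webconsole.css"/>
  <constant name="struts.action.excludePattern" value="/struts/webconsole.js"/>
</struts>"""

# Constructed sample: a single constant whose one regex covers all three files.
COMBINED = """<struts>
  <constant name="struts.action.excludePattern" value="/struts/webconsole\\..*"/>
</struts>"""

if __name__ == "__main__":
    for label, doc in (("repeated", REPEATED), ("combined", COMBINED)):
        print(label, "still served:", unexcluded_paths(doc),
              "overridden:", effective_constants(doc)[1])
```

Run against a deployed application's own struts.xml, a non-empty result means the static loader described above would still hand out that file.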

0
Kritsanai Lerlertvanich On

When we set dev-mode to false, the client cannot inject anything via webconsole.html. By the way, this webconsole.html page still exists, so we can hide it by setting a security-constraint in web.xml to prevent access to this file:

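<security-constraint>
  <web-resource-collection>
    <web-resource-name>OGNLconsole</web-resource-name>
    <!-- Servlet url-patterns are exact paths, "/prefix/*" or "*.ext", so list each file -->
    <url-pattern>/struts/webconsole.html</url-pattern>
    <url-pattern>/struts/webconsole.css</url-pattern>
    <url-pattern>/struts/webconsole.js</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint denies access to everyone -->
  <auth-constraint/>
</security-constraint>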