I forgot to mention the following block in MYStrutsPrepareFilter.java, which is new and I added recently (so please copy the whole new MYStrutsPrepareFilter.java):

> if(null != actionContext) {
>     ValueStack stack = actionContext.getValueStack();
>     stack.setValue("#request['MYUtils']", MYUtils);
> }

It avoids a null pointer exception. Please reply back to me with the `exception stack trace` if you encounter any.

IMPORTANT NOTE: To keep security, your MYUtils class should return only and only the necessary info (not less, not more) in primitive types like string, boolean, int, etc. as much as possible rather than sensitive objects. For example, the following get method wakes up currently fixed security issues:

public class MYUtils {
    ...
    public ActionContext getActionContext() {
        return ActionContext.getContext();
    }
    ...
}

On 7/22/2017 1:27 PM, Yasser Zamani wrote:
> Sorry! My previous code was sent via my mobile, which has a few typo
> errors because of issues with copy/paste :(
>
> Now, at my PC, I tested the following configuration, which works well :)
>
> 1. MYStrutsPrepareFilter.java
>
> *********************************************
> package me.zamani.yasser.ww_convention.utils;
>
> import java.io.IOException;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
>
> import org.apache.struts2.StrutsStatics;
> import com.opensymphony.xwork2.ActionContext;
> import com.opensymphony.xwork2.util.ValueStack;
>
> /**
>  * @author zamani
>  *
>  */
> public class MYStrutsPrepareFilter implements Filter {
>
>     private MYUtils MYUtils;
>
>     public void init(FilterConfig filterConfig) throws ServletException {
>         MYUtils = new MYUtils();
>     }
>
>     public void doFilter(ServletRequest req, ServletResponse res,
>                          FilterChain chain)
>             throws IOException, ServletException {
>
>         // StrutsPrepareFilter runs before this filter (see web.xml), so the
>         // ActionContext normally exists here; the null check covers requests
>         // that reach this filter without one.
>         ActionContext actionContext = ActionContext.getContext();
>         if(null != actionContext) {
>             ValueStack stack = actionContext.getValueStack();
>             stack.setValue("#request['MYUtils']", MYUtils);
>         }
>
>         chain.doFilter(req, res);
>     }
>
>     public void destroy() {
>         MYUtils = null;
>     }
>
>
>     public class MYUtils {
>         public boolean isUserInRole (String user) {
>             HttpServletRequest httpsr = ((HttpServletRequest)
>                     ActionContext.getContext()
>                             .get(StrutsStatics.HTTP_REQUEST));
>             return httpsr.isUserInRole(user);
>         }
>     }
> }
> **********************************************************
>
> 2. web.xml
>
> **********************************************************
> <filter>
>     <filter-name>struts2prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts2execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
> </filter>
>
> <filter-mapping>
>     <filter-name>struts2prepare</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>struts2execute</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
> **************************************************************
>
> 3. hello.jsp
>
> **************************************************************
> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>     you are UserAdmin
> </s:if>
> <s:else>
>     you are not UserAdmin
> </s:else>
> **************************************************************
>
> Sincerely Yours,
> Yasser.
>
> On 7/22/2017 2:56 AM, Deborah White wrote:
>> And the jsp doesn't seem to like this syntax for some reason.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>> Sent: Friday, July 21, 2017 1:04 PM
>> To: Struts Developers List <dev@struts.apache.org>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>
>> That is just an example. For your need, in more detail, you should try
>> something like these:
>>
>> 1. Add the following method to class MyUtil:
>>
>> public boolean isUserInRole (String user) {
>>     HttpServletRequest httpsr = ((HttpServletRequest)
>>             ActionContext.getContext()
>>                     .get(StrutsStatics.HTTP_REQUEST));
>>     return httpsr.isUserInRole (user);
>> }
>>
>> 2. Your struts filters in web.xml should look like:
>>
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> 3. Finally, find and replace all of
>>
>> <s:if test='request.isUserInRole("UserAdmin")' >
>>
>> with
>>
>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>
>> I think something like these resolve your issue :) please try and let me
>> know.
>>
>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>
>>> This is what I currently have in my jsp:
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> Where would I put
>>> "#request['MYUtils'].requestURI?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Friday, July 21, 2017 10:53 AM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>
>>> You are welcome :) In this solution, by ognl, you only access the MyUtil
>>> object and you add what you need from excluded packages into the MyUtil class
>>> as java getters. While MyUtil is not in excluded packages, so, you can get
>>> what you need from excluded packages via ognl then it.
>>>
>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>
>>>> Sorry, as I said I'm new. Will this allow access to the excluded packages
>>>> (ognl)?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>
>>>> Hi there, welcome to the dev list :)
>>>>
>>>> Do you need access to excluded packages in your JSPs? I had a similar
>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>> anything and a find/replace did all the needed changes. Please review my
>>>> solution to see if it also resolves yours. If not, please feel free to continue
>>>> here for a solution :)
>>>>
>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>
>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>>> someone out there has been through this. Any help would be appreciated.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>
>>>>>
>>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>
>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>> ------------------------------------------------------------
>>>>>
>>>>> The best place to ask such a question is to subscribe to the User
>>>>> Mailing list as there are more eyes to help you
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the
>>>>> exclusion, I would rather figure out in which expression you use this
>>>>> class and move the logic to an action.
>>>>>
>>>>>
>>>>> was (Author: lukaszlenart):
>>>>> The best place to ask such a question is to subscribe to the User
>>>>> Mailing list as there are more eyes to help you
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the
>>>>> exclusion, I would rather figure in which expression you use this class
>>>>> and move the logic to an action.
>>>>>
>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>> -----------------------------------
>>>>>>
>>>>>>                 Key: WW-4815
>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>             Project: Struts 2
>>>>>>          Issue Type: Temp
>>>>>>          Components: Core
>>>>>>    Affects Versions: 2.3.16.3
>>>>>>            Reporter: Deborah White
>>>>>>             Fix For: 2.3.32
>>>>>>
>>>>>>
>>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>>> know this is probably not the place to do this, but I'm not finding
>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>>> vulnerability. The problem is that the excluded classes in the
>>>>>> struts-default.xml are being used by my application and I certainly do
>>>>>> not have time to do a rewrite.
>>>>>> This is the Warning I get and then my application does not run as it
>>>>>> should because it seems it is not forwarding the roles:
>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or
>>>>>> package of member [public boolean
>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>> are excluded!
>>>>>> I need to know how I can safely modify the struts-default.xml and still
>>>>>> have the fix for the vulnerability. Also, if there is something I can
>>>>>> instead include in my struts.xml file that would override, that would be
>>>>>> better. Thank you.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was sent by Atlassian JIRA
>>>>> (v6.4.14#64029)
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>>> confidential and/or legally privileged information. It is solely for the
>>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>>> or disclosure is prohibited and may violate applicable laws including the
>>>>> Electronic Communications Privacy Act. If you are not the intended
>>>>> recipient, please contact the sender and destroy all copies of the
>>>>> communication.
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For
>>>> additional commands, e-mail: dev-h...@struts.apache.org
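A standalone version of the MYUtils facade that follows the IMPORTANT NOTE above, written here as an added example (it is not code from the thread or from the Struts project); it reuses the thread's package name and the Struts 2.3.x classes shown in MYStrutsPrepareFilter.java, returns only boolean and String values, and handles the case where no Struts request is on the thread.

```java
package me.zamani.yasser.ww_convention.utils; // package taken from the thread; class is an added example

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;
import com.opensymphony.xwork2.ActionContext;

/**
 * Facade reached from JSPs as #request['MYUtils'] after MYStrutsPrepareFilter
 * puts it on the value stack. Every public method returns a primitive or a
 * String, so an OGNL expression can never walk from this object into
 * javax.servlet.* or the dispatcher package that SecurityMemberAccess excludes.
 */
public final class MYUtils {

    /** Current HttpServletRequest, or null when called outside a Struts request. */
    private static HttpServletRequest currentRequest() {
        ActionContext ctx = ActionContext.getContext();
        if (ctx == null) {
            return null;
        }
        return (HttpServletRequest) ctx.get(StrutsStatics.HTTP_REQUEST);
    }

    /** Replacement for request.isUserInRole(...) in JSPs; false when no request exists. */
    public boolean isUserInRole(String role) {
        HttpServletRequest request = currentRequest();
        return request != null && role != null && request.isUserInRole(role);
    }

    /** Replacement for request.requestURI; usable in JSP as #request['MYUtils'].requestURI. */
    public String getRequestURI() {
        HttpServletRequest request = currentRequest();
        return request == null ? "" : request.getRequestURI();
    }

    // Deliberately absent: getActionContext(), getRequest() or any other getter
    // that returns a servlet or xwork object. Such a getter would hand OGNL a
    // reference into the excluded packages and undo the fix the 2.3.32 upgrade
    // was made for, which is exactly the getActionContext() anti-pattern above.
}
```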