It now goes to just a blank page. Do I have an issue in my web.xml?

<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

-----Original Message-----
From: Yasser Zamani [mailto:yasser.zam...@live.com]
Sent: Saturday, July 22, 2017 2:18 AM
To: Struts Developers List <dev@struts.apache.org>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

I forgot to mention the following block in MYStrutsPrepareFilter.java, which is new and which I added recently (so please copy the whole new MYStrutsPrepareFilter.java):

> if (null != actionContext) {
>     ValueStack stack = actionContext.getValueStack();
>     stack.setValue("#request['MYUtils']", MYUtils);
> }

It avoids a null pointer exception. Please reply back to me with the exception stack trace if you encounter any.

IMPORTANT NOTE: To keep security, your MYUtils class should return only and only the necessary info (not less, not more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects. For example, the following get method wakes up currently fixed security issues:

public class MYUtils {
    ...
    public ActionContext getActionContext() {
        return ActionContext.getContext();
    }
    ...
}

On 7/22/2017 1:27 PM, Yasser Zamani wrote:
> Sorry! My previous code was sent via my mobile, which has a few typo
> errors because of issues with copy/paste :(
>
> Now, at my PC, I tested the following configuration, which works well :)
>
> 1. MYStrutsPrepareFilter.java
>
> *********************************************
> package me.zamani.yasser.ww_convention.utils;
>
> import java.io.IOException;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
>
> import org.apache.struts2.StrutsStatics;
> import com.opensymphony.xwork2.ActionContext;
> import com.opensymphony.xwork2.util.ValueStack;
>
> /**
>  * Runs between StrutsPrepareFilter and StrutsExecuteFilter and puts a
>  * MYUtils instance on the value stack as #request['MYUtils'], so JSPs
>  * can reach it through OGNL without touching excluded packages.
>  *
>  * @author zamani
>  */
> public class MYStrutsPrepareFilter implements Filter {
>
>     private MYUtils MYUtils;
>
>     public void init(FilterConfig filterConfig) throws ServletException {
>         MYUtils = new MYUtils();
>     }
>
>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>             throws IOException, ServletException {
>
>         // The ActionContext exists only once StrutsPrepareFilter has run;
>         // guard against null so the filter is harmless anywhere else.
>         ActionContext actionContext = ActionContext.getContext();
>         if (null != actionContext) {
>             ValueStack stack = actionContext.getValueStack();
>             stack.setValue("#request['MYUtils']", MYUtils);
>         }
>
>         chain.doFilter(req, res);
>     }
>
>     public void destroy() {
>         MYUtils = null;
>     }
>
>     /** Facade: exposes only a boolean, never the request object itself. */
>     public class MYUtils {
>         public boolean isUserInRole(String user) {
>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>                     .get(StrutsStatics.HTTP_REQUEST);
>             return httpsr.isUserInRole(user);
>         }
>     }
> }
> **********************************************************
>
> 2. web.xml
>
> **********************************************************
> <filter>
>     <filter-name>struts2prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts2execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
> </filter>
>
> <filter-mapping>
>     <filter-name>struts2prepare</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>struts2execute</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
> **************************************************************
>
> 3. hello.jsp
>
> **************************************************************
> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>     you are UserAdmin
> </s:if>
> <s:else>
>     you are not UserAdmin
> </s:else>
> **************************************************************
>
> Sincerely Yours,
> Yasser.
>
> On 7/22/2017 2:56 AM, Deborah White wrote:
>> And the jsp doesn't seem to like this syntax for some reason.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>> Sent: Friday, July 21, 2017 1:04 PM
>> To: Struts Developers List <dev@struts.apache.org>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> That is just an example. For your need, in more detail, you should try
>> something like these:
>>
>> 1. Add the following method to class MyUtil:
>>
>> public boolean isUserInRole(String user) {
>>     HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>             .get(StrutsStatics.HTTP_REQUEST);
>>     return httpsr.isUserInRole(user);
>> }
>>
>> 2. Your struts filters in web.xml should look like:
>>
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> 3. Finally, find and replace all of
>>
>> <s:if test='request.isUserInRole("UserAdmin")' >
>>
>> with
>>
>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>
>> I think something like these resolves your issue :) please try and let me
>> know.
>>
>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>
>>> This is what I currently have in my jsp:
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> Where would I put
>>> "#request['MYUtils'].requestURI"?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Friday, July 21, 2017 10:53 AM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> You are welcome :) In this solution, by OGNL, you only access the MyUtil
>>> object, and you add what you need from excluded packages into the MyUtil
>>> class as Java getters. Since MyUtil is not in the excluded packages, you
>>> can get what you need from excluded packages via OGNL through it.
>>>
>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>
>>>> Sorry, as I said I'm new. Will this allow access to the excluded packages
>>>> (ognl)?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> Hi there, welcome to the dev list :)
>>>>
>>>> Do you need access to excluded packages in your JSPs? I had a similar
>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>> anything and a find/replace did all the needed changes. Please review
>>>> my solution to see if it also resolves yours. If not, please feel free to
>>>> continue here for a solution :)
>>>>
>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>
>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>>> someone out there has been through this. Any help would be appreciated.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>
>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>> ------------------------------------------------------------
>>>>>
>>>>> The best place to ask such a question is to subscribe to the User
>>>>> Mailing list, as there are more eyes to help you:
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the
>>>>> exclusion. I would rather figure out in which expression you use this
>>>>> class and move the logic to an action.
>>>>>
>>>>>
>>>>> was (Author: lukaszlenart):
>>>>> The best place to ask such a question is to subscribe to the User
>>>>> Mailing list, as there are more eyes to help you:
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the
>>>>> exclusion. I would rather figure in which expression you use this class
>>>>> and move the logic to an action.
>>>>>
>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>> -----------------------------------
>>>>>>
>>>>>>                 Key: WW-4815
>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>             Project: Struts 2
>>>>>>          Issue Type: Temp
>>>>>>          Components: Core
>>>>>>    Affects Versions: 2.3.16.3
>>>>>>            Reporter: Deborah White
>>>>>>             Fix For: 2.3.32
>>>>>>
>>>>>>
>>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>>> know this is probably not the place to do this, but I'm not finding
>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>>> vulnerability. The problem is that the excluded classes in the
>>>>>> struts-default.xml are being used by my application and I certainly do
>>>>>> not have time to do a rewrite.
>>>>>> This is the warning I get, and then my application does not run as it
>>>>>> should because it seems it is not forwarding the roles:
>>>>>>
>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or
>>>>>> package of member [public boolean
>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>> are excluded!
>>>>>>
>>>>>> I need to know how I can safely modify the struts-default.xml and still
>>>>>> have the fix for the vulnerability. Also, if there is something I can
>>>>>> instead include in my struts.xml file that would override, that would be
>>>>>> better. Thank you.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was sent by Atlassian JIRA
>>>>> (v6.4.14#64029)
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>>> confidential and/or legally privileged information. It is solely for the
>>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>>> or disclosure is prohibited and may violate applicable laws including the
>>>>> Electronic Communications Privacy Act. If you are not the intended
>>>>> recipient, please contact the sender and destroy all copies of the
>>>>> communication.
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>> For additional commands, e-mail: dev-h...@struts.apache.org
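The IMPORTANT NOTE in Yasser's reply above (return only primitives and Strings from the facade, never objects such as ActionContext) is a rule that is easy to break months later, when someone adds a convenient getter to MYUtils. The WARN line in the JIRA description shows what the runtime check looks at (the package of the target and the package of the member); what you can review before deployment is the static return types of the facade. The following is an added example, not code from this thread or from Struts: a small reflection-based audit that walks every public instance method reachable from a facade class, transitively through the return types of non-primitive getters, and reports any path that hands out an instance of an excluded class or package. The EXCLUDED list, the FacadeAudit/SafeUtils/LeakyUtils/Helper class names and the findings format are assumptions made for the demo; take the real exclusion values from the struts.excludedClasses and struts.excludedPackageNames constants in the struts-default.xml of the version you run.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Static audit of a class that is about to be put on the OGNL value stack.
 *  Added example for this thread; not part of Struts. Names are assumptions. */
public class FacadeAudit {

    // Assumed stand-in for struts.excludedClasses / struts.excludedPackageNames.
    // Entries ending in "." are package prefixes; the rest are exact class names.
    // Copy the real values from the struts-default.xml of the version you run.
    static final String[] EXCLUDED = {
        "java.lang.Runtime", "java.lang.System", "java.lang.Class",
        "java.lang.ClassLoader", "java.lang.ProcessBuilder",
        "javax.", "ognl.", "com.opensymphony.xwork2."
    };

    static boolean isExcluded(Class<?> c) {
        String name = c.getName();
        for (String e : EXCLUDED) {
            if (e.endsWith(".") ? name.startsWith(e) : name.equals(e)) {
                return true;
            }
        }
        return false;
    }

    /** Values an expression can print or compare but not navigate further from. */
    static boolean isPlainValue(Class<?> c) {
        if (c.isArray()) {
            return isPlainValue(c.getComponentType());
        }
        return c.isPrimitive() || c == String.class || c.isEnum()
            || Number.class.isAssignableFrom(c) || c == Boolean.class
            || c == Character.class;
    }

    /** Walks the public instance methods of root and, transitively, of every
     *  non-plain type they return. Findings:
     *    LEAK   - the method hands out an instance of an excluded type
     *    REVIEW - the method returns an object that is neither plain nor excluded;
     *             it is walked too, and should be justified against the thread's
     *             rule ("primitive types as much as possible"). */
    static List<String> audit(Class<?> root) {
        List<String> findings = new ArrayList<>();
        Set<Class<?>> seen = new HashSet<>();
        Deque<Object[]> work = new ArrayDeque<>();   // {Class<?> type, String path}
        work.add(new Object[] { root, root.getSimpleName() });

        while (!work.isEmpty()) {
            Object[] item = work.poll();
            Class<?> type = (Class<?>) item[0];
            String path = (String) item[1];
            if (!seen.add(type)) {
                continue;                            // already walked
            }
            // getMethods() lists public methods including inherited ones, which is
            // what an OGNL expression can call (any public method, not only get/is).
            for (Method m : type.getMethods()) {
                if (Modifier.isStatic(m.getModifiers())
                        || m.getDeclaringClass() == Object.class) {
                    continue;   // Object's methods are on every class; not a facade design issue
                }
                Class<?> ret = m.getReturnType();
                if (ret == void.class || isPlainValue(ret)) {
                    continue;
                }
                String here = path + "." + m.getName() + "()";
                Class<?> target = ret.isArray() ? ret.getComponentType() : ret;
                if (isExcluded(target)) {
                    findings.add("LEAK " + here + " -> " + target.getName());
                } else {
                    findings.add("REVIEW " + here + " -> " + target.getName());
                    work.add(new Object[] { target, here });
                }
            }
        }
        return findings;
    }

    // ---- demo classes modelled on the thread's MYUtils (assumptions, not the real code) ----

    /** Follows the rule: only booleans and Strings leave the facade. */
    public static class SafeUtils {
        public boolean isUserInRole(String role) { return "UserAdmin".equals(role); }
        public String getRemoteUser() { return "alice"; }
    }

    /** The anti-pattern from the IMPORTANT NOTE: getters that hand back sensitive objects. */
    public static class LeakyUtils {
        public boolean isUserInRole(String role) { return false; }
        public Runtime getRuntime() { return Runtime.getRuntime(); }   // direct leak
        public Helper getHelper() { return new Helper(); }             // leak two hops away
    }

    public static class Helper {
        public ClassLoader getLoader() { return Helper.class.getClassLoader(); }
    }

    public static void main(String[] args) {
        System.out.println("SafeUtils:  " + audit(SafeUtils.class));
        System.out.println("LeakyUtils: " + audit(LeakyUtils.class));
    }
}
```

Compile and run with `javac FacadeAudit.java && java FacadeAudit`. SafeUtils yields no findings. LeakyUtils yields a LEAK for getRuntime(), a REVIEW for getHelper(), and, because the walk continues into Helper, a second LEAK for getHelper().getLoader(); the order of the entries follows getMethods(), which is not guaranteed. Collection and Map return types come out as REVIEW entries, since this audit does not inspect generic element types, so those need a manual look. Run it against the real MYUtils (with the real exclusion list) as part of the build, and any later "just one more getter" that returns a request, session or context object shows up before it reaches a JSP.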