Yes, I think you should have mappings for all of them, in the following order:

<filter-mapping>
    <filter-name>struts-prepare</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>struts-execute</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
On 7/24/2017 8:19 PM, Deborah White wrote:
> It now goes to just a blank page. Do I have an issue in my web.xml?
>
> <filter>
>     <filter-name>struts-prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts-execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
>
> <filter-mapping>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Saturday, July 22, 2017 2:18 AM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> I forgot to say about the following block in MYStrutsPrepareFilter.java, which is new and I added recently (so please copy the whole new MYStrutsPrepareFilter.java):
>
>     if(null != actionContext) {
>         ValueStack stack = actionContext.getValueStack();
>         stack.setValue("#request['MYUtils']", MYUtils);
>     }
>
> It avoids a null pointer exception.
>
> Please reply back to me with the `exception stack trace` if you encounter any.
>
> IMPORTANT NOTE:
>
> To keep security, your MYUtils class should return only and only necessary info (not less, not more) in primitive types like string, boolean, int, etc. as much as possible rather than sensitive objects.
> For example, the following get method wakes up currently fixed security issues:
>
>     public class MYUtils {...
>         public ActionContext getActionContext() {
>             return ActionContext.getContext();
>         }
>     ...}
>
> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>> Sorry!
>> My previous code was sent via my mobile, which has a few typo errors because of issues with copy/paste :(
>>
>> Now, at my PC, I tested the following configuration, which works well :)
>>
>> 1. MYStrutsPrepareFilter.java
>>
>> *********************************************
>> package me.zamani.yasser.ww_convention.utils;
>>
>> import java.io.IOException;
>>
>> import javax.servlet.Filter;
>> import javax.servlet.FilterChain;
>> import javax.servlet.FilterConfig;
>> import javax.servlet.ServletException;
>> import javax.servlet.ServletRequest;
>> import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>>
>> import org.apache.struts2.StrutsStatics;
>> import com.opensymphony.xwork2.ActionContext;
>> import com.opensymphony.xwork2.util.ValueStack;
>>
>> /**
>>  * @author zamani
>>  *
>>  */
>> public class MYStrutsPrepareFilter implements Filter {
>>
>>     private MYUtils MYUtils;
>>
>>     public void init(FilterConfig filterConfig) throws ServletException {
>>         MYUtils = new MYUtils();
>>     }
>>
>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>             throws IOException, ServletException {
>>
>>         // the ActionContext only exists here if StrutsPrepareFilter ran before this filter
>>         ActionContext actionContext = ActionContext.getContext();
>>         if(null != actionContext) {
>>             ValueStack stack = actionContext.getValueStack();
>>             // expose the helper to OGNL as #request['MYUtils']
>>             stack.setValue("#request['MYUtils']", MYUtils);
>>         }
>>
>>         chain.doFilter(req, res);
>>     }
>>
>>     public void destroy() {
>>         MYUtils = null;
>>     }
>>
>>     // returns only a boolean, so the excluded HttpServletRequest itself is never reachable from OGNL
>>     public class MYUtils {
>>         public boolean isUserInRole (String user) {
>>             HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>                     .get(StrutsStatics.HTTP_REQUEST));
>>             return httpsr.isUserInRole(user);
>>         }
>>     }
>> }
>> **********************************************************
>>
>> 2.
>> web.xml
>>
>> **********************************************************
>> <filter>
>>     <filter-name>struts2prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts2execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>struts2prepare</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>>     <filter-name>struts2execute</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> **************************************************************
>>
>> 3. hello.jsp
>>
>> **************************************************************
>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>     you are UserAdmin
>> </s:if>
>> <s:else>
>>     you are not UserAdmin
>> </s:else>
>> **************************************************************
>>
>> Sincerely Yours,
>> Yasser.
>>
>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>> And the jsp doesn't seem to like this syntax for some reason.
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Friday, July 21, 2017 1:04 PM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>
>>> That is just an example. For your need, in more detail, you should try something like these:
>>>
>>> 1.
>>> Add the following method to class MyUtil:
>>>
>>> public boolean isUserInRole (String user) {
>>>     HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>             .get(StrutsStatics.HTTP_REQUEST));
>>>     return httpsr.isUserInRole(user);
>>> }
>>>
>>> 2. Your struts filters in web.xml should look like:
>>>
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>>
>>> 3. Finally, find and replace all of
>>>
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> with
>>>
>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>>
>>> I think something like these resolves your issue :) please try and let me know.
>>>
>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>
>>>> This is what I currently have in my jsp:
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> Where would I put
>>>> "#request['MYUtils'].requestURI?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>
>>>> You are welcome :) In this solution, by OGNL, you only access the MyUtil object, and you add what you need from excluded packages into the MyUtil class as Java getters. While MyUtil is not in excluded packages, you can get what you need from excluded packages via OGNL through it.
>>>>
>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>
>>>>> Sorry, as I said I'm new. Will this allow access to the excluded packages (ognl)?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>
>>>>> Hi there, welcome to the dev list :)
>>>>>
>>>>> Do you need access to excluded packages in your JSPs? I had a similar issue and you can see my solution at [1]. I did not need to rewrite anything and a find/replace did all the needed changes. Please review my solution to see if it also resolves yours. If not, please feel free to continue here for a solution :)
>>>>>
>>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>
>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>> Please see the content below. Fairly new to Struts and I'm guessing someone out there has been through this. Any help would be appreciated.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>
>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The best place to ask such a question is to subscribe to the User Mailing list as there are more eyes to help you http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>
>>>>>> was (Author: lukaszlenart):
>>>>>> The best place to ask such a question is to subscribe to the User Mailing list as there are more eyes to help you http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>> -----------------------------------
>>>>>>>
>>>>>>>                 Key: WW-4815
>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>             Project: Struts 2
>>>>>>>          Issue Type: Temp
>>>>>>>          Components: Core
>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>            Reporter: Deborah White
>>>>>>>             Fix For: 2.3.32
>>>>>>>
>>>>>>>
>>>>>>> I need some assistance and am hoping you can provide some insight. I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability. The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>> This is the Warning I get, and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability. Also, if there is something I can instead include in my struts.xml file that would override, that would be better. Thank you.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message was sent by Atlassian JIRA
>>>>>> (v6.4.14#64029)
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>> For additional commands, e-mail: dev-h...@struts.apache.org