Yes, I think you should have mappings for all of them, in the following order:

      <filter-mapping>
          <filter-name>struts-prepare</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>MYStrutsPrepareFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>struts-execute</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>


On 7/24/2017 8:19 PM, Deborah White wrote:
> It now goes to just a blank page.  Do I have an issue in my web.xml?
> <filter>
>     <filter-name>struts-prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts-execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
>     <filter-mapping>
>         <filter-name>MYStrutsPrepareFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>         <dispatcher>FORWARD</dispatcher>
>         <dispatcher>REQUEST</dispatcher>
>     </filter-mapping>
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Saturday, July 22, 2017 2:18 AM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 
> to 2.3.32
>
> I forgot to say about following block in MYStrutsPrepareFilter.java which is 
> new and I added recently (so please copy the whole new
> MYStrutsPrepareFilter.java) :
>
>  >              if(null != actionContext) {
>  >                      ValueStack stack = actionContext.getValueStack();
>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>  >              }
>
> It avoids null pointer exception.
>
> Please reply back to me the `exception stack trace` if you encounter any.
>
> IMPORTANT NOTE:
>
> To keep security, your MYUtils class should return only and only necessary 
> info (not less not more) in primitive types like string, boolean, int, etc. 
> as much as possible rather than sensitive objects.
> For example, the following get method wakes up currently fixed security issues:
>
>                 public class MYUtils {...
>                         public ActionContext getActionContext() {
>                                 return ActionContext.getContext();
>                         }
>                 ...}
>
>
> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>> Sorry! My previous code was sent via my mobile, which has a few typos
>> because of issues with copy/paste :(
>>
>> Now, at my PC, I tested following configuration which works well :)
>>
>> 1. MYStrutsPrepareFilter.java
>>
>> *********************************************
>> package me.zamani.yasser.ww_convention.utils;
>>
>> import java.io.IOException;
>>
>> import javax.servlet.Filter;
>> import javax.servlet.FilterChain;
>> import javax.servlet.FilterConfig;
>> import javax.servlet.ServletException;
>> import javax.servlet.ServletRequest;
>> import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>>
>> import org.apache.struts2.StrutsStatics;
>> import com.opensymphony.xwork2.ActionContext;
>> import com.opensymphony.xwork2.util.ValueStack;
>>
>> /**
>>   * @author zamani
>>   *
>>   */
>> public class MYStrutsPrepareFilter implements Filter {
>>
>>       private MYUtils MYUtils;
>>
>>       public void init(FilterConfig filterConfig) throws ServletException {
>>               MYUtils = new MYUtils();
>>       }
>>
>>       public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>                       throws IOException, ServletException {
>>
>>               ActionContext actionContext = ActionContext.getContext();
>>               if(null != actionContext) {
>>                       ValueStack stack = actionContext.getValueStack();
>>                       stack.setValue("#request['MYUtils']", MYUtils);
>>               }
>>
>>               chain.doFilter(req, res);
>>       }
>>
>>       public void destroy() {
>>               MYUtils = null;
>>       }
>>
>>
>>       public class MYUtils {
>>               public boolean isUserInRole (String user) {
>>                       HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>                                       .get(StrutsStatics.HTTP_REQUEST));
>>                       return httpsr.isUserInRole(user);
>>               }
>>       }
>> }
>> **********************************************************
>>
>> 2. web.xml
>>
>> **********************************************************
>>      <filter>
>>          <filter-name>struts2prepare</filter-name>
>>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>      </filter>
>>
>>      <filter>
>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>          <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>      </filter>
>>
>>      <filter>
>>          <filter-name>struts2execute</filter-name>
>>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>      </filter>
>>
>>      <filter-mapping>
>>          <filter-name>struts2prepare</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>>
>>      <filter-mapping>
>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>>
>>      <filter-mapping>
>>          <filter-name>struts2execute</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>> **************************************************************
>>
>> 3. hello.jsp
>>
>> **************************************************************
>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>      you are UserAdmin
>>      </s:if>
>>      <s:else>
>>      you are not UserAdmin
>>      </s:else>
>> **************************************************************
>>
>> Sincerely Yours,
>> Yasser.
>>
>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>> And the jsp doesn't seem to like this syntax for some reason.
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Friday, July 21, 2017 1:04 PM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> That is just an example. For your need, in more detail, you should try 
>>> something like these:
>>>
>>> 1. Add following method to class MyUtil:
>>>
>>>                 public boolean isUserInRole (String user) {
>>>                         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>                                         .get(StrutsStatics.HTTP_REQUEST));
>>>                         return httpsr.isUserInRole (user);
>>>                 }
>>>
>>> 2. Your struts filters in web.xml should look like:
>>>
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>>
>>> 3. Finally find and replace all of
>>>
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> With
>>>
>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>
>>> I think something like these resolve your issue :) please try and let me 
>>> know.
>>>
>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>
>>>> This is what I currently have in my jsp:
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> Where would I put
>>>> "#request['MYUtils'].requestURI?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> You are welcome :) In this solution, by ognl, you only access the MyUtil 
>>>> object and you add what you need from excluded packages into MyUtil class 
>>>> as java getters. While MyUtil is not in excluded packages, so, you can get 
>>>> what you need from excluded packages via ognl then it.
>>>>
>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>
>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded 
>>>>> packages (ognl)?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> Hi there, welcome to dev list :)
>>>>>
>>>>> Do you need access to excluded packages in your JSPs? I had similar
>>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>>> any thing and a find/replace did all needed changes. Please review
>>>>> my solution if also resolves your one. If not, please feel free
>>>>> continue here for a solution :)
>>>>>
>>>>> [1]
>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>
>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing 
>>>>>> someone out there has been through this.  Any help would be appreciated.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>>
>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>
>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the 
>>>>>> exclusion, I would rather figure out in which expression you use this 
>>>>>> class and move the logic to an action.
>>>>>>
>>>>>>
>>>>>> was (Author: lukaszlenart):
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the 
>>>>>> exclusion, I would rather figure in which expression you use this class 
>>>>>> and move the logic to an action.
>>>>>>
>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>> -----------------------------------
>>>>>>>
>>>>>>>                 Key: WW-4815
>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>             Project: Struts 2
>>>>>>>          Issue Type: Temp
>>>>>>>          Components: Core
>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>            Reporter: Deborah White
>>>>>>>             Fix For: 2.3.32
>>>>>>>
>>>>>>>
>>>>>>> I need some assistance and am hoping you can provide some insight.  I 
>>>>>>> know this is probably not the place to do this, but I'm not finding 
>>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the 
>>>>>>> vulnerability.  The problem is that the excluded classes in the 
>>>>>>> struts-default.xml are being used by my application and I certainly do 
>>>>>>> not have time to do a rewrite.
>>>>>>> This is the Warning I get and then my application does not run as it 
>>>>>>> should because it seems it is not forwarding the roles:
>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of 
>>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or 
>>>>>>> package of member [public boolean 
>>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>>>  are excluded!
>>>>>>> I need to know how I can safely modify the struts-default.xml and still 
>>>>>>> have the fix for the vulnerability.  Also, if there is something I can 
>>>>>>> instead include in my struts.xml file that would override, that would 
>>>>>>> be better.  Thank you.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message was sent by Atlassian JIRA
>>>>>> (v6.4.14#64029)
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain 
>>>>>> confidential and/or legally privileged information. It is solely for the 
>>>>>> use of the intended recipient(s). Unauthorized interception, review, use 
>>>>>> or disclosure is prohibited and may violate applicable laws including 
>>>>>> the Electronic Communications Privacy Act. If you are not the intended 
>>>>>> recipient, please contact the sender and destroy all copies of the 
>>>>>> communication.
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> -- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For
>>>>> additional commands, e-mail: dev-h...@struts.apache.org
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>
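
The IMPORTANT NOTE quoted above, as an added example that is not part of the thread or of Struts: a helper for JSP expressions that answers with a boolean only and has no getter returning the request or `ActionContext`. The names `RoleFacade` and `RoleSource`, the role allow-list and the `Auditor` role are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Added example: the only object placed on the value stack for JSPs to call. */
public final class RoleFacade {

    /** Hypothetical seam so the class runs without a servlet container. */
    public interface RoleSource {
        boolean isUserInRole(String role);
    }

    private final RoleSource source;        // private, and no getter returns it
    private final Set<String> allowedRoles; // role names JSPs may ask about

    public RoleFacade(RoleSource source, String... allowedRoles) {
        this.source = source;
        this.allowedRoles = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(allowedRoles)));
    }

    /** Returns a primitive only; role names outside the list are answered false. */
    public boolean isUserInRole(String role) {
        return role != null && allowedRoles.contains(role) && source.isUserInRole(role);
    }

    // Deliberately absent: getters such as getActionContext() or getRequest().
    // Returning those objects would let an expression walk back into the
    // classes that struts-default.xml excludes.

    public static void main(String[] args) {
        // Constructed stand-in for the container: this user holds UserAdmin only.
        // In the filter the source would instead be
        //   role -> ((HttpServletRequest) ActionContext.getContext()
        //               .get(StrutsStatics.HTTP_REQUEST)).isUserInRole(role)
        final Set<String> held = Collections.singleton("UserAdmin");
        RoleFacade facade = new RoleFacade(role -> held.contains(role), "UserAdmin");

        System.out.println(facade.isUserInRole("UserAdmin")); // held and allow-listed
        System.out.println(facade.isUserInRole("Auditor"));   // not on the allow-list
        System.out.println(facade.isUserInRole(null));        // null is refused
    }
}
```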
