Yes I think you should have mappings for all as following order:
<filter-mapping>
<filter-name>struts-prepare</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>MYStrutsPrepareFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>struts-execute</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
On 7/24/2017 8:19 PM, Deborah White wrote:
> It now goes to just a blank page. Do I have an issue in my web.xml?
> <filter>
> <filter-name>struts-prepare</filter-name>
>
> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
> <filter-name>MYStrutsPrepareFilter</filter-name>
> <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
> <filter-name>struts-execute</filter-name>
>
> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
> <filter-mapping>
> <filter-name>MYStrutsPrepareFilter</filter-name>
> <url-pattern>/*</url-pattern>
> <dispatcher>FORWARD</dispatcher>
> <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Saturday, July 22, 2017 2:18 AM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
> to 2.3.32
>
> I forgot to say about following block in MYStrutsPrepareFilter.java which is
> new and I added recently (so please copy the whole new
> MYStrutsPrepareFilter.java) :
>
> > if(null != actionContext) {
> > ValueStack stack = actionContext.getValueStack();
> > stack.setValue("#request['MYUtils']", MYUtils);
> > }
>
> It avoids null pointer exception.
>
> Please reply back to me the `exception stack trace` if you encounter any.
>
> IMPORTANT NOTE:
>
> To keep security, your MYUtils class should return only and only necessary
> info (not less not more) in primitive types like string , boolean , int , etc
> as much as possible rather than sensitive objects.
> For example, following get method wake ups currently fixed security issues:
>
> public class MYUtils {...
> public ActionContext getActionContext() {
> return ActionContext.getContext();
> }...}
>
>
> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>> Sorry! My previous code has sent via my mobile which has a few typo
>> errors because of issues with copy/pase :(
>>
>> Now, at my PC, I tested following configuration which works well :)
>>
>> 1. MYStrutsPrepareFilter.java
>>
>> *********************************************
>> package me.zamani.yasser.ww_convention.utils;
>>
>> import java.io.IOException;
>>
>> import javax.servlet.Filter;
>> import javax.servlet.FilterChain;
>> import javax.servlet.FilterConfig;
>> import javax.servlet.ServletException; import
>> javax.servlet.ServletRequest; import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>>
>> import org.apache.struts2.StrutsStatics; import
>> com.opensymphony.xwork2.ActionContext;
>> import com.opensymphony.xwork2.util.ValueStack;
>>
>> /**
>> * @author zamani
>> *
>> */
>> public class MYStrutsPrepareFilter implements Filter {
>>
>> private MYUtils MYUtils;
>>
>> public void init(FilterConfig filterConfig) throws ServletException {
>> MYUtils = new MYUtils();
>> }
>>
>> public void doFilter(ServletRequest req, ServletResponse res,
>> FilterChain chain)
>> throws IOException, ServletException {
>>
>> ActionContext actionContext = ActionContext.getContext();
>> if(null != actionContext) {
>> ValueStack stack = actionContext.getValueStack();
>> stack.setValue("#request['MYUtils']", MYUtils);
>> }
>>
>> chain.doFilter(req, res);
>> }
>>
>> public void destroy() {
>> MYUtils = null;
>> }
>>
>>
>> public class MYUtils {
>> public boolean isUserInRole (String user) {
>> HttpServletRequest httpsr = ((HttpServletRequest)
>> ActionContext.getContext()
>> .get(StrutsStatics.HTTP_REQUEST));
>> return httpsr.isUserInRole(user);
>> }
>> }
>> }
>> **********************************************************
>>
>> 2. web.xml
>>
>> **********************************************************
>> <filter>
>> <filter-name>struts2prepare</filter-name>
>>
>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>> <filter-name>MYStrutsPrepareFilter</filter-name>
>>
>> <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>> <filter-name>struts2execute</filter-name>
>>
>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>> <filter-name>struts2prepare</filter-name>
>> <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>> <filter-name>MYStrutsPrepareFilter</filter-name>
>> <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>> <filter-name>struts2execute</filter-name>
>> <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> **************************************************************
>>
>> 3. hello.jsp
>>
>> **************************************************************
>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>> you are UserAdmin
>> </s:if>
>> <s:else>
>> you are not UserAdmin
>> </s:else>
>> **************************************************************
>>
>> Sincerely Yours,
>> Yasser.
>>
>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>> And the jsp doesn't seem to like this syntax for some reason.
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Friday, July 21, 2017 1:04 PM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> That is just an example. For your need, in more detail, you should try
>>> something like these:
>>>
>>> 1. Add following method to class MyUtil:
>>>
>>> public boolean isUserInRole (String user) {
>>> HttpServletRequest httpsr = ((HttpServletRequest)
>>> ActionContext.getContext()
>>> .get(StrutsStatics.HTTP_REQUEST)); return
>>> httpsr.isUserInRole (user); }
>>>
>>> 2. Your struts filters in web.xml should looks like:
>>>
>>> <filter>
>>> <filter-name>struts-prepare</filter-name>
>>>
>>> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFi
>>> lter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>> <filter-name> MYStrutsPrepareFilter</filter-name>
>>> <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>> <filter-name>struts-execute</filter-name>
>>>
>>> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFi
>>> lter</filter-class>
>>> </filter>
>>>
>>> 3. Finally find and replace all of
>>>
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> With
>>>
>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>
>>> I think something like these resolve your issue :) please try and let me
>>> know.
>>>
>>> Deborah White <deborah.wh...@doj.ca.gov> نوشت:
>>>
>>>> This is what I currently have in my jsp:
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> Where would I put
>>>> "#request['MYUtils'].requestURI?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> You are welcome :) In this solution, by ognl, you only access the MyUtil
>>>> object and you add what you need from excluded packages into MyUtil class
>>>> as java getters. While MyUtil is not in excluded packages, so, you can get
>>>> what you need from excluded packages via ognl then it.
>>>>
>>>> Deborah White <deborah.wh...@doj.ca.gov> نوشت:
>>>>
>>>>> Sorry, as I said I'm new. Will this allow access to the excluded
>>>>> packages (ognl)?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> Hi there, welcome to dev list :)
>>>>>
>>>>> Do you need access to excluded packages in your JSPs? I had similar
>>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>>> any thing and a find/replace did all needed changes. Please review
>>>>> my solution if also resolves your one. If not, please feel free
>>>>> continue here for a solution :)
>>>>>
>>>>> [1]
>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>
>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>>>> someone out there has been through this. Any help would be appreciated.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>>
>>>>>> [
>>>>>> https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.
>>>>>>
>>>>>> plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160
>>>>>> 868
>>>>>> 3
>>>>>> 2#comment-16086832 ]
>>>>>>
>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the
>>>>>> exclusion, I would rather figure out in which expression you use this
>>>>>> class and move the logic to an action.
>>>>>>
>>>>>>
>>>>>> was (Author: lukaszlenart):
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the
>>>>>> exclusion, I would rather figure in which expression you use this class
>>>>>> and move the logic to an action.
>>>>>>
>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>> -----------------------------------
>>>>>>>
>>>>>>> Key: WW-4815
>>>>>>> URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>> Project: Struts 2
>>>>>>> Issue Type: Temp
>>>>>>> Components: Core
>>>>>>> Affects Versions: 2.3.16.3
>>>>>>> Reporter: Deborah White
>>>>>>> Fix For: 2.3.32
>>>>>>>
>>>>>>>
>>>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>>>> know this is probably not the place to do this, but I'm not finding
>>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>>>> vulnerability. The problem is that the excluded classes in the
>>>>>>> struts-default.xml are being used by my application and I certainly do
>>>>>>> not have time to do a rewrite.
>>>>>>> This is the Warning I get and then my application does not run as it
>>>>>>> should because it seems it is not forwarding the roles:
>>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or
>>>>>>> package of member [public boolean
>>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>>> are excluded!
>>>>>>> I need to know how I can safely modify the struts-default.xml and still
>>>>>>> have the fix for the vulnerability. Also, if there is something I can
>>>>>>> instead include in my struts.xml file that would override, that would
>>>>>>> be better. Thank you.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message was sent by Atlassian JIRA
>>>>>> (v6.4.14#64029)
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>>>> confidential and/or legally privileged information. It is solely for the
>>>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>>>> or disclosure is prohibited and may violate applicable laws including
>>>>>> the Electronic Communications Privacy Act. If you are not the intended
>>>>>> recipient, please contact the sender and destroy all copies of the
>>>>>> communication.
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> -- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For
>>>>> additional commands, e-mail: dev-h...@struts.apache.org
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>>> confidential and/or legally privileged information. It is solely for the
>>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>>> or disclosure is prohibited and may violate applicable laws including the
>>>>> Electronic Communications Privacy Act. If you are not the intended
>>>>> recipient, please contact the sender and destroy all copies of the
>>>>> communication.
>>>> B
>>>> KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
>>>> CB [ X ܚX KK[XZ[ ] ][ X ܚX P ]˘\X K ܙ B ܈Y][ۘ[ [X[ K[XZ[ ] Z[
>>>> ]˘\X K ܙ B B
>>>>
>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>> confidential and/or legally privileged information. It is solely for the
>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>> or disclosure is prohibited and may violate applicable laws including the
>>>> Electronic Communications Privacy Act. If you are not the intended
>>>> recipient, please contact the sender and destroy all copies of the
>>>> communication.
>>>
>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>> confidential and/or legally privileged information. It is solely for the
>>> use of the intended recipient(s). Unauthorized interception, review, use or
>>> disclosure is prohibited and may violate applicable laws including the
>>> Electronic Communications Privacy Act. If you are not the intended
>>> recipient, please contact the sender and destroy all copies of the
>>> communication.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For
>>> additional commands, e-mail: dev-h...@struts.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For
>> additional commands, e-mail: dev-h...@struts.apache.org
>>
>
> CONFIDENTIALITY NOTICE: This communication with its contents may contain
> confidential and/or legally privileged information. It is solely for the use
> of the intended recipient(s). Unauthorized interception, review, use or
> disclosure is prohibited and may violate applicable laws including the
> Electronic Communications Privacy Act. If you are not the intended recipient,
> please contact the sender and destroy all copies of the communication.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
