I have a use case, where it is no option to muddle with headers. The
headers are dynamically controlled by the App.
So I really would need an option to remove any well-intentioned, but not
wanted headers. This seems not easily possible with the added CSP in 6.x
version.
Any chance that such an option would be added? I would prefer to do
without defining my own struts-default.xml.
---
COEP Interceptor
https://struts.apache.org/core-developers/coep-interceptor
Can be disabled
<interceptor-ref name="defaultStack">
<param name="coepInterceptor.disabled">true</param>
</interceptor-ref>
---
COOP Interceptor
https://struts.apache.org/core-developers/coop-interceptor
Has no option to be disabled. The only option would be:
<interceptor-ref name="defaultStack">
<param name="coopInterceptor.mode">unsafe-none</param>
</interceptor-ref>
This still adds a header
Cross-Origin-Opener-Policy: unsafe-none
--
Fetch Metadata Interceptor
https://struts.apache.org/core-developers/fetch-metadata-interceptor
Has no option to be disabled. Only knows
<interceptor-ref name="defaultStack">
    <param name="fetchMetadata.exemptedPaths">/path1,/path2,/path3</param>
</interceptor-ref>
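The symptoms reported further down this thread (curl and subdomain requests succeed, OPTIONS requests from a third-party domain end in a 403 result) match the Fetch Metadata resource isolation policy. The following is an added example, not code from Struts or from anyone in this thread: it models that policy on the assumption that the interceptor follows it, using constructed requests and a hypothetical class name, and needs Java 16 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not Struts source code: a stand-alone model of the
// Fetch Metadata resource isolation policy (assumed to match the interceptor).
public class FetchMetadataPolicyDemo {

    // Sec-Fetch-Site values the policy treats as trusted.
    static final Set<String> TRUSTED_SITES = Set.of("same-origin", "same-site", "none");

    static boolean isAllowed(String method, String path, Map<String, String> headers,
                             Set<String> exemptedPaths) {
        if (exemptedPaths.contains(path)) {
            return true;   // corresponds to fetchMetadata.exemptedPaths
        }
        String site = headers.get("Sec-Fetch-Site");
        if (site == null || site.isEmpty()) {
            return true;   // client sends no Fetch Metadata (curl, older browsers)
        }
        if (TRUSTED_SITES.contains(site)) {
            return true;   // same origin, subdomain of the same site, or user-initiated
        }
        // Cross-site: only a plain top-level GET navigation is let through.
        String dest = headers.getOrDefault("Sec-Fetch-Dest", "");
        return "navigate".equals(headers.get("Sec-Fetch-Mode"))
                && "GET".equals(method)
                && !"object".equals(dest) && !"embed".equals(dest);
    }

    record Req(String label, String method, Map<String, String> headers) {}

    public static void main(String[] args) {
        String path = "/context/mypath";   // path as written in the thread
        // Constructed requests mirroring the cases reported in the thread.
        List<Req> requests = List.of(
            new Req("curl OPTIONS, no Sec-Fetch-* headers", "OPTIONS", Map.of()),
            new Req("OPTIONS from a subdomain", "OPTIONS",
                Map.of("Sec-Fetch-Site", "same-site", "Sec-Fetch-Mode", "cors")),
            new Req("OPTIONS from a third-party domain", "OPTIONS",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "cors")),
            new Req("GET navigation from a third-party domain", "GET",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate",
                       "Sec-Fetch-Dest", "document")));
        for (Req r : requests) {
            System.out.printf("%-42s default=%-5b exempted=%b%n", r.label(),
                isAllowed(r.method(), path, r.headers(), Set.of()),
                isAllowed(r.method(), path, r.headers(), Set.of(path)));
        }
    }
}
```

Only the third-party OPTIONS request is rejected under the default settings, and listing the path as exempted lets it through without switching the check off for the rest of the application.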
On 30.08.22 at 16:43, i...@flyingfischer.ch wrote:
Thanks Łukasz
Any chance to disable this on domain basis, or even totally? I fear
coopInterceptor.exemptedPaths will not be sufficient in my case.
Best regards
Markus
On 30.08.22 at 16:22, Łukasz Lenart wrote:
CSP was added in 6.x version
https://struts.apache.org/core-developers/coop-interceptor
https://struts.apache.org/core-developers/coop-interceptor
https://struts.apache.org/core-developers/fetch-metadata-interceptor
On Tue, 30.08.2022 at 15:54, i...@flyingfischer.ch <i...@flyingfischer.ch> wrote:
It looks like a cross-site issue: The error does only appear, when the
request is called from a third party domain. When called from a
subdomain of the main domain, the error does not appear.
Regards
Markus
On 30.08.22 at 15:35, i...@flyingfischer.ch wrote:
I am puzzled, calling the same request on the console works:
curl -i -X OPTIONS https://domain/context/mypath?url=urlEncodedUrl
HTTP/1.1 302
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: -1
Vary: Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,Sec-Fetch-User
Cross-Origin-Embedder-Policy-Report-Only: require-corp
Cross-Origin-Opener-Policy: same-origin
Location: /context/otherpath?url=urlEncodedUrl
Content-Language: de-CH
Content-Length: 0
Date: Tue, 30 Aug 2022 13:23:17 GMT
Server: Apache
I need to meditate...
Regards
Markus
On 30.08.22 at 14:41, i...@flyingfischer.ch wrote:
The action and the result actually do exist as redirectAction
<result name="resultName" type="redirectAction">
<param name="actionName">otherpath</param>
<param name="url">${url}</param>
</result>
This works:
GET /context/mypath?url=urlEncodedUrl HTTP/1.1"
This fails:
OPTIONS /context/mypath?url=urlEncodedUrl HTTP/1.1" 404
But yes, strange that OPTIONS returns 404, while WARN
org.apache.struts2.dispatcher.Dispatcher returns 403.
Regards
Markus
On 30.08.22 at 14:32, Yasser Zamani wrote:
Thanks. I see "...and result 403..." so looks like the underlying
action has responded with 403 i.e. forbidden and you haven't defined
such result for this action in struts.xml? wdyt?
On 8/29/2022 8:32 PM, i...@flyingfischer.ch wrote:
Hi Yasser
sure.
Regards
Markus
29-08-2022 16:12:47.8 WARN org.apache.struts2.dispatcher.Dispatcher - Could not find action or result: /context/mypath?url=urlEncodedUrl
No result defined for action ch.xx.xx.xx and result 403 - action - file:/xx/xx/xx/apache-tomcat-8.5.81/webapps/context/WEB-INF/classes/struts.xml:223:65
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:366)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:280)
    at org.apache.struts2.interceptor.CoopInterceptor.intercept(CoopInterceptor.java:57)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.CoepInterceptor.intercept(CoepInterceptor.java:56)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:143)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:146)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:146)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:202)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:133)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:89)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:242)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:101)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:142)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:161)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:175)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.csp.CspInterceptor.intercept(CspInterceptor.java:46)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:140)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:209)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:229)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:196)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at util.CachingHeadersInterceptor.intercept(CachingHeadersInterceptor.java:28)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at com.googlecode.sslplugin.interceptors.SSLInterceptor.intercept(SSLInterceptor.java:128)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at util.HostwwwInterceptor.intercept(HostwwwInterceptor.java:37)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48)
    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:630)
    at org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79)
    at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:140)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:367)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:639)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:882)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2078)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
On 29.08.22 at 17:39, Yasser Zamani wrote:
Hi Markus,
I see corresponding codes in Struts:
    if (devMode) {
        LOG.error("Could not find action or result: {}", uri, e);
    } else if (LOG.isWarnEnabled()) {
        LOG.warn("Could not find action or result: {}", uri, e);
    }
so it seems you should also have the exception e stack trace
logged. Could you please share it as well? I guess you might
be affected by [1] but honestly hard to say how. So the stack trace
could help a lot.
Regards,
Yasser
[1]
https://github.com/apache/struts/commit/1c2b491a27b48a0b064b991a6cef63db5e6cb28b
On 8/29/2022 5:22 PM, i...@flyingfischer.ch wrote:
If I see this correctly, this happens only with OPTIONS and HEAD
requests....
On 29.08.22 at 14:09, i...@flyingfischer.ch wrote:
After removing commons-digester3-3.2 and leaving
commons-digester-2.1 only, I still get the Warnings/Errors in
production:
WARN org.apache.struts2.dispatcher.Dispatcher - Could not find
action or result: /context/mypath?url=urlEncodedUrl
Seems to be a new issue in Struts6 and not really related to
commons-digester? Unfortunately I cannot reproduce the issue
straightforward. I just see the error in the log. Calling the
path directly does not cause the issue. May there be a
connection with a not present session?
Markus
On 29.08.22 at 11:36, i...@flyingfischer.ch wrote:
Removing commons-digester-2.1 gives:
java.lang.NoClassDefFoundError:
org/apache/commons/digester/Rule
I am able to remove commons-digester3-3.2: the application does
start.
I will replace the application in production and check, if the
Warnings/Errors from org.apache.struts2.dispatcher.Dispatcher
disappear.
Regards
Markus
On 29.08.22 at 10:19, Lukasz Lenart wrote:
Could you exclude commons-digester in the Tiles plugin?
Regards
Łukasz
On Mon, 29 Aug 2022 at 10:11, i...@flyingfischer.ch <i...@flyingfischer.ch> wrote:
hmm, in production I see from time to time:
WARN org.apache.struts2.dispatcher.Dispatcher - Could not find action or result: /context/mypath?url=urlEncodedUrl
The action exists and the result also, as redirectAction
<result name="resultName" type="redirectAction">
<param name="actionName">otherpath</param>
<param name="url">${url}</param>
</result>
This behaviour seems to be new. I cannot reproduce it
consistently, but
there seems to be thrown an error in
org.apache.struts2.dispatcher.Dispatcher, somewhere between
these lines:
    try {
        String actionNamespace = mapping.getNamespace();
        String actionName = mapping.getName();
        String actionMethod = mapping.getMethod();
        LOG.trace("Processing action, namespace: {}, name: {}, method: {}", actionNamespace, actionName, actionMethod);
        ActionProxy proxy = prepareActionProxy(extraContext, actionNamespace, actionName, actionMethod);
        request.setAttribute(ServletActionContext.STRUTS_VALUESTACK_KEY, proxy.getInvocation().getStack());
        // if the ActionMapping says to go straight to a result, do it!
        if (mapping.getResult() != null) {
            Result result = mapping.getResult();
            result.execute(proxy.getInvocation());
        } else {
            proxy.execute();
        }
        // If there was a previous value stack then set it back onto the request
        if (!nullStack) {
            request.setAttribute(ServletActionContext.STRUTS_VALUESTACK_KEY, stack);
        }
    } catch (ConfigurationException e) {
        logConfigurationException(request, e);
        sendError(request, response, HttpServletResponse.SC_NOT_FOUND, e);
    }
The artifacts contains two version of commons-digester:
commons-digester-2.1
commons-digester3-3.2
Any idea, what is causing this warning, which seems to be
rather an error?
Best Markus
On 27.08.22 at 12:28, i...@flyingfischer.ch wrote:
Works fine here. Tested with tiles-plugin.
Best regards
Markus
On 25.08.22 at 07:52, Lukasz Lenart wrote:
Hello,
This is the first patch version of Struts 6.x series. Please take the
time and test the bits - any help is appreciated. Please report any
problems you will spot.
Here are the changes from the previous 6.0.0 version:
https://github.com/apache/struts/releases/tag/STRUTS_6_0_2
Staging Maven repo
https://repository.apache.org/content/groups/staging/
Standalone artifacts
https://dist.apache.org/repos/dist/dev/struts/6.0.2/
Release notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.0.2
Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org