[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17839004#comment-17839004 ]

Erica Kane commented on WW-5400:

It seemed the simplest way, this is a parameter in struts.xml. We have never injected any beans there, only via Spring. But if there is a better way, and it's compatible with those of us who use Spring to do the wiring, please go ahead.

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!

-- This message was sent by Atlassian Jira (v8.20.10#820010)
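What a "default CSP settings class" of the kind this thread asks for could look like, as an added example that is not code from the Struts project or from this ticket. It assumes that the `org.apache.struts2.interceptor.csp.CspSettings` interface exposes `addCspHeaders(request, response)`, `setReportUri` and `setEnforcingMode` with the signatures used here, that the `<s:script>`/`<s:link>` tags read the nonce from the request attribute `"nonce"`, and that the class is selected through the interceptor parameter proposed in the thread (the parameter's final name belongs to the 6.5.0 documentation, not to this example). The `base-uri` value itself is the point: it is validated so that configuration cannot smuggle a second directive into the policy string.

```java
// Added example, not Struts project code: CSP settings with a configurable
// base-uri applied to every action. Interface method names, the "nonce"
// request attribute and the interceptor parameter are assumptions (see lead-in).
package com.example.csp;

import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.interceptor.csp.CspSettings;

public class BaseUriCspSettings implements CspSettings {

    static final String ENFORCING_HEADER = "Content-Security-Policy";
    static final String REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";
    static final String NONCE_ATTRIBUTE = "nonce"; // assumed: attribute the tags read

    private static final SecureRandom RANDOM = new SecureRandom();

    private String baseUri = "'self'"; // the directive value this ticket wants to control
    private String reportUri;          // optional violation-report endpoint
    private boolean enforcingMode;     // false: Report-Only header, nothing is blocked

    @Override
    public void addCspHeaders(HttpServletRequest request, HttpServletResponse response) {
        String nonce = newNonce();
        // Expose the per-request nonce so the script/link tags can stamp it on their elements.
        request.setAttribute(NONCE_ATTRIBUTE, nonce);
        String header = enforcingMode ? ENFORCING_HEADER : REPORT_ONLY_HEADER;
        // setHeader, not addHeader: exactly one policy header per response.
        response.setHeader(header, buildPolicy(nonce));
    }

    /** Nonce-based strict policy (object-src 'none', strict-dynamic) with the configured base-uri. */
    String buildPolicy(String nonce) {
        StringBuilder policy = new StringBuilder()
            .append("object-src 'none'; ")
            .append("script-src 'nonce-").append(nonce).append("' 'strict-dynamic' http: https:; ")
            .append("base-uri ").append(baseUri).append(";");
        if (reportUri != null) {
            policy.append(" report-uri ").append(reportUri).append(";");
        }
        return policy.toString();
    }

    /** 128 bits of CSPRNG output, base64url without padding: nonces must be unguessable. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Reject values that could inject further directives into the policy ('; ' is the separator). */
    public void setBaseUri(String baseUri) {
        if (baseUri == null || baseUri.isBlank() || baseUri.indexOf(';') >= 0) {
            throw new IllegalArgumentException("base-uri must be a single source expression: " + baseUri);
        }
        this.baseUri = baseUri;
    }

    @Override
    public void setReportUri(String reportUri) {
        if (reportUri != null && reportUri.indexOf(';') >= 0) {
            throw new IllegalArgumentException("report-uri must not contain ';'");
        }
        this.reportUri = reportUri;
    }

    @Override
    public void setEnforcingMode(boolean enforcingMode) {
        this.enforcingMode = enforcingMode;
    }
}
```

Whether the class is wired through the struts.xml parameter or through Spring, the same two properties matter operationally: run with `enforcingMode` false first and watch the `report-uri` endpoint for violations, then switch to enforcing once the pages that rely on the `<s:script>` and `<s:link>` tags report clean.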
[jira] [Commented] (WW-5141) Support for JEE 9+
[ https://issues.apache.org/jira/browse/WW-5141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838394#comment-17838394 ]

Erica Kane commented on WW-5141:

Hi, I wanted to check in on this, as Spring 5 and Spring Security 5 are both end of life on August 31. Spring 6 requires the new jakarta namespace. We use both Spring and Struts, which is probably not uncommon.

> Support for JEE 9+
> ---
>
> Key: WW-5141
> URL: https://issues.apache.org/jira/browse/WW-5141
> Project: Struts 2
> Issue Type: New Feature
> Components: Core
> Reporter: Daniel Le Berre
> Priority: Major
> Labels: M1
> Fix For: 7.0.0
>
> Attachments: pom.xml
>
> Time Spent: 9h 40m
> Remaining Estimate: 0h
>
> JEE 9 breaks the JEE API by replacing javax domain by jakarta.
> Tomcat 10 implements some specifications of JEE 9.
> Struts 2.5 has some dependencies with the javax servlet API.
> Struts would require some changes to run on Tomcat 10+.
> Is there any plan to support JEE 9+ in the future?
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837280#comment-17837280 ]

Erica Kane commented on WW-5400:

[~lukaszlenart] I've made the requested code changes. Please see my comments regarding the injection option. You know that better than I do for Struts, I just want to be sure that the default settings class name is treated as a String parameter into the interceptor. My code was designed to make that clear.

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835911#comment-17835911 ]

Erica Kane commented on WW-5400:

Also the documentation should be updated, once live, or no one will know how to use this.

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835910#comment-17835910 ]

Erica Kane commented on WW-5400:

[~lukaszlenart] I have submitted a pull request for my changes (username eschulma). Enjoy!

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17830732#comment-17830732 ]

Erica Kane commented on WW-5400:

Hi Lukasz, yes, our version is live in production. I am on spring break -- hope to revise for submission to you in mid-April.

On Sun, 24 Mar 2024 08:05:00 + (UTC)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.4.0
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824535#comment-17824535 ]

Erica Kane commented on WW-5400:

I already wrote this for our company, so I will go ahead and make a pull request.

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.4.0
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824059#comment-17824059 ]

Erica Kane commented on WW-5400:

The addCspHeaders is singular, which is good. But I still don't want to put a custom CspSettings in separately for each and every action in my app. Would it make sense for me to add a parameter defaultCspSettingsClass that could be set at the stack level? If you approve, I am willing to make a pull request for that.

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.4.0
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5084) Content Security Policy support
[ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824030#comment-17824030 ]

Erica Kane commented on WW-5084:

I think to disable the CSP interceptor the earlier comment should reference `cspInterceptor` not `coepInterceptor`?

> Content Security Policy support
> ---
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 6.0.0
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 6.0.0
>
> Time Spent: 5.5h
> Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to provide a major security mechanism that developers can use to protect against common Cross-Site Scripting vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement mode.
>
> We will provide an out of the box tag that can be used by developers to use/import scripts in their web applications, so that these will automatically get nonces that are compatible with their Content Security policies.
>
> Finally, we will provide a built-in handler for CSP violation reports that will be used to collect and provide textual explanations of these reports. This endpoint will be used by developers to debug CSP violations and locate pieces of code that need to be refactored to support strong policies.
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824024#comment-17824024 ]

Erica Kane commented on WW-5400:

Lukasz I will certainly give that a try. I interpreted `addCspHeaders` as actually adding an additional HTTP header, which would not be the desired behavior. Perhaps that assumption was incorrect. I will test it. But even if that works – forcing every single action in my app to implement this interface is hardly desirable. I use `base-uri` on every page. And there are many, many other CSP headers that are valuable. I believe that what I would be looking for is a way to replace the `DefaultCspSettings` class at an app-wide level, and I did not see that in the source code. If there is a way to do it please let me know!

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.4.0
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Created] (WW-5400) CSP interceptor only allows very limited configuration
Erica Kane created WW-5400:
--

Summary: CSP interceptor only allows very limited configuration
Key: WW-5400
URL: https://issues.apache.org/jira/browse/WW-5400
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Affects Versions: 6.3.0
Reporter: Erica Kane

I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.

But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.

P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Commented] (WW-5141) Support for JEE 9+
[ https://issues.apache.org/jira/browse/WW-5141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747245#comment-17747245 ]

Erica Kane commented on WW-5141:

..and also on Maven Central, albeit a little tricky to find: [https://mvnrepository.com/artifact/org.apache.commons/commons-fileupload2-jakarta]

> Support for JEE 9+
> ---
>
> Key: WW-5141
> URL: https://issues.apache.org/jira/browse/WW-5141
> Project: Struts 2
> Issue Type: New Feature
> Components: Core
> Reporter: Daniel Le Berre
> Priority: Major
> Fix For: 7.0.0
>
> Attachments: pom.xml
>
> JEE 9 breaks the JEE API by replacing javax domain by jakarta.
> Tomcat 10 implements some specifications of JEE 9.
> Struts 2.5 has some dependencies with the javax servlet API.
> Struts would require some changes to run on Tomcat 10+.
> Is there any plan to support JEE 9+ in the future?
[jira] [Commented] (WW-5141) Support for JEE 9+
[ https://issues.apache.org/jira/browse/WW-5141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17746542#comment-17746542 ]

Erica Kane commented on WW-5141:

2.0.0-M1 of Commons File Upload has been released now: [https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi]

> Support for JEE 9+
> ---
>
> Key: WW-5141
> URL: https://issues.apache.org/jira/browse/WW-5141
> Project: Struts 2
> Issue Type: New Feature
> Components: Core
> Reporter: Daniel Le Berre
> Priority: Major
> Fix For: 7.0.0
>
> Attachments: pom.xml
>
> JEE 9 breaks the JEE API by replacing javax domain by jakarta.
> Tomcat 10 implements some specifications of JEE 9.
> Struts 2.5 has some dependencies with the javax servlet API.
> Struts would require some changes to run on Tomcat 10+.
> Is there any plan to support JEE 9+ in the future?
[jira] [Commented] (WW-5141) Support for JEE 9+
[ https://issues.apache.org/jira/browse/WW-5141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17744797#comment-17744797 ]

Erica Kane commented on WW-5141:

[~rossgreig] as an FYI, we use the latest version of Tomcat 9 with the current version of Struts and do not have any issues. (But Spring 6 is another story, and Spring 5 will be EOL in 2024...)

> Support for JEE 9+
> ---
>
> Key: WW-5141
> URL: https://issues.apache.org/jira/browse/WW-5141
> Project: Struts 2
> Issue Type: New Feature
> Components: Core
> Reporter: Daniel Le Berre
> Priority: Major
> Fix For: 7.0.0
>
> Attachments: pom.xml
>
> JEE 9 breaks the JEE API by replacing javax domain by jakarta.
> Tomcat 10 implements some specifications of JEE 9.
> Struts 2.5 has some dependencies with the javax servlet API.
> Struts would require some changes to run on Tomcat 10+.
> Is there any plan to support JEE 9+ in the future?
[jira] [Commented] (WW-5141) Support for JEE 9+
[ https://issues.apache.org/jira/browse/WW-5141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17744781#comment-17744781 ]

Erica Kane commented on WW-5141:

Glad to hear it. :) We also want to move into the Jakarta namespace.

> Support for JEE 9+
> ---
>
> Key: WW-5141
> URL: https://issues.apache.org/jira/browse/WW-5141
> Project: Struts 2
> Issue Type: New Feature
> Components: Core
> Reporter: Daniel Le Berre
> Priority: Major
> Fix For: 7.0.0
>
> Attachments: pom.xml
>
> JEE 9 breaks the JEE API by replacing javax domain by jakarta.
> Tomcat 10 implements some specifications of JEE 9.
> Struts 2.5 has some dependencies with the javax servlet API.
> Struts would require some changes to run on Tomcat 10+.
> Is there any plan to support JEE 9+ in the future?
[jira] [Commented] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700615#comment-17700615 ]

Erica Kane commented on WW-5294:

Yes, we have quite a few Actions already... :) I will say that it was very difficult to get the warning. We should have gotten them on other pages that had {{s:textfield}} out there, which intuitively strikes me as far more risky. I had an interesting day hunting all the possibilities down.

> s:url tag usage in a public page triggers a warning to not expose JSP pages directly
> -
>
> Key: WW-5294
> URL: https://issues.apache.org/jira/browse/WW-5294
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 6.1.2
> Environment: Ubuntu 20, Java 8, Tomcat 9
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.2.0
>
> I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Commented] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699779#comment-17699779 ]

Erica Kane commented on WW-5294:

I'm going to close this. I was able to trigger the warning on s:a as well (the bulk of our usage, fortunately, is in a protected fragment). I can see why having Struts tags on a publicly accessible JSP page is bad.

> s:url tag usage in a public page triggers a warning to not expose JSP pages directly
> -
>
> Key: WW-5294
> URL: https://issues.apache.org/jira/browse/WW-5294
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 6.1.2
> Environment: Ubuntu 20, Java 8, Tomcat 9
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.2.0
>
> I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Closed] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erica Kane closed WW-5294.
--
Resolution: Won't Fix

Both s:a and s:url trigger the warning, as they should.

> s:url tag usage in a public page triggers a warning to not expose JSP pages directly
> -
>
> Key: WW-5294
> URL: https://issues.apache.org/jira/browse/WW-5294
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 6.1.2
> Environment: Ubuntu 20, Java 8, Tomcat 9
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.2.0
>
> I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Commented] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699718#comment-17699718 ]

Erica Kane commented on WW-5294:

I want to make sure I'm understanding this correctly, because this has significant implications for us. If I have a page that only uses s:url and s:a tags to provide links to other pages, but has no active functionality itself and is never the target of an action, using those tags is dangerous? And if that's the case, why do I only see the warning for s:url tags and not for s:a tags? Is s:a safe, but not s:url?

If both tags are dangerous, then this should be a bug report about *not* having a warning for the s:a tag on public pages. We have far more of those and replacing them would be a bit of a headache. Obviously I will do it if there is a security issue. I did see the link about never exposing JSP files directly but it isn't clear _why_.

> s:url tag usage in a public page triggers a warning to not expose JSP pages directly
> -
>
> Key: WW-5294
> URL: https://issues.apache.org/jira/browse/WW-5294
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 6.1.2
> Environment: Ubuntu 20, Java 8, Tomcat 9
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.2.0
>
> I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Commented] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699672#comment-17699672 ]

Erica Kane commented on WW-5294:

No, it is not. There is no reason it should, as it is essentially a static page.

> s:url tag usage in a public page triggers a warning to not expose JSP pages directly
> -
>
> Key: WW-5294
> URL: https://issues.apache.org/jira/browse/WW-5294
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 6.1.2
> Environment: Ubuntu 20, Java 8, Tomcat 9
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.2.0
>
> I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Commented] (WW-5177) Support testing with JUnit 5
[ https://issues.apache.org/jira/browse/WW-5177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699625#comment-17699625 ]

Erica Kane commented on WW-5177:

It requires Java 8.

> Support testing with JUnit 5
>
> Key: WW-5177
> URL: https://issues.apache.org/jira/browse/WW-5177
> Project: Struts 2
> Issue Type: New Feature
> Components: Plugin - JUnit
> Reporter: Ganapati
> Priority: Major
> Labels: features
> Fix For: 7.0.0
>
> Hi Team,
>
> Currently, struts2-junit-plugin supports testing of Spring based struts actions on JUnit 4 and 3 using {{StrutsSpringTestCase}} and {{StrutsSpringJUnit4TestCase}}. The request is to add support for JUnit 5 with something similar to {{StrutsSpringJUnit5TestCase}}. I understand that we can run JUnit 4 tests using {{junit-vintage-engine}} but in our case we need to combine with other JUnit 5 based extensions - some custom and some already available - Spring, Testcontainers, etc.
>
> There is no issue in the current issues list to support this. Can I know if there is any plan to support the same? I am happy to make a contribution if someone can guide me.
>
> ---
>
> For POC purposes, I created parallels to {{XWorkJUnit4TestCase}}, {{StrutsJUnit4TestCase}}, and {{StrutsSpringJUnit4TestCase}} with much of the code remaining the same. I was able to run tests using Spring's {{ExtendWith}} with a workaround and the workaround needs to be fixed properly.
>
> Thanks.
[jira] [Created] (WW-5294) s:url tag usage in a public page triggers a warning to not expose JSP pages directly
Erica Kane created WW-5294:
--

Summary: s:url tag usage in a public page triggers a warning to not expose JSP pages directly
Key: WW-5294
URL: https://issues.apache.org/jira/browse/WW-5294
Project: Struts 2
Issue Type: Bug
Affects Versions: 6.1.2
Environment: Ubuntu 20, Java 8, Tomcat 9
Reporter: Erica Kane

I have a number of public pages that use the {{}} tags with no issues. But one page uses an {{}} tag, and every time it is visited I get a warning on our logs the Action invocation context is null, and that JSP pages should not be exposed directly. This is an informational page only, and I can't think why the URL tag is unsafe to use while the a tag is safe. I am assuming this is a bug, but of course if there is an issue with the URL tag on a public page I would like to know.
[jira] [Comment Edited] (WW-5177) Support testing with JUnit 5
[ https://issues.apache.org/jira/browse/WW-5177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699615#comment-17699615 ]

Erica Kane edited comment on WW-5177 at 3/13/23 12:48 PM:
--

As someone with a similar issue, I can get classes that extend `StrutsSpringJUnit4TestCase` to work on JUnit 5 by calling the JUnit 4 `Before` method on it within the JUnit 5 `BeforeEach` method. It's certainly not ideal.

was (Author: ekane):
As someone with a similar issue, I can get classes that extend `StrutsSpringJUnit4TestCase` to work on JUnit 5 by calling the JUnit 4 `Before` method on it within the JUnit 5 `BeforeEach` method. It's certainly not ideal.

> Support testing with JUnit 5
>
> Key: WW-5177
> URL: https://issues.apache.org/jira/browse/WW-5177
> Project: Struts 2
> Issue Type: New Feature
> Components: Plugin - JUnit
> Reporter: Ganapati
> Priority: Major
> Labels: features
> Fix For: 7.0.0
>
> Hi Team,
>
> Currently, struts2-junit-plugin supports testing of Spring based struts actions on JUnit 4 and 3 using {{StrutsSpringTestCase}} and {{StrutsSpringJUnit4TestCase}}. The request is to add support for JUnit 5 with something similar to {{StrutsSpringJUnit5TestCase}}. I understand that we can run JUnit 4 tests using {{junit-vintage-engine}} but in our case we need to combine with other JUnit 5 based extensions - some custom and some already available - Spring, Testcontainers, etc.
>
> There is no issue in the current issues list to support this. Can I know if there is any plan to support the same? I am happy to make a contribution if someone can guide me.
>
> ---
>
> For POC purposes, I created parallels to {{XWorkJUnit4TestCase}}, {{StrutsJUnit4TestCase}}, and {{StrutsSpringJUnit4TestCase}} with much of the code remaining the same. I was able to run tests using Spring's {{ExtendWith}} with a workaround and the workaround needs to be fixed properly.
>
> Thanks.
-- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (WW-5177) Support testing with JUnit 5
[ https://issues.apache.org/jira/browse/WW-5177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699615#comment-17699615 ] Erica Kane commented on WW-5177:
As someone with a similar issue, I can get classes that extend `StrutsSpringJUnit4TestCase` to work on JUnit 5 by calling the JUnit 4 `Before` method on it within the JUnit 5 `BeforeEach` method. It's certainly not ideal.

> Support testing with JUnit 5
>
> Key: WW-5177
> URL: https://issues.apache.org/jira/browse/WW-5177
> Project: Struts 2
> Issue Type: New Feature
> Components: Plugin - JUnit
> Reporter: Ganapati
> Priority: Major
> Labels: features
> Fix For: 7.0.0
>
> Hi Team,
>
> Currently, struts2-junit-plugin supports testing of Spring-based Struts actions on JUnit 4 and 3 using {{StrutsSpringTestCase}} and {{StrutsSpringJUnit4TestCase}}. The request is to add support for JUnit 5 with something similar to {{StrutsSpringJUnit5TestCase}}. I understand that we can run JUnit 4 tests using {{junit-vintage-engine}}, but in our case we need to combine with other JUnit 5-based extensions - some custom and some already available - Spring, Testcontainers, etc.
>
> There is no issue in the current issues list to support this. Can I know if there is any plan to support the same? I am happy to make a contribution if someone can guide me.
> ---
> For POC purposes, I created parallels to {{XWorkJUnit4TestCase}}, {{StrutsJUnit4TestCase}}, and {{StrutsSpringJUnit4TestCase}} with much of the code remaining the same. I was able to run tests using Spring's {{ExtendWith}} with a workaround, and the workaround needs to be fixed properly.
>
> Thanks.
-- This message was sent by Atlassian Jira (v8.20.10#820010)
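The workaround in the comment above, written out as an added example (this is not code from the issue or from struts2-junit-plugin): a test class that extends `StrutsSpringJUnit4TestCase` but runs on the JUnit 5 Jupiter engine. Jupiter does not see the base class's JUnit 4 `@Before`/`@After` methods, so the test forwards to them from `@BeforeEach`/`@AfterEach`. `HelloAction`, the `/hello` mapping and the `test-applicationContext.xml` path are hypothetical; the example assumes a test `struts.xml` maps `/hello` to `HelloAction`, and that JUnit 4 stays on the classpath, which it does as a dependency of the plugin.

```java
import com.opensymphony.xwork2.ActionProxy;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.StrutsSpringJUnit4TestCase;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;

/** Hypothetical action under test; struts.xml is assumed to map /hello to it. */
class HelloAction extends ActionSupport {
    private static final long serialVersionUID = 1L;
    private String name;

    public void setName(String name) { this.name = name; }
    public String getName() { return name; }

    @Override
    public String execute() {
        return name == null || name.isEmpty() ? INPUT : SUCCESS;
    }
}

/**
 * Added example, not struts2-junit-plugin code. The base class is a JUnit 4 test case; its
 * @Before setUp() and @After tearDown() are invisible to the Jupiter engine, so the lifecycle
 * is forwarded by hand. Both directions matter: skipping tearDown() leaves the Dispatcher and
 * ActionContext thread-locals populated and the next test inherits them.
 */
class HelloActionJupiterTest extends StrutsSpringJUnit4TestCase<HelloAction> {

    @Override
    protected String getContextLocations() {
        return "classpath:test-applicationContext.xml";   // hypothetical Spring context
    }

    @BeforeEach
    void initStruts() throws Exception {
        super.setUp();      // JUnit 4 @Before: mock servlet objects, Dispatcher, ActionContext
    }

    @AfterEach
    void shutdownStruts() throws Exception {
        super.tearDown();   // JUnit 4 @After: clears the Dispatcher and ActionContext thread-locals
    }

    @Test
    void missingNameReturnsInput() throws Exception {
        ActionProxy proxy = getActionProxy("/hello");
        assertEquals(ActionSupport.INPUT, proxy.execute());
    }

    @Test
    void nameReturnsSuccess() throws Exception {
        ActionProxy proxy = getActionProxy("/hello");
        HelloAction action = (HelloAction) proxy.getAction();
        action.setName("struts");
        assertEquals(ActionSupport.SUCCESS, proxy.execute());
        assertEquals("struts", action.getName());
    }
}
```

Because `getActionProxy` runs the full interceptor stack, the test exercises the same path a request would. What this arrangement cannot do is combine with other Jupiter extensions through `@ExtendWith` for the Struts bootstrap itself, which is the gap the issue asks the plugin to close.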
[jira] [Commented] (WW-4900) NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
[ https://issues.apache.org/jira/browse/WW-4900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16289195#comment-16289195 ] Erica Kane commented on WW-4900:
Glad I could help the security at least. :/ I wrote custom code for my own case, and did not use an interceptor. Essentially I made a smaller object that went in the session; I agree having a large unpredictable object in there is a big problem.

> NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
>
> Key: WW-4900
> URL: https://issues.apache.org/jira/browse/WW-4900
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.14.1
> Reporter: Erica Kane
> Assignee: Yasser Zamani
> Fix For: 2.5.15
>
> We are running Struts 2.5.14.1 and working on externalizing Tomcat session state. This requires Serializable sessions. However, our Action with the ExecuteAndWait interceptor fails. Since our original code was quite complex I wrote a simpler one below which demonstrates the exact same behavior.
> The simple action is shown here:
> {noformat}
> package com.sentrylink.web.actions;
>
> import java.util.concurrent.TimeUnit;
> import org.apache.struts2.convention.annotation.InterceptorRef;
> import org.apache.struts2.convention.annotation.InterceptorRefs;
> import org.apache.struts2.convention.annotation.Result;
> import org.apache.struts2.convention.annotation.Results;
> import com.opensymphony.xwork2.ActionSupport;
>
> @SuppressWarnings("serial")
> @Results({
>     @Result(name="wait", location="/"),
>     @Result(name=ActionSupport.SUCCESS, location="/WEB-INF/content/messagePage.jsp"),
> })
> @InterceptorRefs({
>     @InterceptorRef("webStack"),
>     @InterceptorRef("execAndWait")
> })
> public class TestExecuteAndWait extends ActionSupport {
>     public String execute() throws Exception {
>         // long-running work, so the "wait" result is rendered while this runs in the background
>         TimeUnit.SECONDS.sleep(10);
>         return SUCCESS;
>     }
> }
> {noformat}
> Running this gives
> {noformat}
> WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait for session 74CDB9F8D00BBC697030AFC6978E94F6
> java.io.NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
> {noformat}
> Removing the ExecuteAndWait interceptor fixes the issue.
> According to [~yasser.zamani] in WW-4873: I reviewed {{ExecuteAndWaitInterceptor}} and it seems to have this bug when the session is serialized in the middle of a background process.
-- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (WW-4900) NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
[ https://issues.apache.org/jira/browse/WW-4900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16287770#comment-16287770 ] Erica Kane commented on WW-4900:
Hi, after several days of working on this I wanted to make a comment. You will likely be able to fix the problem with this simple Action quite easily, as it is similar to a previous issue where the Container was stored unnecessarily and there is an existing workaround. However, for more complex Actions this is a harder problem. The Action itself is stored in session. Even after going through and ensuring that my (real) Action was Serializable, I ran into problems with Struts interfaces such as (but not limited to) ServletRequestAware.

> NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
>
> Key: WW-4900
> URL: https://issues.apache.org/jira/browse/WW-4900
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.14.1
> Reporter: Erica Kane
> Assignee: Yasser Zamani
> Fix For: 2.5.15
>
> We are running Struts 2.5.14.1 and working on externalizing Tomcat session state. This requires Serializable sessions. However, our Action with the ExecuteAndWait interceptor fails. Since our original code was quite complex I wrote a simpler one below which demonstrates the exact same behavior.
> The simple action is shown here:
> {noformat}
> package com.sentrylink.web.actions;
>
> import java.util.concurrent.TimeUnit;
> import org.apache.struts2.convention.annotation.InterceptorRef;
> import org.apache.struts2.convention.annotation.InterceptorRefs;
> import org.apache.struts2.convention.annotation.Result;
> import org.apache.struts2.convention.annotation.Results;
> import com.opensymphony.xwork2.ActionSupport;
>
> @SuppressWarnings("serial")
> @Results({
>     @Result(name="wait", location="/"),
>     @Result(name=ActionSupport.SUCCESS, location="/WEB-INF/content/messagePage.jsp"),
> })
> @InterceptorRefs({
>     @InterceptorRef("webStack"),
>     @InterceptorRef("execAndWait")
> })
> public class TestExecuteAndWait extends ActionSupport {
>     public String execute() throws Exception {
>         // long-running work, so the "wait" result is rendered while this runs in the background
>         TimeUnit.SECONDS.sleep(10);
>         return SUCCESS;
>     }
> }
> {noformat}
> Running this gives
> {noformat}
> WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait for session 74CDB9F8D00BBC697030AFC6978E94F6
> java.io.NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
> {noformat}
> Removing the ExecuteAndWait interceptor fixes the issue.
> According to [~yasser.zamani] in WW-4873: I reviewed {{ExecuteAndWaitInterceptor}} and it seems to have this bug when the session is serialized in the middle of a background process.
-- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Created] (WW-4900) NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
Erica Kane created WW-4900:
--
Summary: NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
Key: WW-4900
URL: https://issues.apache.org/jira/browse/WW-4900
Project: Struts 2
Issue Type: Bug
Reporter: Erica Kane

We are running Struts 2.5.14.1 and working on externalizing Tomcat session state. This requires Serializable sessions. However, our Action with the ExecuteAndWait interceptor fails. Since our original code was quite complex I wrote a simpler one below which demonstrates the exact same behavior.

The simple action is shown here:

    package com.sentrylink.web.actions;

    import java.util.concurrent.TimeUnit;
    import org.apache.struts2.convention.annotation.InterceptorRef;
    import org.apache.struts2.convention.annotation.InterceptorRefs;
    import org.apache.struts2.convention.annotation.Result;
    import org.apache.struts2.convention.annotation.Results;
    import com.opensymphony.xwork2.ActionSupport;

    @SuppressWarnings("serial")
    @Results({
        @Result(name="wait", location="/"),
        @Result(name=ActionSupport.SUCCESS, location="/WEB-INF/content/messagePage.jsp"),
    })
    @InterceptorRefs({
        @InterceptorRef("webStack"),
        @InterceptorRef("execAndWait")
    })
    public class TestExecuteAndWait extends ActionSupport {
        public String execute() throws Exception {
            // long-running work, so the "wait" result is rendered while this runs in the background
            TimeUnit.SECONDS.sleep(10);
            return SUCCESS;
        }
    }

Running this gives

    WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait for session 74CDB9F8D00BBC697030AFC6978E94F6
    java.io.NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector

Removing the ExecuteAndWait interceptor fixes the issue.

According to [~yasser.zamani] in WW-4873: I reviewed {{ExecuteAndWaitInterceptor}} and it seems to have this bug when the session is serialized in the middle of a background process.
-- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (WW-4873) NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
[ https://issues.apache.org/jira/browse/WW-4873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16279077#comment-16279077 ] Erica Kane commented on WW-4873:
We are having a very similar issue with the ExecuteAndWait interceptor, which may be related. It gives us java.io.NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector. I have extensive details posted at [Stack Overflow|https://stackoverflow.com/questions/47660913/struts2-notserializableexception-occurs-with-executeandwaitinterceptor].

> NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
>
> Key: WW-4873
> URL: https://issues.apache.org/jira/browse/WW-4873
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.13
> Reporter: Michael Hum
> Assignee: Yasser Zamani
> Fix For: 2.6
>
> We are attempting to test session replication on our websphere servers but run into the given error when websphere tries to serialize the session.
> {code}
> [10/18/17 10:33:38:094 EDT] 0335 WASSessionE MTMBuffWrapper getBytes write object exception. e= java.io.NotSerializableException: org.apache.struts2.dispatcher.StrutsRequestWrapper
> {code}
> It appears the ActionInvocation stores the ActionContext which stores the offending property: com.opensymphony.xwork2.dispatcher.HttpServletRequest --> StrutsRequestWrapper
> After a little digging we narrowed it down to our use of the TokenSessionStoreInterceptor which stores the value in the session and uses it to redirect the failed request to the original one. Is this intended/expected? Or is there no requirement that the contents in the session be serializable - in which case we would have to look to our own solution.
-- This message was sent by Atlassian JIRA (v6.4.14#64029)
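WW-4873 and WW-4900 are the same failure reached from two interceptors: an object stored whole in the session (an ActionInvocation for the token store, the action and its injected Container for ExecuteAndWait) drags in request-scoped, non-Serializable references, and the container's log names only the leaf class, not how it was reached. Below, as an added example that is not part of either issue or of Struts, is a check to run over session attributes before turning on session persistence or replication: it performs the container's own serialization attempt, and separately walks the object graph to report the field path to the first non-Serializable reference. It also carries the kind of small, fully Serializable status object the WW-4900 comment describes putting in the session instead of the action. Every class in it (`FakeRequestWrapper`, `StoredAction`, `JobStatus`, and so on) is a constructed stand-in, not a Struts type.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;

/** Added example, not Struts code: explain why a session attribute refuses to serialize. */
public final class SessionSerializationCheck {

    // Constructed stand-ins for the chain WW-4873 describes: invocation -> context -> request wrapper.
    static final class FakeRequestWrapper { String uri = "/test-execute-and-wait"; }   // not Serializable
    static final class FakeContext implements Serializable { Object request = new FakeRequestWrapper(); }
    static final class FakeInvocation implements Serializable { FakeContext context = new FakeContext(); }

    /** An action kept whole in the session, as the interceptors on this page keep it. */
    static final class StoredAction implements Serializable {
        String result = "wait";
        FakeInvocation invocation = new FakeInvocation();
    }

    /** The alternative from the WW-4900 comment: a small object holding only what the wait page needs. */
    static final class JobStatus implements Serializable {
        final String jobId;
        volatile int percentDone;
        volatile String resultLocation;   // filled in when the background work finishes
        JobStatus(String jobId) { this.jobId = jobId; }
    }

    /** The authoritative check: exactly what a session-persisting container does with the attribute. */
    public static boolean serializes(Object attribute) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(attribute);
            return true;
        } catch (NotSerializableException e) { return false; }
        catch (IOException e) { throw new IllegalStateException(e); }
    }

    /**
     * Field path to the first non-Serializable object reachable from root, or null if none.
     * Static and transient fields are skipped (serialization skips them); collections and arrays are
     * walked element by element; JDK classes are trusted as leaves so nothing reflects into java.* internals.
     */
    public static String findNonSerializablePath(Object root) {
        Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        return walk(root, "root", seen);
    }

    private static String walk(Object o, String path, Set<Object> seen) {
        if (o == null || !seen.add(o)) return null;              // nulls and cycles are fine
        if (!(o instanceof Serializable)) return path + " (" + o.getClass().getName() + ")";
        if (o instanceof Object[]) o = Arrays.asList((Object[]) o);
        if (o instanceof Collection) {
            int i = 0;
            for (Object e : (Collection<?>) o) {
                String r = walk(e, path + "[" + i++ + "]", seen);
                if (r != null) return r;
            }
            return null;
        }
        if (o instanceof Map) {
            for (Map.Entry<?, ?> e : ((Map<?, ?>) o).entrySet()) {
                String r = walk(e.getValue(), path + "[" + e.getKey() + "]", seen);
                if (r != null) return r;
            }
            return null;
        }
        for (Class<?> k = o.getClass(); k != null && !isJdk(k); k = k.getSuperclass()) {
            for (Field f : k.getDeclaredFields()) {
                int m = f.getModifiers();
                if (Modifier.isStatic(m) || Modifier.isTransient(m) || f.getType().isPrimitive()) continue;
                f.setAccessible(true);
                try {
                    String r = walk(f.get(o), path + "." + f.getName(), seen);
                    if (r != null) return r;
                } catch (IllegalAccessException e) { throw new IllegalStateException(e); }
            }
        }
        return null;
    }

    private static boolean isJdk(Class<?> k) {
        String n = k.getName();
        return n.startsWith("java.") || n.startsWith("javax.") || n.startsWith("jdk.");
    }

    public static void main(String[] args) {
        Object stored = new StoredAction();                         // fails: the chain ends in the wrapper
        System.out.println(serializes(stored) + " " + findNonSerializablePath(stored));
        JobStatus status = new JobStatus("test-execute-and-wait");  // passes: nothing request-scoped inside
        status.percentDone = 40;
        System.out.println(serializes(status) + " " + findNonSerializablePath(status));
    }
}
```

To use it against a live application, iterate `session.getAttributeNames()` in a test or a diagnostic servlet and call both methods on each attribute. Treat `serializes` as the verdict and `findNonSerializablePath` as the explanation: a class with a custom `writeObject` or `writeReplace` can serialize even though the walker flags one of its fields, and the walker cannot see inside JDK classes it trusts. The `JobStatus` shape is the point of the WW-4900 comment: the wait page needs an identifier, progress and the eventual result, not the action, its interceptors, its request, or the container that built it.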