RE: DispatchAction and Security

2003-11-14 Thread Vara Prasad Reddy
I think lookupdispatch is definitely better than dispatch.

-Original Message-
From: Robert S. Sfeir [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 9:25 PM
To: Struts Users Mailing List
Subject: Re: DispatchAction and Security


True, but I can at least control the damage, or so it seems.  I know
NOTHING of the LookupDispatchAction; my reaction was in response to a
comment from Tero and the explanation in the API. It looked like it
could be locked down, but perhaps it's a major misconception.

You're right, either way someone malicious will always be able to do
something to hurt a webapp. I'm just digging in to make sure that I'm
not using DispatchAction and causing myself more grief than needed,
which you've adequately answered for me, and I am grateful for it.

Thanks
R

Paul McCulloch wrote:

| I'm not sure that LookupDispatchAction will enable you to lock things down
| any more. If you were to lock down a method by removing the entry from the
| MethodMap then nothing would be able to use that method!
|
| If the user can initiate a call to a method from their browser through a
| page you have created, then they will be able to call the same method (with
| different arguments perhaps) from a page of their own creation.
|
| With web applications I don't think it is ever safe to trust the browser to
| only ever make requests that you are expecting. A malicious user will always
| be able to make an 'illegal' request to your application.
|
| Paul
|
| -Original Message-
| From: Robert S. Sfeir [mailto:[EMAIL PROTECTED]
| Sent: 14 November 2003 15:17
| To: Struts Users Mailing List
| Subject: Re: DispatchAction and Security
|
| Not using LookupDispatchAction, but now that you explain it that way I
| can see how LookupDispatchAction can help me lock things down even more.
| I hadn't realized that and misunderstood the API docs.
|
| I think I'll give this a try.
|
| R
|
| Paananen, Tero wrote:
|
| |>So, only methods which you deliberately implement
| |>with the appropriate signature can be executed
| |>via a dispatch action - you shouldn't be
| |>concerned.
| |
| |
| | You also have to specify the allowed methods and
| | their lookup key in the key method map; see
| | getKeyMethodMap().
| |
| | -TPP
| |
| | -
| | To unsubscribe, e-mail: [EMAIL PROTECTED]
| | For additional commands, e-mail: [EMAIL PROTECTED]
| |


RE: DispatchAction and Security

2003-11-14 Thread Vara Prasad Reddy
How about using LookupDispatchAction in Struts 1.1?

-Original Message-
From: Robert S. Sfeir [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 7:45 PM
To: Struts Users Mailing List
Subject: DispatchAction and Security


Hi,

Been mucking around with why I'd want to use DispatchActions, and I
understand that part, its advantages and disadvantages, and I've read
the many threads explaining all that.  My concern is how the various
methods in the actions are called, and how they pertain to security.

For example, say you have parameter="method" defined, as per the
example, and you pass method="addFoo" in the URL or even as a hidden
field.  Struts will go and look through your action, see that addFoo
exists and do the processing.  All is fine so far.  However, what if
someone decides to just type in the URL method="getServlet", and
getServlet() is a public method in Action, which DispatchAction extends,
or decides to type execute (which is not as much of a concern)? Will
using DispatchAction honor the call to getServlet or any other public
method in the DispatchAction or Action classes?

Is there an easy way, besides extending the RequestProcessor (which is
not hard of course), to add a value to the parameter passed to the
DispatchAction?  What I mean is that if I specify method="addFoo", I
want to add a string to my parameter value (the one specified for
DispatchAction) so that before my action is processed and tries to resolve
addFoo(), I can add param_ so that it will look for the param_addFoo method.
If I can do that, then anyone trying to make a call to execute,
getServlet or anything like that will cause the process to look for
param_execute() or param_getServlet(), neither of which exists of
course, hence locking down the app some more.

Perhaps this shouldn't even be a concern?

Thanks for any input you can provide.

R

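A defensive version of the lock-down idea discussed in this thread (restricting dispatch to an explicit set of method names, as LookupDispatchAction's key/method map does and as the param_ prefix above aims at), written as an added example; it is not Struts code and was not posted in the thread. It assumes Struts 1.1's DispatchAction, where the protected dispatchMethod() hook performs the reflective lookup and unspecified() handles a missing parameter; the class name FooDispatchAction, the method names addFoo/deleteFoo and the forward name "success" are made up.

```java
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Hypothetical DispatchAction subclass (added example, not Struts code).
 * The "method" request parameter is checked against an explicit allow-list
 * before DispatchAction's reflective getMethod() lookup runs, so a request
 * naming "execute", "getServlet" or any other public method is refused.
 */
public class FooDispatchAction extends DispatchAction {
    private static final Log LOG = LogFactory.getLog(FooDispatchAction.class);

    // The only names a request may dispatch to (assumed method names).
    private static final List ALLOWED = Arrays.asList(new String[] { "addFoo", "deleteFoo" });

    protected ActionForward dispatchMethod(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, String name)
            throws Exception {
        if (name == null) {
            // Parameter absent: keep DispatchAction's own unspecified() behaviour.
            return unspecified(mapping, form, request, response);
        }
        if (!ALLOWED.contains(name)) {
            // Refuse and log the attempt; the name never reaches reflection.
            LOG.warn("Rejected dispatch to '" + name + "' from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }
        return super.dispatchMethod(mapping, form, request, response, name);
    }

    public ActionForward addFoo(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success"); // real work omitted
    }

    public ActionForward deleteFoo(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success");
    }
}
```

Because the check happens before reflection, a rejected name is logged and answered with 400 rather than reaching getMethod(), and adding a new dispatchable method means adding it to ALLOWED as well.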



RE: validwhen

2003-11-13 Thread Vara Prasad Reddy
As I understood, validwhen is only on the server side. There will not be any
JavaScript validations.

-Original Message-
From: sumeet sharma [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 1:08 PM
To: [EMAIL PROTECTED]
Subject: validwhen


Hi,
Has anyone used the validwhen validator rule? When I am using it, it is not
doing anything; it is making empty validate JavaScript methods and no
validations are being called.
Thanks in advance.

cheers,
Sumeet



Struts Validator + Cross Locale Validations.

2003-11-11 Thread Vara Prasad Reddy
Using the Struts validator, how can I do cross-locale validations?

Meaning, I want the validation to be done in one locale, but the error
message should be from another locale.

Example: the validation should be according to the de-DE locale, but the error
message should be in en-CA.

Thanks in Advance,
Vara Prasad



validwhen + struts 1.1

2003-11-06 Thread Vara Prasad Reddy
I am currently using Struts 1.1. Is there a way I can use the "validwhen"
functionality of the upcoming Struts 1.2?

Something like taking only the class files of validwhen and using them
along with Struts 1.1.

Can someone give me details on this?

Thanks in advance
Vara Prasad


RE: i18N tag lib and struts

2003-11-03 Thread Vara Prasad Reddy
Meaning, do I need to use the i18N tag lib at all when using Struts?

-Original Message-
From: Vara Prasad Reddy [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 6:39 PM
To: Struts Users Mailing List
Subject: i18N tag lib and struts


Hello everybody:

How useful is the i18N taglib along with Struts 1.1?

- Vara Prasad



i18N tag lib and struts

2003-11-03 Thread Vara Prasad Reddy
Hello everybody:

How useful is the i18N taglib along with Struts 1.1?

- Vara Prasad



RE: Session Times Out

2003-11-03 Thread Vara Prasad Reddy
Hello everybody:

How useful is the i18N taglib along with Struts 1.1?

- Vara Prasad



RE: Indexed Properties + Validator + JavaScript

2003-10-28 Thread Vara Prasad Reddy
Nick

http://www.mail-archive.com/[EMAIL PROTECTED]/msg19122.html

Is this the message you are talking about, or something else?


Vara Prasad

-Original Message-
From: Nicholas L Mohler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 6:38 PM
To: Struts Users Mailing List
Subject: Re: Indexed Properties + Validator + JavaScript

Hi Vara,

I have implemented client-side validations for indexed properties, but I
have done it through custom validators.  Look through the archive for a
thread titled "Validation of Indexed properties".  I describe how I
implemented the client side validations for indexed properties.

Nick

From: "Vara Prasad Reddy" <[EMAIL PROTECTED]bs.net>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: Indexed Properties + Validator + JavaScript
Date: 10/28/2003 07:47 AM
Please respond to "Struts Users Mailing List"

The validations for indexed properties are not fired on the client side,
they are fired on the server side only.

Is there a way I can do that on the client side?

I am working on a PO screen with many line items.

Regards
Vara Prasad




Indexed Properties + Validator + JavaScript

2003-10-28 Thread Vara Prasad Reddy
The validations for indexed properties are not fired on the client side,
they are fired on the server side only.

Is there a way I can do that on the client side?

I am working on a PO screen with many line items.

Regards
Vara Prasad

