Re: Allowing only POST for form submittal ????
Hi Jason, I've heard of Get, Post, Put and Delete, but what are Head, Options and Trave? Jason Lea wrote: Hi Shane, I guess it is so they can have one servlet method per HTTP method The spec includes doGet(), doPost(), doPut(), doDelete(), doHead(), doOptions(), doTrave() HTTP/1.0 has doGet, doPut, doHead. HTTP/1.1 adds the others. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Allowing only POST for form submittal ????
Jason, That makes since about the user (hacker) recreating the form on POSTing. Why the original separation in the Servlet then, any ideas? I would do the check at the top of the action. It seems more flexible than having to put your form actions in a certain area. Thanks. BTW, SecurityFilter is running smoothly :-) -Original Message- From: Jason Lea [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 6:21 PM To: Struts Users Mailing List Subject: Re: Allowing only POST for form submittal Hi Shane, I don't think it really matters. Say you have a hidden field containing an id in your form that is posted back to an action. A user could copy that page to their hard disk, modify the field and then submit it. They would still be POSTing so your action would be happy. You still need to verify the id is ok, or user has permission to access that id. If you had some reason to only allow POSTs then you might be able to check in the action, or I think you can do that with a security contraint in web.xml: allow only POSTs /postonly/*.do GET no-member-role This basically means if someone tries to use GET (eg a normal request to the action) they would have to be a member of the role 'no-member-role'. Since we won't have anyone in this role, nobody can use GET for these actions. All other methods are allowed. -- Jason Lea Bailey, Shane C. wrote: > > > > > I have worked with Struts at a few different companies now and I noticed > none of them try > > to do any checks to see that only POST methods can successfully make it to > Actions > > which handle forms submittals. Struts allows GETs and POSTs to make it to > every Action > > so it seems like this would be something to think about (or maybe not, that > is one reason > > I am asking). > > > > So I guess I have a few questions then: > > > > 1.Shouldn't I worry about (and defend against) which request methods > types (GET, POST, etc.) can make it to which actions? > 2.If so, does Struts have a built in mechanism like path="/whatever" requestMethod="POST"> or if not > 3.Should I be doing something like this at the top of my execute() > method: > > if( ! "POST" == request.getMethod() ){ return > mapping.findForward("failure"); } for Actions which should require a POST > only > > > > > > With #1 I mean should it matter if someone can go to the URL field in the > browser and type in all the field / value pairs for a form > > and hit enter (I am thinking it does matter) compared to HAVING to do a POST > for it to succeed? > > > > I am just thinking back to the Servlet programming days when you put the > form submittal handling code in the doPost() and the > > other code in the doGet() methods. > > > > Any thoughts on this? > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Allowing only POST for form submittal ????
Thought trave couldn't be right. I was just worried whether they would open up more possibilities for crackers, especially since I've list the methods in my web.xml so: LinkLibrary Application /secure/* DELETE GET POST PUT and I just based this on the web.xml from the struts example app years ago. Anyway, I guess it's time to remove the list of http-methods. Thanks Adam Jason Lea wrote: Adam Hardy wrote: Hi Jason, I've heard of Get, Post, Put and Delete, but what are Head, Options and Trave? Oops, should be Trace. as to what they do... Servlet Spec 2.3, 2.1.2 says: The doHead method in HttpServlet is a specialized form of the doGet method that returns only the headers produced by the doGet method. The doOptions method responds with which HTTP methods are supported by the servlet. The doTrace method generates a response containing all instances of the headers sent in the TRACE request. The RFC gives some more details: http://www.ietf.org/rfc/rfc2616.txt - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Allowing only POST for form submittal ????
Adam Hardy wrote: Hi Jason, I've heard of Get, Post, Put and Delete, but what are Head, Options and Trave? Oops, should be Trace. as to what they do... Servlet Spec 2.3, 2.1.2 says: The doHead method in HttpServlet is a specialized form of the doGet method that returns only the headers produced by the doGet method. The doOptions method responds with which HTTP methods are supported by the servlet. The doTrace method generates a response containing all instances of the headers sent in the TRACE request. The RFC gives some more details: http://www.ietf.org/rfc/rfc2616.txt -- Jason Lea Jason Lea wrote: Hi Shane, I guess it is so they can have one servlet method per HTTP method The spec includes doGet(), doPost(), doPut(), doDelete(), doHead(), doOptions(), doTrave() HTTP/1.0 has doGet, doPut, doHead. HTTP/1.1 adds the others. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Allowing only POST for form submittal ????
Hi Shane, I guess it is so they can have one servlet method per HTTP method The spec includes doGet(), doPost(), doPut(), doDelete(), doHead(), doOptions(), doTrave() HTTP/1.0 has doGet, doPut, doHead. HTTP/1.1 adds the others. -- Jason Lea Bailey, Shane C. wrote: Jason, That makes since about the user (hacker) recreating the form on POSTing. Why the original separation in the Servlet then, any ideas? I would do the check at the top of the action. It seems more flexible than having to put your form actions in a certain area. Thanks. BTW, SecurityFilter is running smoothly :-) -Original Message- From: Jason Lea [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 6:21 PM To: Struts Users Mailing List Subject: Re: Allowing only POST for form submittal Hi Shane, I don't think it really matters. Say you have a hidden field containing an id in your form that is posted back to an action. A user could copy that page to their hard disk, modify the field and then submit it. They would still be POSTing so your action would be happy. You still need to verify the id is ok, or user has permission to access that id. If you had some reason to only allow POSTs then you might be able to check in the action, or I think you can do that with a security contraint in web.xml: allow only POSTs /postonly/*.do GET no-member-role This basically means if someone tries to use GET (eg a normal request to the action) they would have to be a member of the role 'no-member-role'. Since we won't have anyone in this role, nobody can use GET for these actions. All other methods are allowed. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Allowing only POST for form submittal ????
Hi Shane, I don't think it really matters. Say you have a hidden field containing an id in your form that is posted back to an action. A user could copy that page to their hard disk, modify the field and then submit it. They would still be POSTing so your action would be happy. You still need to verify the id is ok, or user has permission to access that id. If you had some reason to only allow POSTs then you might be able to check in the action, or I think you can do that with a security contraint in web.xml: allow only POSTs /postonly/*.do GET no-member-role This basically means if someone tries to use GET (eg a normal request to the action) they would have to be a member of the role 'no-member-role'. Since we won't have anyone in this role, nobody can use GET for these actions. All other methods are allowed. -- Jason Lea Bailey, Shane C. wrote: I have worked with Struts at a few different companies now and I noticed none of them try to do any checks to see that only POST methods can successfully make it to Actions which handle forms submittals. Struts allows GETs and POSTs to make it to every Action so it seems like this would be something to think about (or maybe not, that is one reason I am asking). So I guess I have a few questions then: 1. Shouldn't I worry about (and defend against) which request methods types (GET, POST, etc.) can make it to which actions? 2. If so, does Struts have a built in mechanism like path="/whatever" requestMethod="POST"> or if not 3. Should I be doing something like this at the top of my execute() method: if( ! "POST" == request.getMethod() ){ return mapping.findForward("failure"); } for Actions which should require a POST only With #1 I mean should it matter if someone can go to the URL field in the browser and type in all the field / value pairs for a form and hit enter (I am thinking it does matter) compared to HAVING to do a POST for it to succeed? I am just thinking back to the Servlet programming days when you put the form submittal handling code in the doPost() and the other code in the doGet() methods. Any thoughts on this? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]