Re: [S2] Going nuts with s:set
Roger Varley wrote:
> Hi
> I have this fragment of .jsp code
>
>   <s:iterator value="order.details" status="status">
>     <s:set name="indexValue" value="#status.index" scope="request"/>
>     <s:text name="index"/> <s:property value="#status.index"/>
>     <s:text name="variable"/> <s:property value="#indexValue"/>
>     <!-- Other Stuff here -->
>   </s:iterator>
>
> When this runs I see the text Index and the value of #status.index followed by the text variable but the value of #indexValue is not displayed. What am I doing wrong?

I *still* don't have my head wrapped around when '#' is needed; have you tried <s:property value="#indexValue"/>?

L.
Re: Passing a bean (out of an iteration) to an action
Balsi wrote:
> hi all,
> Wonder if you can help me on that one: I have an iteration over a collection of beans in my jsp site. I iterate on the list and generate a table with a row for each bean. The first attribute of the table is an index (it's the primary key of the record in a database). Now I'd like to do the following: I'd like to display the id as a link and if the user clicks on it I want to open a new site with all the bean's information displayed. Is there a possibility to pass a certain bean with that link? I would like to prevent passing all the attributes over the url...

Pass a bean? No. But you don't have to pass all the attributes, either: just pass the bean's id. Then, you can re-fetch the bean/object from the database using the passed id.

L.
struts 2.0 migration
hello everyone:

I am new to struts but I have a collection of examples and tutorials (I believe for struts 1). I have been reading through these tutorials and now that I am about to start something, I found that struts 2.0 is totally different. For example, there's no struts-html.tld in struts 2.0. In fact there's no any tag lib found. Now, the questions, why is that?? can I use the tutorials for struts 2.0 ? how can I get the missing *.tld files?

Thank you in advance.
Struts2 and spring2 fails, adding RequestContextFilter/Listener doesnt work
Hi

I'm currently evaluating s2 and now trying to get the scope attr work in s2 and spring2. Tried all in the previous post
http://www.nabble.com/Struts2-and-spring2-fails%2C-adding-RequestContextFilter-Listener-doesnt-work.-tf2872182.html#a8031133 scope post
And I still got the same exception.

now I got:

web.xml

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener> <!-- the plugin -->
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener> <!-- for the scope attr -->

and struts.xml

  <constant name="struts.objectFactory" value="spring" />

I wonder if my jar dependencies are incorrect? Currently I include these ones:

  spring-beans-2.0.6
  spring-context-2.0.6
  spring-core-2.0.6
  struts2-spring-plugin-2.0.6

and running s2 2.0.6 core

When running the test action (the action is spring controlled, and injected by other beans) it works, but is it under a web scope?

Exception snippet output:

  [10:39:21,353 DEBUG [XmlConfigurationProvider.debug] Action verification cause org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'hellospring': Scope 'session' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.]

please help me out :) thanks

Regards
Rille
Re: Struts 2.0.6 and Validation
Now it works. Thanks a lot.

  @ExpressionValidator(expression = "(searchParam.keywords != '') && (searchParam.location != '')", message = "Need keywords and location.")

I think there were several problems. First of all my OGNL syntax. I believe the documentation regarding this topic is a little poor. I would like to see more real world examples. The other essential piece of information I was missing was:

> If validation fails the framework will try to bring you back to the input result. You don't appear to have one; this will cause a problem.

I was suspecting something like this, but did not know that the result in case of a validation error is input. I think the online guides for annotations should definitely have examples for this.

Anyway, thanks for the help.

--Hardy
Re: How to submit multiple selection?
I am using struts2, and I've been thinking for this question for days. [s:checkbox] seems won't work. Because it only renders boolean value. Can anyone help?

Alex Wibowo wrote:
> are you using struts 1 ? if so, have a look at html:multibox. basically you will need a collection in your action form (something like List<String> selectedIds = new ArrayList<String>()). for struts 2, i haven't had time to check it yet.. just migrated to Struts 2 a couple days ago :P
>
> On 3/14/07, xushaoxun wrote:
>> For example, i want to get the ids of the selected messages in the forum and delete the selected messages. (Suppose i am the admin). how to achieve this? seems won't work.
>
> --
> Best regards,
> WiB
Re: Lazy loading actions in Struts 2
--- Marco from Balboa wrote:
> I tried following the documentation where they instruct to place the name of the Spring bean in class attribute for the action definition in the struts.xml. I assume this is what you are doing as well, correct?

No :( I wasn't doing that, and when I do I also get the ctor log debug msg. Sorry!!! I guess I've never noticed this because so far I've never had explicit ctors in my Actions. Just out of curiosity, why do you?

> Couldn't this verification be done without actually instantiating the bean and only examining the metadata

Probably.

> more simply skipped and allow for the problem to surface when the action is actually called (maybe via a configuration parameter)?

I suppose you could create a JIRA for this.

d.
Re: struts 2.0 migration
--- [EMAIL PROTECTED] wrote:
> I am new to struts but I have a collection of examples and tutorials (I believe for struts 1). I have been reading through these tutorials and now that I am about to start something, I found that struts 2.0 is totally different. [...] can I use the tutorials for struts 2.0 ?

I think you've answered your own question.

> For example, there's no struts-html.tld in struts 2.0. In fact there's no any tag lib found. Now, the questions, why is that??

The S2 TLD file is contained in the S2 core JAR.

d.
Re: How to submit multiple selection?
--- xushaoxun wrote:
> I am using struts2, and I've been thinking for this question for days. [s:checkbox] seems won't work. Because it only renders boolean value.

Try using the fieldValue attribute of <s:checkbox.../>

For example, if I use:

  <s:checkbox name="user.id" fieldValue="%{user.id}"/>

it renders as:

  <input type="checkbox" name="user.id" value="42" checked="checked" id="confirmTest_user_id"/>
  <input type="hidden" name="__checkbox_user.id" value="42"/>

d.
Fwd: Re: How to change the return of an action ?
Forwarded to user list.

--- Jonatas Gustavo Rodrigues wrote:
> It's ok, but if the return of an action method could be an object, it can provide an implementation like View Handler of JSF. The default handler could be the Struts one, but we could extend or change this code.

http://cwiki.apache.org/WW/jsf-plugin.html

(I don't know anything about JSF, so I have no idea if it does what you're talking about.)

I guess in my opinion returning something other than a String from an Action makes testing, debugging, and configuration more difficult. My idea of (part of) the command pattern (XWork) is to allow trivial mapping from a result to the representation of that result. *That* is the most flexible place to implement something like what you're talking about.

As soon as I'm returning a complex object from an Action I am tied to whatever it is I'm returning (a Tapestry component, a Swing dialog box, whatever). To eliminate that coupling, I return something built-in to the language. Now I can test easily and trivially reconfigure how that result will be represented in a running system.

> Can we replace the StrutsDefaultInvoker ?

That I don't know.

d.
Re: [S2] Going nuts with s:set
--- Laurie Harper wrote:
> Roger Varley wrote:
>> <s:property value="#indexValue"/>
> have you tried <s:property value="#indexValue"/>?

I'll bet he did ;)

  <s:iterator value="{1, 2, 3, 4, 5}" status="status" id="val">
    <s:set name="idx" value="#status.index"/>
    <li><s:property value="#idx"/> - <s:property value="#val"/></li>
  </s:iterator>

d.
Re: [S2] Going nuts with s:set
Or...

  <s:set name="idx" value="#status.index" scope="request"/>
  [...]
  <s:property value="#request.idx"/>

Which is actually what you asked.

d.
Re: [s2] Datetimepicker not working on non-English?
Can you file a ticket with some more details on your environment (at least the language)?

regards
musachy

On 3/15/07, Petr Blahos wrote:
>> If the field used by the datetimepicker is of type Date, there shouldn't be a problem, if it is a string, the displayFormat will be used to try to parse the date.
>
> This is what I, sort of, expected. However, the field used in showcase--CRUD *IS* java.util.Date and it does not work. (Tried in Firefox2 and MSIE 6)
>
>> By the way if you have some feedback on a better way to do this, now it is a good time (for 2.1.x)
>
> Best regards,
> Petr

--
Hey you! Would you help me to carry the stone? Pink Floyd
Re: Is it possible to get Struts' FilterDispatcher to serve up static files
Take the static content out of .jar, doesn't help the performance? I know that taking the template directory out of jar helps a lot at performance when rendering ui. Doesn't it happen the same with static content?

best,
Felipe

Musachy Barroso wrote:
> I don't think so, if you set it to false, I think you will have to unzip all the dojo, and templates stuff into that folder, which is not desirable (unless you want to use your own version of Dojo)
>
> musachy
>
> On 2/28/07, Tim Azzopardi wrote:
>> I think that the struts2 FAQ is here http://struts.apache.org/2.0.6/docs/faqs.html
>> I couldn't find anything relevant (after 3 mins).
>>
>> But in http://struts.apache.org/2.x/docs/strutsproperties.html i saw this:
>>
>>   ### Used by FilterDispatcher
>>   ### If true then Struts serves static content from inside its jar.
>>   ### If false then the static content must be available at <context_path>/struts
>>   struts.serve.static=true
>>
>> which might help?
>>
>> Musachy Barroso wrote:
>>> Is there a FAQ for S2 somewhere?
>>>
>>> musachy
>>>
>>> On 2/27/07, Musachy Barroso wrote:
>>>> Quoting the doc:
>>>>
>>>> Common static content that is needed by the framework (JavaScript and CSS files, etc.) is served automatically by the FilterDispatcher filter. Any request starting with /struts/ denotes that static content is required, and then mapping the value after /struts/ to common packages in Struts 2 and, optionally in the application's class path. By default, the following packages are searched:
>>>>
>>>>   - org.apache.struts2.static
>>>>   - template
>>>>
>>>> Additional packages can be specified by providing a comma separated list to the configuration parameter named packages (configured in web.xml for the FilterDispatcher filter). When specifying additional static content, you should be careful not to expose sensitive configuration information ( i.e. database password).
>>>>
>>>> //I haven't used it myself :)
>>>>
>>>> musachy
>>>>
>>>> On 2/27/07, mraible wrote:
>>>>> I'm using *.html as my default extension, which causes a whole host of issues with Dojo. Regardless, I want to fight through it and see if I can come up with a solution. I noticed that FilterDispatcher allows you to serve up static files from the classpath. Is it possible to configure this same filter so it can serve up static .html files from a static directory in my webapp root?
>>>>>
>>>>> Thanks,
>>>>> Matt
Re: Lazy loading actions in Struts 2
Spring generally requires that the no-arg constructor be accessible. It ought to be unless you explicitly override it in your class and mark it private.

The only time I care about the instantiation of beans at startup is during development, where a quick application restart is helpful. When I am working on a piece of functionality, particularly one that involves interaction between the actions and the gui, I find myself restarting the application fairly frequently. In my case, I have connections to multiple databases and some other very expensive resources that I am allowing Spring to create and inject into the action objects. It would be a great timesaver during development if only the stuff that I am using gets instantiated.

It looks like you are correct and my only alternatives are to submit a JIRA or try to fix it myself. Any other ideas out there?

Thanks,
Marco
Re: Lazy loading actions in Struts 2
--- Marco from Balboa wrote:
> In my case, I have connections to multiple databases and some other very expensive resources that I am allowing Spring to create and inject into the action objects.

Do you need to define them (the actions) in the context file? For instance, I am (currently) autowiring by name, so I currently don't have any action classes defined in any of my Spring context files.

d.
Re: [S2] Going nuts with s:set
>   <s:set name="idx" value="#status.index" scope="request"/>
>   [...]
>   <s:property value="#request.idx"/>
>
> Which is actually what you asked.

Doh! Thanks very much. It was the #request. bit I was missing. I also didn't realise that I could specify the values that s:iterator uses! Are there any in-depth tutorials out there or books in the pipeline, 'cos I'd never have got that from the Struts2 site.

Regards
Roger
Re: Lazy loading actions in Struts 2
Marco

you may have a concurrency problem as by the time the action is invoked the DataSource bean *should have been* already created

with regards to Spring Beans you can set lazy-init in ApplicationContext.xml to false to both alloc and instantiate the bean straight off

  <bean id="beanid" class="fullPackageNameOfClass" lazy-init="false">
    <property name="dataSource" ref="dataSource"/>
  </bean>

M--
RE: initialize java form bean
Ok. Thanks. Will try it out tonight.

-Original Message-
From: Harring Figueiredo
Sent: Wednesday, March 14, 2007 4:26 PM
To: Struts Users Mailing List
Subject: Re: initialize java form bean

> Try
>
>   <action name="SomeAction" class="com.some.path.to.youAction">
>     <param name="nameOfAttribute">Value you want</param>
>   </action>
>
> Make sure your action has the method that match accessors for the attribute. In the case above, you need
>
>   public void setNameOfAttribute(String va) { this.nameOfAttribute = va; }
>
> Hope this helps.
>
> Harring
>
> On 3/14/07, Lim Hock-Chai wrote:
>> is there a way to set a property of a java form bean from struts-config.xml? I try to use set-property and it is not working.
Re: How to session attributes Struts 2.0.6
Have your action implement SessionAware, and give it a setter of the form:

  public void setSession(Map session);

You can then add things to this map, and they will be added into the session. Then you can access them in your JSP like this:

  <s:property value="#session['NAME']"/>

See these pages for more details:

http://struts.apache.org/2.0.6/docs/how-do-we-get-access-to-the-session.html
http://struts.apache.org/2.0.6/docs/application-session-request-objects-in-jsp.html
Struts2, JSF, Tiles
In my S2 actions I set the result 'type' = jsf. The instructions do not seem to cover using both JSF and Tiles. How do I integrate Tiles with my Struts2-rendered jsf pages? Do I need to use the packages and instructions from MyFaces to do this?

Thanks,
Ray Clough
Re: Need Help -Urgent
Sorry dave. I am not getting you. Could you elaborate little more. or give me some examples.

On 3/14/07, Dave Newton wrote:
> --- Sachin wrote:
>> yes dave. You are right. Map is containing all the form data. how can i resolve this ?
>
> Don't put all the form data in the link? For example, you could use just the saved object's ID and retrieve the object from the DB.
>
> d.

--
Satheesh.C
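The approach suggested in the reply quoted above, and in the "Passing a bean (out of an iteration) to an action" thread earlier on this page (put only the record's id in the link and re-fetch the object on the server), shown as an added example that is not code from either thread. The class, the in-memory map standing in for the database, the `owner` field, the `user` session key and the `notfound` result name are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example; every class, field and result name here is hypothetical.
// A Struts 2 action may be a plain class: the framework calls the setters,
// then execute(), and maps the returned String to a result in struts.xml.
public class ViewRecordAction {

    // Constructed sample record. "owner" is an assumed access-control field.
    public static final class Record {
        public final long id;
        public final String owner;
        public final String description;

        Record(long id, String owner, String description) {
            this.id = id;
            this.owner = owner;
            this.description = description;
        }
    }

    // Stand-in for the database; a real action would query a DAO by primary key.
    static final Map<Long, Record> STORE = new HashMap<>();
    static {
        STORE.put(42L, new Record(42L, "alice", "alice's order"));
        STORE.put(43L, new Record(43L, "bob", "bob's order"));
    }

    private String id;                    // raw value from the link, e.g. view.action?id=42
    private Map<String, Object> session;  // supplied by the framework, not by the request
    private Record record;                // what the result page renders

    // Populated from the request parameter "id"; kept as a String so that
    // malformed input is handled here instead of by type conversion.
    public void setId(String id) {
        this.id = id;
    }

    // Same shape as the SessionAware setter described elsewhere on this page;
    // a deployed action would also declare "implements SessionAware".
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    public Record getRecord() {
        return record;
    }

    public String execute() {
        long key;
        try {
            key = Long.parseLong(id);     // also rejects a missing (null) id
        } catch (NumberFormatException e) {
            return "input";
        }
        Object user = (session == null) ? null : session.get("user");
        Record found = STORE.get(key);    // re-fetch by id, as the replies suggest
        // The id is client-controlled: return one result for "no such record"
        // and "not yours" so that the response does not reveal which ids exist.
        if (found == null || !found.owner.equals(user)) {
            return "notfound";
        }
        record = found;
        return "success";
    }

    // Simulates what the framework does for one request.
    static String run(String id, String user) {
        ViewRecordAction action = new ViewRecordAction();
        Map<String, Object> session = new HashMap<>();
        if (user != null) {
            session.put("user", user);
        }
        action.setSession(session);
        action.setId(id);
        return action.execute();
    }

    public static void main(String[] args) {
        System.out.println(run("42", "alice"));     // own record
        System.out.println(run("43", "alice"));     // someone else's record
        System.out.println(run("42abc", "alice"));  // malformed id
        System.out.println(run("42", null));        // no logged-in user
    }
}
```

Because execute() returns a plain String, the four cases in main() can be checked without a servlet container.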
Re: Revising user input
Chris;

Thanks for the reply - I took the session-based form approach, which worked fine.

Another issue - I wish to allow users to modify content to records saved to the database, by loading up the same (or identical ) form referenced below with a saved record and allow for modifications. I do this in an action which retrieves the record from the datastore, saving the record in a request attribute, and displaying the values in the form by setting the value attribute of the html:input tags as follows:

  <html:text property="name" value="${modrecord.name}"/>

The data displays correctly, but when making modifications and passing the result thru validation, when validation fails for any reason the data in the input fields disappear.

Is there a (better) way to present data in a form for modification, allow updates and to have validation work without clearing the input fields?

Thanks and regards,
--Chris

[EMAIL PROTECTED] 3/14/2007 12:24:03 PM
> Chris,
>
> Christopher Becker wrote:
>> A simple javascript:back() approach is not feasible (nor desirable) [...]
>> [snip]
>> Could someone provide insight on the best approach to allow for re-display (and re-validation) of form content? Any guidance would be appreciated... thanks!
>
> You have three obvious options. I'm sure there are others.
>
> 1. Use a session-based form, and then just use a link back to the form display. (Remember to remove the form from the session when you're done, just to keep things tidy).
>
> 2. Create a link back to your form display and put every form field value into the URL parameters. Something like:
>
>   <a href="/myform.do?firstName=Chris&lastName=Becker&gender=M...">edit</a>
>
> 3. Use a form to POST back to the original for display:
>
>   <form action="/myform.do" method="post">
>     <input type="hidden" name="firstName" value="Chris" />
>     <input type="hidden" name="LastName" value="Becker" />
>     <input type="hidden" name="gender" value="M" />
>     ...
>     <input type="submit" value="Edit" />
>   </form>
>
> Of course, 2 and 3 are really the same technique done in different ways. If you have a lot of form elements, you might want to use the form-based solution to avoid URLs that are potentially too long for the server (or just ugly to you).
>
> Hope that helps,
> -chris
EL expression in html:form action
I'm getting the cannot retrieve mapping for action error when using EL expression in the action attribute of html:form tag. See below.

AcctContact.jsp
==
  <html:form action="AcctContact${contactType}Action">
    . . .
  </html:form>

struts-config.xml
==
  <action path="/AcctContactBILAction" type="com.factor8th.i5.AcctContactAction" name="AcctContactBILForm" scope="request" validate="true" input="/AcctContact.jsp">
    . . .
  </action>

Error
==
  ERROR - ServletException in '/AcctContact.jsp': Cannot retrieve mapping for action /AcctContactAction
  javax.servlet.ServletException: Cannot retrieve mapping for action /AcctContactAction
      at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:495)
      at org.apache.jsp.AcctContact_jsp._jspService(AcctContact_jsp.java:245)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:92)
How do you provide a Map from the application scope for the list of a s:select
How do you provide a Map from the application scope for the list of a s:select. I keep getting the following error

  The requested list key 'referenceLookup.idQuestionOptions' could not be resolved as a collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]
Re: How do you provide a Map from the application scope for the list of a s:select
I do have the same problem. But my map does not come from app-context. The error is the same:

  tag 'select', field 'list', name 'country': The requested list key 'countryMap' could not be resolved as a collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]

my action-code:

--- code ---
  public Map getCountryMap() {
      return Constants.getCountryMap();
  }
--- code ---

my jspx code:

--- code ---
  <s:select label="%{getText('profile.country')}" name="country" headerKey="-1" headerValue="%{getText('profile.selectcountry')}" list="countryMap" value="countryCode" required="true"/>
--- code ---

On Thursday, 15 March 2007, David Harland wrote:
> How do you provide a Map from the application scope for the list of a s:select. I keep getting the following error
>
>   The requested list key 'referenceLookup.idQuestionOptions' could not be resolved as a collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]
Re: Lazy loading actions in Struts 2
Martin,

Wouldn't your suggestion ensure that all the action beans and their dependencies (like database connections) get instantiated when the application gets loaded? This is the situation that I am seeking to avoid. If the dependencies are set up right, Spring will make sure that the datasource is instantiated before any other object that depends on it directly or indirectly.

I did a crude little experiment. I replaced the implementation of the method verifyAction() in the class XmlConfigurationProvider in the xwork-2.0.1.jar to always return true. This is the method that checks the action classes to verify that the no-arg constructor is available and public. I am now getting the effect that I was looking for. Not very satisfying, but unless there is some other option out there, it will have to do until the code base is updated.

Marco

Martin Gainty wrote:

Marco, you may have a concurrency problem, as by the time the action is invoked the DataSource bean *should have been* already created. With regards to Spring Beans, you can set lazy-init in ApplicationContext.xml to false to both alloc and instantiate the bean straight off:

    <bean id="beanid" class="fullPackageNameOfClass" lazy-init="false">
        <property name="dataSource" ref="dataSource"/>
    </bean>

M--

----- Original Message -----
From: Marco from Balboa [EMAIL PROTECTED]
To: user@struts.apache.org
Sent: Thursday, March 15, 2007 9:28 AM
Subject: Re: Lazy loading actions in Struts 2

Spring generally requires that the no-arg constructor be accessible. It ought to be unless you explicitly override it in your class and mark it private.

The only time I care about the instantiation of beans at startup is during development, where a quick application restart is helpful. When I am working on a piece of functionality, particularly one that involves interaction between the actions and the gui, I find myself restarting the application fairly frequently. In my case, I have connections to multiple databases and some other very expensive resources that I am allowing Spring to create and inject into the action objects. It would be a great timesaver during development if only the stuff that I am using gets instantiated.

It looks like you are correct and my only alternatives are to submit a JIRA or try to fix it myself. Any other ideas out there?

Thanks,
Marco

Dave Newton-4 wrote:

--- Marco from Balboa [EMAIL PROTECTED] wrote:

I tried following the documentation where they instruct to place the name of the Spring bean in class attribute for the action definition in the struts.xml. I assume this is what you are doing as well, correct?

No :( I wasn't doing that, and when I do I also get the ctor log debug msg. Sorry!!! I guess I've never noticed this because so far I've never had explicit ctors in my Actions. Just out of curiosity, why do you?

Couldn't this verification be done without actually instantiating the bean and only examining the metadata

Probably.

more simply skipped and allow for the problem to surface when the action is actually called (maybe via a configuration parameter)?

I suppose you could create a JIRA for this.

d.

View this message in context: http://www.nabble.com/Lazy-loading-actions-in-Struts-2-tf3404803.html#a9494446

View this message in context: http://www.nabble.com/Lazy-loading-actions-in-Struts-2-tf3404803.html#a9497636
Re: Cross site scripting issue
rapsy wrote:

I am trying to find a best solution to prevent Cross site scripting attacks.

Aren't we all. The best suggestion I've found is in the first comment on http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html

Basically the suggestion is to Tagsoup parse into XHTML in order to filter and allow through only safe content. White lists are much safer than black lists. That is basically what I've implemented, but it's still not enough, as I mention in the last comment there. Any suggestions on that next step?

Doing this correctly means ensuring that my whitelists are accurate and safe. For example, it seems nice to allow style attributes, but is that safe? In order to allow css, maybe class attributes should be allowed, but are id attributes necessary? Don't I then have to worry about using any of those ajax without javascript .js libraries? Because of those are there specific class attribute values I should disallow?

It is clear that this filter is insufficient. For example, I want to allow links, so href must be allowed in <a/> tags, but clearly I don't want to allow that to be used as a way to trigger javascript so I must explicitly check the content of this attribute. That brings us right back to an ad-hoc collection of unescapeHtml/indexOf searches (for script, eval, etc.). This seems sloppy and unless carefully maintained likely to lead to XSS vulnerabilities for my users...

Is there an obvious next step that I'm missing? Does anyone have available a table of safe tag/attribute combinations? This seems like someplace where I'd rather trust someone with more knowledge/experience than myself. Have only black-hats focused on this problem? Seems ripe ground for a good open-source (white-hat) tool...

-Dale
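One way to handle the case raised above, where an allowed attribute such as href still needs its value checked: decide by allowlist on the URL scheme instead of searching the value for script or eval. This is an added example, not code from the thread or from any project mentioned in it; the tag table, the scheme list and all class and method names are assumptions, and it expects elements whose attribute values a parser such as TagSoup has already entity-decoded.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example: allowlist check for elements already produced by an HTML parser. */
public class AttributeAllowlist {

    // Assumed, illustrative policy (not a vetted table): tag -> attributes permitted on it.
    // style, id, class and every on* handler are absent, so they are dropped by default.
    private static final Map<String, Set<String>> ALLOWED_TAGS = new HashMap<>();
    static {
        ALLOWED_TAGS.put("a", setOf("href", "title"));
        ALLOWED_TAGS.put("p", setOf());
        ALLOWED_TAGS.put("b", setOf());
        ALLOWED_TAGS.put("i", setOf());
        ALLOWED_TAGS.put("ul", setOf());
        ALLOWED_TAGS.put("li", setOf());
    }

    // Attributes whose value is a URL and so needs a scheme check as well.
    private static final Set<String> URL_ATTRIBUTES = setOf("href");

    // Schemes a link may carry; every other scheme is refused rather than pattern-matched.
    private static final Set<String> SAFE_SCHEMES = setOf("http", "https", "mailto");

    private static Set<String> setOf(String... items) {
        return Collections.unmodifiableSet(new HashSet<>(Arrays.asList(items)));
    }

    /** Returns the attributes that survive the policy, or null if the element is not allowed. */
    static Map<String, String> filter(String tag, Map<String, String> attributes) {
        Set<String> permitted = ALLOWED_TAGS.get(tag.toLowerCase(Locale.ROOT));
        if (permitted == null) {
            return null;
        }
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (!permitted.contains(name)) {
                continue; // attribute not in the table for this tag
            }
            if (URL_ATTRIBUTES.contains(name) && !isSafeUrl(e.getValue())) {
                continue; // URL attribute with a scheme outside the allowlist
            }
            kept.put(name, e.getValue());
        }
        return kept;
    }

    /** True for relative references and for absolute URLs whose scheme is allowlisted. */
    static boolean isSafeUrl(String value) {
        if (value == null) {
            return false;
        }
        // Browsers ignore tabs, newlines and leading control characters when they read
        // the scheme, so drop every control character and space before looking at it.
        StringBuilder cleaned = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c > 0x20 && c != 0x7f) {
                cleaned.append(c);
            }
        }
        for (int i = 0; i < cleaned.length(); i++) {
            char c = cleaned.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                return true; // path, query or fragment starts first: relative reference
            }
            if (c == ':') {
                String scheme = cleaned.substring(0, i).toLowerCase(Locale.ROOT);
                return SAFE_SCHEMES.contains(scheme);
            }
        }
        return true; // no colon at all: relative reference
    }

    public static void main(String[] args) {
        // Constructed samples, shaped as a parser would hand them over.
        Map<String, String> link = new LinkedHashMap<>();
        link.put("href", "/orders/view.action?id=7");
        link.put("onclick", "doSomething()");
        link.put("style", "color:red");
        System.out.println("a (relative link): " + filter("a", link));

        Map<String, String> scripted = new LinkedHashMap<>();
        scripted.put("HREF", "Java\tScript:void(0)");
        scripted.put("title", "more");
        System.out.println("A (script scheme): " + filter("A", scripted));
        System.out.println("script element:    " + filter("script", scripted));
        System.out.println("https URL safe?    " + isSafeUrl("https://struts.apache.org/"));
        System.out.println("data URL safe?     " + isSafeUrl("data:text/html,x"));
    }
}
```

Because the decision is made on the scheme alone, there is no list of dangerous words to maintain; widening the policy means adding an entry to one of the three tables.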
Re: How do you provide a Map from the application scope for the list of a s:select
--- Piero Sartini wrote:

return Constants.getCountryMap();

What does Constants.getCountryMap() return? I've never seen any issues populating an <s:select .../> from a map.

d.
Re: Lazy loading actions in Struts 2
I think a worthwhile enhancement would be the ability to enable/disable the verify action behavior in struts.properties/struts.xml. Please file a JIRA ticket.

Thanks,
Don

On 3/15/07, Marco from Balboa [EMAIL PROTECTED] wrote:

Martin,

Wouldn't your suggestion ensure that all the action beans and their dependencies (like database connections) get instantiated when the application gets loaded? This is the situation that I am seeking to avoid. If the dependencies are set up right, Spring will make sure that the datasource is instantiated before any other object that depends on it directly or indirectly.

I did a crude little experiment. I replaced the implementation of the method verifyAction() in the class XmlConfigurationProvider in the xwork-2.0.1.jar to always return true. This is the method that checks the action classes to verify that the no-arg constructor is available and public. I am now getting the effect that I was looking for. Not very satisfying, but unless there is some other option out there, it will have to do until the code base is updated.

Marco

Martin Gainty wrote:

Marco, you may have a concurrency problem, as by the time the action is invoked the DataSource bean *should have been* already created. With regards to Spring Beans, you can set lazy-init in ApplicationContext.xml to false to both alloc and instantiate the bean straight off:

    <bean id="beanid" class="fullPackageNameOfClass" lazy-init="false">
        <property name="dataSource" ref="dataSource"/>
    </bean>

M--
Session Management
All,

I have a couple of questions while designing a web app using Struts. My application uses HttpSession variables.

1. How do we handle a user from opening duplicate sessions? Like if a user is already logged in, if he/she tries to log in again, the system should mention that the user is already logged in. How do we do that?
2. Also, back buttons. Back buttons shouldn't display anything [like no data] should appear when user clicks back button.

How to handle these two situations? Need suggestions.

Thanks,
Maya
RE: How do you provide a Map from the application scope for the list of a s:select
We are running struts 1 and 2 in parallel. Struts 1 is putting the Map into application scope. A jsp running in struts 2 using struts 2 tags is trying to use this map to populate a select. Do I have to copy the map into the action for it to work? That seems a bit of a waste of time.

-----Original Message-----
From: David Harland [mailto:[EMAIL PROTECTED]
Sent: 15 March 2007 15:17
To: user@struts.apache.org
Subject: How do you provide a Map from the application scope for the list of a s:select

How do you provide a Map from the application scope for the list of a s:select? I keep getting the following error:

The requested list key 'referenceLookup.idQuestionOptions' could not be resolved as a collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]
Re: How do you provide a Map from the application scope for the list of a s:select
On Thursday, 15 March 2007, Dave Newton wrote:

--- Piero Sartini wrote:

return Constants.getCountryMap();

What does Constants.getCountryMap() return?

the map looks like: {de=de, it=it, en=en}
Re: How do you provide a Map from the application scope for the list of a s:select
--- Piero Sartini [EMAIL PROTECTED] wrote:

On Thursday, 15 March 2007, Dave Newton wrote:

--- Piero Sartini wrote:

return Constants.getCountryMap();

What does Constants.getCountryMap() return?

the map looks like: {de=de, it=it, en=en}

No, I want the actual code for the map's construction and retrieval method, because so far I have no idea why it wouldn't work.

d.
RE: How do you provide a Map from the application scope for the list of a s:select
--- David Harland [EMAIL PROTECTED] wrote:

We are running struts 1 and 2 in parallel.

Same webapp I assume?

Struts 1 is putting the Map into application scope. A jsp running in struts 2 using struts 2 tags is trying to use this map to populate a select.

How is it trying to load the map? I missed your JSP fragment. If you are using OGNL to retrieve the map the map needs to be on the OGNL stack, otherwise you could try prefixing the key with the scope you expect it to be in, like #application.theKey

d.
Re: EL expression in html:form action
Lim Hock-Chai wrote:

I'm getting the cannot retrieve mapping for action error when using EL expression in the action attribute of html:form tag. See below.

AcctContact.jsp
===============
<html:form action="AcctContact${contactType}Action">
. . .
</html:form>

struts-config.xml
=================
<action path="/AcctContactBILAction"
        type="com.factor8th.i5.AcctContactAction"
        name="AcctContactBILForm"
        scope="request"
        validate="true"
        input="/AcctContact.jsp">
. . .
</action>

Error
=====
ERROR - ServletException in '/AcctContact.jsp': Cannot retrieve mapping for action /AcctContactAction
javax.servlet.ServletException: Cannot retrieve mapping for action /AcctContactAction
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:495)
    at org.apache.jsp.AcctContact_jsp._jspService(AcctContact_jsp.java:245)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:92)

So contactType is empty or undefined, no? So it's not looking for the mapping you've defined, AcctContactBILAction.

L.
RE: Session Management
maya,

Once a user is logged in session variables are set and your user interface should not display login option...but if you hit back button on browser you will see login option in that case use saveToken now to allow duplicate form submission

Back buttons display thing because form contains it you need to reset it

Regards

-----Original Message-----
From: Maya menon [mailto:[EMAIL PROTECTED]
Sent: 15 March 2007 16:43
To: user@struts.apache.org
Subject: Session Management

All,

I have a couple of questions while designing a web app using Struts. My application uses HttpSession variables.

1. How do we handle a user from opening duplicate sessions? Like if a user is already logged in, if he/she tries to log in again, the system should mention that the user is already logged in. How do we do that?
2. Also, back buttons. Back buttons shouldn't display anything [like no data] should appear when user clicks back button.

How to handle these two situations? Need suggestions.

Thanks,
Maya
RE: How do you provide a Map from the application scope for the list of a s:select
Thanks, that's working a dream. I tried that before, just forgot the #. It is nearly Friday ;)

-----Original Message-----
From: Dave Newton [mailto:[EMAIL PROTECTED]
Sent: 15 March 2007 16:58
To: Struts Users Mailing List
Subject: RE: How do you provide a Map from the application scope for the list of a s:select

--- David Harland [EMAIL PROTECTED] wrote:

We are running struts 1 and 2 in parallel.

Same webapp I assume?

Struts 1 is putting the Map into application scope. A jsp running in struts 2 using struts 2 tags is trying to use this map to populate a select.

How is it trying to load the map? I missed your JSP fragment. If you are using OGNL to retrieve the map the map needs to be on the OGNL stack, otherwise you could try prefixing the key with the scope you expect it to be in, like #application.theKey

d.
RE: Re: EL expression in html:form action
I'm pretty sure that contactType was not empty. It was showing BIL on the screen. contactType is created using jstl's core tag c:set with request scope. I just wonder if EL expression is allowed in html:form's action attribute. Has anybody done this before?

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Laurie Harper
Sent: Thursday, March 15, 2007 12:00 PM
To: user@struts.apache.org
Subject: Re: EL expression in html:form action

Lim Hock-Chai wrote:

I'm getting the cannot retrieve mapping for action error when using EL expression in the action attribute of html:form tag. See below.

AcctContact.jsp
===============
<html:form action="AcctContact${contactType}Action">
. . .
</html:form>

struts-config.xml
=================
<action path="/AcctContactBILAction"
        type="com.factor8th.i5.AcctContactAction"
        name="AcctContactBILForm"
        scope="request"
        validate="true"
        input="/AcctContact.jsp">
. . .
</action>

Error
=====
ERROR - ServletException in '/AcctContact.jsp': Cannot retrieve mapping for action /AcctContactAction
javax.servlet.ServletException: Cannot retrieve mapping for action /AcctContactAction
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:495)
    at org.apache.jsp.AcctContact_jsp._jspService(AcctContact_jsp.java:245)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:92)

So contactType is empty or undefined, no? So it's not looking for the mapping you've defined, AcctContactBILAction.

L.
Re: Lazy loading actions in Struts 2
Don,

I agree. I think it would be even nicer if the verify action procedure did its job without actually instantiating the actions. This is the way it works when Spring is not being used to instantiate actions. The regular ObjectFactory (as opposed to the SpringObjectFactory), simply tries to load the class specified in the configuration file. There is no action object creation involved. Granted that it ought to be more complicated to do the verification for Spring objects, but hopefully there is enough metadata available that you could do it.

I will enter a JIRA ticket.

Marco

Don Brown wrote:

I think a worthwhile enhancement would be the ability to enable/disable the verify action behavior in struts.properties/struts.xml. Please file a JIRA ticket.

Thanks,
Don

On 3/15/07, Marco from Balboa [EMAIL PROTECTED] wrote:

Martin,

Wouldn't your suggestion ensure that all the action beans and their dependencies (like database connections) get instantiated when the application gets loaded? This is the situation that I am seeking to avoid. If the dependencies are set up right, Spring will make sure that the datasource is instantiated before any other object that depends on it directly or indirectly.

I did a crude little experiment. I replaced the implementation of the method verifyAction() in the class XmlConfigurationProvider in the xwork-2.0.1.jar to always return true. This is the method that checks the action classes to verify that the no-arg constructor is available and public. I am now getting the effect that I was looking for. Not very satisfying, but unless there is some other option out there, it will have to do until the code base is updated.
Re: How do you provide a Map from the application scope for the list of a s:select
It's just testing code and does not make much sense, but here we go. I had a list before, so the map is constructed from the list.

--- code ---
// needs java.util.ArrayList, Arrays, HashMap, List and Map
public static List<String> countryCodes = new ArrayList<String>(
        Arrays.asList("de", "en", "it"));
public static Map<String,String> countryMap = null;

// builds the map lazily from the list on first call
public static Map getCountryMap() {
    if (countryMap == null) {
        countryMap = new HashMap<String,String>();
        for (String s : countryCodes) {
            countryMap.put(s, s);
        }
    }
    return countryMap;
}
--- code ---

On Thursday, 15 March 2007, Dave Newton wrote:

--- Piero Sartini [EMAIL PROTECTED] wrote:

On Thursday, 15 March 2007, Dave Newton wrote:

--- Piero Sartini wrote:

return Constants.getCountryMap();

What does Constants.getCountryMap() return?

the map looks like: {de=de, it=it, en=en}

No, I want the actual code for the map's construction and retrieval method, because so far I have no idea why it wouldn't work.

d.
Re: How do you provide a Map from the application scope for the list of a s:select
--- Piero Sartini [EMAIL PROTECTED] wrote:

--- code ---

Are you sure you are using the right Action to reach the JSP? I cannot duplicate the problem with identical code. (I am not using JSPX, although I'm not sure that would matter.)

d.
Patch for ajax/remoteforms/AjaxRemoteForm (Ajax example from Struts-showcase)
Hello All,

I think this error occurs as a result of the

1) ajax/remoteforms/AjaxRemoteForm folder name not being parsed because folder parsing patch wasn't installed in this Struts2 distro
2) there is no AjaxRemoteForm class to be found anywhere and is mapped this way via struts-ajax.xml

    <action name="AjaxRemoteForm" class="org.apache.struts2.showcase.ajax.AjaxTestAction">
        <result>/ajax/AjaxResult3.jsp</result>
    </action>

where both the jsp is on classpath and AjaxTestAction is on classpath.

With regards to deploying Struts2 (specifically Ajax controls) I found this error while referencing AjaxRemoteForm:

There is no Action mapped for action name ajax/remoteforms/AjaxRemoteForm.

So is the patch for folder parsing available?

Thanks,
M-
Re: Patch for ajax/remoteforms/AjaxRemoteForm (Ajax example from Struts-showcase)
Hi Martin,

I'm not sure which patch you are referring to, do you know the jira ticket number?

regards
musachy

On 3/15/07, Martin Gainty [EMAIL PROTECTED] wrote:

Hello All,

I think this error occurs as a result of the

1) ajax/remoteforms/AjaxRemoteForm folder name not being parsed because folder parsing patch wasn't installed in this Struts2 distro
2) there is no AjaxRemoteForm class to be found anywhere and is mapped this way via struts-ajax.xml

    <action name="AjaxRemoteForm" class="org.apache.struts2.showcase.ajax.AjaxTestAction">
        <result>/ajax/AjaxResult3.jsp</result>
    </action>

where both the jsp is on classpath and AjaxTestAction is on classpath.

With regards to deploying Struts2 (specifically Ajax controls) I found this error while referencing AjaxRemoteForm:

There is no Action mapped for action name ajax/remoteforms/AjaxRemoteForm.

So is the patch for folder parsing available?

Thanks,
M-

--
Hey you! Would you help me to carry the stone? Pink Floyd
Java-JSP data sharing mechanisms
When it comes to sharing values between Java and JSP, I see the following conventions used:

1. %foo
2. $foo
3. #foo
4. foo

Is there a one-stop grid that identifies what each of these symbols represent and if/when they are even necessary? I read about OGNL and how prefixing attributes that are to be retrieved from the OG may *not* require a special symbol at all.

I understand JSTL and the four scopes:

1. page
2. request
3. session
4. application

What is the interplay between stashing objects using Java code and subsequent retrieval from JSP? Can Java code interact with OGNL? Are things automatically added/removed from the OG? This is different enough from Struts 1 that it causes confusion.

--
Scott [EMAIL PROTECTED]
Re: Cross site scripting issue
I'm currently working on this problem for a website I'm building. I found this: on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|dow + n|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus| + blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|iv + escript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\ + W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| + [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=. + *\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|she + ll|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)f + older|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|(?:(?:body + \b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[ + |script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|inne + rhtml)|[EMAIL PROTECTED])\b) from a mod_security list archive and am using it as a starting point. I did a couple of searches on myspace security and got a bunch of good leads. I figure they have the most current experience with this. Especially helpful in identifying harmful javascript patterns was the explanation of the myspace samy worm. Good insight. I figure I'll keep modifying regular expressions that are kept in one central class until I can't slip anything through. I know other people are working on this stuff too, they'd have to be. 
Be nice to share some discoveries guys :)

Here is an events filter I did this mornin:

/*
 * events: whitespace eventname = ' javascript '
 *
 * If no ' or , then goto last ) before
 */
private final static String XSS_EVENTS_FILTER =
    "\\s*(on(abort|activate|afterprint|afterupdate))|" +
    "(onbefore(activate|copy|cut|deactivate|editfocus|paste|update|print|unload))|" +
    "(on(blur|cellchange|change|click|contextmenu|controlselect|copy|cut|))|" +
    "(ondata(available|setchanged|setcomplete))|" +
    "(on(dblclick|deactivate))|" +
    "(ondrag|(ondrag(end|enter|leave|over|start)))|" +
    "(on(drop|error|errorupdate|filterchange))|" +
    "(onfocus|(onfocus(in|out)))|" +
    "(on(help|deactivate))|" +
    "(onkey(down|press|up))|" +
    "(on(layoutcomplete|load|losecapture))|" +
    "(on(layoutcomplete|load|losecapture))|" +
    "(onmouse(down|enter|leave|move|out|over|up|wheel|move))|" +
    "(onmove|(onmove(end|start)))|" +
    "(on(page|paste|propertychange|readystatechange|reset|resize))|" +
    "(onresize(end|start))|" +
    "(onrow(enter|exit|delete|sdelete|inserted|sinserted))|" +
    "(on(scroll|select|selectionchange|selectstart|submit|unload))" +
    "\\s*=\\s*((\'.*\')|(\".*\")|(.*\\(.*(;|)))";

If the user is trying to slip js in using whitespace instead of quotes, it defaults to stripping everything including the end of tag. Better me than them!

-Joe

Dale Newfield wrote:

rapsy wrote:

I am trying to find a best solution to prevent Cross site scripting attacks.

Aren't we all. The best suggestion I've found is in the first comment on http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html

Basically the suggestion is to Tagsoup parse into XHTML in order to filter and allow through only safe content. White lists are much safer than black lists. That is basically what I've implemented, but it's still not enough, as I mention in the last comment there. Any suggestions on that next step?

Doing this correctly means ensuring that my whitelists are accurate and safe. For example, it seems nice to allow style attributes, but is that safe?
In order to allow css, maybe class attributes should be allowed, but are id attributes necessary? Don't I then have to worry about using any of those ajax without javascript .js libraries? Because of those are there specific class attribute values I should disallow? It is clear that this filter is insufficient. For example, I want to allow links, so href must be allowed in a/ tags, but clearly I don't want to allow that to be used as a way to
Re: Cross site scripting issue
Sorry, just noticed a problem in that events filter. (;|) in the end should be just in case multiple statements. It's a work in progress :)

-Joe
RE: Cross site scripting issue
That looks interesting, can I add that to my toolkit? One question though: it is a regexp pattern, right? So I assume it's evaluated for every request that comes into the system, isn't it kind of a performance load on the system? But I guess that is the only way to fight XSS.
Re: Java-JSP data sharing mechanisms
Stan--

From what I can see use of Object Graph Notational Language allows Regular Expression evaluations plus Lambda Expressions evaluations

http://cwiki.apache.org/WW/ognl.html

HTH, M--

- Original Message -
From: [EMAIL PROTECTED]
To: Struts Users Mailing List user@struts.apache.org
Sent: Thursday, March 15, 2007 4:04 PM
Subject: Java-JSP data sharing mechanisms

When it comes to sharing values between Java and JSP, I see the following conventions used

1. %foo
2. $foo
3. #foo
4. foo

Is there a one-stop grid that identifies what each of these symbols represent and if/when they are even necessary? I read about OGNL and how prefixing attributes that are to be retrieved from the OG may *not* require a special symbol at all.

I understand JSTL and the four scopes

1. page
2. request
3. session
4. application

What is the interplay between stashing objects using Java code and subsequent retrieval from JSP? Can Java code interact with OGNL? Are things automatically added/removed from the OG?

This is different enough from Struts 1 that it causes confusion.

-- Scott [EMAIL PROTECTED]
Re: Cross site scripting issue
On 3/15/07, Levan Dvalishvili [EMAIL PROTECTED] wrote:
> That looks interesting, can I add that to my toolkit? One question though: it is a regexp pattern, right? So I assume it's evaluated for every request that comes into the system, isn't it kind of a performance load on the system? But I guess that is the only way to fight XSS.

Not really. The best way to fight XSS is to care for the output, not for the input. As long as you write out the user input properly you don't have anything to worry about. Basically the whole discussion is useless, it's sufficient to encode < and > properly :-)

Leon.
Re: Java-JSP data sharing mechanisms
--- [EMAIL PROTECTED] wrote:
> When it comes to sharing values between Java and JSP, I see the following conventions used
> 1. %foo
> 2. $foo
> 3. #foo
> 4. foo
> Is there a one-stop grid that identifies what each of these symbols represent and if/when they are even necessary?

I haven't seen one yet, and I'm still a bit fuzzy on it myself. I (sorta) know the following:

- Action properties do not need escaping and may be accessed via their name, like:

  <s:property value="anActionVarExposedViaGetter"/>

  or

  <s:textarea name="anotherDifferentProperty"/>

- Vars defined in the JSP, like:

  <s:iterator list="fooList" id="foo">
    <s:property value="#foo.propertyOfFoo"/>
  </s:iterator>

  ...although in this case you could also just say:

  <s:property value="propertyOfFoo"/>

  because <s:iterator.../> puts each element on the top of the stack.

- Things that are put on the OGNL stack by the framework are also available to JSTL via ${...}, the old JSP EL, so you could say: ${anActionProperty} to save time. It has been noted that some people don't like mixing the ELs, but for me this is a big win for JSP readability.

- %{} I *think* is just an OGNL EL escape, but I am still pretty lost when it comes to understanding when I should/need to use %{} vs. #{}. I'm pretty sure you always need it around, say, a method call.

- You left out @, which to be honest I haven't tried for awhile, so it might have changed, but it let(s) you access static vars/methods.

> 1. page
> 2. request
> 3. session
> 4. application
> What is the interplay between stashing objects using Java code and subsequent retrieval from JSP?

Scoping works the same way; see below.

> Can Java code interact with OGNL?

Yes, the value stack is available to Java code.

> Are things automatically added/removed from the OG?

*Some* things are, like the current Action and maps representing the normal four scopes, so you can access, say, request-scoped vars via #request.varKey, application-scoped vars via #application.varKey, etc.

That's all I know so far, and I still find myself throwing various EL variations in some situations until the moon is full and the pixies deem me worthy to run my JSP.

Hmm, hopefully most of the stuff I just wrote is right :/

d.
Re: Cross site scripting issue
I hear this all the time, am I missing something? What if you want the user to be able to input all kinds of markup to be redisplayed:

<div style="color:#ff000;"> <a href="http://somewhere.com">somewhere</a> </div>

At some point this makes it back into the page so the browser can render it. If this discussion is useless, I am severely misguided and probably wasting time.

-Joe
Best Practices for reusability?
I'm working on a large and complex web application. One of the things that bothers me is a WizardAction with one ActionForm working on multiple JSP pages. All of these JSP pages have hardcoded action URLs that map to struts actions. I'd like to re-use several JSP pages from this wizard in another wizard but it is difficult because of hardcoded action URLs and wizard specific ActionForm being used.

Best practices that I have read recommend that, for clarity and easy maintenance, the strategy for large applications should be to have one-to-one mapping between JSP pages and Action classes. This makes sense and would make it easier to reuse JSP pages in various wizards; however, hardcoded action URLs, correct me if I'm wrong, have to go away.

I can think of two ways I could implement wizards that re-use JSP page with a separate Action and Form.

1) By going to re-used JSP page from two or more different JSP pages and subsequently return to the calling JSP page that implements such wizard. But what is the best way to return collected data?

2) By having dynamic action URLs in re-used JSP pages. Not sure about details yet.

It also seems that Action Chaining described under this link, http://www.javaworld.com/javaworld/jw-09-2004/jw-0913-struts.html?page=4 , may be helpful as well.

Any thoughts or suggestions for implementing wizards with re-usable JSP pages are greatly appreciated!

Andre Piwoni
Re: Cross site scripting issue
--- Joseph McGranaghan wrote:
> [... huge-ass regexp, including...]
> |c(?:hange|lick)|

IANAREW, but... what's with all the weird let's refactor out the first (and/or) last characters of the regexp? This seems like a really slow, really... weird way to deal with XSS.

d.
Re: Cross site scripting issue
Joseph,

Joseph McGranaghan wrote:
> I [hear that worrying about XSS is not worth it] all the time, am I missing something? What if you want the user to be able to input all kinds of markup to be redisplayed:
>
> <div style="color:#ff000;"> <a href="http://somewhere.com">somewhere</a> </div>
>
> At some point this makes it back into the page so the browser can render it. If this discussion is useless, I am severely misguided and probably wasting time.

You have a special case when you /want/ to allow users to use HTML markup. Leon was pointing out that spending a lot of time running all input through an XSS-sanitizer is not worth it.

If you /are/ capturing text you will be using that /can/ contain HTML markup, then cleaning it as it comes in is still a mistake. Let's say you have a bug in your cleansing code. In that case, bad stuff gets into your database where it's hard to root out and fix. If you always run normal output through a '<' and '>' filter, and then always run your HTML output through your XSS cleanser, then you're always okay as long as your XSS cleaner is up-to-date. That is, if you have to make a change to the XSS-cleaner, then all output benefits, instead of having /some/ clean input and some not-so-clean input that you will blindly output at a later time.

I agree with Leon: cleaning input is not usually a good idea. Cleaning output is where the real money is -- from a security and maintainability standpoint.

-chris
RE: Re: EL expression in html:form action
It should work OK if you're using the http://struts.apache.org/tags-html-el taglib.

-Original Message-
From: Lim Hock-Chai [mailto:[EMAIL PROTECTED]
Sent: Friday, 16 March 2007 4:08 AM
To: Struts Users Mailing List
Subject: RE: Re: EL expression in html:form action

I'm pretty sure that contactType was not empty. It was showing BIL on the screen. contactType is created using jstl's core tag c:set with request scope. I just wonder if EL expression is allowed in html:form's action attribute. Has anybody done this before?

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Laurie Harper
Sent: Thursday, March 15, 2007 12:00 PM
To: user@struts.apache.org
Subject: Re: EL expression in html:form action

Lim Hock-Chai wrote:
> I'm getting the cannot retrieve mapping for action error when using EL expression in the action attribute of html:form tag. See below.
>
> AcctContact.jsp
> ==
> <html:form action="AcctContact${contactType}Action">
> . . .
> </html:form>
>
> struts-config.xml
> ==
> <action path="/AcctContactBILAction" type="com.factor8th.i5.AcctContactAction" name="AcctContactBILForm" scope="request" validate="true" input="/AcctContact.jsp">
> . . .
> </action>
>
> Error
> ==
> ERROR - ServletException in '/AcctContact.jsp': Cannot retrieve mapping for action /AcctContactAction
> javax.servlet.ServletException: Cannot retrieve mapping for action /AcctContactAction
>     at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:495)
>     at org.apache.jsp.AcctContact_jsp._jspService(AcctContact_jsp.java:245)
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:92)

So contactType is empty or undefined, no? So it's not looking for the mapping you've defined, AcctContactBILAction.

L.
Re: How to session attributes Struts 2.0.6
Hi,

I implemented the following interface org.apache.struts2.interceptor.SessionAware; hence implemented the public void setSession(Map session) method and did add the following attribute

session.put("NAME","USER1");

and in my jsp I have the following

<s:property value="#session.NAME"/> <br>

It works fine in a normal struts Web Application. But when I did the same in a Portlet Application, the jsp does not print the value. Should I do any additional steps, I was under the impression we can write a portlet as similar to a web application.

After that I tried the following

RenderRequest req = PortletActionContext.getRenderRequest();
PortletSession session1=req.getPortletSession();
session1.setAttribute("NAME","USER1");

but still jsp does not print the session values. Can some one let me know how to proceed on this.

thanks

--- Nate Drake [EMAIL PROTECTED] wrote:
> Have your action implement SessionAware, and give it a setter of the form:
>
> public void setSession(Map session);
>
> You can then add things to this map, and they will be added into the session. Then you can access them in your JSP like this:
>
> <s:property value="#session['NAME']"/>
>
> See these pages for more details:
> http://struts.apache.org/2.0.6/docs/how-do-we-get-access-to-the-session.html
> http://struts.apache.org/2.0.6/docs/application-session-request-objects-in-jsp.html
Forward an action from one action programmatically in Struts 2.0
Hi,

I have a requirement wherein the action has to be forwarded based on certain runtime conditions. The destination will be decided only at runtime.

---
if(Input = Case1 ) forward action1 else forward action2.
---

Basically I want to achieve a simple forward ( requestdispatcher.forward() ) in ActionClass in Struts 2.0. How can we achieve this in Struts 2.0? I don't have any API to achieve this. Any inputs pls?

Regards, Arun
Re: Cross site scripting issue
There are two discussions here that are getting convoluted: WHEN to clean and HOW to clean. I still have yet to find a good comprehensive way to do the latter (more below), but right here I'm responding to the former.

Christopher Schultz wrote:
> If you /are/ capturing text you will be using that /can/ contain HTML markup, then cleaning it as it comes in is still a mistake. Let's say you have a bug in your cleansing code. In that case, bad stuff gets into your database where it's hard to root out and fix.

If that data is hard to find then you haven't cleanly defined your DB schema. WHEN to do the cleaning is not a question of security and maintainability, but a question of amortizing clock cycles to try to get responses out to browsers as quickly as possible. There is no reason to clean the same piece of text with the same algorithm more than once, so why not do it on the input side? If you find a bug in your cleansing code, then once you change it, re-run it ONCE on all the potentially dangerous text blocks. Those should map directly to columns in your DB. If you can't look at your DB schema and tell me which columns are displayed without escaping their contents, then something is wrong.

> I agree with Leon: cleaning input is not usually a good idea. Cleaning output is where the real money is -- from a security and maintainability standpoint.

I'd be happy to change my mind if you can suggest any other reason to re-do that work more frequently than changes to the filtering module / data that backs the filtering module?

The acknowledgment that said algorithm also needs backing data leads us right back to the question of HOW. I believe all filtering efforts will eventually come down to What tags/attributes are OK? (among other critical questions, like What values for attributes are OK?.) (If you're stuck in the what tags/attributes are NOT OK world then we have need of a different discussion: white lists vs black lists.)

So, does anyone have a good list of safe tags/attributes that should be allowed through (assuming the attribute values also pass muster)? For example, here are my (woefully incomplete) lists (plus a crossover table (allowed_xhtml_tag_attribute_map) not shown linking allowable combinations of the two):

allowed_xhtml_tag: a b blockquote br cite del div em font h1 h2 h3 h4 h5 h6 i img ins li ol p pre span strong sub sup table td th tr u ul

allowed_xhtml_attribute: alt border cite class color href name src style title

For example, I already know I need to add caption and tbody to the first table, but I've been delaying more by-hand tweaks in hopes of finding a more systematic way to fill the tables. I've yet to find it. Any suggestions?

-Dale Newfield [EMAIL PROTECTED]

P.S.: the tagsoup parse suggestion is also good because it guarantees that anything you do reflect back to users is valid XHTML (and so won't screw up other parts of your page with illegally nested/unbalanced tags).
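
The parse-then-allowlist filtering described in the message above, as an added example that is not code from any poster or from Struts. It uses Python's standard-library html.parser in place of TagSoup so it runs without dependencies; the tag list is the one posted above, while the per-tag attribute map, the URL scheme list and the omission of style are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tag allowlist exactly as posted in the message above.
ALLOWED_TAGS = frozenset(
    "a b blockquote br cite del div em font h1 h2 h3 h4 h5 h6 i img ins li ol "
    "p pre span strong sub sup table td th tr u ul".split())

# Assumption: the post's tag/attribute crossover table is not shown, so this
# map is hypothetical. "style" is on the posted attribute list but is left out
# here because its values would need a CSS validator of their own.
GLOBAL_ATTRS = {"class", "title"}
TAG_ATTRS = {
    "a": {"href", "name"},
    "img": {"src", "alt", "border"},
    "blockquote": {"cite"}, "del": {"cite"}, "ins": {"cite"},
    "font": {"color"},
    "table": {"border"},
}
URL_ATTRS = {"href", "src", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # assumption of this example
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}           # drop the element and its text
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_is_safe(value):
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    value = value.strip()
    # Control characters inside a URL are never legitimate, so fail closed.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    match = SCHEME_RE.match(value)
    return match is None or match.group(1).lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to emit balanced closing tags
        self.skip = 0         # depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return            # unknown tag dropped, its text is kept escaped
        allowed = GLOBAL_ATTRS | TAG_ATTRS.get(tag, set())
        kept, seen = [], set()
        for name, value in attrs:
            value = value or ""
            if name not in allowed or name in seen:
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            seen.add(name)
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return
        while self.open_tags:          # close anything left open inside it
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                   # flush buffered text
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


# The markup from the thread, plus a constructed input with an event handler.
SAMPLE = '<div style="color:#ff000;"> <a href="http://somewhere.com">somewhere</a> </div>'
SAMPLE_WITH_HANDLER = '<b onclick="x()">bold<i>text</b>'

if __name__ == "__main__":
    print(sanitize(SAMPLE))
    print(sanitize(SAMPLE_WITH_HANDLER))
```

Because the output is rebuilt from parsed events rather than edited in place, comments, declarations and anything not on the lists never reach the page, and the result is balanced even when the input is not.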