Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
I think we should simply implement what was mentioned in WW-3631 to solve that potential vulnerability.

Kind regards
--
Łukasz
Mobile +48 606 323 122
Office +27 11 0838747
http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: [Struts2] session variable empty in the JSP
I have tried but it did not help. I have tried also by defining the action as a bean and populating the context bean in the Spring configuration file (with the Struts Spring plugin). But the same error comes.

I guess I will pursue with my solution of redirecting to another action on the first call.

Thanks,
Samuel

On 27 February 2012 20:13, Gabriel Belingueres belingue...@gmail.com wrote:

You are lacking the <aop:scoped-proxy/> in the bean definition. See the following link:
http://static.springsource.org/spring/docs/3.0.7.RELEASE/spring-framework-reference/html/beans.html#beans-factory-scopes-other-injection

HTH

2012/2/27 Samuel Robert samuelrobert@gmail.com:

I am using Spring:

    <bean id="context" class="my.bean.SessionBean" scope="session"/>

In the action:

    @Autowired
    private SessionBean context;

I can manipulate the context object in the action, fill it with a list of profiles. In the JSP, tags like the following fail (the first time only):

    <s:select name="profile" id="profile" list="%{#session.context.profiles}"/>

The application uses Spring Security and Tiles with the struts-tiles plugin. The jsp is included via Tiles:

    <result type="tiles">monitor</result>

I am testing with Jetty.

The stack trace:

Caused by: tag 'select', field 'list', name 'profile': The requested list key '%{#session.context.profiles}' could not be resolved as a collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]
    at org.apache.struts2.components.Component.fieldError(Component.java:237)
    at org.apache.struts2.components.Component.findValue(Component.java:358)
    at org.apache.struts2.components.ListUIBean.evaluateExtraParams(ListUIBean.java:80)
    at org.apache.struts2.components.Select.evaluateExtraParams(Select.java:105)
    at org.apache.struts2.components.UIBean.evaluateParams(UIBean.java:856)
    at org.apache.struts2.components.UIBean.end(UIBean.java:510)
    at org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:42)
    at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_select_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:367)
    at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_form_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:313)
    at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_if_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:262)
    at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspService(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:118)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:366)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:99)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:60)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at
How to implement alternate error messages in the Struts validation framework. (Struts 2.0.1.4)
Hello,

I am currently using the Struts2 validation framework for my project. I have Struts 2.0.14. I have been trying to find a way to display alternate error message through validator framework. I tried two things.

1. I added a bundle attribute in the following code in the web.xml but that did not work. The com.mytest.strings bundle is located in the WEB-INF\classes folder.

    <field property="attribute(Number)" depends="required,mask,maxbytelength,nonce">
        <msg name="required" bundle="com.mytest.strings" key="errors.required" />

2. Based on the following information from Programming Jakarta Struts, Chapter 11, The Validator Framework
http://books.google.com/books?id=E874l0jaUGQCpg=PA260lpg=PA260dq=change+the+key+values+in+the+validation-rules.xml+if+you+plan+to+use+alternative+messagessource=blots=t5zzY8fSs4sig=wEOspEiq8XsU2su4yD1WlCz8H6whl=ensa=Xei=8_ZLT6TOHoPi0QGB4YiTDgved=0CCIQ6AEwAA#v=onepageq=change%20the%20key%20values%20in%20the%20validation-rules.xml%20if%20you%20plan%20to%20use%20alternative%20messagesf=false

“You should add these to your application’s resource bundle, or change the key values in the validation-rules.xml if you plan to use alternative messages.”

I have the following code in validator-rules.xml file.

    <validator name="required"
               classname="StrutsValidators"
               method="validateRequired"
               methodParams="java.lang.Object, org.apache.commons.validator.ValidatorAction, org.apache.commons.validator.Field, org.apache.struts.action.ActionMessages, javax.servlet.http.HttpServletRequest"
               msg="errors.required.new"/>

    <validator name="mask"
               classname="StrutsValidators"
               method="validateMask"
               methodParams="java.lang.Object, org.apache.commons.validator.ValidatorAction, org.apache.commons.validator.Field, org.apache.struts.action.ActionMessages, javax.servlet.http.HttpServletRequest"
               depends=""
               msg="errors.invalid.new"/>

I added the following string to a separate bundle but with the same properties file name. That bundle is located in a different directory. I updated the values of these two entries in this new properties file.

    errors.required.new={0} is required NEW.
    errors.invalid.new={0} is not valid NEW.

My validation.xml file looks like this:

    <field property="attribute(Number)" depends="required,mask,maxbytelength,nonce">
        <msg name="required" key="errors.required" />
        <msg name="maxbytelength" key="errors.maxlength" />
        <var>
            <var-name>maxbytelength</var-name>
            <var-value>32</var-value>
        </var>
        <var>
            <var-name>form</var-name>
            <var-value>Info</var-value>
        </var>
        <msg name="mask" key="errors.invalid" />
        <arg0 key="label.Number" />
        <var>
            <var-name>mask</var-name>
            <var-value>^[0-9\-() ]*$</var-value>
        </var>
    </field>

When I ran my test I still see the standard error messages such as the ones listed below displayed on the UI. It appears that the validation framework still reads from the default bundle. However, all other labels on the same UI can read from the customized properties file.

    errors.required.new={0} is required.
    errors.invalid.new={0} is not valid.

Is this a Struts issue? If not, what is the right way to implement alternate validation message in this case?

Thanks a lot.
Maven repository and struts2-jquery-plugin
Hi, please point me to a maven repo with the latest jq-plugin release I only have this link on google code: http://code.google.com/p/struts2-jquery/downloads/detail?name=struts2-jquery-plugin-3.2.1.jar Thanks! cheers - Mounir
Re: Maven repository and struts2-jquery-plugin
jQuery Plugin is available from Central http://code.google.com/p/struts2-jquery/wiki/FAQ#How_can_I_use_the_Plugin_from_Maven? Regards -- Łukasz Mobile +48 606 323 122 Office +27 11 0838747 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/
Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
Lukasz - I agree with you, but until a new version of Struts 2 is released that includes a fix for this vulnerability, I'd like to tell Struts 2 developers what to do when implementing the SessionAware interface to mitigate the vulnerability. If you could look over what I wrote in the initial post and provide any feedback on that I'd certainly appreciate your comments.
struts2-jquery-plugin: form submit returns twice the submit and textfield
Here's a simple enough example of how to use the sj:a tag available in the struts2-jquery plugin (v 3.2.1)
http://www.weinfreund.de/struts2-jquery-showcase/index.action

Well what I get though is somehow mysterious (to me). The first time when I call the action [1] given by its URL http://localhost:8080/myApp/test/me I get the correct server response, that is

- a line saying Echo: Hello me!
- underneath it a textfield containing the phrase Hello me !
- followed by a submit button

This is what it looks like:
Before: http://i40.tinypic.com/vf8782.jpg

Nice. But after I submit the form the textfield and the submit button get somehow mysteriously duplicated! (but not the Echo:... textline)

So there's still the initial textfield with the updated Hello + whatever-you-typed-in phrase but yet another textfield and yet another submit button. The only difference I can tell between the initial and the duplicated textfield is that the latter never gets a refresh. It always contains the initial Hello me ! phrase.

This is how it looks like after the submit:
After: http://i41.tinypic.com/2ji44j.jpg

Maybe someone can tell what I'm missing here. Thanks!

[1] http://pastebin.com/Wq0Ek1H4 (Action class)
[2] http://pastebin.com/6yF2xwu4 (jsp)

[1] ACTION class

    package xxx.actions.yyy;

    import org.apache.log4j.Logger;
    import org.apache.struts2.convention.annotation.Action;
    import org.apache.struts2.convention.annotation.Actions;
    import org.apache.struts2.convention.annotation.Namespace;
    import org.apache.struts2.convention.annotation.Result;
    import com.opensymphony.xwork2.ActionSupport;

    @Namespace("/test")
    public class HelloWorldAction extends ActionSupport {

        public String getYourName() { return yourName; }
        public void setYourName(String value) { this.yourName = value; }

        @Actions({
            @Action(value="{yourName}", results={@Result(location = "test.jsp")}),
            @Action(value="put", results={@Result(location = "test.jsp")})
        })
        public String execute() {
            yourName = "Hello " + yourName + "!";
            logger.debug("execute: " + yourName);
            return SUCCESS;
        }

        private static final long serialVersionUID = 1L;
        private String yourName;
        private static Logger logger = Logger.getLogger(HelloWorldAction.class);
    }

[2] (jsp)

    <%@ taglib prefix="s" uri="/struts-tags" %>
    <%@ taglib prefix="sj" uri="/struts-jquery-tags"%>
    <html>
    <head>
    <sj:head/>
    </head>
    <body>
    <div id="formResult">
    <p>Echo : ${yourName}</p>
    </div>
    <s:form id="form" action="put">
    <s:textfield id="echo" name="yourName"/>
    </s:form>
    <sj:a id="ajaxformlink" formIds="form" targets="formResult" indicator="indicator" button="true" buttonIcon="ui-icon-gear">
    Submit form here
    </sj:a>
    <img id="indicator" src="images/indicator.gif" alt="Loading..." style="display:none"/>
    </body>
    </html>
Re: struts2-jquery-plugin: form submit returns twice the submit and textfield
You update the div with the same jsp as the form, so you're adding the page to itself. d. (pardon brevity and typos, on cell)
Re: Struts, spring integration while using struts annotations
check this
http://struts.apache.org/2.0.8/docs/spring-plugin.html

you can use spring along with the annotation in the convention-plugin such as @Action, etc

On Tue, Feb 28, 2012 at 6:01 PM, Puneet Babbar 2 pbabb...@sapient.com wrote:

Hi,

I am using struts annotations with my applications, I need to add spring's support to my application. I am not able to find any content on how to use the beans (the struts action classes) initialized using spring as my action when I am using struts annotations?

Regards
Puneet
RE: Struts, spring integration while using struts annotations
Thanks for replying to my post, I have already checked that link but still no clue as to how to make spring plugin work with the convention plugin.

Suppose I have an Action -

    @Action("/login-page")
    public class LoginPage extends ActionSupport {

        public LoginPage() {
        }

        public String execute() {
            return SUCCESS;
        }
    }

I have added spring plugin to my application and have added the following bean definition in my applicationContext.xml

    <bean id="login-page" class="com.test.login.LoginPage" />

I debugged the application - Now when I load my application and send a request for the login-page action, I see that the action is being created 2 times

1) When applicationContext is read when the application comes up.
2) When the request is sent for this action, struts creates another instance and this instance is used to service the request.

So basically, I am not able to get the action object I have created using spring to be used by struts to process the requests when using convention plugin. The Struts spring integration works fine when I used the normal struts.xml approach (not using convention plugin).

Now can you help me out?

Regards
Puneet