Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-28 Thread Łukasz Lenart
I think we should simply implement what was mentioned in WW-3631 to
solve that potential vulnerability


Kind regards
-- 
Łukasz
Mobile +48 606 323 122
Office +27 11 0838747
http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: [Struts2] session variable empty in the JSP

2012-02-28 Thread Samuel Robert
I have tried but it did not help.
I have tried also by defining the action as a bean and populating the
context bean in the Spring configuration file (with the Struts Spring
plugin).
But the same error comes.

I guess I will pursue with my solution of redirecting to another action on
the first call.

Thanks,
Samuel

On 27 February 2012 20:13, Gabriel Belingueres belingue...@gmail.com wrote:

> You are lacking the <aop:scoped-proxy/> in the bean definition. See
> the following link:
>
> http://static.springsource.org/spring/docs/3.0.7.RELEASE/spring-framework-reference/html/beans.html#beans-factory-scopes-other-injection
>
> HTH
>
> 2012/2/27 Samuel Robert samuelrobert@gmail.com:
> > I am using Spring:
> > <bean id="context" class="my.bean.SessionBean" scope="session"/>
> >
> > In the action:
> > @Autowired
> > private SessionBean context;
> >
> > I can manipulate the context object in the action, fill it with a list of
> > profiles.
> >
> > In the JSP, tags like the following fail (the first time only):
> > <s:select name="profile" id="profile"
> >     list="%{#session.context.profiles}"/>
> >
> > The application uses Spring Security and Tiles with the struts-tiles
> > plugin.
> > The jsp is included via Tiles: <result type="tiles">monitor</result>
> >
> > I am testing with Jetty.
> >
> > The stack trace:
> > Caused by: tag 'select', field 'list', name 'profile': The requested list
> > key '%{#session.context.profiles}' could not be resolved as a
> > collection/array/map/enumeration/iterator type. Example: people or people.{name} - [unknown location]
> >     at org.apache.struts2.components.Component.fieldError(Component.java:237)
> >     at org.apache.struts2.components.Component.findValue(Component.java:358)
> >     at org.apache.struts2.components.ListUIBean.evaluateExtraParams(ListUIBean.java:80)
> >     at org.apache.struts2.components.Select.evaluateExtraParams(Select.java:105)
> >     at org.apache.struts2.components.UIBean.evaluateParams(UIBean.java:856)
> >     at org.apache.struts2.components.UIBean.end(UIBean.java:510)
> >     at org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:42)
> >     at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_select_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:367)
> >     at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_form_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:313)
> >     at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspx_meth_s_if_0(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:262)
> >     at org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp._jspService(org.apache.jsp.jsp.monitor.inc_005fheader_005fmonitoring_jsp:118)
> >     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> >     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
> >     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
> >     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> >     at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:366)
> >     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:99)
> >     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
> >     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
> >     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:60)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
> >     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
> >     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
> >     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
> >     at
 
 

How to implement alternate error messages in the Struts validation framework. (Struts 2.0.1.4)

2012-02-28 Thread joann luo
Hello,

I am currently using the Struts2 validation framework for my project. I
have Struts 2.0.14. I have been trying to find a way to display alternate
error messages through the validator framework.

I tried two things.



   1. I added a bundle attribute in the following code in the web.xml but
   that did not work.  The com.mytest.strings bundle is located in the
   WEB-INF\classes folder.

<field property="attribute(Number)"
       depends="required,mask,maxbytelength,nonce">

<msg name="required" bundle="com.mytest.strings" key="errors.required" />

   2. Based on the following information from Programming Jakarta
   Struts Chapter 11 The Validator Framework
   http://books.google.com/books?id=E874l0jaUGQCpg=PA260lpg=PA260dq=change+the+key+values+in+the+validation-rules.xml+if+you+plan+to+use+alternative+messagessource=blots=t5zzY8fSs4sig=wEOspEiq8XsU2su4yD1WlCz8H6whl=ensa=Xei=8_ZLT6TOHoPi0QGB4YiTDgved=0CCIQ6AEwAA#v=onepageq=change%20the%20key%20values%20in%20the%20validation-rules.xml%20if%20you%20plan%20to%20use%20alternative%20messagesf=false




*“You should add these to your application’s resource bundle, or change the
key values in the validation-rules.xml if you plan to use alternative
messages.”*



I have the following code in validator-rules.xml file.



<validator name="required"
           classname="StrutsValidators"
           method="validateRequired"
           methodParams="java.lang.Object,
                         org.apache.commons.validator.ValidatorAction,
                         org.apache.commons.validator.Field,
                         org.apache.struts.action.ActionMessages,
                         javax.servlet.http.HttpServletRequest"
           msg="errors.required.new"/>

<validator name="mask"
           classname="StrutsValidators"
           method="validateMask"
           methodParams="java.lang.Object,
                         org.apache.commons.validator.ValidatorAction,
                         org.apache.commons.validator.Field,
                         org.apache.struts.action.ActionMessages,
                         javax.servlet.http.HttpServletRequest"
           depends=""
           msg="errors.invalid.new"/>





I added the following string to a separate bundle but with the same
properties file name. That bundle is located in a different directory. I
updated the values of these two entries in this new properties file.



errors.required.new={0} is required NEW.

errors.invalid.new={0} is not valid NEW.





My validation.xml file looks like this:



<field property="attribute(Number)"
       depends="required,mask,maxbytelength,nonce">
    <msg name="required" key="errors.required" />
    <msg name="maxbytelength" key="errors.maxlength" />
    <var>
        <var-name>maxbytelength</var-name>
        <var-value>32</var-value>
    </var>
    <var>
        <var-name>form</var-name>
        <var-value>Info</var-value>
    </var>
    <msg name="mask" key="errors.invalid" />
    <arg0 key="label.Number" />
    <var>
        <var-name>mask</var-name>
        <var-value>^[0-9\-() ]*$</var-value>
    </var>
</field>



When I ran my test I still see the standard error messages such as the ones
listed below displayed on the UI.  It appears that the validation framework
still reads from the default bundle.  However, all other labels on the same
UI can read from the customized properties file.

errors.required.new={0} is required.

errors.invalid.new={0} is not valid.



Is this a Struts issue?  If not, what is the right way to implement
alternate validation message in this case?



Thanks a lot.


Maven repository and struts2-jquery-plugin

2012-02-28 Thread Mounir Benzid

Hi,

please point me to a maven repo with the latest jq-plugin release

I only have this link on google code:
http://code.google.com/p/struts2-jquery/downloads/detail?name=struts2-jquery-plugin-3.2.1.jar

Thanks!

cheers
- Mounir




Re: Maven repository and struts2-jquery-plugin

2012-02-28 Thread Łukasz Lenart
jQuery Plugin is available from Central

http://code.google.com/p/struts2-jquery/wiki/FAQ#How_can_I_use_the_Plugin_from_Maven?


Regards
-- 
Łukasz
Mobile +48 606 323 122
Office +27 11 0838747
http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/




Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-28 Thread bphill...@ku.edu
Lukasz - I agree with you, but until a new version of Struts 2 is released
that includes a fix for this vulnerability, I'd like to tell Struts 2
developers what to do when implementing the SessionAware interface to
mitigate the vulnerability.

If you could look over what I wrote in the initial post and provide any
feedback on that I'd certainly appreciate your comments.

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5523338.html
Sent from the Struts - User mailing list archive at Nabble.com.




struts2-jquery-plugin: form submit returns twice the submit and textfield

2012-02-28 Thread Mounir Benzid
Here's a simple enough example of how to use the sj:a tag available in 
the struts2-jquery plugin (v 3.2.1)

http://www.weinfreund.de/struts2-jquery-showcase/index.action


Well what I get though  is somehow mysterious (to me).

The first time when I call the action [1] given by its URL 
http://localhost:8080/myApp/test/me

I get the correct server response, that is

- a line saying Echo: Hello me!
- underneath it a textfield containing the phrase Hello me !
- followed by a submit button

This is what it looks like:
Before: http://i40.tinypic.com/vf8782.jpg

Nice.

But after I submit the form the textfield and the submit button get 
somehow mysteriously duplicated! (but not the Echo:... textline)


So there's still the initial textfield with the updated Hello + 
whatever-you-typed-in phrase but yet another textfield and yet another 
submit button.


The only difference I can tell between the initial and the duplicated 
textfield is that the latter never gets a refresh.

It always contains the initial Hello me ! phrase.

This is what it looks like after the submit:
After: http://i41.tinypic.com/2ji44j.jpg

Maybe someone can tell what I'm missing here.
Thanks!


[1] http://pastebin.com/Wq0Ek1H4 (Action class)


[2] http://pastebin.com/6yF2xwu4 (jsp)



[1] ACTION class

package xxx.actions.yyy;

import org.apache.log4j.Logger;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Actions;
import org.apache.struts2.convention.annotation.Namespace;
import org.apache.struts2.convention.annotation.Result;

import com.opensymphony.xwork2.ActionSupport;

@Namespace("/test")
public class HelloWorldAction extends ActionSupport {

    public String getYourName() { return yourName; }
    public void setYourName(String value) { this.yourName = value; }

    @Actions({
        @Action(value = "{yourName}", results = {@Result(location = "test.jsp")}),
        @Action(value = "put", results = {@Result(location = "test.jsp")})
    })
    public String execute() {
        yourName = "Hello " + yourName + " !";
        logger.debug("execute: " + yourName);
        return SUCCESS;
    }

    private static final long serialVersionUID = 1L;
    private String yourName;
    private static Logger logger = Logger.getLogger(HelloWorldAction.class);

}


[2] (jsp)
--

<%@ taglib prefix="s" uri="/struts-tags" %>
<%@ taglib prefix="sj" uri="/struts-jquery-tags"%>

<html>

<head>
<sj:head/>
</head>

<body>

<div id="formResult">
<p>Echo : ${yourName}</p>
</div>

<s:form id="form" action="put">
<s:textfield id="echo" name="yourName"/>
</s:form>

<sj:a
    id="ajaxformlink"
    formIds="form"
    targets="formResult"
    indicator="indicator"
    button="true"
    buttonIcon="ui-icon-gear"
>
Submit form here
</sj:a>

<img id="indicator" src="images/indicator.gif" alt="Loading..."
     style="display:none"/>

</body>

</html>







Re: struts2-jquery-plugin: form submit returns twice the submit and textfield

2012-02-28 Thread Dave Newton
You update the div with the same jsp as the form, so you're adding the page
to itself.

d.

(pardon brevity and typos, on cell)

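An added example, not part of the original thread, showing one way to act on the diagnosis in the reply above: the AJAX "put" action returns a fragment holding only what belongs inside the formResult div instead of the whole test.jsp. The file name echo-fragment.jsp and its contents are assumptions made for illustration.

```java
package xxx.actions.yyy;

import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Actions;
import org.apache.struts2.convention.annotation.Namespace;
import org.apache.struts2.convention.annotation.Result;

import com.opensymphony.xwork2.ActionSupport;

@Namespace("/test")
public class HelloWorldAction extends ActionSupport {

    private static final long serialVersionUID = 1L;
    private String yourName;

    public String getYourName() { return yourName; }
    public void setYourName(String value) { this.yourName = value; }

    @Actions({
        // Initial page load: render the full page (target div, form, sj:a link).
        @Action(value = "{yourName}", results = {@Result(location = "test.jsp")}),
        // AJAX submit issued by sj:a: the response body is placed inside
        // <div id="formResult">, so render only the fragment for that div.
        // echo-fragment.jsp is a hypothetical file name.
        @Action(value = "put", results = {@Result(location = "echo-fragment.jsp")})
    })
    public String execute() {
        yourName = "Hello " + yourName + " !";
        return SUCCESS;
    }
}

/*
 * echo-fragment.jsp (hypothetical): no html, head or body element,
 * no s:form and no sj:a, only the content of the target div:
 *
 *   <%@ taglib prefix="s" uri="/struts-tags" %>
 *   <p>Echo : <s:property value="yourName"/></p>
 *
 * yourName comes straight from the request, so the fragment prints it
 * with s:property, which HTML-escapes its value by default; a bare
 * ${yourName} EL expression writes the submitted text unescaped.
 */
```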

Re: Struts, spring integration while using struts annotations

2012-02-28 Thread Steven Yang
check this  http://struts.apache.org/2.0.8/docs/spring-plugin.html

you can use spring along with the annotation in the convention-plugin such
as @Action, etc

On Tue, Feb 28, 2012 at 6:01 PM, Puneet Babbar 2 pbabb...@sapient.com wrote:

> Hi,
>
> I am using struts annotations with my applications, I need to add spring's
> support to my application.
> I am not able to find any content on how to use the beans (the struts
> action classes) initialized using spring as my action when I am using
> struts annotations?
>
> Regards
>
> Puneet




RE: Struts, spring integration while using struts annotations

2012-02-28 Thread Puneet Babbar 2
Thanks for replying to my post, I have already checked that link but still no 
clue as to how to make spring plugin work with the convention plugin.

Suppose I have an Action  - 
@Action("/login-page")
public class LoginPage extends ActionSupport {

    public LoginPage() {
    }

    public String execute() {
        return SUCCESS;
    }
}


I have added spring plugin to my application and have added the following bean 
definition in my applicationContext.xml

<bean id="login-page" class="com.test.login.LoginPage" />

I debugged the application - 
Now when I load my application and send a request for the login-page action, I
see that the action is being created 2 times:
1) When applicationContext is read when the application comes up.
2) When the request is sent for this action, struts creates another instance and
this instance is used to service the request.

So basically, I am not able to get the action object I have created using
spring to be used by struts to process the requests when using convention plugin.

The Struts spring integration works fine when I used the normal struts.xml 
approach(not using convention plugin)

Now can you help me out?


Regards

Puneet