Re: Keeping current locale after logging out

2013-07-31 Thread Lukasz Lenart
2013/7/31 Antonio Sánchez :
> At logging out, session is invalidated and redirected page is displayed in 
> default language.
>
> Say: default language: Spanish; current language: English; logging out and 
> resulted page is in Spanish, but should be English. .
>
> This is not working (code in action class):
>
> public String closeSession()  {
> Locale currentLocale = ActionContext.getContext().getLocale();
> request.getSession().invalidate();
> ActionContext.getContext().setLocale(currentLocale);
> return SUCCESS;
> }
>
> How to maintain the current language?

Redefine the redirect to include the request_locale parameter, i.e.:
<param name="request_locale">${currentLocale}</param>

and add a getter to the action with closeSession():

public String getCurrentLocale() {
    return CURRENT_LOCALE.toString();
}


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: Keeping current locale after logging out

2013-07-31 Thread JOSE L MARTINEZ-AVIAL
The closeSession redirects to a new page? In that case the setLocale is
lost (it only lives during the request) and the new locale is picked up from
the browser language, or from the default language you have set up.


2013/7/31 Antonio Sánchez 

> At logging out, session is invalidated and redirected page is displayed in
> default language.
>
> Say: default language: Spanish; current language: English; logging out and
> resulted page is in Spanish, but should be English. .
>
> This is not working (code in action class):
>
> public String closeSession()  {
> Locale currentLocale = ActionContext.getContext().getLocale();
> request.getSession().invalidate();
> ActionContext.getContext().setLocale(currentLocale);
> return SUCCESS;
> }
>
> How to maintain the current language?
>
> Thanks.
>
>
>


Keeping current locale after logging out

2013-07-31 Thread Antonio Sánchez
At logging out, session is invalidated and redirected page is displayed in 
default language. 

Say: default language: Spanish; current language: English; logging out and
the resulting page is in Spanish, but should be English.

This is not working (code in action class):

public String closeSession() {
    Locale currentLocale = ActionContext.getContext().getLocale();
    request.getSession().invalidate();
    ActionContext.getContext().setLocale(currentLocale);
    return SUCCESS;
}

How to maintain the current language?

Thanks. 




Re: Translating submit tag

2013-07-31 Thread Antonio Sánchez
Forgot to say: theme is default.


On Wednesday, 31 July 2013 11:07:42 you wrote:


Sorry, what do you mean with Submit class?

Use case is simple login. The exception is thrown when the form does not pass 
validation and "results" in "input".

Displayed  is: 

Developer Notification (set struts.devMode to false to disable this message): 
Unexpected Exception caught setting 'entrar' on 'class 
es.juntandolineas.laboratoriostruts2.sesionConS2.control.Sesion: Error setting 
expression 'entrar' with value ['Entrar', ]

Initially I thought there was some problem with a custom interceptor and custom 
interceptor stack, but I get the same using default interceptor stack.

Stacktrace:

jul 31, 2013 10:34:50 AM com.opensymphony.xwork2.interceptor.ParametersInterceptor error
SEVERE: Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'entrar' on 'class es.juntandolineas.laboratoriostruts2.sesionConS2.control.Sesion: Error setting expression 'entrar' with value ['Entrar', ]
Error setting expression 'entrar' with value ['Entrar', ] - [unknown location]
    at com.opensymphony.xwork2.ognl.OgnlValueStack.handleRuntimeException(OgnlValueStack.java:197)
    at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:174)
    at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:318)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:231)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:239)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
    at org.apache.struts2.dispatcher.Dispa

s:select - option appears with no displayed value w/html brackets

2013-07-31 Thread CRANFORD, CHRIS
We just discovered that if a Map gets passed to a select-tag 
where the entry's key/value pair are ""/"" that the 
option's value attribute contains "" as one would have expected, but 
the body of the option-tag is empty as seen here



There isn't a clean way to scrub this data to eliminate the HTML-brackets under 
these test cases and was curious whether there was an undocumented way to get 
this to work by setting escape="false" or something of the sorts?  I realize we 
can iterate the map and do a replace before passing it to the select-tag, but 
this isn't ideal for all scenarios because of the business requirements and use 
cases.  The ideal solution is to be able to present "" as a valid 
option in the drop down to accurately map to the customer's stored data.
 
Thanks
Chris





Issue with parameters with Struts 2.3.15.1

2013-07-31 Thread Thim Anneessens

  
  
Hi Struts users,

I am having problems migrating from version 2.3.1.2 to version
2.3.15.1. This upgrade seems pretty important as it fixes a known
security issue. 

The problem I am having is that, apparently, I can no longer
check if a property has been given to my Struts component (using
s:component and s:param) by testing that the value associated to
the parameter key in the "parameters" is equal to null.

Test
This is the code of the component that I call:
Param items

Radom param name







Here is the call to the component:



  And here is the produced output (without html marking)

Param items

java.lang.Object		#Output of 


Radom param name		


java.lang.Object		#Output of 


java.lang.Object@3c0e5477	#Output of 


java.lang.Object@3c0e5477	#Output of  (the second one)


java.lang.Object@e91824	#Output of 


test#Output of 


Note: test is a property of the action that should return
the "test" string. OK. I

Environment

  Java 6
  
  struts-javatemplate-plugin (same version as struts)
  JRebel
  Tomcat (restarted and cleaned), Eclipse(restarted &
project recompiled)
  

Analysis

  Action properties are acting as before (I've checked with the
debugger, and the non existence of an action property result in
a null value)
  
  The Component "parameters" object will always return a value
(even if it is an object)
  
  By using the debugger, we can see that accessing a nonexistent
"parameters" key will result in the creation of this
"parameters" key and its association to an object of type
Object.
  2 nonexistent "parameters" keys will result in the association
of 2 distinct objects of type Object. (as illustrated in the
output of the Test)
  

What I have tried

I hope I provided enough information and that you will be able to
tell me what I do wrong, how I could get out of this mess or that
there is a bug ;).

Best regards, and thanks to the Team for all the good work,

-- 
  
 Thim Anneessens 
  IT Department







  

  



Re: Apple sec breach.. Struts?

2013-07-31 Thread Paul Benedict
I'll voice my personal opinion.

No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
is the responsibility of all IT shops to do a security vulnerability
assessment before first releasing to production and after each update. That
is "Security 101" because there are a multitude of attack vectors that can be
exploited through any inadvertent mistake here and there. Sometimes the
mistake will be in your code, sometimes it will be in third party
dependencies, but you own the final product so you must take responsibility
for the entire product.

Did a company like Apple, who sits on billions of cash, do that? I don't
know. I hope they did because that would be performing due diligence. They
are not poor by any means. I'll hope for the best here.

Lastly, it cannot be ignored that Struts is a free product built by
volunteers. The work done here is long, arduous, and passionate -- and on a
budget of $0. There is no money coming in to fund anything expensive.
Unlike some other Apache projects where corporations (like IBM) are funding
development, no one is funding Struts. You get the best that volunteers can
do without them receiving a dime. The obvious implication is that you, who
consume volunteer work for free, must take the product "as is" and do your
part of making sure your application is secure.

PS: If you find a security vulnerability in Struts, please privately report
it to secur...@apache.org so it can be fixed.

Cheers,
Paul


RE: Apple sec breach.. Struts?

2013-07-31 Thread Martin Gainty
Frans
 
If you want to throw darts at frameworks, I'm amazed that nobody mentioned the
vulnerability from Struts Ajax Framework Rival 
"IceFaces IntervalRenderer not supporting isUserInRole() "
 
https://www.owasp.org/index.php/Java_Server_Faces

(you can integrate ACEGI but that's an afterthought)

J2EE Containers usually front-end their app with a redirect to Apache w/mod_ssl 
(or possibly SingleSignOnPortal)
The most basic Java Security (JSSE) would implement Java Key Exchange with the 
user  supplied key 

once JSSE Handshake is completed the authenticated User (selected from ADS, 
LDAP  or other NameServer) is assigned predefined Roles 
(consequent access would be granted or denied by testing if isUserInRole())

Martin Gainty 

 
> Date: Wed, 31 Jul 2013 14:10:23 +0100
> Subject: Re: Apple sec breach.. Struts?
> From: gkogk...@tcd.ie
> To: user@struts.apache.org
> 
> Hi Vicky,
> 
> the .action by itself in the Urls is a good hint. Furthermore, if you check
> the html source you'll probably find struts written somewhere e.g., dojodivs
> Antonios
> 
> 
> On 31 July 2013 14:04, vicky b  wrote:
> 
> > I browsed through apple site  i could not find any clue that it was made in
> > struts,  can you please let me know how did the hacker recognized that it
> > was developed in struts, secondly how could he exactly hiek , sorry if this
> > is out of scope for  this forum
> >
> >
> > On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura  wrote:
> >
> > > Any apple guy here?
> > >
> > > I.just want to.know.how.struts.use there.
> > >
> > > I just know they use .action means struts apps.
> > > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" 
> > > wrote:
> > >
> > > > I read that. I don't think we should do anything.
> > > >
> > > > The blog post is speculative. Nobody from Apple did tell us if it was
> > > > really a Struts problem or not. If it is, then well, we can't do
> > > > anything. This doesn't make Struts a dangerous framework at all, it
> > > > just highlights you should update when your framework provider
> > > > recommends it. It also highlights we are taking security issues
> > > > serious.
> > > >
> > > > Also it should be mentioned that no company (to my knowledge) is in
> > > > any way supporting the development of Struts. Apple got a lot of
> > > > money, they could fund the development of the framework of their
> > > > choice. At least they should be able to roll out new security patches.
> > > >
> > > > Maybe others think different, but except with continuing to improve
> > > > struts, we cannot do anything bout it.
> > > >
> > > >
> > > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura 
> > > wrote:
> > > > > Anyone read this?
> > > > >
> > > > > http://java.dzone.com/articles/was-struts-responsible-apples
> > > > >
> > > > > How we handle this?
> > > > >
> > > > > F
> > > >
> > > >
> > > >
> > > > --
> > > > http://www.grobmeier.de
> > > > https://www.timeandbill.de
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > *Thanks & Regards
> >  Vickyb
> >
> > *
> >
  

Re: Apple sec breach.. Struts?

2013-07-31 Thread Dale Newfield
On Jul 31, 2013, at 9:25 AM, Dave Newton  wrote:
> I'm not convinced OGNL itself is the issue, but
> rather its unfettered access into internals. An intermediate, sandbox-y
> layer might resolve that.

It's only partially what data ognl can fetch/modify, it's also what it can do.  
System.exit() is clearly something undesirable to execute unexpectedly 
(although probably less harmful than other actions).

-Dale



Re: Apple sec breach.. Struts?

2013-07-31 Thread Dave Newton
The blog post is speculative, but the Hacker News post was by Patrick
Lightbody, a WW founder. I'm not convinced OGNL itself is the issue, but
rather its unfettered access into internals. An intermediate, sandbox-y
layer might resolve that.

Dave
 On Jul 31, 2013 8:22 AM, "Christian Grobmeier"  wrote:

> I read that. I don't think we should do anything.
>
> The blog post is speculative. Nobody from Apple did tell us if it was
> really a Struts problem or not. If it is, then well, we can't do
> anything. This doesn't make Struts a dangerous framework at all, it
> just highlights you should update when your framework provider
> recommends it. It also highlights we are taking security issues
> serious.
>
> Also it should be mentioned that no company (to my knowledge) is in
> any way supporting the development of Struts. Apple got a lot of
> money, they could fund the development of the framework of their
> choice. At least they should be able to roll out new security patches.
>
> Maybe others think different, but except with continuing to improve
> struts, we cannot do anything bout it.
>
>
> On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura  wrote:
> > Anyone read this?
> >
> > http://java.dzone.com/articles/was-struts-responsible-apples
> >
> > How we handle this?
> >
> > F
>
>
>
> --
> http://www.grobmeier.de
> https://www.timeandbill.de
>
>
>


Re: Apple sec breach.. Struts?

2013-07-31 Thread Eric Reed
You can't rely on anyone's code for security, not a .jar, not struts, not 
anything.

To guarantee security you need to go through every single entry point and fuzz 
it yourself. This is a major pain and headache and only .001% of devs do this 
but don't blame the developers that are providing a free framework.  

This seems like a pretty easy exploit and I would upgrade any applications open 
on the net.


>>> Antonios Gkogkakis  7/31/2013 9:10 AM >>>
Hi Vicky,

the .action by itself in the Urls is a good hint. Furthermore, if you check
the html source you'll probably find struts written somewhere e.g., dojodivs
Antonios


On 31 July 2013 14:04, vicky b  wrote:

> I browsed through apple site  i could not find any clue that it was made in
> struts,  can you please let me know how did the hacker recognized that it
> was developed in struts, secondly how could he exactly hiek , sorry if this
> is out of scope for  this forum
>
>
> On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura  wrote:
>
> > Any apple guy here?
> >
> > I.just want to.know.how.struts.use there.
> >
> > I just know they use .action means struts apps.
> > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" 
> > wrote:
> >
> > > I read that. I don't think we should do anything.
> > >
> > > The blog post is speculative. Nobody from Apple did tell us if it was
> > > really a Struts problem or not. If it is, then well, we can't do
> > > anything. This doesn't make Struts a dangerous framework at all, it
> > > just highlights you should update when your framework provider
> > > recommends it. It also highlights we are taking security issues
> > > serious.
> > >
> > > Also it should be mentioned that no company (to my knowledge) is in
> > > any way supporting the development of Struts. Apple got a lot of
> > > money, they could fund the development of the framework of their
> > > choice. At least they should be able to roll out new security patches.
> > >
> > > Maybe others think different, but except with continuing to improve
> > > struts, we cannot do anything bout it.
> > >
> > >
> > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura 
> > wrote:
> > > > Anyone read this?
> > > >
> > > > http://java.dzone.com/articles/was-struts-responsible-apples 
> > > >
> > > > How we handle this?
> > > >
> > > > F
> > >
> > >
> > >
> > > --
> > > http://www.grobmeier.de 
> > > https://www.timeandbill.de 
> > >
> > >
> > >
> >
>
>
>
> --
> *Thanks & Regards
>  Vickyb
>
> *
>





Re: Apple sec breach.. Struts?

2013-07-31 Thread vicky b
I read through the blog and I am confused by this statement:

"In Struts 2 before 2.3.15.1 the information following "action:",
"redirect:" or "redirectAction:" is not properly sanitized. Since said
information will be evaluated as OGNL expression against the value stack,
this introduces the possibility to inject server side code"

It would be helpful for me if some code could explain it. Thanks in advance.


On Wed, Jul 31, 2013 at 6:40 PM, Antonios Gkogkakis  wrote:

> Hi Vicky,
>
> the .action by itself in the Urls is a good hint. Furthermore, if you check
> the html source you'll probably find struts written somewhere e.g.,
> dojodivs
> Antonios
>
>
> On 31 July 2013 14:04, vicky b  wrote:
>
> > I browsed through apple site  i could not find any clue that it was made
> in
> > struts,  can you please let me know how did the hacker recognized that it
> > was developed in struts, secondly how could he exactly hiek , sorry if
> this
> > is out of scope for  this forum
> >
> >
> > On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura 
> wrote:
> >
> > > Any apple guy here?
> > >
> > > I.just want to.know.how.struts.use there.
> > >
> > > I just know they use .action means struts apps.
> > > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" 
> > > wrote:
> > >
> > > > I read that. I don't think we should do anything.
> > > >
> > > > The blog post is speculative. Nobody from Apple did tell us if it was
> > > > really a Struts problem or not. If it is, then well, we can't do
> > > > anything. This doesn't make Struts a dangerous framework at all, it
> > > > just highlights you should update when your framework provider
> > > > recommends it. It also highlights we are taking security issues
> > > > serious.
> > > >
> > > > Also it should be mentioned that no company (to my knowledge) is in
> > > > any way supporting the development of Struts. Apple got a lot of
> > > > money, they could fund the development of the framework of their
> > > > choice. At least they should be able to roll out new security
> patches.
> > > >
> > > > Maybe others think different, but except with continuing to improve
> > > > struts, we cannot do anything bout it.
> > > >
> > > >
> > > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura 
> > > wrote:
> > > > > Anyone read this?
> > > > >
> > > > > http://java.dzone.com/articles/was-struts-responsible-apples
> > > > >
> > > > > How we handle this?
> > > > >
> > > > > F
> > > >
> > > >
> > > >
> > > > --
> > > > http://www.grobmeier.de
> > > > https://www.timeandbill.de
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > *Thanks & Regards
> >  Vickyb
> >
> > *
> >
>



-- 
*Thanks & Regards
 Vickyb

*
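
Added example (not part of the original thread and not Struts project code): since the statement quoted above says the data following "action:", "redirect:" or "redirectAction:" is evaluated as OGNL before 2.3.15.1, a defender can scan web access logs for request parameters whose names carry those prefixes. The log format, sample lines and function names are constructed for illustration; "${" and "%{" are the Struts expression delimiters, and because "action:" also appears in legitimate form submissions (a submit button bound to an action), a bare prefix is reported at lower severity than a prefix followed by an expression.

```python
import re
from urllib.parse import unquote_plus

# Parameter-name prefixes named in the advisory text quoted in the thread.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Struts expression delimiters: a prefix followed by one of these carries an
# expression instead of a plain action name or URL.
EXPR_MARKERS = ("${", "%{")

# Request part of a common/combined-format access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Constructed sample lines; addresses are documentation ranges and the
# expression body is an inert placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2013:14:02:11 +0000] '
    '"GET /shop/login.action?username=bob HTTP/1.1" 200 5120',
    '192.0.2.11 - - [31/Jul/2013:14:03:40 +0000] '
    '"GET /shop/cart.action?action:checkout=Pay HTTP/1.1" 200 2301',
    '198.51.100.7 - - [31/Jul/2013:14:05:02 +0000] '
    '"GET /shop/index.action?redirect:%24%7BPLACEHOLDER%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [31/Jul/2013:14:05:09 +0000] '
    '"GET /shop/index.action?redirectAction:%2525%257BPLACEHOLDER%257D HTTP/1.1" 200 0',
    '192.0.2.12 - - [31/Jul/2013:14:06:00 +0000] '
    '"GET /shop/help.action?topic=redirect:faq HTTP/1.1" 200 900',
]


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(pair):
    """Return (prefix, severity) for a decoded name[=value] pair, or None.

    Only the parameter NAME is matched against the prefixes, so a value that
    merely contains "redirect:" (last sample line) is not reported.
    """
    for prefix in PREFIXES:
        if pair.startswith(prefix):
            rest = pair[len(prefix):]
            has_expr = any(marker in rest for marker in EXPR_MARKERS)
            return prefix, "expression" if has_expr else "prefix"
    return None


def scan(lines):
    """Return one finding per suspicious query parameter in the log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        path, _, query = match.group("target").partition("?")
        # Split before decoding so an encoded '&' stays inside its parameter.
        for pair in query.split("&"):
            hit = classify(fully_decode(pair))
            if hit:
                findings.append({
                    "client": match.group("client"),
                    "path": path,
                    "prefix": hit[0],
                    "severity": hit[1],
                    "status": int(match.group("status")),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so the same check has to run on request bodies (at a proxy or in a servlet filter) to cover POST submissions.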


Re: Apple sec breach.. Struts?

2013-07-31 Thread Antonios Gkogkakis
Hi Vicky,

the .action by itself in the Urls is a good hint. Furthermore, if you check
the html source you'll probably find struts written somewhere e.g., dojodivs
Antonios


On 31 July 2013 14:04, vicky b  wrote:

> I browsed through apple site  i could not find any clue that it was made in
> struts,  can you please let me know how did the hacker recognized that it
> was developed in struts, secondly how could he exactly hiek , sorry if this
> is out of scope for  this forum
>
>
> On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura  wrote:
>
> > Any apple guy here?
> >
> > I.just want to.know.how.struts.use there.
> >
> > I just know they use .action means struts apps.
> > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" 
> > wrote:
> >
> > > I read that. I don't think we should do anything.
> > >
> > > The blog post is speculative. Nobody from Apple did tell us if it was
> > > really a Struts problem or not. If it is, then well, we can't do
> > > anything. This doesn't make Struts a dangerous framework at all, it
> > > just highlights you should update when your framework provider
> > > recommends it. It also highlights we are taking security issues
> > > serious.
> > >
> > > Also it should be mentioned that no company (to my knowledge) is in
> > > any way supporting the development of Struts. Apple got a lot of
> > > money, they could fund the development of the framework of their
> > > choice. At least they should be able to roll out new security patches.
> > >
> > > Maybe others think different, but except with continuing to improve
> > > struts, we cannot do anything bout it.
> > >
> > >
> > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura 
> > wrote:
> > > > Anyone read this?
> > > >
> > > > http://java.dzone.com/articles/was-struts-responsible-apples
> > > >
> > > > How we handle this?
> > > >
> > > > F
> > >
> > >
> > >
> > > --
> > > http://www.grobmeier.de
> > > https://www.timeandbill.de
> > >
> > >
> > >
> >
>
>
>
> --
> *Thanks & Regards
>  Vickyb
>
> *
>


Re: Apple sec breach.. Struts?

2013-07-31 Thread vicky b
I browsed through the Apple site; I could not find any clue that it was made in
Struts. Can you please let me know how the hacker recognized that it
was developed in Struts and, secondly, how exactly he could hack it? Sorry if this
is out of scope for this forum.


On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura  wrote:

> Any apple guy here?
>
> I.just want to.know.how.struts.use there.
>
> I just know they use .action means struts apps.
> On Jul 31, 2013 7:22 PM, "Christian Grobmeier" 
> wrote:
>
> > I read that. I don't think we should do anything.
> >
> > The blog post is speculative. Nobody from Apple did tell us if it was
> > really a Struts problem or not. If it is, then well, we can't do
> > anything. This doesn't make Struts a dangerous framework at all, it
> > just highlights you should update when your framework provider
> > recommends it. It also highlights we are taking security issues
> > serious.
> >
> > Also it should be mentioned that no company (to my knowledge) is in
> > any way supporting the development of Struts. Apple got a lot of
> > money, they could fund the development of the framework of their
> > choice. At least they should be able to roll out new security patches.
> >
> > Maybe others think different, but except with continuing to improve
> > struts, we cannot do anything bout it.
> >
> >
> > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura 
> wrote:
> > > Anyone read this?
> > >
> > > http://java.dzone.com/articles/was-struts-responsible-apples
> > >
> > > How we handle this?
> > >
> > > F
> >
> >
> >
> > --
> > http://www.grobmeier.de
> > https://www.timeandbill.de
> >
> >
> >
>



-- 
*Thanks & Regards
 Vickyb

*


Re: Apple sec breach.. Struts?

2013-07-31 Thread Frans Thamura
Any apple guy here?

I just want to know how Struts is used there.

I just know they use .action means struts apps.
On Jul 31, 2013 7:22 PM, "Christian Grobmeier"  wrote:

> I read that. I don't think we should do anything.
>
> The blog post is speculative. Nobody from Apple did tell us if it was
> really a Struts problem or not. If it is, then well, we can't do
> anything. This doesn't make Struts a dangerous framework at all, it
> just highlights you should update when your framework provider
> recommends it. It also highlights we are taking security issues
> serious.
>
> Also it should be mentioned that no company (to my knowledge) is in
> any way supporting the development of Struts. Apple got a lot of
> money, they could fund the development of the framework of their
> choice. At least they should be able to roll out new security patches.
>
> Maybe others think different, but except with continuing to improve
> struts, we cannot do anything bout it.
>
>
> On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura  wrote:
> > Anyone read this?
> >
> > http://java.dzone.com/articles/was-struts-responsible-apples
> >
> > How we handle this?
> >
> > F
>
>
>
> --
> http://www.grobmeier.de
> https://www.timeandbill.de
>
>
>


Re: Apple sec breach.. Struts?

2013-07-31 Thread Christian Grobmeier
I read that. I don't think we should do anything.

The blog post is speculative. Nobody from Apple did tell us if it was
really a Struts problem or not. If it is, then well, we can't do
anything. This doesn't make Struts a dangerous framework at all, it
just highlights you should update when your framework provider
recommends it. It also highlights we are taking security issues
seriously.

Also it should be mentioned that no company (to my knowledge) is in
any way supporting the development of Struts. Apple got a lot of
money, they could fund the development of the framework of their
choice. At least they should be able to roll out new security patches.

Maybe others think differently, but except for continuing to improve
Struts, we cannot do anything about it.


On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura  wrote:
> Anyone read this?
>
> http://java.dzone.com/articles/was-struts-responsible-apples
>
> How we handle this?
>
> F



-- 
http://www.grobmeier.de
https://www.timeandbill.de




Apple sec breach.. Struts?

2013-07-31 Thread Frans Thamura
Anyone read this?

http://java.dzone.com/articles/was-struts-responsible-apples

How we handle this?

F


Re: Translating submit tag

2013-07-31 Thread Antonio Sánchez
Sorry, what do you mean with Submit class?

Use case is simple login. The exception is thrown when the form does not pass 
validation and "results" in "input".

Displayed  is: 

Developer Notification (set struts.devMode to false to disable this message): 
Unexpected Exception caught setting 'entrar' on 'class 
es.juntandolineas.laboratoriostruts2.sesionConS2.control.Sesion: Error setting 
expression 'entrar' with value ['Entrar', ]

Initially I thought there was some problem with a custom interceptor and custom 
interceptor stack, but I get the same using default interceptor stack.

Stacktrace:

jul 31, 2013 10:34:50 AM com.opensymphony.xwork2.interceptor.ParametersInterceptor error
SEVERE: Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'entrar' on 'class es.juntandolineas.laboratoriostruts2.sesionConS2.control.Sesion: Error setting expression 'entrar' with value ['Entrar', ]
Error setting expression 'entrar' with value ['Entrar', ] - [unknown location]
    at com.opensymphony.xwork2.ognl.OgnlValueStack.handleRuntimeException(OgnlValueStack.java:197)
    at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:174)
    at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:318)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:231)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:239)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
at 
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
at 
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at 
org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
at 
org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:563)
at 
org.apache.struts2.dispatcher.ng.ExecuteOpe

Re: missing action

2013-07-31 Thread Lukasz Lenart
This is a well-known problem with Eclipse - it stops deploying the new
version at some point. Try to Clean and Deploy (that's how it was in
NetBeans - I don't have Eclipse)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: missing action

2013-07-31 Thread Christian Grobmeier
I am not familiar with the "Run As" options of the IDE as I use
command line for such tasks, but basically you are expected to create
a war file and deploy it to your container when something changes.
Personally I am using the mvn jetty plugin and Jrebel (when doing open
source work) for that.

Can you check if the class file actually exists in your container?
Also, try to re-create a war file and see if it works.

Cheers


On Wed, Jul 31, 2013 at 4:10 AM, Tommy Pham  wrote:
> Hi Dave,
>
> I right click on the project > "Run As" > Run on server. It worked OK
> for the previous tutorial:
>
> http://struts.apache.org/release/2.3.x/docs/create-struts-2-web-application-using-maven-to-manage-artifacts-and-to-build-the-application.html
>
> Am I supposed to build a war and deploy it that way even though I have
> Tomcat on my dev system?
>
> Thanks,
> Tommy
>
>
> On Tue, Jul 30, 2013 at 6:43 PM, Dave Newton  wrote:
>
>> How are you deploying the app?
>> On Jul 30, 2013 6:28 PM, "Tommy Pham"  wrote:
>>
>> > Hi,
>> >
>> > I'm trying to follow the tutorial:
>> >
>> > http://struts.apache.org/release/2.3.x/docs/hello-world-using-struts-2.html
>> >
>> > to create a Struts 2 application with maven and eclipse but encountering a
>> > 404 error with missing action with this error in the console:
>> >
>> > Jul 30, 2013 3:24:41 PM com.opensymphony.xwork2.util.logging.jdk.JdkLogger error
>> > SEVERE: Dispatcher initialization failed
>> > Unable to load configuration. - action - file:/D:/data/workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/sample_app/WEB-INF/classes/struts.xml:17:80
>> > at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:70)
>> > at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:446)
>> > at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:490)
>> > at org.apache.struts2.dispatcher.ng.InitOperations.initDispatcher(InitOperations.java:74)
>> > at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:57)
>> > at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
>> > at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
>> > at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:107)
>> > at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4746)
>> > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5399)
>> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>> > at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
>> > at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
>> > at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>> > at java.util.concurrent.FutureTask.run(Unknown Source)
>> > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>> > at java.lang.Thread.run(Unknown Source)
>> > Caused by: Action class [org.apache.struts.tutorial.action.HelloWorldAction] not found - action - file:/D:/data/workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/sample_app/WEB-INF/classes/struts.xml:17:80
>> > at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.verifyAction(XmlConfigurationProvider.java:482)
>> > at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.addAction(XmlConfigurationProvider.java:426)
>> > at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.addPackage(XmlConfigurationProvider.java:552)
>> > at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadPackages(XmlConfigurationProvider.java:292)
>> > at org.apache.struts2.config.StrutsXmlConfigurationProvider.loadPackages(StrutsXmlConfigurationProvider.java:112)
>> > at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:250)
>> > at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)
>> > ... 17 more
>> >
>> > Jul 30, 2013 3:24:41 PM org.apache.catalina.core.StandardContext filterStart
>> > SEVERE: Exception starting filter struts2
>> > Unable to load configuration. - action - file:/D:/data/workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/sample_app/WEB-INF/classes/struts.xml:17:80
>> > at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:502)
>> > at org.apache.struts2.dispatcher.ng.InitOperations.