Re: Will I get side effects with: OgnlRuntime.setSecurityManager(null);

2013-11-26 Thread Lukasz Lenart
This should help [1] and you must add these (I cannot find the correct
link with an exact example for Struts2):

permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "*";
permission ognl.OgnlInvokePermission "*";

[1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
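Instead of nulling OGNL's SecurityManager, the three grants Łukasz lists can be scoped to the webapp's own code base in catalina.policy. This is an added example, not from the thread; the webapp path is assumed, and the "invoke.<class>.<method>" target name is how OgnlRuntime builds the OgnlInvokePermission it checks before a reflective call (an assumption to verify against your OGNL version).

```text
// catalina.policy fragment (added example). Scoping the grant to the webapp's
// code base leaves the rest of the JVM under the default policy; a bare
// grant { ... } block, or OgnlRuntime.setSecurityManager(null), would not.
// The webapp path below is assumed, not taken from the thread.
grant codeBase "file:${catalina.base}/webapps/hello-world-struts2-webapp/-" {
    // Lets OGNL call setAccessible() on the getters/setters it invokes via
    // reflection (the trace above: callAppropriateMethod -> invokeMethod).
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    // As listed in the reply above. Broad, so trim it to the targets the
    // app actually needs once it runs cleanly under this policy.
    permission java.lang.RuntimePermission "*";

    // OgnlRuntime checks OgnlInvokePermission "invoke.<declaring class>.<method>"
    // before each call (assumption: verify against your OGNL version). A name
    // such as "invoke.se.mycompany.web.actions.*" would cover only the action
    // package, but Struts' own tags and value-stack internals are invoked the
    // same way, so "*" is the practical starting point; narrow it only with
    // tests that exercise every page.
    permission ognl.OgnlInvokePermission "*";
};
```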



Re: Will I get side effects with: OgnlRuntime.setSecurityManager(null);

2013-11-26 Thread Damian Blazejewski
What is the access modifier of the method WelcomeUserAction.setUsername()?

Pozdrawiam/Best regards,
Damian Błażejewski
dblazejewski.com




Will I get side effects with: OgnlRuntime.setSecurityManager(null);

2013-11-26 Thread Fredrik Andersson
Hello!

(Hope this is the correct forum for this question)

I get this error in my hello-world-struts2-webapp when I run it in my tomcat
with the catalina.policy.

(Btw my catalina.policy is edited a bit to match my production env:
http://pastie.org/8510824)

/-- Encapsulated exception \
java.lang.IllegalAccessException: Method [public void
se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)]
cannot be accessed.
at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)

I found this solution:

https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ

It suggests that a listener does:

OgnlRuntime.setSecurityManager(null);

In the doc for OgnlRuntime it says:

Sets the SecurityManager that OGNL uses to determine permissions for invoking
methods.

But is this really a correct solution, to set it to null?

To me it doesn't sound good to have the SecurityManager set to null; what
security holes does that create?

Could this be solved with some extra grants in the catalina.policy file instead?

Best regards

Fredrik


Re: Struts 2 Testing Actions

2013-11-26 Thread Damian Blazejewski
I have managed to sort it out. My project has two maven modules and one
parent pom common for those modules.
Tests are located in one of the submodules.
As it turns out, when I add servlet-api and jsp-api dependencies to the parent
pom, the error is present.
However, when I move those two dependencies to the pom of the module the tests
are located in, the error disappears.
So that problem is solved.
Unfortunately, there is another issue. I have almost given up but my desire
to start automatically testing Struts actions is stronger so I still
struggle :)
I have Spring dependencies in the actions themselves. It would be perfect if I
could mock them. But as far as I know I can't, and I should provide a Spring
application context
defining those dependencies.

When I try to extend StrutsJUnit4TestCase in my test I get the following
error:

"Looks like the Spring listener was not configured for your web app! "

When I extend StrutsSpringJUnit4TestCase, I have to provide Spring
dependencies as I said earlier.

Is there any way to mock those Spring dependencies in my Struts action?

Thank you in advance for any advice.

Pozdrawiam/Best regards,
Damian Błażejewski
dblazejewski.com


2013/11/26 Lukasz Lenart 

> What Struts version do you use? And can you post source of the test?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2013/11/24 Damian Blazejewski :
> > Hello,
> >
> > I have a problem executing Struts 2 action test case.
> > I get the following error:
> >
> >
> > Absent Code attribute in method that is not native or abstract in class
> > file javax/servlet/jsp/PageContext
> > I have no clue what can be wrong.
> >
> > Thank you in advance for your help.
> >
> > Here are my dependencies:
> >
> > <dependency>
> >   <groupId>junit</groupId>
> >   <artifactId>junit</artifactId>
> >   <version>4.8.2</version>
> >   <scope>test</scope>
> > </dependency>
> >
> > <dependency>
> >   <groupId>org.apache.struts</groupId>
> >   <artifactId>struts2-junit-plugin</artifactId>
> >   <version>${struts.version}</version>
> >   <scope>test</scope>
> > </dependency>
> >
> > <dependency>
> >   <groupId>org.javassist</groupId>
> >   <artifactId>javassist</artifactId>
> >   <version>3.16.1-GA</version>
> > </dependency>
> >
> > <dependency>
> >   <groupId>javax.servlet</groupId>
> >   <artifactId>servlet-api</artifactId>
> >   <version>2.5</version>
> >   <type>jar</type>
> >   <scope>test</scope>
> > </dependency>
> > <dependency>
> >   <groupId>javax.servlet.jsp</groupId>
> >   <artifactId>jsp-api</artifactId>
> >   <version>2.2</version>
> >   <type>jar</type>
> >   <scope>test</scope>
> > </dependency>
> >
> > Pozdrawiam/Best regards,
> > Damian Błażejewski
> > dblazejewski.com
>
>
>


Re: Sending email on uncaught exception problems

2013-11-26 Thread Miguel Almeida
The first thought I had was also that this might be better suited to an
interceptor. You'll also have more control over the desired behaviour
since interceptors are more easily testable than JSPs.

Miguel




Re: Sending email on uncaught exception problems

2013-11-26 Thread Lukasz Lenart
2013/11/26 Lukasz Lichota :
> I tried it but it did not work (unless I did something wrong). If any
> action is on ValueStack, why should I add it to base class and not to any
> random action I pick up?

ValueStack is created per request, so you don't know exactly which action
it will be.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: Sending email on uncaught exception problems

2013-11-26 Thread Dave Newton
Why not use an interceptor?

Dave






-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton 
b: Bucky Bits 
g: davelnewton 
so: Dave Newton 


Re: Sending email on uncaught exception problems

2013-11-26 Thread Lukasz Lichota
On 26 November 2013 15:29, Lukasz Lenart wrote:

> Any action is always available on ValueStack, so you must add
> notifyAdmin(exception) to the base action class.

I tried it but it did not work (unless I did something wrong). If any
action is on ValueStack, why should I add it to base class and not to any
random action I pick up?

Thanks
Lukasz

-- 
Notice:  This email is confidential and may contain copyright material of 
Ocado Limited (the "Company"). Opinions and views expressed in this message 
may not necessarily reflect the opinions and views of the Company.

If you are not the intended recipient, please notify us immediately and 
delete all copies of this message. Please note that it is your 
responsibility to scan this message for viruses.

Company reg. no. 3875000.

Ocado Limited
Titan Court
3 Bishops Square
Hatfield Business Park
Hatfield
Herts
AL10 9NE


Re: Sending email on uncaught exception problems

2013-11-26 Thread Lukasz Lenart

Any action is always available on ValueStack, so you must add
notifyAdmin(exception) to the base action class.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Sending email on uncaught exception problems

2013-11-26 Thread Lukasz Lichota
Hello,

I'd like to run some Java code on any uncaught exception but so far I
cannot find a solution.
Under this link I found the exact same question but I do not know how to
apply the solution.
http://markmail.org/search/?q=global+exception+redirect+list%3Aorg.apache.struts.users%2F#query:global%20exception%20redirect%20list%3Aorg.apache.struts.users%2F+page:1+mid:wmzqlmfqpzd57dhg+state:results

Namely if I have

then in which class should this method be? Error.jsp is not associated with
any action. The author says he has this method in any Action class but for
me it doesn't work (how could it work anyway? How would error.jsp know about
any Action class?)

I also tried the s:action element like this:

%{exception}

and a Java class with a method like this:
@Action("default-error")
public boolean notifyAdmin(Exception exception)

but it fails with no error message, so I do not even know what is happening
(by failing I mean nothing is invoked when rendering the error page).

I also found this
http://www.mkyong.com/struts/struts-global-custom-exception-example/ but it
looks like the exception handler was removed in Struts 2.0.

Can you offer any hint?

Thanks
Lukasz

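Dave's and Miguel's suggestion carried out: an interceptor wrapped around defaultStack that notifies an admin whether or not an exception-mapping caught the exception, so no base-action method or JSP trickery is needed. This is an added example, not code from the thread; the class, package and interceptor names are assumed, and it relies on the stock exception interceptor publishing the ExceptionHolder that error.jsp reads as %{exception}.

```java
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Wraps defaultStack. Its "exception" interceptor either maps the exception to
 * a result (pushing an ExceptionHolder onto the value stack, which is what
 * error.jsp reads as %{exception}) or rethrows it when no exception-mapping
 * matches; both paths reach notifyAdmin(). Registration in struts.xml, inside
 * your <package extends="struts-default"> (names assumed):
 *   <interceptors>
 *     <interceptor name="exceptionNotifier" class="se.example.web.ExceptionNotifierInterceptor"/>
 *     <interceptor-stack name="notifyingStack">
 *       <interceptor-ref name="exceptionNotifier"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="notifyingStack"/>
 */
public class ExceptionNotifierInterceptor extends AbstractInterceptor {
    private static final Logger LOG = Logger.getLogger(ExceptionNotifierInterceptor.class.getName());

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String result;
        try {
            result = invocation.invoke();
        } catch (Exception unmapped) {
            // No exception-mapping matched: notify, then let it propagate.
            notifyAdmin(invocation, unmapped);
            throw unmapped;
        }
        // Mapped case: the holder pushed by the exception interceptor is still
        // on the value stack after the error result has been rendered.
        Exception mapped = invocation.getStack().findValue("exception", Exception.class);
        if (mapped != null) {
            notifyAdmin(invocation, mapped);
        }
        return result;
    }

    /** Hook for the real notification; the mail sender is left as a log call here. */
    protected void notifyAdmin(ActionInvocation invocation, Exception e) {
        String where = invocation.getProxy().getNamespace() + "/" + invocation.getProxy().getActionName();
        try {
            LOG.log(Level.SEVERE, "Unhandled exception in action " + where, e);
        } catch (RuntimeException notifyFailure) {
            // A broken notifier must never hide the original problem.
            LOG.log(Level.WARNING, "Could not notify admin about " + where, notifyFailure);
        }
    }
}
```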


Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3

2013-11-26 Thread Miguel Almeida
Picking up on this topic, I noticed that disabling this feature will
break any JSPs where you've set the action in the  tag instead
of the  tag.

This is particularly problematic in situations where for some reason
you have one form with two submit tags, since the submit is the only
place where you can distinguish the actions.

This can also be related to a similar situation in s2-019, where the
disabling of DMI makes the method="" parameter of the tags unusable.

I've learnt that this will be better handled in a future version of
Struts, so my assumption is that the normal behaviour will return in
both situations in a future non-security release, hopefully the next
one! Maybe someone from the dev team can share their input with us?


Kind regards,
Miguel Almeida

On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:

> Dear Struts2 mailing list,
> 
> I have the following question(s) / I need the following advice:
> By default the "action:" prefix is set to false in Struts2 v2.3.15.3, according to
> http://struts.apache.org/release/2.3.x/docs/s2-018
> for security reasons,
> but I need to set it back to true (i.e. the
> struts.mapper.action.prefix.enabled) because my actions do not work
> after the library update, and if I decide to go another way to solve this
> issue I need to do a lot of refactoring on my code.
> So my question is:
> if I enable the "action:" prefix, does it mean that I automatically
> compromise/expose my application to the security issues discussed in
> s2-16, s2-17 and s2-18?
> Is there a workaround for my scenario, so that I can enable the prefix but
> still maintain the security level of my application considering the
> issues enumerated above? (Can I achieve better results if I tweak
> struts.mapper.action.prefix.crossNamespaces properly?)
> 
> Many thanks for your opinions and support!
> 
> Best,
> 
> krassen