Re: Struts2 login action class seems to be reused
On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
> Get rid of the get methods in LoginAction, is this in /Context2 (application
> where the issue is occurring) or /Context1 (which forwards the requests to
> /Context2)?
>

The context that forwards the request (Context1, I think), but you may do it for all to be sure. However, I still prefer replacing FORWARD with REDIRECT or POSTBACK to prevent possible future issues.

>
> Yes exactly. The new log shows, your previous contexts actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in
> current context because you forward same request which includes previous
> context data, then, Struts ChainInterceptor copies data from previous to
> current action :S . As currently Struts cannot handle forwarded requests
> well, could you please try REDIRECT instead? sendRedirect asks user
> browser to continue with a new request.
>
> Still not sure about the above comment. So the ChainInterceptor is getting
> data from an action that occurred before and is not part of current request?

Struts has a stack. ChainResult pushes the current action to the stack for the next action. In the next action, ChainInterceptor pops it and copies values. Now you have two actions in the stack (I don't know how, but it seems it's because of forwarding the same request, which has the previous context1 stack) and ChainInterceptor thinks ChainResult has pushed that and then pops and copies them into the current action.

Regards.
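The stack behaviour described in the message above, as an added example that is not part of the thread and is not Struts code: a simplified Java model in which a copy step moves every readable property from an action left on the stack into the current action, first with the getter present and then with it deleted. The class names, the `props`, `copy` and `directGet` helpers and the sample username are assumptions made for illustration.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayDeque;
import java.util.Deque;

// Simplified model of the behaviour described in the thread; not Struts code.
public class ChainCopyModel {
    // Hypothetical login action with a getter and a setter.
    public static class LoginAction {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
    }
    // The same action with the getter deleted, as suggested in the thread.
    public static class LoginActionNoGetter {
        private String username;
        public void setUsername(String u) { username = u; }
        String stored() { return username; }   // not a bean getter, invisible to copy()
    }

    static PropertyDescriptor[] props(Object o) throws Exception {
        return Introspector.getBeanInfo(o.getClass(), Object.class).getPropertyDescriptors();
    }
    // Copy every property that has a getter on 'from' and a setter on 'to'.
    static void copy(Object from, Object to) throws Exception {
        for (PropertyDescriptor src : props(from)) {
            if (src.getReadMethod() == null) continue;   // no getter: nothing to read
            for (PropertyDescriptor dst : props(to))
                if (dst.getName().equals(src.getName()) && dst.getWriteMethod() != null)
                    dst.getWriteMethod().invoke(to, src.getReadMethod().invoke(from));
        }
    }
    // A direct GET handled while 'stale' is still on the stack from a forwarded login.
    static void directGet(Object stale, Object fresh) throws Exception {
        Deque<Object> stack = new ArrayDeque<>();        // stands in for the value stack
        stack.push(stale);
        for (Object previous : stack) copy(previous, fresh);
    }

    public static void main(String[] args) throws Exception {
        LoginAction stale = new LoginAction(), fresh = new LoginAction();
        stale.setUsername("alice");                      // constructed sample value
        directGet(stale, fresh);
        System.out.println("with getter:    " + fresh.getUsername());
        LoginActionNoGetter stale2 = new LoginActionNoGetter(), fresh2 = new LoginActionNoGetter();
        stale2.setUsername("alice");
        directGet(stale2, fresh2);
        System.out.println("getter removed: " + fresh2.stored());
    }
}
```

In the first run the parameterless action ends up holding the earlier user's name; in the second nothing is copied because the stale action exposes no readable property.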
Re: bypassing request parameter validation in struts 2.5.14.1
2018-04-23 19:01 GMT+02:00 Rajvinder Pal:
> Hi,
>
> I need to bypass one validation error , which i am getting during appscan
> run.
>
> *Invalid field value for field* XXX
>
> I have seen com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor
> in struts2-core- 2.5.14.1.jar . But it does not have any excludeParams
> .Please let me know what else i can do?I have tried the below code in
> struts.xml, but it didn't work.
>
>
> accessCode
>

This isn't a validation error but a conversion error; your "accessCode" cannot be converted from string to some default type. Use String instead and everything will be OK. ConversionErrorInterceptor only displays the errors, it does not produce them.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: bypassing request parameter validation in struts 2.5.14.1
Any idea how I can avoid this error for a specific parameter?

Regards,
Raj

On Mon, Apr 23, 2018 at 10:31 PM, Rajvinder Pal wrote:
> Hi,
>
> I need to bypass one validation error , which i am getting during appscan
> run.
>
> *Invalid field value for field* XXX
>
> I have seen com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor
> in struts2-core- 2.5.14.1.jar . But it does not have any excludeParams
> .Please let me know what else i can do?I have tried the below code in
> struts.xml, but it didn't work.
>
>
> accessCode
>
>
> Thanks,
> Raj
>
Re: Struts2 login action class seems to be reused
Get rid of the get methods in LoginAction, is this in /Context2 (application where the issue is occurring) or /Context1 (which forwards the requests to /Context2)?

Yes exactly. The new log shows, your previous contexts actions (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in current context because you forward same request which includes previous context data, then, Struts ChainInterceptor copies data from previous to current action :S . As currently Struts cannot handle forwarded requests well, could you please try REDIRECT instead? sendRedirect asks user browser to continue with a new request.

Still not sure about the above comment. So the ChainInterceptor is getting data from an action that occurred before and is not part of current request?

Thanks,
Prasanth

On 04/23/2018 01:27 PM, Yasser Zamani wrote:
>
> On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
>> The user is inputting username and password in /Context1, if I send a
>> redirect they would have to enter username/password again in /Context2.
>>
> No, you already have them. I think you can use Struts PostbackResult [1]
> in /Context1/LoginAction like below:
>
> /Context2/LoginAction
>
>> May be for LoginAction in /Context2 I can remove instance variables (so that
>> struts doesn't set any values) I will directly access the request object to
>> get username and password to validate.
> The simpler solution is deleting getUsername and getPassword methods
> from LoginAction which disables ChainInterceptor to copies them and
> solves this issue! But I'm worry about other issues caused by FORWARD,
> so please try replacing all of them as I mentioned above.
>
> [1] https://struts.apache.org/core-developers/postback-result.html
>
Re: Struts2 login action class seems to be reused
On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
> The user is inputting username and password in /Context1, if I send a
> redirect they would have to enter username/password again in /Context2.
>

No, you already have them. I think you can use Struts PostbackResult [1] in /Context1/LoginAction like below:

/Context2/LoginAction

> May be for LoginAction in /Context2 I can remove instance variables (so that
> struts doesn't set any values) I will directly access the request object to
> get username and password to validate.

The simpler solution is deleting the getUsername and getPassword methods from LoginAction, which stops ChainInterceptor from copying them and solves this issue! But I'm worried about other issues caused by FORWARD, so please try replacing all of them as I mentioned above.

[1] https://struts.apache.org/core-developers/postback-result.html
Re: Struts2 login action class seems to be reused
The two LoginAction classes below are from the same context (/Context2). Context1 LoginAction would have a different package name. The issue occurs when a user is requesting /Context2 directly rather than when the request is forwarded; if the request is forwarded from /Context1 it would have the username and password in the request and those seem to be working fine. The issue is when there are requests forwarded from /Context1 with username and password and later on there is a GET request to /Context2 LoginAction (no username/password in request, so it should display the login page). Now somehow Struts is using data from the old forwarded requests (sent from Context1) for a request made directly to Context2.

The user is inputting username and password in /Context1; if I send a redirect they would have to enter username/password again in /Context2.

Maybe for LoginAction in /Context2 I can remove instance variables (so that Struts doesn't set any values). I will directly access the request object to get username and password to validate.

Thanks,
Prasanth

On 04/23/2018 12:31 PM, Yasser Zamani wrote:
>
> On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
>> Found this one also but for almost all, the root size was 3. Below one was
>> anomaly.
>> Root Size: 4
>> Result: null
>> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
>> Object: com.nqadmin.webaccess.LoginAction@7f716c46
>> Object: com.nqadmin.webaccess.LoginAction@35224c2f
>>
>> Also found that the issue doesn't come up if I am logging in only to the
>> second website (/context2). The issue only comes up if there are users
>> logging in via context1, whose login request is
>> forwarded to context2.
> Yes exactly. The new log shows, your previous contexts actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in
> current context because you forward same request which includes previous
> context data, then, Struts ChainInterceptor copies data from previous to
> current action :S . As currently Struts cannot handle forwarded requests
> well, could you please try REDIRECT instead? sendRedirect asks user
> browser to continue with a new request.
>
> Regards.
>
Re: Struts2 login action class seems to be reused
On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
> Found this one also but for almost all, the root size was 3. Below one was
> anomaly.
> Root Size: 4
> Result: null
> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
> Object: com.nqadmin.webaccess.LoginAction@7f716c46
> Object: com.nqadmin.webaccess.LoginAction@35224c2f
>
> Also found that the issue doesn't come up if I am logging in only to the
> second website (/context2). The issue only comes up if there are users
> logging in via context1, whose login request is
> forwarded to context2.

Yes, exactly. The new log shows your previous context's actions (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the current context because you forward the same request, which includes the previous context's data; then the Struts ChainInterceptor copies data from the previous to the current action :S . As Struts currently cannot handle forwarded requests well, could you please try REDIRECT instead? sendRedirect asks the user's browser to continue with a new request.

Regards.
bypassing request parameter validation in struts 2.5.14.1
Hi,

I need to bypass one validation error, which I am getting during an appscan run.

*Invalid field value for field* XXX

I have seen com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor in struts2-core- 2.5.14.1.jar, but it does not have any excludeParams. Please let me know what else I can do. I have tried the below code in struts.xml, but it didn't work.

accessCode

Thanks,
Raj
Re: Struts2 login action class seems to be reused
Found this one also, but for almost all, the root size was 3. The one below was an anomaly.

Root Size: 4
Result: null
Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
Object: com.nqadmin.webaccess.LoginAction@7f716c46
Object: com.nqadmin.webaccess.LoginAction@35224c2f

Also found that the issue doesn't come up if I am logging in only to the second website (/context2). The issue only comes up if there are users logging in via context1, whose login request is forwarded to context2.

Since it has been a while, including the details of how our setup works. Context 2 & Context 3 are two websites and depending on user type they have to log in to one or the other. To make it easy for the user we have Context1 where we allow users to log in; this site checks the database and determines which site they need to be logging into and forwards the login request to Context2 or Context3. We have users who would log in to the right context and some who utilize Context1 to log in.

Thanks,
Prasanth

On 04/23/2018 09:42 AM, Prasanth Pasala wrote:
> Below is the result of the new logging.
>
> Root Size: 3
> Result: null
> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
> Object: com.xx.webaccess.LoginAction@40c80ce8
>
> Thanks,
> Prasanth
>
> On 04/21/2018 05:09 AM, Yasser Zamani wrote:
>> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>>> There is a index.jsp which is defined as default page in web.xml it just
>>> forwards the request to Login.action. There is no chaining of actions in
>>> struts itself. We do have a LoginFilter which verifies
>>> if a user is logged in.
>>>
>> So maybe there is a bug with chain interceptor! Could you please use
>> following code in your action setUsername method (save it's log in a
>> private string field in your action). Then print it when your action
>> data are not consistent with request params.
>>
>> String log = "";
>> ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
>> ValueStack stack = invocation.getStack();
>> CompoundRoot root = stack.getRoot();
>> log += "Root Size: " + root.size();
>> Result result = invocation.getResult();
>> log += "\r\nResult: " + result;
>> List list = new ArrayList(root);
>> list.remove(0);
>> Collections.reverse(list);
>> for (Object object : list) {
>>     log += "\r\nObject: " + object;
>> }
>> this.log = log; //saves for possible future use
>>
>> Thanks!
>>
Re: Struts2 login action class seems to be reused
Below is the result of the new logging.

Root Size: 3
Result: null
Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
Object: com.xx.webaccess.LoginAction@40c80ce8

Thanks,
Prasanth

On 04/21/2018 05:09 AM, Yasser Zamani wrote:
>
> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>> There is a index.jsp which is defined as default page in web.xml it just
>> forwards the request to Login.action. There is no chaining of actions in
>> struts itself. We do have a LoginFilter which verifies
>> if a user is logged in.
>>
> So maybe there is a bug with chain interceptor! Could you please use
> following code in your action setUsername method (save it's log in a
> private string field in your action). Then print it when your action
> data are not consistent with request params.
>
> String log = "";
> ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
> ValueStack stack = invocation.getStack();
> CompoundRoot root = stack.getRoot();
> log += "Root Size: " + root.size();
> Result result = invocation.getResult();
> log += "\r\nResult: " + result;
> List list = new ArrayList(root);
> list.remove(0);
> Collections.reverse(list);
> for (Object object : list) {
>     log += "\r\nObject: " + object;
> }
> this.log = log; //saves for possible future use
>
> Thanks!
>