Re: Unable to Find FreeMarker Template in Struts 2.3.16.2

2014-05-02 Thread bphill...@ku.edu
John:

   You may want to use git clone to get our updated Struts 2 example
projects:  git clone http://git.apache.org/struts-examples.git 

   In the example projects is one for Struts 2 Themes that shows how the
customized .ftl files are under src/main/resources (in specific folders) and
also the addition of a theme.properties file.

   There is also an updated tutorial on Struts 2 custom themes: 
http://struts.apache.org/release/2.3.x/docs/struts-2-themes.html

Hope this helps you.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Unable-to-Find-FreeMarker-Template-in-Struts-2-3-16-2-tp5715856p5715869.html
Sent from the Struts - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Problem with tutorial

2013-11-24 Thread bphill...@ku.edu
Michel:

   Are you using the tutorial code provided at
https://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2examples or are
you coding the example yourself?

   If you are coding the example yourself you may want to compare your code
and files to the example code checked out from the subversion repository
above.

  I just checked that the example code for the using tags tutorial works
correctly under Tomcat 7.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Problem-with-tutorial-tp5714733p5714735.html



Struts 2 Examples Updated

2013-10-31 Thread bphill...@ku.edu
I updated the Struts 2 examples to test using the new release (2.3.15.3).  I
also fixed those examples that were still using name="expression" for regex
XML validation.

You can check out these examples from Subversion at: 
https://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2examples 





--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts-2-Examples-Updated-tp5714519.html



Re: 2 files register.jsp in trunk/struts2examples/message_resource

2013-10-30 Thread bphill...@ku.edu
Thank you for letting us know.  I deleted the register.jsp that was under
src/main/resources...

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/2-files-register-jsp-in-trunk-struts2examples-message-resource-tp5714503p5714510.html



Re: [ANNOUNCEMENT] Struts2-JSR303-Validation-Plugin available

2013-10-29 Thread bphill...@ku.edu
Umesh:

   Here is the link to the blog entry I wrote:

  
http://www.brucephillips.name/blog/index.cfm/2013/10/29/New-Struts-2-Plugin-For-JSR-303-Bean-Validation

   Please let me know if I need to make any changes.

   Thanks again for all the work you put into creating this plugin.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/ANNOUNCEMENT-Struts2-JSR303-Validation-Plugin-available-tp5714414p5714498.html



Re: [ANNOUNCEMENT] Struts2-JSR303-Validation-Plugin available

2013-10-28 Thread bphill...@ku.edu
Umesh:

Does the JSR303 Validation Plugin work with Struts 2 XML validation?

In my example project the validation plugin is working but the XML
validation I have is not being executed.

See:  http://www.stfm.org/test/jsr303_validation.zip 

Besides the validation annotations applied to the model class - I also
have XML validation setup (regex to check format of the phone number and
OGNL expression to ensure that at least one car model is checked).  The
model class annotations are being enforced but not the XML validations.

Bruce

 



--
View this message in context: 
http://struts.1045723.n5.nabble.com/ANNOUNCEMENT-Struts2-JSR303-Validation-Plugin-available-tp5714414p5714464.html



Re: [ANNOUNCEMENT] Struts2-JSR303-Validation-Plugin available

2013-10-25 Thread bphill...@ku.edu
Works now - thank you for the help and for creating a very useful plugin.  

Would you mind if I wrote an article about how to use this plugin for my
blog (http://www.brucephillips.name/blog)?

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/ANNOUNCEMENT-Struts2-JSR303-Validation-Plugin-available-tp5714414p5714436.html



Re: [ANNOUNCEMENT] Struts2-JSR303-Validation-Plugin available

2013-10-25 Thread bphill...@ku.edu
I've modified one of my form processing example applications to include this
plugin.  It is not working as it allows you to not enter a value for first
name even though I've annotated it with @Size(min=5).

I double-checked that I'm following all the steps you listed in your
ReadMe.md file at GitHub but it's very possible I missed something.

Could you look over this project: 
http://www.stfm.org/test/jsr303_validation.zip (unzip it - it's a Maven
project) and let me know what I've not done correctly.

Thank you,

Bruce Phillips




--
View this message in context: 
http://struts.1045723.n5.nabble.com/ANNOUNCEMENT-Struts2-JSR303-Validation-Plugin-available-tp5714414p5714434.html



Re: About S2-019, is it safe to re-enable DMI ?

2013-09-25 Thread bphill...@ku.edu
"Ok, but I mean how is it possible to not use DMI "with struts convention
plugin". 
We prefer the convention over configuration approach. "

I don't believe DMI is required to use the Struts Convention plugin.

For example see the annotations tutorial in the Struts 2 examples (the link
I sent you earlier).  I was able to run that example app with Struts
2.3.15.2.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/About-S2-019-is-it-safe-to-re-enable-DMI-tp5714046p5714067.html



Re: About S2-019, is it safe to re-enable DMI ?

2013-09-25 Thread bphill...@ku.edu

"If not, how is it possible to not use DMI ? "

See - http://struts.apache.org/release/2.3.x/docs/getting-started.html - the
tutorial on using Wildcard Method Selection may be helpful.

Using the ! (bang) operator and dynamic method invocation is a security
problem.  See: 
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation



--
View this message in context: 
http://struts.1045723.n5.nabble.com/About-S2-019-is-it-safe-to-re-enable-DMI-tp5714046p5714060.html



Re: How to Mock getText("customerLabel") method in junit?

2013-09-03 Thread bphill...@ku.edu
You may want to check out this tutorial and the example code that goes with
it:

  http://struts.apache.org/release/2.3.x/docs/unit-testing.html 





--
View this message in context: 
http://struts.1045723.n5.nabble.com/How-to-Mock-getText-customerLabel-method-in-junit-tp5713562p5713597.html



Re: Actions now require INPUT result after installing struts2-spring plugin

2013-07-18 Thread bphill...@ku.edu
David:

  We have a Struts - Spring example application at
https://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2examples/

  I recently tested this example application, which uses Struts 2 version
2.3.15, and did not encounter the issue you report.  In the example there is
a save action that does not define a result of type input but everything
works correctly.

  You may also want to consult this tutorial: 
http://struts.apache.org/release/2.3.x/docs/spring-and-struts-2.html (note
the location of the example application cited in the tutorial is now in the
above svn repository).

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Actions-now-require-INPUT-result-after-installing-struts2-spring-plugin-tp5713233p5713242.html



Re: New Warn Log Messages When Using Struts 2.3.8

2013-01-02 Thread bphill...@ku.edu
I added a tutorial on how to exclude parameters from being processed to
https://cwiki.apache.org/confluence/display/WW/Getting+Started 

Where should I add this information to the Core Developer's Guide at
https://cwiki.apache.org/confluence/display/WW/Guides?  

Could it go somewhere under the Configuration section - maybe its own
sub-bullet (Exclude Parameters) under Configuration Elements?

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/New-Warn-Log-Messages-When-Using-Struts-2-3-8-tp5711523p5711554.html



Re: New Warn Log Messages When Using Struts 2.3.8

2012-12-31 Thread bphill...@ku.edu
Lukasz (and anyone else):

   Please look over this article:  
http://www.brucephillips.name/blog/index.cfm/2012/12/31/Struts-2-How-To-Exclude-Parameters-From-Being-Processed-By-The-Framework

  

   Let me know if anything needs to be added/changed.

   I'll then create a tutorial article at
http://struts.apache.org/2.3.8/docs/getting-started.html about how to
exclude parameters from being processed and also add information about this
to http://struts.apache.org/2.3.8/docs/core-developers-guide.html.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/New-Warn-Log-Messages-When-Using-Struts-2-3-8-tp5711523p5711544.html



Re: New Warn Log Messages When Using Struts 2.3.8

2012-12-31 Thread bphill...@ku.edu
Lukasz:

   Thank you for the reply.  I did test with devMode = false and the WARN
and ERROR log messages are not written to the log.  Since in production we
have devMode = false set this isn't a big issue for us.

   It was just a bit confusing to see those log messages during development
and I wanted to ensure there wasn't something new with release 2.3.8 we
needed to do in our code.

   Is there somewhere in the Struts 2 online documentation that discusses
the excludeParams and why a developer may want to exclude a parameter from
being appended to the action?  I looked through the topics listed here: 
http://struts.apache.org/2.3.8/docs/core-developers-guide.html but did not
find any information.

   If we need to write up some documentation on excluding parameters I'd be
happy to do that if you can let me know where to get more information about
this feature.  I could also add an example to the tutorials I created here: 
http://struts.apache.org/2.3.8/docs/getting-started.html.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/New-Warn-Log-Messages-When-Using-Struts-2-3-8-tp5711523p5711538.html



New Warn Log Messages When Using Struts 2.3.8

2012-12-28 Thread bphill...@ku.edu
I'm reviewing Struts 2.3.8 and noticed that in the log there are new
WARN-level messages that were not there in release 2.3.4.1.

For example:


Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.carModels] is not on the excludeParams list
of patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.email] is not on the excludeParams list of
patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.firstName] is not on the excludeParams list
of patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.gender] is not on the excludeParams list of
patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.lastName] is not on the excludeParams list of
patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.over21] is not on the excludeParams list of
patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.phoneNumber] is not on the excludeParams list
of patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.residency] is not on the excludeParams list
of patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [personBean.sport] is not on the excludeParams list of
patterns and will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger warn
WARNING: Parameter [submit] is not on the excludeParams list of patterns and
will be appended to action!
Dec 28, 2012 2:01:43 PM
com.opensymphony.xwork2.util.logging.commons.CommonsLogger error
SEVERE: Developer Notification (set struts.devMode to false to disable this
message):
Unexpected Exception caught setting 'submit' on 'class
org.apache.struts.edit.action.EditAction: Error setting expression 'submit'
with value ['Save Changes', ]

Is there something I should do in my code/settings in response to the
WARNING: Parameter ... messages?  In production we usually log at the WARN
level for dependent artifacts.

Bruce 





--
View this message in context: 
http://struts.1045723.n5.nabble.com/New-Warn-Log-Messages-When-Using-Struts-2-3-8-tp5711523.html



Updated Struts 2 Ant Examples

2012-09-06 Thread bphill...@ku.edu
I updated the Struts 2 basic and hello world Ant examples at
http://struts.apache.org/2.3.4.1/docs/getting-started.html to include the
latest Struts 2 version and other required jars.  

I noticed that sometime after version 2.3.3 Struts 2 no longer needs
commons-lang 2.X but just needs commons-lang3.

As I get time I'll work on updating the other Ant examples to use the latest
jars and Struts version.  The Maven examples are not as out of date and also
are much easier for end users to update by just changing the struts2-core
version number in pom.xml.

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Updated-Struts-2-Ant-Examples-tp5710592.html



Re: Struts2Builder 0.5.0 has been released - now with support for Oracle, Sybase, and MS SQL Server

2012-08-29 Thread bphill...@ku.edu
I'm not a big fan of code generators, but I gave Struts2Builder a try.  It
worked well generating a complete Struts 2 CRUD web application.  I used it on
Mac OS 10.8.1 and with MySQL.

One change I would recommend is that in the dependencies you instruct the
user to add to pom.xml I think you've got an old version number for the
spring-aop.

Also why cannot the maven compiler settings be set to generate Java 1.6
instead of Java 1.5?

Lastly, is it possible in this version to only use some of the columns in a
table for generating the Java classes?  I sometimes need to use existing
tables that have dozens of columns but I only need a few of those columns to
create/populate the state of my Java object (just to read from the table -
there is no update/create back to the table)?

Bruce



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts2Builder-0-5-0-has-been-released-now-with-support-for-Oracle-Sybase-and-MS-SQL-Server-tp5710530p5710540.html



Re: simplest web program with struts

2012-06-10 Thread bphill...@ku.edu
See the Struts tutorials here: 
http://struts.apache.org/2.3.4/docs/getting-started.html 

--
View this message in context: 
http://struts.1045723.n5.nabble.com/simplest-web-program-with-struts-tp5709961p5709962.html



Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-29 Thread bphill...@ku.edu
Lukasz:

Good idea on letting Struts 2 developers know that instead of implementing
the ParameterNameAware interface they can change the excludeParams
value as part of the package setup.  

So I'll add to my code example:







 
true
ERROR

dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*






and include in the tutorial text both options.

Thanks for the help.


--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5525787.html



Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-28 Thread bphill...@ku.edu
Lukasz - I agree with you, but until a new version of Struts 2 is released
that includes a fix for this vulnerability, I'd like to tell Struts 2
developers what to do when implementing the SessionAware interface to
mitigate the vulnerability.

If you could look over what I wrote in the initial post and provide any
feedback on that I'd certainly appreciate your comments.

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5523338.html



Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-27 Thread bphill...@ku.edu
I appreciate your comments, but what I'd like to accomplish is what
instructions should we provide in our tutorial on using the SessionAware
interface in order to best mitigate the security vulnerabilities introduced
when using SessionAware given how the Struts 2 framework works today.

I don't think using only immutable objects in the session reduces the
vulnerability.  String is immutable, but as I understand the security
vulnerability of using SessionAware, a hacker could change the String value
I've stored in the session.

When using SessionAware what do experienced Struts 2 developers do to reduce
as much as possible the vulnerability identified in my original post?  I'd
like to include these practices in the SessionAware tutorial.

Thank you for the feedback.



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5519824.html



Re: Struts 2 Portlet Plugin 2.3.1.2 Breaks Using Struts For Both A Portlet and Standalone Web App

2012-02-22 Thread bphill...@ku.edu
I created this JIRA issue:
https://issues.apache.org/jira/browse/WW-3763


Bruce

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts-2-Portlet-Plugin-2-3-1-2-Breaks-Using-Struts-For-Both-A-Portlet-and-Standalone-Web-App-tp5502757p5505036.html



Struts 2 Portlet Plugin 2.3.1.2 Breaks Using Struts For Both A Portlet and Standalone Web App

2012-02-21 Thread bphill...@ku.edu
I've got a few Struts applications where I use the Struts 2 portlet plugin to
create a portlet and still have a standalone web application.

This worked fine through Struts 2 portlet plugin version 2.2.1.1.  For an
example of this download and unzip this Eclipse/Maven project

http://code.google.com/p/struts2-examples/downloads/detail?name=Struts2CRUDPortletExample_Finish.zip

 (read the README.txt file for how to build/deploy).

I tried to upgrade this project to use Struts version 2.3.1.2 (both core and
portlet plugin).  The portlet works fine.  But now when trying to load an
action for the standalone version (an action defined in package
extends="struts-default") I get the following exception:

Struts Problem Report

Struts has detected an unhandled exception:
Messages:   

java.lang.reflect.InvocationTargetException
java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
java.lang.RuntimeException: java.lang.RuntimeException:
java.lang.reflect.InvocationTargetException
java.lang.RuntimeException: java.lang.RuntimeException:
java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
An exception occurred processing JSP page /jsp/employees.jsp at line 5
2: <%@ taglib prefix="s" uri="/struts-tags" %> 3: 4: 5: 6: 7: 8: Stacktrace:

File:   org/apache/struts2/portlet/context/PortletActionContext.java
Line number:225
Stacktraces
org.apache.jasper.JasperException: An exception occurred processing JSP page
/jsp/employees.jsp at line 5 2: <%@ taglib prefix="s" uri="/struts-tags" %>
3: 4: 5: 6: 7: 8: Stacktrace:

Did something change in the Struts 2 Portlet Plugin code from version
2.2.1.1 to 2.3.1.2 that might be causing this problem? 

If needed I can submit a JIRA issue.

Thank You,

Bruce Phillips


--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts-2-Portlet-Plugin-2-3-1-2-Breaks-Using-Struts-For-Both-A-Portlet-and-Standalone-Web-App-tp5502757p5502757.html



Security Vulnerability When Using SessionAware and Best Practice For Mitigating It

2012-02-21 Thread bphill...@ku.edu
I was researching the SessionAware interface as I'm planning on adding a
tutorial on how to use the HTTP Session object from within a Struts Action
class to the tutorials at:
https://cwiki.apache.org/confluence/display/WW/Getting+Started

I ran across this blog post
(http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html)
and this Struts 2 JIRA issue (https://issues.apache.org/jira/browse/WW-3631)
that discuss a security vulnerability when using SessionAware.

I'd like to include in the tutorial the best practices for mitigating this
vulnerability.  Here is what I think programmers who use SessionAware in
their Action class should do to mitigate this vulnerability:

1.  Do not create a public Map getSession() method in the
Action class

2.  Also implement the ParameterNameAware interface and override its
acceptableParameterName method as follows:

  public boolean acceptableParameterName(String parameterName) {

      boolean allowedParameterName = true;

      if (parameterName.contains("session")
              || parameterName.contains("request")) {
          allowedParameterName = false;
      }

      return allowedParameterName;
  }

I'd certainly appreciate any feedback on best practices to follow when
implementing the SessionAware interface and how to mitigate the security
vulnerability.

Thank You,

Bruce Phillips



--
View this message in context: 
http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5502292.html
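
The two filters discussed in this thread, the substring test in acceptableParameterName above and the excludeParams pattern list quoted in the 2012-02-29 reply, compared on constructed parameter names. This is an added example, not code from the thread or from Struts: the class and method names are hypothetical, and it assumes a parameter is excluded when any pattern matches the whole name (Java's Matcher.matches()).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ParamFilterComparison {

    // Pattern list as quoted in the 2012-02-29 message (comma-separated regexes).
    static final String EXCLUDE_PARAMS =
            "dojo\\..*,^struts\\..*,^session\\..*,^request\\..*,^application\\..*,"
            + "^servlet(Request|Response)\\..*,parameters\\...*";

    // Split the comma-separated list and compile each entry once.
    static List<Pattern> compile(String commaSeparated) {
        List<Pattern> patterns = new ArrayList<>();
        for (String regex : commaSeparated.split(",")) {
            patterns.add(Pattern.compile(regex.trim()));
        }
        return patterns;
    }

    // Assumption: a name is excluded when any pattern matches the whole name.
    static boolean excludedByPatterns(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    // Same test as acceptableParameterName in the original post.
    static boolean acceptedBySubstringCheck(String name) {
        return !(name.contains("session") || name.contains("request"));
    }

    private static String verdict(boolean accepted) {
        return accepted ? "accepted" : "rejected";
    }

    public static void main(String[] args) {
        List<Pattern> patterns = compile(EXCLUDE_PARAMS);

        // Constructed parameter names: form fields, reserved prefixes, and
        // ordinary model fields whose names merely contain a reserved word.
        String[] names = {
            "personBean.firstName",
            "submit",
            "session.userName",
            "request.locale",
            "struts.example",
            "personBean.sessionCount",
            "requestedDate"
        };

        System.out.printf("%-26s %-16s %s%n",
                "parameter", "excludeParams", "substring check");
        for (String name : names) {
            boolean viaPatterns = !excludedByPatterns(patterns, name);
            boolean viaSubstring = acceptedBySubstringCheck(name);
            System.out.printf("%-26s %-16s %s%n",
                    name, verdict(viaPatterns), verdict(viaSubstring));
        }
    }
}
```

The rows where the two columns differ are the ones to review before choosing a filter: the substring test rejects ordinary model fields such as requestedDate, while the anchored patterns only reject names that begin with a reserved prefix.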



Re: Struts2 Hello world example

2012-01-24 Thread bphill...@ku.edu
Eren:
  
  Try starting with this tutorial: 
http://struts.apache.org/2.3.1.2/docs/how-to-create-a-struts-2-web-application.html.
 
That tutorial provides more of a "walk-thru" for how to structure a Struts 2
web application.

Bruce

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts2-Hello-world-example-tp5324357p5332091.html



Re: Problem With Struts 2.3.1 and Testing Struts Portlet

2011-12-30 Thread bphill...@ku.edu
JIRA issue created:  https://issues.apache.org/jira/browse/WW-3733

Thank you for the assistance.

Bruce

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Problem-With-Struts-2-3-1-and-Testing-Struts-Portlet-tp5103393p5110605.html



Problem With Struts 2.3.1 and Testing Struts Portlet

2011-12-27 Thread bphill...@ku.edu
I'm upgrading a Struts 2 portlet application from 2.2.3.1 to 2.3.1.  A test
of my Action class that extends StrutsSpringTestCase that passed when using
2.2.3.1 now fails when using version 2.3.1.

I've created a simple Struts 2 portlet example application to demonstrate
the issue.  You can download the zipped example here:

  http://www.brucephillips.name/struts/struts2helloworldportlet.zip

Unzip the download.

In a terminal window navigate to the project's root folder.

run mvn clean test

The test will pass.

Open the pom.xml and change the struts.version property to 2.3.1 and save
your change

run mvn clean test

The test will now fail.

Here is part of the error message in the test report:


Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.314 sec
<<< FAILURE!
testExecute(com.struts2.tutorial.action.DefaultActionTest)  Time elapsed:
1.252 sec  <<< ERROR!
Error creating bean with name
'org.apache.struts2.portlet.result.PortletResult': Instantiation of bean
failed; nested exception is
org.springframework.beans.BeanInstantiationException: Could not instantiate
bean class [org.apache.struts2.portlet.result.PortletResult]: Constructor
threw exception; nested exception is java.lang.NullPointerException - action
-
file:/Users/bphillips/eclipse_workspaces/kucard/Struts2HelloWorldPortlet/target/classes/struts.xml:11:74
at
com.opensymphony.xwork2.DefaultActionInvocation.createResult(DefaultActionInvocation.java:224)

I get the same error if the project is using the Struts Spring plugin or
not.

I think the error is in the Struts unit testing framework as I can still run
the project successfully.  For example after updating the struts.version in
pom.xml enter this command in the terminal window:

mvn jetty:run

When you see the message [INFO] Started Jetty Server go to this URL in your
web browser:  http://localhost:8080/struts2helloworldportlet/pluto/index.jsp
and you should see the example portlet.

Bruce





--
View this message in context: 
http://struts.1045723.n5.nabble.com/Problem-With-Struts-2-3-1-and-Testing-Struts-Portlet-tp5103393p5103393.html



Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release

2011-12-16 Thread bphill...@ku.edu
I think you fixed the issue.

Using the 2.3.2-snapshot with strict-method-invocation="true" in the package
statement I now get a 404 - error with the message being 

 Invalid method: getPassword for action recoverpassword 

and the description being 

 The requested resource (Invalid method: getPassword for action
recoverpassword) is not available

When using the 2.3.1 GA release with strict-method-invocation="true" in the
package statement I was getting a 404 error with the message being:

  No result defined for action
edu.ku.it.si.struts2securityvulnerability.security.action.RecoverPassword
and result user_secrect_password

and the description being:

The requested resource (No result defined for action
edu.ku.it.si.struts2securityvulnerability.security.action.RecoverPassword
and result user_secrect_password) is not available.

The user_secret_password is actually the String being returned from the
getPassword method call.  This was the same result I was getting before
2.3.1.

Thanks for the quick response.  I look forward to getting 2.3.2.

Bruce





--
View this message in context: 
http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5081493.html



Re: Struts2 + SHIRO, struts action can't get the values from submit page

2011-12-15 Thread bphill...@ku.edu
Try specifying the Shiro filter nodes before the Struts 2 nodes in your
web.xml.

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Struts2-SHIRO-struts-action-can-t-get-the-values-from-submit-page-tp5065446p5077749.html



Dynamic Method Invocation Changes In Struts 2.3.1 Release

2011-12-15 Thread bphill...@ku.edu
I'd previously blogged about the security vulnerability
(http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation)
that exists when Struts dynamic method invocation is not disabled.  I was
happy to learn that this vulnerability was addressed in the 2.3.1 release.

However, after adding the strict-method-invocation="true" to my package
statement a user of my example application is still able to execute any
public method (for example getPassword) of the action class.

I'm following the instructions here
(http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation)
that state to add strict-method-invocation="true" to the
package statement to prevent dynamic method invocation from executing any
method except the method specified in the method attribute of the action.

You can download the example application from my blog post
(http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation)
to see how I tested the 2.3.1 release and dynamic method
invocation.  See the readme file in the download for instructions on how to
build and deploy the example.

Have I missed some additional configuration that must be done to prevent
dynamic method invocation from allowing the user to execute methods besides
the method specified in the action's method attribute?  

Thank you for the assistance.

--
View this message in context: 
http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html



Re: provide Helloworld application in Struts2.0

2011-11-16 Thread bphill...@ku.edu
You may want to read the tutorials here: 
http://struts.apache.org/2.2.3.1/docs/getting-started.html

There are detailed example applications that you can download and run in
Tomcat.

--
View this message in context: 
http://struts.1045723.n5.nabble.com/provide-Helloworld-application-in-Struts2-0-tp4988490p4998645.html



Re: NullPointerException Using StrutsSpringTestCase

2011-03-12 Thread bphill...@ku.edu
StrutsSpringTestCase extends StrutsTestCase which extends another class that
depends on JUnit 3 not JUnit 4.  

So you cannot use JUnit 4 annotations and the SpringJUnit4ClassRunner.

You may find this blog article helpful:

http://www.brucephillips.name/blog/index.cfm/2009/12/2/Using-JUnit-To-Test-A-Struts-2-Action-Class-In-An-Application-That-Also-Uses-Spring

Hopefully in a future version of Struts 2, StrutsTestCase will be updated to
use JUnit 4. 

--
View this message in context: 
http://struts.1045723.n5.nabble.com/NullPointerException-Using-StrutsSpringTestCase-tp3534567p3549698.html