Re: Only call actions from certain forms

2009-01-24 Thread Dave Newton

Andy Sykes wrote:
> Cheers for the suggestions - I guess I was just looking for a sanity
> check from the list.

It seems reasonable to me--the functionality *could* be wrapped up in an
interceptor, which might be marginally cleaner, but it's one of those
judgment calls that in real life I probably wouldn't care much about.

> The reasoning behind wanting to do this is my users are somewhat
> curious, and are prone to poking. I'd prefer for them to not see blank
> pages, stack traces, or otherwise!

Darn users... this is a pretty typical requirement and is one of the
reasons workflow engines came about; they can handle simple cases like
this as well as disallowing jumps into the middle of multi-step
processes etc.


Dave


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Only call actions from certain forms

2009-01-24 Thread Andy Sykes

Actually, having an interceptor makes some sense in this case.

How can interceptors short circuit the stack and action to return a  
result code? The ideal situation here would be that the protector  
interceptor is above the validation interceptor, checks for the form  
token, and chucks an error result code, protecting the validators from  
null parameters and so on.


I can't see anything in the documentation about achieving this - the  
ActionInvocation javadoc suggests that  
ActionInvocation.setResultCode() will not short-circuit the stack, and  
that the action's own result code will override the interceptor-set  
result.


Andy.

On 24 Jan 2009, at 17:56, Dave Newton wrote:

> Andy Sykes wrote:
>> Cheers for the suggestions - I guess I was just looking for a
>> sanity check from the list.
>
> It seems reasonable to me--the functionality *could* be wrapped up
> in an interceptor, which might be marginally cleaner, but it's one
> of those judgment calls that in real life I probably wouldn't care
> much about.
>
>> The reasoning behind wanting to do this is my users are somewhat
>> curious, and are prone to poking. I'd prefer for them to not see
>> blank pages, stack traces, or otherwise!
>
> Darn users... this is a pretty typical requirement and is one of the
> reasons workflow engines came about; they can handle simple cases
> like this as well as disallowing jumps into the middle of multi-step
> processes etc.
>
> Dave









Re: Only call actions from certain forms

2009-01-24 Thread Wes Wannemacher
On Saturday 24 January 2009 20:17:49 Andy Sykes wrote:
> Actually, having an interceptor makes some sense in this case.
>
> How can interceptors short circuit the stack and action to return a
> result code? The ideal situation here would be that the protector
> interceptor is above the validation interceptor, checks for the form
> token, and chucks an error result code, protecting the validators from
> null parameters and so on.

Well, the invoke method returns a string indicating which result to dispatch
to. Take a look at a few of the other interceptors to see. For instance, if
validation fails, the validation interceptor returns input.

> I can't see anything in the documentation about achieving this - the
> ActionInvocation javadoc suggests that
> ActionInvocation.setResultCode() will not short-circuit the stack, and
> that the action's own result code will override the interceptor-set
> result.

When an interceptor calls invocation.invoke() it either moves to the next
interceptor, or calls the method, depending on where it is in the stack. It's
fairly intuitive.

-- 

Wes Wannemacher
Author - Struts 2 In Practice 
Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
http://www.manning.com/wannemacher
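Wes's point is that an interceptor short-circuits the stack simply by returning a result name instead of calling invocation.invoke(). The class below is an added example written for this thread, not code from the list or from Struts itself: a "protector" interceptor of the kind Andy describes, meant to sit above the validation interceptor, that checks a hidden form token against one issued when the form was rendered. The package name, the class name FormTokenInterceptor, and the parameter name and session key "formToken" are assumptions made for the example.

```java
// Added example, not code from the thread or from Struts itself.
// Assumed names: package "example", class FormTokenInterceptor,
// request parameter and session key "formToken".
package example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class FormTokenInterceptor extends AbstractInterceptor {

    /** Name of the hidden field in the form, and so of the request parameter (assumed). */
    public static final String TOKEN_PARAM = "formToken";
    /** Session key under which the rendering action stored the token (assumed). */
    public static final String TOKEN_SESSION_KEY = "formToken";

    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        String submitted = request.getParameter(TOKEN_PARAM);
        Object expected = (session == null) ? null : session.get(TOKEN_SESSION_KEY);

        if (!tokensMatch(submitted, expected)) {
            // Returning a result name without calling invocation.invoke() is the
            // short circuit: the interceptors below this one (validation included)
            // and the action method never run, and the "input" result is dispatched,
            // so a request typed straight into the address bar lands back on the form
            // instead of producing a blank page or a stack trace.
            return Action.INPUT;
        }

        // Valid token: continue down the stack to the validators and the action.
        return invocation.invoke();
    }

    /**
     * Issue a fresh token for a form about to be rendered and remember it in the
     * session. The action that renders the form calls this and writes the returned
     * value into the hidden field named TOKEN_PARAM.
     */
    public static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        session.put(TOKEN_SESSION_KEY, token);
        return token;
    }

    /** Constant-time comparison so the check does not leak where the strings differ. */
    static boolean tokensMatch(String submitted, Object expected) {
        if (submitted == null || !(expected instanceof String)) {
            return false;
        }
        return MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                ((String) expected).getBytes(StandardCharsets.UTF_8));
    }
}
```

To use it, declare the class as an interceptor in struts.xml and place it in the stack ahead of the `validation` interceptor, so that a direct call to the form-handling action is turned away before any validator sees null fields. The form page puts the value returned by issueToken() into a hidden field of the same name. Struts 2 also ships a built-in `token` interceptor, driven by the `<s:token/>` tag, that performs a similar session-token comparison and returns the result name "invalid.token" when the check fails; it is worth looking at before writing a custom one.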





Re: Only call actions from certain forms

2009-01-24 Thread Andy Sykes
Doh. I was being very stupid - I looked in the XWork source and  
realised it's really straightforward.


I'm blaming this one on lack of sleep :)

Cheers,
Andy.

On 25 Jan 2009, at 01:25, Wes Wannemacher wrote:

> On Saturday 24 January 2009 20:17:49 Andy Sykes wrote:
>> Actually, having an interceptor makes some sense in this case.
>>
>> How can interceptors short circuit the stack and action to return a
>> result code? The ideal situation here would be that the protector
>> interceptor is above the validation interceptor, checks for the form
>> token, and chucks an error result code, protecting the validators from
>> null parameters and so on.
>
> Well, the invoke method returns a string indicating which result to
> dispatch to. Take a look at a few of the other interceptors to see. For
> instance, if validation fails, the validation interceptor returns input.
>
>> I can't see anything in the documentation about achieving this - the
>> ActionInvocation javadoc suggests that
>> ActionInvocation.setResultCode() will not short-circuit the stack, and
>> that the action's own result code will override the interceptor-set
>> result.
>
> When an interceptor calls invocation.invoke() it either moves to the
> next interceptor, or calls the method, depending on where it is in the
> stack. It's fairly intuitive.
>
> --
>
> Wes Wannemacher
> Author - Struts 2 In Practice
> Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
> http://www.manning.com/wannemacher









Only call actions from certain forms

2009-01-23 Thread Andy Sykes

Hi all,

My forms all submit to a different action than that which renders the  
pages.


Is there a recommended way to prevent/mitigate the effect of users  
directly calling the actions (via their URL) that forms are submitted  
to? In this case, the actions' fields are null, which is somewhat  
irritating in an action method that has associated validation..


Andy.




RE: Only call actions from certain forms

2009-01-23 Thread Martin Gainty

I can think of 2 security implementations:
1)Portlets (Jetspeed or Plumtree comes to mind)
2)implement either JNDI/JDBC/or MemoryRealm
http://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-memory-realm.html

HTH
Martin 
__ 
Disclaimer and confidentiality note 
Everything in this e-mail and any attachments relates to the official business 
of Sender. This transmission is of a confidential nature and Sender does not 
endorse distribution to any party other than intended recipient. Sender does 
not necessarily endorse content contained within this transmission. 




> From: a.sy...@ucl.ac.uk
> To: user@struts.apache.org
> Subject: Only call actions from certain forms
> Date: Fri, 23 Jan 2009 23:19:34 +
>
> Hi all,
>
> My forms all submit to a different action than that which renders the
> pages.
>
> Is there a recommended way to prevent/mitigate the effect of users
> directly calling the actions (via their URL) that forms are submitted
> to? In this case, the actions' fields are null, which is somewhat
> irritating in an action method that has associated validation..
>
> Andy.
 
 


Re: Only call actions from certain forms

2009-01-23 Thread Wes Wannemacher
Martin,

I could be reading his question wrong, but I think he is trying to limit 
POSTs/GETs of his actions so that they only come from the JSPs that he 
intends. This is a harder problem than it seems. My gut response was to tell 
him to check out HDIV, but I'm not sure whether that is built-in functionality 
they advertise. If this were a requirement for me, I'd look into writing an 
interceptor that checks the HTTP_REFERER and USER_AGENT, but even that is not 
going to be a foolproof solution. I think the nature of HTTP is that you 
can't fully enforce it. 

Another solution would be to try to generate a random token that your form 
retrieves via AJAX and sets to a hidden field. Then, validate the token in 
your method before proceeding. This would take care of most use-cases, but it 
might introduce other problems (users with noscript). 

What is the purpose of tying the OP's users directly to the forms? Is it a 
security concern, or is there another reason?
-- 

Wes Wannemacher
Author - Struts 2 In Practice 
Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
http://www.manning.com/wannemacher

On Friday 23 January 2009 21:23:09 Martin Gainty wrote:
> I can think of 2 security implementations:
> 1)Portlets (Jetspeed or Plumtree comes to mind)
> 2)implement either JNDI/JDBC/or MemoryRealm
> http://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-memory-realm.html
>
> HTH
> Martin

>> From: a.sy...@ucl.ac.uk
>> To: user@struts.apache.org
>> Subject: Only call actions from certain forms
>> Date: Fri, 23 Jan 2009 23:19:34 +
>>
>> Hi all,
>>
>> My forms all submit to a different action than that which renders the
>> pages.
>>
>> Is there a recommended way to prevent/mitigate the effect of users
>> directly calling the actions (via their URL) that forms are submitted
>> to? In this case, the actions' fields are null, which is somewhat
>> irritating in an action method that has associated validation..
>>
>> Andy.
 







Re: Only call actions from certain forms

2009-01-23 Thread Dave Newton

Andy Sykes wrote:
> My forms all submit to a different action than that which renders the
> pages.
>
> Is there a recommended way to prevent/mitigate the effect of users
> directly calling the actions (via their URL) that forms are submitted
> to? In this case, the actions' fields are null, which is somewhat
> irritating in an action method that has associated validation..


The simplest solution, although somewhat hacky, might be to just check 
for a hidden form token in the action's validate method. If it's not 
there, it wasn't reached from the form. If it is, call super.validate() 
which will run any XML/annotation-based validation.


Dave
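Wes's hidden-field token idea and Dave's suggestion of checking that token in the action's validate method (Andy's own null check in validateXXX() is the same pattern) come together in the action below. This is an added example written for this thread, not code from the list or from Struts; the class name SaveProfileAction, the formToken property, the displayName field and the session key are assumptions made for the example.

```java
// Added example, not code from the thread or from Struts itself.
// Assumed names: package "example", class SaveProfileAction, hidden field
// and property "formToken", form field "displayName", session key "formToken".
package example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import org.apache.struts2.interceptor.SessionAware;

import com.opensymphony.xwork2.ActionSupport;

public class SaveProfileAction extends ActionSupport implements SessionAware {

    /** Session key under which the form-rendering action stored the token (assumed). */
    static final String TOKEN_SESSION_KEY = "formToken";

    private Map<String, Object> session;
    private String formToken;   // filled from the hidden field by the params interceptor
    private String displayName; // an ordinary form field

    @Override
    public void validate() {
        Object expected = (session == null) ? null : session.get(TOKEN_SESSION_KEY);
        if (!tokenIsValid(expected)) {
            // No token, or a stale one: the request did not come from the form.
            // Recording an error is enough; the workflow interceptor sees hasErrors()
            // and returns INPUT, which sends the user back to the form rather than
            // running execute() against null fields.
            addActionError("Please submit this page from the form.");
            return;
        }

        // Token is valid: now run the ordinary field checks.
        if (displayName == null || displayName.trim().length() == 0) {
            addFieldError("displayName", "Display name is required.");
        }
        // ActionSupport's own validate() is a no-op, but keep the chain intact
        // in case a shared base action overrides it.
        super.validate();
    }

    @Override
    public String execute() {
        // Only reached when validate() recorded no errors. Consume the token so a
        // replayed or double-submitted request must come from a freshly rendered form.
        session.remove(TOKEN_SESSION_KEY);
        return SUCCESS;
    }

    /** Constant-time comparison of the submitted token with the one in the session. */
    private boolean tokenIsValid(Object expected) {
        if (formToken == null || !(expected instanceof String)) {
            return false;
        }
        return MessageDigest.isEqual(
                formToken.getBytes(StandardCharsets.UTF_8),
                ((String) expected).getBytes(StandardCharsets.UTF_8));
    }

    public void setSession(Map<String, Object> session) { this.session = session; }

    public String getFormToken() { return formToken; }
    public void setFormToken(String formToken) { this.formToken = formToken; }

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}
```

The action that renders the form generates the token (SecureRandom is the usual source), stores it under the session key and writes it into a hidden field named formToken so that the params interceptor populates the property on submit. One caveat for anyone who, unlike Andy, does rely on XML or annotation validators: the Struts 2 validation interceptor runs those validators before it calls validate(), so they still see the null fields on a direct URL call; in that case the token check belongs in an interceptor placed above `validation` in the stack, which is the variant Andy asks about later in the thread.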





Re: Only call actions from certain forms

2009-01-23 Thread Andy Sykes

Hi all,

Cheers for the suggestions - I guess I was just looking for a sanity  
check from the list.


My current method (almost exactly the same as below) is to check a  
choice form field for null in the validateXXX() method - this is the  
case when you call the action without POST from a form. If null, I can  
return INPUT from the validation method (which, interestingly enough,  
lets me set the return type as String, and have it honoured as a valid  
result - I thought void was the only valid validateXXX result type).  
The input result kicks the user to the form they should've used. Job  
done.


I'm not using XML or annotation validators - 95% of my validation is  
more complex than those allow.


The reasoning behind wanting to do this is my users are somewhat  
curious, and are prone to poking. I'd prefer for them to not see blank  
pages, stack traces, or otherwise!


Andy.

On 24 Jan 2009, at 02:52, Dave Newton wrote:

> Andy Sykes wrote:
>> My forms all submit to a different action than that which renders
>> the pages.
>> Is there a recommended way to prevent/mitigate the effect of users
>> directly calling the actions (via their URL) that forms are
>> submitted to? In this case, the actions' fields are null, which is
>> somewhat irritating in an action method that has associated
>> validation..
>
> The simplest solution, although somewhat hacky, might be to just
> check for a hidden form token in the action's validate method. If
> it's not there, it wasn't reached from the form. If it is, call
> super.validate() which will run any XML/annotation-based validation.
>
> Dave





