Re: Security issues with Struts

2002-07-02 Thread Marcel Kruzel
>>I believe Struts has provided a basic mechanism to resolve >>the problems associated with the multiple submits. But when >>considering this in a security issue context, we might have room >>to enhance the mechanism - here are my little thoughts: >> >>1) Since the transaction token is visible by

Re: Security issues with Struts

2002-07-02 Thread Ted Husted
Marcel Kruzel wrote: > Thanx for so many replies! > > Precisely! the transactionToken does help if You > want to detect multiple THE SAME submits. But this is not > our issue here. If the second submit contains different values, > the session scoped form bean will get populated > before I am able

Re: Help Required - Gnrk

2002-07-02 Thread Ted Husted
Most inquiries regarding how to use Struts should be posted to the USER list. See http://www.tuxedo.org/~esr/faqs/smart-questions.html for more about the best way to ask questions on an open source mailing list. The best advice is to review the list archives to get a feel for how things are

DO NOT REPLY [Bug 10400] New: - Solution for When using new xalan and xerces2, struts is not able to parse struts-config.xml

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

DO NOT REPLY [Bug 10380] - DynaActionFormClass not serializable

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

DO NOT REPLY [Bug 10322] - Problems with LookupDispatchAction and other locals

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

DO NOT REPLY [Bug 10388] - ServletException: Multipart data doesn't start with boundary (when calling form.validate() in Action)

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

cvs commit: jakarta-struts/src/share/org/apache/struts/tiles/xmlDefinition XmlParser.java

2002-07-02 Thread cedric
cedric 2002/07/02 05:59:31 Modified:src/share/org/apache/struts/tiles/xmlDefinition XmlParser.java Log: Add tiles-config DTD new registration place for the digester DTDs lookup. Extra place is "/org/apache/struts/resources/tiles-config.dtd" Revision

Re: RE: FormBeans ... as an Interface.

2002-07-02 Thread struts-dev
You state: > The ActionForm contains a *proposed* > state change to the model or one of > its beans. As Web developers, it's > our job to confirm that the state > change is reasonable (validate the > input) and ~then~ update the model. Using a value object would be a standard way of handling

ActionForm initialization

2002-07-02 Thread struts-dev
I've read several topics debating this. These discussions leave the issue ambiguous. I've written a couple of notes in "struts-user," but received no response. This makes me think it's an architectural issue, perhaps best addressed in this forum. What I want to be able to do is described in my to

Re: FormBeans ... as an Interface.

2002-07-02 Thread Ted Husted
If you can design your ActionForms to share the same property names (or "protocol") as your data transfer objects, then it does become very easy for an application to develop a standard, automatic way to populate the DTO from the ActionForm properties. But since this is "pretty easy", there just

Re: ActionForm initialization

2002-07-02 Thread Ted Husted
The general workflow is for all requests to go through an Action before they go out to a JavaServer Page. Any objects that need to be initialized should be initialized by the Action, and then forwarded out to the page. If the ActionForm is part of the Action's mapping, then the controller will ins

cvs commit: jakarta-struts/doc/userGuide release-notes.xml preface.xml

2002-07-02 Thread husted
husted 2002/07/02 08:12:07 Modified:doc/userGuide release-notes.xml preface.xml Log: Routine updates. Revision ChangesPath 1.4 +104 -91 jakarta-struts/doc/userGuide/release-notes.xml Index: release-notes.xml ===

Re: ActionForm initialization

2002-07-02 Thread struts-dev
Thank you for your thorough response. Point of clarification: I'm talking about having the data available to some form found in the view being forwarded to. This is not the form being passed *to* the action. In other words, the Action sees the query data from the URL that got us to the action.

RE: ActionForm initialization

2002-07-02 Thread Martin Cooper
If you're using a value object for your data already, why not store a reference to that in the request, so that the view can use that to populate the form? The view doesn't have to be populated from a form bean - any old bean (or beans) will do. The property names, though, should match so that the

Re: ActionForm initialization

2002-07-02 Thread Ted Husted
If the scope object uses the same protocol (method names) as the ActionForm, then it can be passed to the view directly. The tags all work through reflection. All they care about is that the method names match. So you can populate the form with one class, but submit it to an Action that uses an Ac

DO NOT REPLY [Bug 10380] - DynaActionFormClass not serializable

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

Re: RE: FormBeans ... as an Interface.

2002-07-02 Thread struts-dev
Thanks for the nice reply. I wouldn't think of it as Struts dictating the structure of the value object. In practice, when a user is editing something, the thing almost always corresponds to an object. That's the way the objects were modeled in the first place -- by doing use-case analysis, et

DO NOT REPLY [Bug 10400] - Solution for When using new xalan and xerces2, struts is not able to parse struts-config.xml

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

Re: FormBeans ... as an Interface.

2002-07-02 Thread Ted Husted
In Struts 1.1 this can be avoided by using DynaActionForms or map-backed ActionForms. This makes the ActionForms much easier to maintain (or even maintenance-free), without causing the type-conflicts and validation issues that are endemic once you start trying to autopopulate a conventional valu

Re: RE: FormBeans ... as an Interface.

2002-07-02 Thread struts-dev
(I'm not proposing autopopulating anything -- the Action has to fetch the value object anyway. I just want to reference it directly using syntax like valueObject.name from my form tags... This *avoids* autopopulating or having to synchronize any object since the ActionForm just references the val

Re: RE: FormBeans ... as an Interface.

2002-07-02 Thread Joe Germuska
At 4:03 PM -0400 2002/07/02, [EMAIL PROTECTED] wrote: >(I'm not proposing autopopulating anything -- the Action has to >fetch the value object anyway. I just want to reference it directly >using syntax like valueObject.name from my form tags... This >*avoids* autopopulating or having to synchroni

Ant build struts 1.1b failed

2002-07-02 Thread Yibing Li
Hi, I got the following error messages when I downloaded the struts 1.1b src and modified build.properties and build.xml. From the error, it looks like xalan.jar is not included in the classpath so that the class is not found. But I have double checked and have added after all the places

Re: Security issues with Struts

2002-07-02 Thread Craig R. McClanahan
On Tue, 2 Jul 2002, Marcel Kruzel wrote: > Date: Tue, 02 Jul 2002 10:14:05 +0200 > From: Marcel Kruzel <[EMAIL PROTECTED]> > Reply-To: Struts Developers List <[EMAIL PROTECTED]> > To: Struts Developers List <[EMAIL PROTECTED]> > Subject: Re: Security issues with Struts > > >>I believe Struts ha

Re: Ant build struts 1.1b failed

2002-07-02 Thread Craig R. McClanahan
Offhand, it looks like you don't have Xalan in your $ANT_HOME/lib directory, or that you're trying to mix in a Xalan from a different version (Ant 1.4 ships with the parser from JAXP/1.1, and you should use the Xalan from the same release versus something later). Craig On Tue, 2 Jul 2002, Yibin

DO NOT REPLY [Bug 10322] - Problems with LookupDispatchAction and other locals

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

DO NOT REPLY [Bug 10322] - Problems with LookupDispatchAction and other locals

2002-07-02 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_b

[OFF-TOPIC] JSP 2.0 and Tiles

2002-07-02 Thread John Yu
I spent some time skimming through the JSP 2.0 draft spec. (Close to 400 pages! It makes my head spin... I may not know what I'm talking about.) It seems to me the new "Simple Tag Extension + Jsp Fragment" is Tiles on steroids. Is my impression close enough to the reality? Or am I completely off?