Application security gap analysis in Struts2

2009-05-05 Thread Arshan Dabirsiaghi
Struts2 folks, The Intrinsic Security Working Group (ISWG) at OWASP (http://www.owasp.org) has been researching what security countermeasures an application architect or technical lead must plan for when creating a Struts2 application. The result of this research is a document that we are

Re: Web Application Security -- Help needed

2006-09-19 Thread Raja Nagendra Kumar
Message - From: SrinivasaReddy [EMAIL PROTECTED] To: Struts Users Mailing List user@struts.apache.org Sent: Tuesday, September 19, 2006 9:37 AM Subject: Web Application Security -- Help needed Hi All, I am developing the Application in Struts+Hibernate, it is a Web Application. I need

Web Application Security -- Help needed

2006-09-18 Thread SrinivasaReddy
Hi All, I am developing the Application in Struts+Hibernate, it is a Web Application. I need to apply the security for this application like -- If Session Timeout over that should redirect to Login page -- After login if we copy the url and open it in new browser, that should redirect to

Re: Web Application Security -- Help needed

2006-09-18 Thread paz . periasamy
Users Mailing List To: Struts Users Mailing List user@struts.apache.org cc: Subject: Web Application Security -- Help needed Hi All, I am developing the Application in Struts+Hibernate, it is a Web Application. I need to apply the security

Re: Application Security

2005-02-08 Thread Tim Christopher
Cheers for all your advice. I've just tried implementing the JDBCRealm, though unfortunately it does not work. The Log4j error file contains the following: http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm JAASRealm.java:269 Unexpected error java.lang.SecurityException: Unable to

RE: Application Security

2005-02-08 Thread David G. Friedman
Tim, Have you also updated your web.xml and Tomcat configurations? -Original Message- From: Tim Christopher [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 08, 2005 12:05 PM To: Struts Users Mailing List Subject: Re: Application Security Cheers for all your advice. I've just tried

Re: Application Security

2005-02-08 Thread Tim Christopher
G. Friedman [EMAIL PROTECTED] wrote: Tim, Have you also updated your web.xml and Tomcat configurations? -Original Message- From: Tim Christopher [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 08, 2005 12:05 PM To: Struts Users Mailing List Subject: Re: Application Security

RE: Application Security

2005-02-08 Thread David G. Friedman
, February 08, 2005 5:45 PM To: Struts Users Mailing List Subject: Re: Application Security I managed to solve the first error by reordering the elements within the server.xml file, however I'm now stuck with the following error (which occurs when the server is started): JDBCRealm[Catalina]: Exception

Re: Application Security

2005-02-08 Thread Tim Christopher
as the connection host/port/URL. Regards, David -Original Message- From: Tim Christopher [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 08, 2005 5:45 PM To: Struts Users Mailing List Subject: Re: Application Security I managed to solve the first error by reordering the elements within

Re: Application Security

2005-02-08 Thread Erik Weber
: Application Security I managed to solve the first error by reordering the elements within the server.xml file, however I'm now stuck with the following error (which occurs when the server is started): JDBCRealm[Catalina]: Exception opening database connection java.sql.SQLException

Re: Application Security

2005-02-08 Thread Tim Christopher
as the connection host/port/URL. Regards, David -Original Message- From: Tim Christopher [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 08, 2005 5:45 PM To: Struts Users Mailing List Subject: Re: Application Security I managed to solve the first error by reordering the elements

Application Security

2005-02-07 Thread Tim Christopher
Hi, I've recently discovered that it is not possible to map an action to j_security_check. Given this situation how is it possible to populate a form bean with user data, or create a log of any failed login attempts (bad username / password) if the container takes control of the entire login

Re: Application Security

2005-02-07 Thread Bill Siggelkow
Tim, The first problem of populating a form bean with user data can be handled by populating/creating a UserBean using techniques such as a servlet filter. Alternatively, you can extend the RequestProcessor. Other techniques that work, but are not as global in nature, are using a base action.

Re: Application Security

2005-02-07 Thread Niall Pemberton
The forms for container managed security don't have to be plain html - you can configure in the web.xml custom Logon and Logon Error pages which can be jsps, not just plain html. I have a custom tag on each of these pages which writes the fact that a user has arrived at that page to log4j along

RE: Application Security

2005-02-07 Thread Joe Hertz
: Monday, February 07, 2005 10:02 PM To: user@struts.apache.org Subject: Re: Application Security Tim, The first problem of populating a form bean with user data can be handled by populating/creating a UserBean using techniques such as a servlet filter. Alternatively, you can extend

RE: Application Security

2005-02-07 Thread Joe Hertz
: Monday, February 07, 2005 10:02 PM To: user@struts.apache.org Subject: Re: Application Security Tim, The first problem of populating a form bean with user data can be handled by populating/creating a UserBean using techniques such as a servlet filter. Alternatively, you can extend

Re: Struts Application Security within the Controller Layer

2004-04-18 Thread Nathan Maves
What error? That looks like the normal startup messages of tomcat to me. Nathan On Apr 18, 2004, at 6:15 AM, [EMAIL PROTECTED] wrote: Hi All, I have installed Tomcat server on my machine and tried to start it using startup.bat I'm getting following error

RE: Struts Application Security within the Controller Layer

2004-04-17 Thread Josh Holtzman
in the StrutsConfig file, but I'm not sure. Please let me know your thoughts. Everyone else is also free to comment. Regards, Josh -Original Message- From: Joe Germuska [mailto:[EMAIL PROTECTED] Sent: Friday, April 16, 2004 9:07 AM To: Struts Users Mailing List Subject: RE: Struts Application Security

Re: Struts Application Security within the Controller Layer

2004-04-17 Thread Niall Pemberton
- From: Josh Holtzman [EMAIL PROTECTED] To: 'Struts Users Mailing List' [EMAIL PROTECTED] Sent: Saturday, April 17, 2004 10:41 PM Subject: RE: Struts Application Security within the Controller Layer Joe, Your suggestion sounds interesting, but I'm not sure if I fully understand it. Correct

Re: Struts Application Security within the Controller Layer

2004-04-16 Thread Jason Miller
If your container supports servlet 2.3, use a filter. That's really the best place for a check like that. Jason Josh Holtzman wrote: Hello all, I'm working on a Struts application that contains 2 modules. Module 1 (default): a public website. Module 2: a user and administrative

RE: Struts Application Security within the Controller Layer

2004-04-16 Thread Joe Germuska
The way to configure this flexibly for each action would be to define an extension of ActionMapping that was a bean with whatever config properties you need (for instance, a role or list of roles permitted to access the action.) Of course, since each path gets only one ActionMapping, you may

Re: Struts Application Security within the Controller Layer

2004-04-15 Thread Bill Siggelkow
Josh Holtzman wrote: Module 2 obviously needs to be secure. To secure Module 2 I intend to build 2 measures into take the following steps: a) Before any action is executed check that the user is logged in by looking for a User object in the session. b) check that all connections are via the