The Apache Struts Security Team has prepared Security Impact Levels
and updated the following Security Bulletins to match the levels. Any
new Security Bulletin will be published with a proper level of the
Security Impact Levels.
Security Impact Levels
https://cwiki.apache.org/confluence/display
Hi,
Where do I need to set permissions in Struts to make this work, or
perhaps the compile option?
Also eclipse won't allow me to include the import
java.rmi.RMISecurityManager;
I have included two clients swing client which works and
MessageStore.java struts client, struts log and my
The Apache Struts Security Team would like to announce that a number of
historic Struts Security Bulletins [1] and related CVE database entries
contained incorrect affected release version ranges.
The issue was reported by Christopher Fearon and the Black Duck Research
Team within the Synopsys
2017-12-12 16:22 GMT+01:00 upendar devu :
> could someone please confirm what Jackson databind versions are impacted ?
> we are using 2.7.1 version .
Here is a list [1] of unimpacted versions, which means any other are impacted
[1]
https://github.com/FasterXML/jackson-databind/issues/1599#issuec
could someone please confirm what Jackson databind versions are impacted ?
we are using 2.7.1 version .
On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart
wrote:
> 2017-12-12 15:29 GMT+01:00 Emi :
> > Hello,
> >>
> >> vulnerability exists in a JSON Jackson library and it's registered under
> >> CVE-
2017-12-12 15:29 GMT+01:00 Emi :
> Hello,
>>
>> vulnerability exists in a JSON Jackson library and it's registered under
>> CVE-2017-7525.
>
> I think you mean the following jars right?
>
> (1) jackson-core-2.9.2.jar
> (2) jackson-annotations-2.9.0.jar
> (3) jackson-databind-2.9.2.jar
I didn't ana
Hello,
vulnerability exists in a JSON Jackson library and it's registered under
CVE-2017-7525.
I think you mean the following jars right?
(1) jackson-core-2.9.2.jar
(2) jackson-annotations-2.9.0.jar
(3) jackson-databind-2.9.2.jar
Please read the bulletin [1] and apply possible
solutions. This
Hi,
After further clarification we increased impact of a vulnerability
reported to us and described as S2-055 to High. The vulnerability
exists in a JSON Jackson library and it's registered under
CVE-2017-7525. Please read the bulletin [1] and apply possible
solutions. This vulnerability impacts a
Musachy Barroso wrote:
The answer to your questions is 42. What in the name of the Flying
Spaghetti Monster are you talking about?
Ramen.
Dave
> Date: Mon, 24 Aug 2009 16:22:41 +0530
> Subject: Struts Security
> To: user@struts.apache.org
>
> I want to integrate Struts2 (2.1.6) with HDIV using SPI (ProcessingParameter
> Integration) defined in the link below.
> http://wiki.apache.org/struts/HDIV
>
>
I want to integrate Struts2 (2.1.6) with HDIV using SPI (ProcessingParameter
Integration) defined in the link below.
http://wiki.apache.org/struts/HDIV
Is there any source or help available for that. In this link there is
integration for Struts 1.3.8. and web application is not downloaded properly
giv
Ditto on Spring Security, very nice for URL auth.
-Original Message-
From: Dale Newfield [mailto:d...@newfield.org]
Sent: Saturday, August 08, 2009 12:02 PM
To: Struts Users Mailing List
Subject: Re: Struts - Security
Kamlesh Koringa wrote:
> - URL encryption (no one can mod
> Date: Sat, 8 Aug 2009 12:01:39 -0400
> From: d...@newfield.org
> To: user@struts.apache.org
> Subject: Re: Struts - Security
>
> Kamlesh Koringa wrote:
> > - URL encrypt
Kamlesh Koringa wrote:
- URL encryption (no one can modify generated URL).
Impossible. You cannot prevent people from requesting URLs your system
does not present to them. You should assume that any parameter that you
accept from a user can be manipulated at will by that user. You can
jum
> From: kamleshkori...@gmail.com
> Date: Sat, 8 Aug 2009 18:37:09 +0530
> Subject: Re: Struts - Security
> To: user@str
> > From: kamleshkori...@gmail.com
> > Date: Sat, 8 Aug 2009 11:22:06 +0530
> > Subject:
> From: kamleshkori...@gmail.com
> Date: Sat, 8 Aug 2009 11:22:06 +0530
> Subject: Struts - Security
> To: user
Hi
I am searching for good security frameworks for Struts2.
I have tried HDIV http://www.hdiv.org. It is a good framework but supports
only up to Struts 2.0.11, not Struts 2.1.6.
So please help me to find any other framework or any other way to solve
security-related issues.
My main concerns are:
- URL
Hi All,
I would like to present to you a new open-source project related to web
application security: HDIV (http://www.hdiv.org). Actually we have been working
on it for 3 years but we have published it recently.
HDIV is a Struts security extension in order to solve most common web
At first glance at your code it looks like you might need to add a
role principal after you've added the user. But on consideration I
don't think that the user principal is going to be added to the session
in such a way as you can get to the principal using
request.getUserPrincipal() and is user in
Jubin Kuriakose a écrit :
>oh...
>Supposing i did use j_security_check to authenticate. how do i check if the
>user is authenticated at a later stage
>
request.getUserPrincipal() returns a non-null value
>and is it possible to programmatically remove his permission.
>
>
Not really. Once user h
oh...
Supposing I did use j_security_check to authenticate. How do I check if the
user is authenticated at a later stage and is it possible to
programmatically remove his permission.
thnx
On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
>
> Am sorry but that's not how form based authentificat
I'm sorry but that's not how form-based authentication works in J2EE.
When you are not authenticated, the container redirects you to the
form-login-page.
This page must contain a form with 2 fields: j_username and
j_password. The form action MUST be of type POST and the target MUST be
"j_security_che
Hi David
I did do that ...
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>father</web-resource-name>
>     <description>Security</description>
>     <url-pattern>/father/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
Do it like you would for any servlet. Either apply a security constraint
to struts servlet itself or apply security constraints to url path
(applying a security constraint to /admin/* applies also to
/admin/someStrutsAction.do)
Jubin Kuriakose a écrit :
>Hi all
>Can anyone give me links related to
Hi all
Can anyone give me links related to implementing security-constraints (from
web.xml) and Struts together. I googled without any success.
thnx jubs
Christopher [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 02, 2005 12:20 PM
To: Struts Users Mailing List
Subject: Struts Security
Hi,
At the moment almost all of my CRUD operations are performed (through
service calls) within LookupDispatchAction files; is this considered
good practice within
Hi,
At the moment almost all of my CRUD operations are performed (through
service calls) within LookupDispatchAction files; is this considered
good practice within Struts?
I've noticed that by using LookupDispatchAction files the user has the
ability to save a page offline, modify the name of the
Cheers for all the advice. I have already implemented JDBCRealm but
have decided to try out the SecurityFilter (as recommended) to see for
myself what it is like and what additional features it offers.
Unfortunately I've had a few problems setting up the securityfilter...
To start off with
, January 27, 2005 11:05 AM
To: Struts Users Mailing List
Subject: Re: Struts Security
Hi,
I've never used EJB so have no idea what this means, can someone explain
please?
"When SecurityFilter is used, a user's Principal will not
automatically be propagated to EJB calls. If this is a
Also see this article:
http://www.javaworld.com/javaworld/jw-07-2004/jw-0726-security.html
J2EE security: Container versus custom
Choose the appropriate type of security for your application
Summary
This article covers the factors to consider when choosing between custom
security and J2EE standa
On Thu, 27 Jan 2005 11:02:35 -0600, Joe Germuska <[EMAIL PROTECTED]> wrote:
> At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:
> >Joe -
> >
> >Your comment
> >
> >My main issue with Container Based auth is its inability to support
> >user-initiated login -- it only works by intercepting a request for
At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:
Joe -
Your comment
My main issue with Container Based auth is its inability to support
user-initiated login -- it only works by intercepting a request for a
normal resource and then challenging for login.
struck a chord with me - it's one of the reason
05 9:32 AM
To: Tim Christopher; Struts Users Mailing List
Subject: Re: Struts Security
At 10:05 AM + 1/27/05, Tim Christopher wrote:
>Hi,
>
>I've never used EJB so have no idea what this means, can someone
>explain please?
>
>"When SecurityFilter is used, a user&
At 10:05 AM + 1/27/05, Tim Christopher wrote:
Hi,
I've never used EJB so have no idea what this means, can someone
explain please?
"When SecurityFilter is used, a user's Principal will not
automatically be propagated to EJB calls. If this is a requirement for
your application, you may not be
No coding needed.
>
> Hermod
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 27, 2005 6:31 AM
> To: user@struts.apache.org
> Subject: RE: Struts Security
>
> I think the logic:present tag will a
, 2005 6:31 AM
To: user@struts.apache.org
Subject: RE: Struts Security
I think the logic:present tag will allow access to any of the roles
mentioned.
Mohan
-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 27, 2005 9:41 AM
To: Struts Users Mailing
I think the logic:present tag will allow access to any of the roles
mentioned.
Mohan
-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 27, 2005 9:41 AM
To: Struts Users Mailing List
Subject: Re: Struts Security
Just a quick question... What
Just a quick question... What is gained by using code like this?
String[] roles = mapping.getRoleNames();
if (roles == null || roles.length == 0)
    return true;  // no roles configured on the mapping: everyone is allowed
for (int i = 0; i < roles.length; i++)
    if (request.isUserInRole(roles[i]))
        return true;  // the user holds at least one of the listed roles
return false;
Or is that a check for all roles: roleA, roleB, and roleG?
Tim
On Wed, 26 Jan 2005 20:27:22 -070
I forgot to mention the reason I did this was because we already had a
security mechanism in place and didn't have the liberty of using realms
on the web or anything like that. It had to be a custom configuration.
Nic Holbrook wrote:
I kind of set our security up before the struts menu was in p
I kind of set our security up before the struts menu was in place. What
I have done that seems to work well so far is extend the Action class
with a SecureAction class that validates the users role before it lets
the user into an action. The execute method actually validates and
calls an abst
>> I then have a number of menu options that should only be made
>> visible to users with certain roles;
>
> Try Struts menu.
I have looked at the Struts Menu ( http://struts-menu.sourceforge.net/
) and I think I'll probably give it a go!
Does anyone else here have any experience using the Struts
On Sun, 23 Jan 2005 18:39:50 +, Tim Christopher
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am designing a web application using Struts, which will run using
> Tomcat. The system will have upwards of 1000 users, with each user
> having any number of around 10 possible roles.
>
> I'm currently thi
Tim Christopher wrote:
Hi,
I am designing a web application using Struts, which will run using
Tomcat. The system will have upwards of 1000 users, with each user
having any number of around 10 possible roles.
I'm currently thinking of using JDBCRealm within the Tomcat
Sounds good
xml file
to set t
Hi,
I am designing a web application using Struts, which will run using
Tomcat. The system will have upwards of 1000 users, with each user
having any number of around 10 possible roles.
I'm currently thinking of using JDBCRealm within the Tomcat xml file
to set the roles for each of the users, t
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ <[EMAIL PROTECTED]> wrote:
> I'm working on a simple application which requires very simple
> security as given there are only 3 kinds of users: anonymous, users and
> admin.
>
> For portability issues, I don't want to use Tomcat's security system.
Tom
In part for the reason you specified, where the response has already
been committed in tiles, I prefer to move that kind of logic back
into the pre-view stages of request processing.
In Struts 1.2.x, you could extend the TilesRequestProcessor and
change the implementation of "processRoles" so t
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ <[EMAIL PROTECTED]> wrote:
> I'm working on a simple application which requires very simple
> security as given there are only 3 kinds of users: anonymous, users and
> admin.
>
> For portability issues, I don't want to use Tomcat's security system.
Ple
I'm working on a simple application which requires very simple
security as given there are only 3 kinds of users: anonymous, users and
admin.
For portability issues, I don't want to use Tomcat's security system.
I think using JAAS or securityFilter for such a simple application
would create more p
Craig McClanahan wrote:
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statement
TED]> wrote:
>
>
> > -Original Message-
> > From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 11, 2004 10:32 AM
> > To: 'Struts Users Mailing List'
> > Subject: RE: Struts security/validation
> >
> >
well.
As for the XML/SOAP calls, using the serializer to create the character
entities would be good.
Thanks
Wiebe de Jong
-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts
to data base you need
to convert it to be "l like he''s idea".
Hope this helps.
-Original Message-
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation
I h
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a data
> -Original Message-
> From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:32 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts security/validation
>
>
> I had a similar problem, which I discovered when one
Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm
> -Original Message-
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
>
>
> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams
> <[EMAI
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against "Cross site
> scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special
> -Original Message-
> From: James Adams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 6:45 AM
> To: Struts Users Mailing List
> Subject: Struts security/validation
>
>
> Hello all,
>
> I'm in the process of trying to secure my struts
Hello all,
I'm in the process of trying to secure my struts application against "Cross site
scripting", "SQL injection" style attacks.
One of the things I'm doing to prevent this is trying to restrict special characters
(;.<>(){}...etc) getting beyond the validator.
At the moment I'm using the