Potential Forms Security Issue
Hi,

Using Struts 2.1.8, I just ran into a security issue in my application configuration which was a bit difficult to diagnose and turned out to be due to a Struts feature which unexpectedly bypassed my security configuration.

As with many systems, I am using a web filter security mechanism (Spring Security) to filter all requests and forwards. On one of my Struts pages I have a form with a submit button whose action differs from that on the form. Such as:

    <s:form theme="simple" action="unsecured">
        <s:submit key="button.exit" action="secured"/>
    </s:form>

The default form action is unsecured. The button's action is secured. When the form is submitted, the request URL is the one provided by the form of course (/unsecured.action). This is permitted access by the security framework. However, in order to allow multiple submit URLs for a single action, Struts submits the following request parameter (action:secured=Exit), which results in an internal mapping to the secured Struts mapping (the one for the secured action), which Struts executes by proxy, bypassing any REQUEST/FORWARD security configurations.

If forms are developed this way, the result is that a user who had permissions for the unsecured form action but not the secured submit action now gains access to the secured action.

Though not a bug, I can imagine that this unexpected behavior can catch many developers out and can be difficult to diagnose. It also requires that security considerations be handled (or at least considered) in the JSP, which seems to break proper separation of concerns (especially for security configuration).

- Eric
Re: Any Work on HTML5 compliant Tags
Maurizio,

Video tag was an example picked by me, and yes, by that all I mean is: is it not better that we have a simple tag to display video in any application, instead of making our dependency on third-party plugins like Flash etc.? Though the HTML5 spec is still midway, it has some good specifications with respect to how the future web rich components will come up.

On Fri, Nov 26, 2010 at 11:18 PM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote:
> I can't figure out what you're talking about. Perhaps an example is a better way to understand. To come straight to the point, let's just take for example the video tag: according to w3c (http://www.w3.org/TR/html5/video.html#video) it should have the following attributes (aside from the global ones): src, poster, preload, autoplay, loop, controls, width, height. In which of them should Struts come into play? Could you please give me a brief example?
>
> 2010/11/26 shekher awasthi shekher.awas...@gmail.com:
>> For the video tag, I think, since every rich application has some video component and for that one has to fall back to some third-party solutions, is it not good to have some tag for such a requirement so that we don't have to fall back to another solution?
>>
>> On Fri, Nov 26, 2010 at 8:39 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote:
>>> 2010/11/25 Dave Newton davelnew...@gmail.com:
>>>> Same way they do now: by getting values from business logic.
>>>
>>> I totally agree about new input elements and I'm willing to contribute in any way. But why would a Struts video tag be useful? Otherwise, I think there was a Struts implementation for the img tag.
>>>
>>> --
>>> Maurizio Cucchiara
>>>
>>> -
>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>> For additional commands, e-mail: dev-h...@struts.apache.org
>
> --
> Maurizio Cucchiara
Re: Potential Forms Security Issue
2010/12/8 Obinna obi...@gmail.com:
> Though not a bug, I can imagine that this unexpected behavior can catch many developers out and can be difficult to diagnose. It also requires that security considerations be handled (or at least considered) in the JSP, which seems to break proper separation of concerns (especially for security configuration).

You can always create an interceptor to check the user's privileges. My thought is that it will be very hard to implement such logic in Struts2, as you're using an external filter that has nothing to do with Struts2 itself. That said, the best option is a dedicated interceptor that can cooperate with the implemented security mechanism - in this case Spring Security.

Maybe we should provide some example or so, but if you can help, I appreciate that!

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
Kapituła Javarsovia 2010 http://javarsovia.pl
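The dedicated interceptor suggested above, as an added example that is not code from the original thread or from the Struts project: it authorizes on the action name Struts has actually resolved, so a form posted to /unsecured.action that carries an action:secured button parameter is still checked against the role required for "secured". The requiredRoles map, the ROLE_ADMIN value and the "unauthorized" result name are assumptions; the Spring Security calls are the SecurityContextHolder API of Spring Security 3.

```java
import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Authorizes on the action Struts resolved, not on the request URL.
 * A URL-based filter only sees /unsecured.action; once the "action:secured"
 * submit parameter has been applied, the proxy's action name is "secured",
 * and that is the name checked here.
 */
public class ActionAuthorizationInterceptor extends AbstractInterceptor {

    // Assumed mapping of action name -> role required to execute it.
    private final Map<String, String> requiredRoles = new HashMap<String, String>();

    public ActionAuthorizationInterceptor() {
        requiredRoles.put("secured", "ROLE_ADMIN");
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        String required = requiredRoles.get(actionName);
        if (required == null) {
            return invocation.invoke(); // action carries no extra requirement
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !hasRole(auth, required)) {
            // "unauthorized" is an assumed global result (e.g. an error page)
            return "unauthorized";
        }
        return invocation.invoke();
    }

    // True when the authenticated principal holds the named authority.
    static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Register the class in struts.xml and add it to the stack used by these actions so that it runs for every invocation, whichever URL the browser posted to.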
struts 1.1 -old Error message on the previous submission has been added to current error message
Hi All,

I am a sr web developer working on Struts. My issue is that the old error message from the previous submission has been added to the current error message and displayed in the JSP. My form bean is in session scope, and I am using the validate method for doing this validation. Does anybody have any idea why the error message is being added to the previous request submission's error message? This is my code:

    actionErrors.add(ActionErrors.GLOBAL_MESSAGE,
            new ActionMessage("errors.SummaryForm.actioPlanDesc.NoOfCharInvalid"));

--
View this message in context: http://old.nabble.com/struts-1.1--old-Error-message-on-the-previous-submission-has-been-added-to-current-error-message-tp30403854p30403854.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
Re: Potential Forms Security Issue
Please, do not waste reviewers' time directing public discussion to security@ lists at the ASF. The developers who would resolve any such issue reside at their respective dev@ lists.

If you want to point out an undisclosed, undiscussed issue, then the appropriate security@ list would be the place to do so.

And in general, DO NOT crosspost between public and private lists. It is one, or the other.
Re: struts 1.1 -old Error message on the previous submission has been added to current error message
Please ask questions about using the framework on the user list: http://struts.apache.org/mail.html

--
Martin Cooper

On Wed, Dec 8, 2010 at 1:42 AM, ela-chennai ela.technoc...@gmail.com wrote:
> Hi All,
>
> I am a sr web developer working on Struts. My issue is that the old error message from the previous submission has been added to the current error message and displayed in the JSP. My form bean is in session scope, and I am using the validate method for doing this validation. Does anybody have any idea why the error message is being added to the previous request submission's error message? This is my code:
>
>     actionErrors.add(ActionErrors.GLOBAL_MESSAGE,
>             new ActionMessage("errors.SummaryForm.actioPlanDesc.NoOfCharInvalid"));