Re: referrer url
request.getHeader("referer")

-Max

On Tue, 2004-03-23 at 03:52, MOHAN RADHAKRISHNAN wrote:
> Hi
>
> I am trying to get the referrer URL using JSTL or JSP. Is there a way ? I have a link in an email that hits an action. So in order to identify the action was hit from the email link I appended a parameter to the URL. Now I want to do something if the action was hit from the email link. Any thoughts.
>
> Mohan

--
Max Cooper [EMAIL PROTECTED]

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Recommend file upload progress bar
See the thread "File-Upload: Progress-Bar" that has been going on over the last few days.

-Max

- Original Message -
From: Frank Burns [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 1:57 AM
Subject: Recommend file upload progress bar

I have a requirement to display a progress bar while performing file uploads. I've found several frameworks that provide this functionality. However, can you recommend an existing *best* solution -- preferably off-the-shelf -- for use with Struts?

Thanks,
Frank
Re: File-Upload: Progress-Bar
A simpler solution that may still meet your needs might be to use an animated GIF on a pop-up just to give the user some feedback that the upload is still in progress and that they should be patient. You could set up something like this:

The HTML form with upload file input element has a hidden field with some UUID generated by the Action. The UUID is just some unique ID to avoid having two upload forms with the same ID. For instance, the session-id or perhaps session-id+current_time would work fine for a UUID.

Have the javascript onSubmit for the form pop-up a window, where the content of that window will be /uploadStatus.do?UUID=234344.

Your /uploadStatus.do action will look for the UUID and forward to a JSP with the animated GIF in it if that file has not completed uploading. That JSP will have a meta-refresh in it that will refresh the content of the pop-up every few seconds.

The form submit with the file upload input element will be uploading the file for a while. When it finishes, it will indicate that the file upload with UUID=234344 has completed to some server-side upload-tracking subsystem. Then it will forward or redirect to whatever page the user should see when the upload completes.

The pop-up status window will refresh itself within a second or two, and the /uploadStatus.do action will determine that the upload for the file with UUID=234344 has completed (by checking with the server-side upload-tracking subsystem). It will then forward to a JSP that closes the pop-up window or shows a message that the upload has completed.

This isn't a progress bar, but it should be easier to implement. You could even use a fast-cycling animated GIF that looks like a progress bar (but doesn't really relate to the actual % progress) if that would satisfy your UI design requirements.

-Max

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 1:31 AM
Subject: File-Upload: Progress-Bar

Hello everybody!

I'm up to the task to implement a progress bar for File-Uploads, cause the files that are uploaded to my Webapp can be quite large. Well as usual this problem is not easily solved on the HTTP-Browser upload side. I'm using Struts here so I'm also using the commons/FileUpload. I was planning to do it that way that I assign a unique number to every session's-upload and keep the current status of an upload in a singleton for access. In an additional frame (with refresh) I would like to show the progress bar.

My question: Has anybody done something like this with Struts before and can give me some little advice? Or more specific: Is it possible to first get the complete filesize from the FormFiles and then do the real Upload during the Action (keeping track of the read bytes)

Thx for every help!!

___
Tim Adler, Abt. SDA1
Adress Management Solutions
AZ | Direct
Carl-Bertelsmann Straße 161s
D-33311 Gütersloh
Tel.: 05241/ 80 - 89574
[EMAIL PROTECTED]
Re: security framework!!!
David,

I think it is unusual to design the security system such that you must switch identities to meet your requirements. It may be worth rethinking your security system design so that a user will remain who they are, but be allowed to access resources that fall under their responsibility.

As a generic example, it is customary for a user who is a system administrator to be able to change the password for any user in the system. The administrator does not actually switch their identity in the process, but rather they are granted access to do the password change by virtue of having some kind of sysadmin role. I realize that your business domain is more complex than that, but I think it would be useful to think about it in terms of a user having access to things without having to switch their identity.

Since you can't use simple system-wide roles like admin due to the structure of responsibilities dictated by your business domain (client can add and edit their employees, but not the employees of another client), you have to do something special.

One option is to map (flatten) the complex domain to a flat set of roles. For example, client Bob has role client1234.client, where client1234 is the client that Bob is a client for. You might also have roles like admin, reseller33, customer128, client1234.employee, etc. The numbers in the role names are the id of the entity they represent. This requires programmatic security in a sense, since you will need to determine what role to check for at runtime. But you will still be able to use the J2EE standard request.isUserInRole() call to determine membership for the currently authenticated user.

Another option is to do thoroughly programmatic security, where you still use container-managed security for authentication (is this Bob?) and write code to do the authorization (Bob wants to edit a user account in the context of the client with id = 1234, is Bob allowed to do that?) without mapping it to a role name. Perhaps your realm could create Principal objects such that the application code can ask the Principal if they can do something.

Bob will very likely have other responsibilities (the same stuff the employees do) that you might wish to control with a single role client1234.employee. In that case, Bob would have both the client1234.client and client1234.employee roles. Alternately, you could identify a set of roles that would allow a user to do that stuff: client1234.employee, client1234.client, customer128, reseller33, etc. where client1234 is under the customer128 account, which in turn is under the reseller33 account. If Bob had any of those roles, he would be allowed to do employee stuff in the context of client1234.

A single user can have an unlimited number of roles, and you can write your own security realm to read that information from a variety of tables in the database. Or write a view in the database for your User_Role join table and use a standard realm. Be aware that you might end up wasting a lot of memory if each user ends up with a ton of roles and your realm loads them all into memory during authentication.

I have not done anything with JAAS, so perhaps there is a better solution available using JAAS technology. It would be great to hear from someone that knows of a good JAAS-based solution. David's problem of entity-based (rather than system-wide) responsibilities is a very common one.

-Max

- Original Message -
From: David Friedman [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 5:48 PM
Subject: RE: security framework!!!

Adam,

With my structure, I might have to become a particular reseller, then flip into a customer of his/hers, then become one of their client accounts to look into a reported problem. I worry about login identities for the following reasons:

Using a JAAS login, my principal would be fixed (set in stone) for my session. Then, I couldn't be able to use the 'roles' settings inside Struts, Tiles, and JSPs to control content.

Without using a JAAS login, I also become unable to use 'roles' in Tiles and JSPs to control content.

Without having any theories on how to successfully (and without much alteration to the package[s]) use roles for Struts, Tiles, and JSPs, I'm at a loss how to change my identity/roles.

If I made a filter to wrapper the Request with a HTTPServletRequestWrapper object then added my own push/pop/depth methods, I see how I could use roles in all of those places.

Knowing all of the above gory details, do you (or anyone) have any suggestions on how to make things cleaner while using roles in all of those places with the various levels of control I need to exert (albeit probably rarely switching roles) ?

Thanks (to all) for any constructive suggestions,
David

-Original Message-
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 6:51 PM
To: Struts Users Mailing List
Subject: Re:
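The flattened-role option from the reply above, as an added example that is not code from the thread: it derives the set of role names that grant employee-level access in the context of one client and checks them through an `isUserInRole`-style predicate. The class name, the in-memory hierarchy maps and the sample users are assumptions; in a servlet the predicate would be `request::isUserInRole`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical helper: maps the client -> customer -> reseller hierarchy to flat role names. */
public final class EntityRoles {

    // client id -> owning customer id, customer id -> owning reseller id
    private final Map<Integer, Integer> customerOfClient = new HashMap<>();
    private final Map<Integer, Integer> resellerOfCustomer = new HashMap<>();

    void addClient(int clientId, int customerId) {
        customerOfClient.put(clientId, customerId);
    }

    void addCustomer(int customerId, int resellerId) {
        resellerOfCustomer.put(customerId, resellerId);
    }

    /**
     * Role names, any one of which allows employee-level work for this client.
     * Ids are ints, so text from a request can never become part of a role name.
     */
    List<String> rolesGrantingEmployeeAccess(int clientId) {
        List<String> roles = new ArrayList<>();
        roles.add("client" + clientId + ".employee");
        roles.add("client" + clientId + ".client");
        Integer customer = customerOfClient.get(clientId);
        if (customer != null) {
            roles.add("customer" + customer);
            Integer reseller = resellerOfCustomer.get(customer);
            if (reseller != null) {
                roles.add("reseller" + reseller);
            }
        }
        return roles;
    }

    /** Default deny: access only if the user holds one of the derived roles. */
    boolean mayActAsEmployee(Predicate<String> isUserInRole, int clientId) {
        for (String role : rolesGrantingEmployeeAccess(clientId)) {
            if (isUserInRole.test(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: client1234 is under customer128, which is under reseller33.
        EntityRoles model = new EntityRoles();
        model.addClient(1234, 128);
        model.addCustomer(128, 33);
        model.addClient(5678, 129);

        // Constructed users, each represented by the set of roles a realm would return.
        Set<String> bob = new HashSet<>(Arrays.asList("client1234.client", "client1234.employee"));
        Set<String> carol = new HashSet<>(Arrays.asList("reseller33"));
        Set<String> dave = new HashSet<>(Arrays.asList("client5678.employee"));

        System.out.println("bob   in client1234: " + model.mayActAsEmployee(bob::contains, 1234));
        System.out.println("bob   in client5678: " + model.mayActAsEmployee(bob::contains, 5678));
        System.out.println("carol in client1234: " + model.mayActAsEmployee(carol::contains, 1234));
        System.out.println("carol in client5678: " + model.mayActAsEmployee(carol::contains, 5678));
        System.out.println("dave  in client1234: " + model.mayActAsEmployee(dave::contains, 1234));
    }
}
```

Because the role list is computed per request from the entity being accessed, a user needs only the roles for the entities they are directly responsible for, which keeps the per-user role set small.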
Re: Problem in Deploying
The app probably did not deploy. Consult the server log to figure out why.

-Max

- Original Message -
From: Iwan Soenarto (IT) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 12:18 AM
Subject: Problem in Deploying

HTTP Status 404 - /StrutsNetBeansSample/TestForm.jsp
type Status report
message /StrutsNetBeansSample/TestForm.jsp
description The requested resource (/StrutsNetBeansSample/TestForm.jsp) is not available.
Apache Tomcat/4.1.29

This is the error I got when I deploy the war file created from netbeans. The app runs fine inside netbeans. And the error appears when I deploy in to tomcat. Please help.

Newbie Iwan
Re: [Off-topic] How to invalidate a session when a context is destroyed?
I would look for a server setting before I wrote code to solve the problem.

-Max

- Original Message -
From: Joao Batistella [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 12:38 PM
Subject: [Off-topic] How to invalidate a session when a context is destroyed?

Hello.

Sorry for the off topic question. I'm using Tomcat and all sessions that I have when the server is up are not destroyed when I shut down the server. I implemented a ServletContextListener to register when the app is going down and a HttpSessionListener to see when a session is destroyed. For me, Tomcat should destroy all sessions when the server goes down. Is this correct? Is there a way in the ServletContextListener to destroy all active sessions? I couldn't find a way with ServletContext object I have in the method contextDestroyed of my ServletContextListener.

Thanks,
JP
Re: SV: Form Validation
If the hacker thinks that 7 character passwords may be allowed, they might waste a considerable amount of time trying all 1-to-7 character combinations. If you tell them the minimum is 8 chars, they can save a lot of time by not trying those shorter passwords.

Also, if the minimum length is really long (8 chars), the hacker might guess that most people will use a password of that minimum length, and might start trying words that are that length since people would be likely to choose something like that to meet the length requirement while still being memorable.

However, if your app allows people to register online, the hacker can probably find out the minimum password length anyway, so validating for min password length on the login page for that kind of app would have little (i.e. hacker is not smart enough to try to register first to find out the minimum password length from the registration form) to no security consequences.

-Max

- Original Message -
From: Christoph Kutzinski [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 5:06 AM
Subject: Re: SV: Form Validation

Joe Hertz wrote:
> Check the Bugzilla. I believe it works in the html:errors tag, but you won't get a javascript popup. If memory serves, there's a security concern about using minlength in password fields -- basically the logic goes something like, "Do you really want to be providing a front end validation that tells a cracker how long his randomly guessed password attempts must be."

What should be the problem with this? You are only telling him, how long they must be AT LEAST. Nothing about how long they can be at most. If you would say, it can be dangerous to expose the maxlength of the password to the user then I could understand it. Though lots of sites do exactly this in reality, so it cannot be such a big security danger.

greets,
Christoph
Re: Cookies And Session Problems
> The last user to log into the system has their details available to all other users logged in.

Be really specific about what you mean here, and give a few details about the deployment environment.

- What session information appears to be shared by the users?
- Can you demonstrate the session problem in a simple example that does not involve security in any way? One user hits page that puts something in session, second user hits page that puts something in session, first user can see second user's crap on a page that shows contents of the session. Something like that.
- If not, are you using container-managed security (as defined in the servlet spec) or something else?
- Is there a web server between the users and the app server?

-Max

- Original Message -
From: Ciaran Hanley [EMAIL PROTECTED]
To: Struts User Mailing List [EMAIL PROTECTED]
Sent: Monday, March 08, 2004 4:48 PM
Subject: Cookies And Session Problems

Hey,

I am writing an app but am having session problems. The last user to log into the system has their details available to all other users logged in. I haven't much of an idea about session control can anybody give some pointers in the right direction? From reading I am thinking url rewriting is the way to go about it, but can't find any good code snippets to get me started.

Also, if caching is disabled does this mean that cookies won't be stored on the hard drive?

Thanks
RE: FormBeans: A question of Style
On Thu, 2004-02-26 at 23:01, Pradeep, PK wrote:
> I think whatever you do you can't make JSP and Action Class independent. Where are you populating ActionForm Object from the results from service layer? In Action class only right? Which you know very well for which JSP page it will be applicable.

True, but having one well-defined interface between the two (an ActionForm) is preferable to having a handful of poorly-defined interfaces between them (an ActionForm + stuffing a bunch of stuff into the request).

> Also is it easy to populate all what you need in ActionForm? How one can populate resultset in action form which will automatically get populated in html table..

Yes, call myActionForm.setResults(results) instead of request.setAttribute("results", results).

This may seem like a minor point (and it is admittedly a simple example), but maintaining complex pages with a lot of structured data behind them gets difficult when you have to pull a bunch of stuff out of the request with no structure defined between the items you are pulling. Using the ActionForm as the root of your data structure is a simple rule to follow that 'scales up' (with data structure complexity) much better than request-stuffing.

-Max
Re: java.lang.ClassCastException
I am not sure this will be a complete solution to your problem, but try:

moduleConfig.addForwardConfig(new ActionForward(mypath,myurl,true));

ActionForm extends ForwardConfig, not the other way around.

-Max

On Fri, 2004-02-27 at 03:22, Vano Beridze wrote:
> Hello
>
> I've got
> struts 1.1
> sun jdk 1.4.2_03
> Fedora Core 1
>
> I have a simple application one action that has two forwards. One of them I want to construct dynamically. I created a plugin and in its init method I do the following
>
> moduleConfig.addForwardConfig(new ForwardConfig(mypath,myurl,true));
>
> when I do in the action
>
> return mapping.findForward(mypath);
>
> it gives me a classcast exception
>
> java.lang.ClassCastException
>     at org.apache.struts.action.ActionMapping.findForward(ActionMapping.java:151)
>     at com.silkroad.srm3.Login.execute(Login.java:42)
>
> When I did some debugging found out that the exception is happening because of the following code
>
> return ((ActionForward) config);
>
> in org.apache.struts.action.ActionMapping.java line 151. config contains a forward defined by me and has type org.apache.struts.config.ForwardConfig
>
> what should I do? are there any other ways dynamically defining global forwards?
>
> Thank you
> Vano
Re: FormBeans: A question of Style
I consider the ActionForms to be part of the view primarily. They should both collect submitted data and provide the JSP (or other view components) with most or all the data they need to render the page (camp 2). I say 'most' only because sometimes custom tags can be useful for getting data for list boxes, etc. All the data that the Action collects, however, should be carried to the JSP in the ActionForm.

The alternatives for carrying data from Actions to JSPs for the camp 1 gang are not attractive, in my opinion. Having an Action put a bunch of stuff into the request or session scope creates a lot of coupling between the Action and JSP. The Action must know where to put it and the JSP must know where to find it with that scenario. I prefer to keep the Actions and JSPs loosely coupled by having them both depend on the ActionForm, rather than depending on each other. The Action populates the ActionForm, and the JSP renders it.

For complex pages, the ActionForm can be the root of an object graph that contains all the data you need to render the page. Stashing additional info all over the session and request is sloppy by comparison, in my opinion. I think the "ActionForm is the root of all view data" approach promotes more concentrated thought about the structure of the data, which is a good thing. It provides a more concrete interface between the controller (Action) and view (JSP) components.

Maintaining JSPs that get their data from one place is much easier than maintaining JSPs that have to collect, organize, and display data from multiple sources. JSPs that pull data from the ActionForm, stuff stashed in the session, and/or stuff stashed in the request are harder to maintain. Where do I find it? How does it all relate? Yuk!

-Max

On Thu, 2004-02-26 at 17:57, [EMAIL PROTECTED] wrote:
> We have 2 camps of thought on the subject of the appropriate use of Struts form beans. Here are the thoughts:
>
> Camp 1: Form beans are controller components and should be used only to transport user input data between JSP forms (or across JSP forms) and Action classes.
>
> Camp 2: Form beans should be used for what Camp 1 thinks, plus they should also contain all the data a JSP uses to render a page (i.e. All the model data is inserted into the form bean as well as the form data.)
>
> Any thoughts?
>
> Scott
RE: servlet filters and authentication
I'm the primary author of the SecurityFilter project, and the filter logic is a bit more complicated than the code that was posted. Even if you decide not to use SecurityFilter, it is probably worth a look at the doFilter() method.

Some issues that you will/may have to deal with:

1. Filter getting executed on forwards (depends on your container).
2. Sending the user back to the page they requested when the login sequence was initiated (a key feature, IMO).
3. Keeping request parameters (both GET and POST) across the login event.
4. Sending the user to an error page when the login fails.
5. Allowing login form and error page requests to be processed without invoking the login sequence.
6. Knowing what to do / where to send the user if they authenticate spontaneously (i.e. when they weren't sent to the login form by your filter).

Basically, there's a lot of stuff to deal with even though it seems simple at first. :-)

If you can use container-managed security or SecurityFilter, you'll probably save yourself some time that would otherwise be spent dealing with these issues. It is worth investigating the existing solutions before rolling your own.

-Max

On Thu, 2004-02-26 at 09:20, Robert Taylor wrote:
> You may want to see if this supports your requirements:
> https://sourceforge.net/projects/securityfilter/
>
> robert
>
> -Original Message-
> From: David Evans [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 26, 2004 12:07 PM
> To: Struts Users Mailing List
> Subject: servlet filters and authentication
>
> Hello,
>
> I'm configuring the skeleton of a multi module struts application, and i would like use a filter for the authentication. here is pseudojava (for easier reading) of the filter:
>
> public final class AuthFilter implements Filter {
>     public void doFilter(request, response, chain) {
>         session = request.getSession();
>         auth = session.getAttribute("authenticated");
>         if (auth == true) {
>             chain.doFilter(request, response);
>             return;
>         } else {
>             dispatcher = request.getRequestDispatcher("/WEB-INF/jsp/security/login.jsp");
>             dispatcher.forward(request, response);
>             return;
>         }
>     }
> }
>
> I've seen this skeleton suggested in several places on the web. The question i have is this: After the user submits the login form, the request will come through the filter, and since it has not yet been authenticated, it will again forward to the login.jsp. I've thought of a couple of ways to deal with this and would like to get input on these and any other approaches.
>
> 1) set the mapping of the filter in web.xml in such a way that it allows the login action through. maybe set all actions to have an extension of .do except the login action, which has an extension of .auth. I don't think this will work for me, because the multi module support of Struts requires extension mapping. I guess i could write a small servlet that is not in the struts mapping but is in the same context and have it mapped to *.auth
>
> 2) check within the above filter to see if the request is for the login action, and if so allow it through. so the if statement above would be:
>
> if (auth == true || req.getPath().equals("login.do"))
>
> Any comments on these ideas or approaches i haven't listed would be greatly appreciated.
>
> dave
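A filter along the lines of approach 2 in the question, covering items 1, 2 and 5 from the reply, as an added example; it is not SecurityFilter's code and not code from the thread. It needs the Servlet API on the classpath. The `/login.do` path, the `auth.returnTo` session key and the forward marker name are assumptions, as is a login action that sets `authenticated` to `Boolean.TRUE` and then redirects to the context path plus the saved value.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class AuthFilter implements Filter {

    // From the thread: the session flag and the login JSP kept under WEB-INF.
    static final String AUTH_ATTR = "authenticated";
    static final String LOGIN_JSP = "/WEB-INF/jsp/security/login.jsp";

    // Assumptions for this example (not from the thread).
    static final String LOGIN_ACTION = "/login.do";
    static final String RETURN_ATTR = "auth.returnTo";
    static final String FORWARD_MARK = AuthFilter.class.getName() + ".forwarded";

    /** Context-relative path as resolved by the container. */
    static String pathOf(String servletPath, String pathInfo) {
        return (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
    }

    /** Exact match only: endsWith() or contains() would let other URLs skip the check. */
    static boolean isLoginRequest(String path) {
        return LOGIN_ACTION.equals(path);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Item 1: some containers run the filter again on forwards. Our own forward
        // to the login JSP is marked with a request attribute, which is set
        // server-side only and cannot be supplied by the client.
        if (request.getAttribute(FORWARD_MARK) != null) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false): do not create sessions for anonymous requests here.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR));

        String path = pathOf(request.getServletPath(), request.getPathInfo());

        // Item 5: the login submission must get through, everything else is denied
        // until the session carries the flag.
        if (authenticated || isLoginRequest(path)) {
            chain.doFilter(request, response);
            return;
        }

        // Item 2: remember the requested page for the login action. The value is
        // stored context-relative and built on the server, never taken from a
        // request parameter. Only GET is saved; POST bodies are not replayed.
        if ("GET".equals(request.getMethod())) {
            String target = path;
            if (request.getQueryString() != null) {
                target = target + "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(RETURN_ATTR, target);
        }

        request.setAttribute(FORWARD_MARK, Boolean.TRUE);
        request.getRequestDispatcher(LOGIN_JSP).forward(request, response);
    }
}
```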
Re: data transfer from Action class to jsp page
Put it in the ActionForm.

-Max

- Original Message -
From: Pradeep, PK [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 6:51 AM
Subject: data transfer from Action class to jsp page

I have this basic question. Suppose action class calls some business object and fetches some data (say employee detail). How to transfer this data to jsp page which is reached through ActionForward? One way I know is storing the data in session object..is there any better/different way
Re: expanding <%=...%>
You can't mix static text and a <%= %> in the same attribute value. Here is the solution:

property="<%= "popupSrc" + p2 %>"

-Max

- Original Message -
From: Daniel Lipofsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 4:24 PM
Subject: expanding <%=...%>

In the JSP below, <%=p1%> will expand the way I expect. But <%=p2%> does not. Does anyone know why and how to fix it? Using HTML-EL is not a good option because my real case uses custom tags that extend the HTML taglib.

<%@ taglib uri="struts-html" prefix="html" %>
<html:form action="/TransactionListLoad">
<% String foobar = "FooBar", p1 = "popupSrcForm", p2 = "Form"; %>
<html:text property="<%=p1%>" value="<%=foobar%>"/>
<html:text property="popupSrc<%=p2%>" value="<%=foobar%>"/>
</html:form>

Thanks,
Dan
Re: ActionClass
Define what you mean by "where the request is coming from" and what kind of processing you would like to optionally perform. It is not clear what you are trying to accomplish -- give some more details so we can help.

-Max

- Original Message -
From: Ramadoss Chinnakuzhandai [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 11:26 AM
Subject: ActionClass

Hi,

Is there any features in Struts using which I can make the ActionClass smart enough to understand where the request is coming from and execute appropriate block ? If so could you pls drop some light on it?

Thank you in advance,
-Ramadoss
Re: How to implement Role based Security????????
Implement container-managed security, use SecurityFilter (http://www.securityfilter.org), or implement your own filter-based security that will answer request.isUserInRole() calls to make the role information available to Struts.

-Max

- Original Message -
From: [EMAIL PROTECTED]
To: Struts Users Mailing List
Sent: Wednesday, February 18, 2004 11:52 AM
Subject: How to implement Role based Security

Hi Guys,

Struts-config.xml

<action attribute="Form" roles="userRole">

How do i use this 'roles' attribute to implement role-based access control.

Thanks and Regards
Subramaniam Olaganthan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Re: SecurityFilter with Struts quick and easy question
Nathan,

Struts actually uses a Servlet rather than a Filter. But you are right about Filters in general -- requests can pass through as many filters as you have configured. If you have both SecurityFilter and Struts in the same app, SecurityFilter will always be called first (when the request URL matches the url-patterns for both).

-Max

- Original Message -
From: Nathan Maves [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 8:47 AM
Subject: SecurityFilter with Struts quick and easy question

I am looking into using SecurityFilter to handle all the authentication for my app. Since it uses filters, like Struts, how does the Struts action get called? Will the request pass through multiple servlet filters? Should the authentication servlet filter be placed above the struts filter?

Nathan Maves
Sun Microsystems
Re: Moving App to Struts - Best Practices
Michael,

There is no issue with bookmarking. Where the app currently responds to:

/viewXXXdetail.jsp?scid=23

The Struts version will respond in the same way to:

/viewXXXdetail.do?scid=23

Even for viewing data, you will want to use an ActionForm. In the example URL above, you'll want a property to hold the 'scid'. The same ActionForm should also have properties for all the detail information about the item that will be shown by the JSP.

-Max

On Tue, 2004-02-17 at 15:18, Michael Steiger wrote:
> Hello list,
>
> this is my first Struts project, so I hope to get some answers and/or hints for my problems. I already searched the web for some answers but did not find the right ones.
>
> I am trying to redesign a partly Struts-enabled application to be a full-fledged Struts app. With partly I mean that there are some entrypoints into the app which are JSPs. If I understand the current design correctly the reason for this was to have the ability to bookmark certain pages.
>
> The flow is: If a data object (mostly a row in one db table, sometimes a bit more) should be displayed, a viewXXXdetail.jsp is called with the ID as an argument, e.g. viewXXXdetail.jsp?scid=23. This JSP fetches the data from the backend and displays it. Struts is not involved.
>
> To edit/delete this data object two buttons are included in this JSP. The edit button looks like this:
>
> <html:form action="/apSystemComplexActionLoad">
>   <html:hidden property="method" value="load" />
>   <html:hidden property="action" value="update" />
>   <input type="hidden" name="scid" value="<%=sc.getSCID()%>">
>   <input type="image" src="<c:url value="/pics/edit.gif"/>" alt="Edit">
> </html:form>
>
> In the corresponding action the data is fetched again from the backend using the supplied scid as the key and the ActionForm is filled with the values from the backend object.
>
> First of all I would like to get rid of the viewXXXdetail.jsp but the user should be able to bookmark this detail page. Using the jsp there is no problem doing that but I have not found a way to do this using only Action classes/mappings.
>
> Second, what is the correct way of fetching and displaying backend data either in read/only mode (no forms involved) or in update mode (form-ActionForm involved)?
>
> Thanks in advance for any answer
> Michael

--
Max Cooper [EMAIL PROTECTED]
Re: can tiles be put in a jar?
Copy the tiles into each webapp as part of your build.

-Max

On Tue, 2004-02-17 at 18:44, Raymaker, Dora wrote:
> Hello,
>
> I am wondering if tiles can be put in a jar so that they become accessible to multiple struts applications. Any information would be much appreciated!
>
> Thanks,
> Dora Raymaker
> Sr. Technical Writer
> XO Communications, Interactive Division
> 503.972.6808
> [EMAIL PROTECTED]

--
Max Cooper [EMAIL PROTECTED]
Re: Need to modify the URL path of the forward dynamically
Andrew's procedure is what my team has done on one project, too. Originally, we tried getting the ActionForward and changing it directly, but it turns out that is a shared instance and changing the original was messing up other requests. After we discovered this problem, we switched to Andrew's scheme of creating a new ActionForward to return from the Action.

I posted a message today with a note about dynamically adding a query string to an ActionForward in the "URL does not change even after changing action" thread. This thread has the details about how to do that.

I am interested to hear from other folks if they have a novel way to do this (i.e. add a query string to an ActionForward). Anybody got a better way?

-Max

- Original Message -
From: Andrew Hill [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 12:36 AM
Subject: RE: Need to modify the URL path of the forward dynamically

Get the Forward instance as usual. Obtain its url string using getPath(). Add your additional parameter to end of string and create a new ActionForward instance that uses the decorated path (and copies the redirect property from the original action forward), and return this new actionforward instance.

-Original Message-
From: Swaminathan Rajagopalan [mailto:[EMAIL PROTECTED]
Sent: Monday, 9 February 2004 16:34
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Kamal_Poddar
Subject: Need to modify the URL path of the forward dynamically

Hi,

We have a URL in the path attribute of a forward for an action. We need to dynamically append some request variables to this URL in the action class, for they are available only at execution time. How can this be achieved?

E.g

<action path="/additionalAccountInfoScreen"
        type="xxx.yyy.zzz.web.control.action.AdditionalAccountInfoScreenAction"
        name="additionalAccountInfoForm"
        validate="false"
        input="previousPage"
        parameter="populateStmt"
        scope="session">
  <forward name="url" path="http://www.xyz.com/checks"/>

To the URL path here e.g http://www.xyz.com/checks we need to add accessId=xxx at run time in the action class (http://www.xyz.com/checks?accessId=xxx). Please let us know how this can be done?

Regards,
Swaminathan Rajagopalan,
Ph : (8520261) Extn: 55955
Mail : [EMAIL PROTECTED]
Re: URL does not change even after changing action
This is likely a forward vs. redirect issue...

Forward: happens on the server, one action forwards the current request to another. The browser never knows about it, so the URL in the address bar does not change. If the original request was for action1 and then it forwards to action2, the URL in the browser will still be for action1.

Redirect: server sends a response to the original request that tells the browser to request something else. The browser then makes another request for the other action, and the browser's address bar reflects this. If the original request is for action1, the server can respond by telling the browser to request action2. The browser makes the request for action2, and the URL for action2 will be in the address bar at that point.

In Struts, you set up Struts forwards for both forwards and redirects. To get a redirect for a Struts forward element, you just add an attribute to the forward element, e.g.:

<forward name="success" path="/action2" redirect="true"/>

Which one of these to use depends on the circumstances. I typically like to respond to requests that change something in the database [typically a POST with parameters for changing a row (or rows) in the database] with a redirect. Otherwise, forwards are usually more appropriate (e.g. action forwarding to JSP to render the view).

One issue to consider is that a redirect will mean that a new request is used for action2, so anything that action1 puts into the request scope will not be available in action2. If you need to pass some info from action1 to action2, you'll need to do it via a query string on the URL you are redirecting to. You don't usually want to put these query string parameters in the <forward/> element's path since their values will likely need to be dynamic. In that case, you'll need to grab the ActionForward and clone it and then add on or adjust the query string as needed for the context of the current request. There might be better ways to do that now, but that is what we did with Struts 1.02.

Note that redirects are always GET requests -- you can redirect to a POST, so the query string is the only way to pass info. You could stick it in the session, too, but that is generally a sloppy practice and should only be a last resort made with your eyes open to the potential consequences (several browser windows with the same session stepping on each other, junk accumulating in the session, old values hanging around in the session messing up future requests from the same browser window, etc.).

-Max

- Original Message -
From: Namasivayam, Sudhakar (Cognizant)
To: Struts Users Mailing List
Sent: Sunday, February 08, 2004 10:49 AM
Subject: URL does not change even after changing action

hi,

Even after i call another action from the current action the url still remains the previous action. So if i refresh the current page the previous action is called, not the current one. How do i solve this???

Thanks regards,
Sudhakar
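The technique described in this thread and in the "Need to modify the URL path of the forward dynamically" thread above (leave the shared ActionForward alone, return a decorated copy), as an added example that is not code from either poster or from Struts. It assumes the Struts 1.1 `ActionForward(String name, String path, boolean redirect)` constructor; `ForwardDecorator` and `withParam` are hypothetical names, and the example goes slightly beyond the posts by URL-encoding the name and value so that a value containing `&` or `=` cannot add or override other parameters.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.apache.struts.action.ActionForward;

/**
 * Added example (hypothetical helper, not part of Struts): builds a
 * per-request copy of a configured ActionForward with one extra query
 * parameter appended to its path.
 */
public final class ForwardDecorator {

    private ForwardDecorator() {
    }

    /**
     * Returns a NEW ActionForward. The instance handed out by
     * mapping.findForward() is shared by all requests, so it is only read
     * here, never modified.
     */
    public static ActionForward withParam(ActionForward original,
                                          String name, String value) {
        String path = original.getPath();

        // A fragment ("#section") has to stay at the very end of the URL.
        String fragment = "";
        int hash = path.indexOf('#');
        if (hash >= 0) {
            fragment = path.substring(hash);
            path = path.substring(0, hash);
        }

        // Choose the separator: "?" for the first parameter, "&" for later
        // ones, nothing if the configured path already ends in "?" or "&".
        String separator;
        if (path.indexOf('?') < 0) {
            separator = "?";
        } else if (path.endsWith("?") || path.endsWith("&")) {
            separator = "";
        } else {
            separator = "&";
        }

        String decorated = path + separator
                + encode(name) + "=" + encode(value) + fragment;

        // Copy name and the redirect flag from the original, as suggested
        // in the thread, and use the decorated path.
        return new ActionForward(original.getName(), decorated,
                original.getRedirect());
    }

    /** Percent-encodes one query-string component. */
    private static String encode(String component) {
        try {
            return URLEncoder.encode(component, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // Every JVM is required to support UTF-8.
            throw new IllegalStateException("UTF-8 not supported");
        }
    }

    public static void main(String[] args) {
        // Constructed sample standing in for mapping.findForward("success")
        // with <forward name="success" path="/action2.do" redirect="true"/>.
        ActionForward shared = new ActionForward("success", "/action2.do", true);

        // Constructed value containing characters that would otherwise be
        // read as extra parameters.
        ActionForward perRequest = withParam(shared, "accessId", "a&b=c d");

        System.out.println("shared path:      " + shared.getPath());
        System.out.println("per-request path: " + perRequest.getPath());
        System.out.println("redirect copied:  " + perRequest.getRedirect());
    }
}
```

Inside an Action's execute method the call would be `return ForwardDecorator.withParam(mapping.findForward("success"), "accessId", id);`.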
Re: [OT]CVS client
Another nice option is SmartCVS (http://www.smartcvs.com). It is a pure Java GUI app that is available as a free version or a reasonably priced commercial version (with more features). One especially nice thing about SmartCVS is that it is easy to set up for CVS over SSH access. I don't mind setting up keys for traditional CVS over SSH access, but SmartCVS is very easy to set up for folks who don't want to mess with SSH key setup (I think it just remembers the password you type in, rather than using keys).

However, I generally use WinCVS, and put the directory with cvs.exe in my path so that I can use it from the command line, too. I have Cygwin installed (without installing the cvs package, since WinCVS's cvs is in my path) and use its ssh client for CVS over SSH (may require some additional setup so it finds your SSH keys). I also use IntelliJ IDEA's CVS features.

Each client (WinCVS GUI, cvs command line, IDEA) is useful in certain situations. Specifically, WinCVS's flatten and show committable files only feature is nice for committing a bunch of files that I changed in different directories. The command line is nice for updates and tagging when you are already at the command line to run Ant builds, etc. IDEA's client is nice when I am using the IDE.

-Max

- Original Message -
From: Ramadoss Chinnakuzhandai [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:17 PM
Subject: [OT]CVS client

Hi, can anybody suggest me any better CVS client other than WinCVS and JCVS?

Tnx in advance,
-Ramadoss
Re: c:out tag inside html:text tag
Two issues may be at work here:

1. It isn't valid to have a JSP tag render an attribute value for another JSP tag. This might work instead, depending on the scope of styleVar:

<html:text name="Customer" property="Name" maxlength="256" size="256" style="<%=styleVar%>" />

2. Are you missing the <%@ taglib %> thingy for the html taglib in your JSP?

-Max

- Original Message -
From: Rahul Mohan [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:47 PM
Subject: c:out tag inside html:text tag

Hi... I am facing some problems with using JSTL tags inside struts tags. This is the piece of code I wrote for my application:

<html:text name="Customer" property="Name" maxlength="256" size="256" style="<c:out value="${styleVar}"/>" />

The problem is that it is getting translated to

<html:text name="w_CustomerWin" property="wca_Name" maxlength="256" size="256" style="width:100;height:22;position:absolute;top:20;left:56;display:none;" />

in the final html page!! Can anybody please tell me why the html:text tag is not getting translated to <input type="text" ...>?

thank you..

Rahul Mohan
MasterCraft Group, Tata Consultancy Services, Tata Research Development and Design Center, 54B, Hadapsar Industrial Estate, Pune - 411 013
Phone: +91 4042333 or 4031122 Extn 2541, +91 471 3129787 (Mobile), Fax: +91 20 4042399
email : [EMAIL PROTECTED]
Re: Action without ActionForm
My perspective is that there is still value in having an ActionForm for that example. I generally think it is best for your Actions to pass information to the JSPs that render them through an ActionForm rather than putting things in the request or session directly. For this reason, I think it would be better to put the current time into an ActionForm than to stuff it into the session. Struts will put your ActionForm in the request or session for you; your Action need only populate it with data, and then the JSP can expect to find your well-defined ActionForm in the scope specified in the struts-config.xml file.

It doesn't matter if there is no data coming in on the request for Struts to pre-populate the ActionForm. Using an ActionForm still has value in that it defines what the JSP can expect to find, and where.

Opinions on this topic surely vary (i.e. I am sure some people will disagree with my recommendation here), and I have seen a lot of Actions and JSPs that communicate via request and session attributes that aren't defined in the struts-config file. But I prefer to limit the communication between the Action and the JSP to a well-defined ActionForm in a well-defined scope to the extent that it is possible. I view the Action/JSP coupling that comes with passing otherwise undefined request and session attributes to be undesirable. I think it is better to keep the interface between these components (a specific ActionForm in a specific scope) well defined (by specifying it in the struts-config.xml file).

-Max

- Original Message -
From: Masashi Nakane [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 5:00 PM
Subject: Action without ActionForm

Hi, all

I am new to Struts and learning it. And I am wondering how the struts-config.xml and JSP look like when a JSP doesn't submit any info (don't need ActionForm). The JSP just displays the current time and has one button, refresh.

CurrentTime.jsp (user push refresh button) -> CurrentTimeAction (get current time and put it to Session Attribute) -> CurrentTime.jsp (get time from Session and render)

I have made the JSP without Struts framework. It works. But I have no idea how I can make this with action mapping in struts-config.xml. I made the mapping below and I got an error when I try to open the JSP. The JSP is using the html:form tag to make the form.

javax.servlet.jsp.JspException: Cannot retrieve definition for form bean null

but I don't need any ActionForm.

<action-mappings>
<action path="/currenttime" type="com.somecompany.CurrentTimeAction">
<forward name="success" path="/CurrentTime.jsp" />
</action>
</action-mappings>

I have already checked which attributes of the action tag are mandatory or optional. Should I make a dummy ActionForm? Any comments are appreciated.

Masashi Nakane
Re: No action instance for path /...
Is a compiled com.topit.action.WellcomeAction class file in the classpath for your web app (WEB-INF/classes or WEB-INF/lib)? It seems to be saying that it couldn't create an instance of your Action class for that path.

-Max

- Original Message -
From: Daniel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:12 PM
Subject: No action instance for path /...

How can I fix this message???

SEVERE: No action instance for path /wellcome could be created

my struts-config.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.1//EN" "http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd">
<struts-config>
<!-- == Data Source Configuration === -->
<data-sources />
<!-- == Form Bean Definitions == -->
<form-beans>
<form-bean name="homeBean" type="com.topit.bean.HomeBean" />
<form-bean name="indexBean" type="com.topit.bean.IndexBean" />
</form-beans>
<!-- == Global Exception Definitions == -->
<global-exceptions />
<!-- == Global Forward Definitions === -->
<global-forwards />
<!-- == Action Mapping Definitions === -->
<action-mappings>
<action path="/home" type="com.topit.action.HomeAction" validate="false">
<forward name="success" path="/home.jsp" redirect="true" />
</action>
<action path="/wellcome" type="com.topit.action.WellcomeAction" validate="false">
<forward name="success" path="/wellcome.jsp" redirect="true" />
</action>
</action-mappings>
<!-- == Controller Configuration -->
<controller />
<!-- == Message Resources Definitions -->
<message-resources parameter="com.topit.ApplicationResources" />
<!-- == Plug Ins Configuration = -->
</struts-config>

and when I try to access it in the browser:

http://localhost:8080/appTeste/wellcome.do

this error appears:

SEVERE: No action instance for path /wellcome could be created
Re: SecurityFilter with Struts
Use a regular form tag for the login page. The form will not be submitted to a Struts action but rather it will be processed by the filter. There is no way to call an Action during the authentication process. This is very similar to how container-managed security works.

One difference between container security and SecurityFilter is that you can specify a default page to send the user to after they log in, if they arrive at the login page on their own. Normally, users are automatically sent to the login page by the filter (just like container security) when they try to access a page they need to be authenticated for. If that is the case, SecurityFilter will redirect them to the page they were going to after they are authenticated:

SCENARIO 1: User goes directly to login page:
GET /login.jsp
POST /j_security_check (server redirects user to the configured default page -- /defaultPage.do in this example)
GET /defaultPage.do

SCENARIO 2: Filter sends user to login page
GET /mustBeLoggedInToSeeThisPage.do (server redirects to /login.jsp)
GET /login.jsp
POST /j_security_check (server redirects to /mustBeLoggedInToSeeThisPage.do)
GET /mustBeLoggedInToSeeThisPage.do

-Max

- Original Message -
From: Dirk Manske (Service Respond) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 6:00 AM
Subject: SecurityFilter with Struts

Hi,

I try to integrate SecurityFilter 1.1 in my struts app. I understand that I have to use j_security_check in my form action to setup SecurityFilter. But how does it work within a html:form? Because j_security_check always gets populated to j_security_check.do the SecurityFilter will never be called!? So how should my login.jsp be designed to pass j_security_check and after this forward to an struts action class?

any idea?

thanks, Dirk
Re: SecurityFilter with Struts
Oops, this isn't entirely true: "There is no way to call an Action during the authentication process."

You can have your login page be an action (/login.do) -- I just meant that you can't execute an action when that page is submitted. In other words, you can't process the login request with an Action, or have an Action do additional authentication-time processing when the login page is submitted.

-Max
Re: Error deploying strus application to JBOSS --- The content of element type taglib must match
Could your struts-bean.tld file be damaged? It seems like the exceptions you posted are occurring when the .tld file is being parsed, rather than when the server is reading your web.xml specifically.

WILD GUESSES: Look for urn in the .tld file -- the parser seems to think there is an XML element in there by that name. The second exception seems to be complaining about the content of a taglib element -- perhaps a uri element got changed to urn in the .tld file somehow? Or it might be bad in the distribution and other app servers aren't as picky about it (what Struts dist are you using? 1.1?).

-Max

- Original Message -
From: Yibing Li [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 2:17 PM
Subject: Error deploying strus application to JBOSS --- The content of element type taglib must match

The following are the errors I got when deploying our Struts application to JBOSS. I think it is related to taglibs. In web.xml it is like:

<taglib>
<taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
</taglib>

Has anyone experienced the same problem?

Thanks, Yibing

2004-01-30 09:43:25,266 ERROR [org.apache.commons.digester.Digester] Parse Error at line 8 column 7: Element type urn must be declared.
org.xml.sax.SAXParseException: Element type urn must be declared.
org.xml.sax.SAXParseException org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(org.apache.xerces.xni.parser.XMLParseException) ErrorHandlerWrapper.java:232

and

2004-01-30 09:43:25,391 ERROR [org.apache.commons.digester.Digester] Parse Error at line 23 column 10: The content of element type taglib must match (tlibversion,jspversion?,shortname,uri?,info?,tag+).
org.xml.sax.SAXParseException: The content of element type taglib must match (tlibversion,jspversion?,shortname,uri?,info?,tag+).
org.xml.sax.SAXParseException org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(org.apache.xerces.xni.parser.XMLParseException) ErrorHandlerWrapper.java:232
void org.apache.xerces.util.ErrorHandlerWrapper.error(java.lang.String, java.lang.String, org.apache.xerces.xni.parser.XMLParseException) ErrorHandlerWrapper.java:173
Re: JSP to static html...
Jacob,

It sounds like your requirements preclude doing this at build time. I assume having the button to ftp a static HTML version of the report to a server somewhere means that the report has some parameters to customize the report, or at least that the report should be run at the time the user clicks the button (even if there is no configuration of the report itself). In that case, it seems like you could have the server make a request to itself and then save the response (HTML generated by executing the JSP) in a file or just stream it directly to the ftp server that is waiting to receive it.

I don't have any magic tips about converting JSP to HTML -- I would just let the server execute the JSP to convert it to HTML. If you need to strip things out (JavaScript, etc.) you may need to create a new JSP or manipulate the response to remove that stuff.

-Max

- Original Message -
From: Jacob Wilson [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, January 23, 2004 3:58 PM
Subject: Re: JSP to static html...

Thanks Max. This sounds very good. Your saying that automatically creating an html when the jsp is rendered sounds good. This should solve my problem. We are using websphere 5.0. We are not using ant though... If you can give me little more details on the configuration stuff and how to specify a particular jsp to be converted into an html, that would be great...

-Jacob

Max Cooper [EMAIL PROTECTED] wrote:

View Source ... Save As works generally, but browsers sometimes mess with the HTML in subtle ways (netscape used to add an HTML tag, for instance), so I would be very wary of using that technique (diff users w/diff browser, changes after browser upgrade, etc.). The command-line tools curl or wget should be more trustworthy to deliver the HTML as delivered by the server with no molestation.

If you want to automate the process (which I highly recommend if you are really going to do this), you could use Ant to deploy your app and its JSPs on a server and then make requests for all of the pages, saving the responses as build output.

Before doing any of this, I would take a detailed look at why you want to render your JSPs and convert them to HTML. It seems likely that there is a better (easier) way to achieve the intended goal. Ant and its various filtering, token-replacing and other abilities may offer a more manageable solution.

-Max

- Original Message -
From: Ron Day
To: Struts Users Mailing List
Sent: Friday, January 23, 2004 2:28 PM
Subject: RE: JSP to static html...

View source in browser and save it to xxx.html
Re: Problem with %= ... % inside struts tags
The tag attribute value must be one big <%= %> or static text. You can't mix static text and a <%= %>. This is a limitation of JSP, and not something strange with Struts JSP tags in particular. Fortunately, it is pretty easy to create a <%= %> expression that will have the value you want.

Instead of:

<html:select property="exception" onClick="javascript:showOtherExceptions('<%= ELSEnquiryConstantsIF.EXCEPTION %>');" />

You can write it like this (all in one big <%= %> expression):

<html:select property="exception" onClick='<%= "javascript:showOtherExceptions('" + ELSEnquiryConstantsIF.EXCEPTION + "');" %>' />

Or something like this:

<% String myOnClick = ( "javascript:showOtherExceptions('" + ELSEnquiryConstantsIF.EXCEPTION + "');" ); %>
<html:select property="exception" onClick="<%=myOnClick%>" />

-Max

- Original Message -
From: vasudevrao gupta [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 12:17 AM
Subject: Problem with %= ... % inside struts tags

Hi All,

I have the following code in my JSP file, and I am using the STRUTS framework.

code:
<html:select property="exception" onClick="javascript:showOtherExceptions('<%= ELSEnquiryConstantsIF.EXCEPTION %>');" />

where showOtherExceptions is a javascript function I have already written. The problem is that this doesn't work as expected. The part that should be filled with ELSEnquiryConstantsIF.EXCEPTION stays as ELSEnquiryConstantsIF.EXCEPTION in the final HTML output. When I view source on the outputted HTML page, the html:submit tag converts to the following:

code:
<input type="select" name="exceptione" onClick="javascript:showOtherExceptions('<%= ELSEnquiryConstantsIF.EXCEPTION %>');" />

Please help

Regards
VasudevRaoGupta
Re: JSP to static html...
View Source ... Save As works generally, but browsers sometimes mess with the HTML in subtle ways (netscape used to add an HTML base tag, for instance), so I would be very wary of using that technique (diff users w/diff browser, changes after browser upgrade, etc.). The command-line tools curl or wget should be more trustworthy to deliver the HTML as delivered by the server with no molestation.

If you want to automate the process (which I highly recommend if you are really going to do this), you could use Ant to deploy your app and its JSPs on a server and then make requests for all of the pages, saving the responses as build output.

Before doing any of this, I would take a detailed look at why you want to render your JSPs and convert them to HTML. It seems likely that there is a better (easier) way to achieve the intended goal. Ant and its various filtering, token-replacing and other abilities may offer a more manageable solution.

-Max

- Original Message -
From: Ron Day [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, January 23, 2004 2:28 PM
Subject: RE: JSP to static html...

View source in browser and save it to xxx.html
Re: [FRIDAY] RE: JSP Protection
Be careful, or charliesheen.jpg will be looking for you!

-Max

- Original Message -
From: Nail, Evan Burke [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, January 16, 2004 5:19 AM
Subject: [FRIDAY] RE: JSP Protection

Perhaps I have a different browser, but mine keeps asking for /images/deniserichards.jpg hmmm

-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 7:20 PM
To: Struts Users Mailing List
Subject: Re: JSP Protection

The images are requested directly by the browser, so they must be accessible from the outside. Here's a little browser-server dialog to illustrate how it works:

Browser: please give me /DoSomething.do
Server: Here you go... (server invokes Struts action servlet, action servlet invokes the requested action, action says it wants to forward to a JSP, action servlet does the forward...) <html><img src="/images/bitchin_camaro.jpg"></html>
Browser: please give me /images/bitchin_camaro.jpg
Server: Here you go... 24927image247data7902578259image293data85984396574389...

The request for the action returns HTML. The browser reads the HTML and sees that it references an image. The browser then makes a separate request for the image file so that it can render the page. The image file must be request-able by the browser or it won't show up when someone wants to view the page.

-Max

- Original Message -
From: lixin chu [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:07 PM
Subject: RE: JSP Protection

I can successfully move all the files into /WEB-INF/subfolder (WEB-INF is protected by default) except the images/ folder. It seems that I have to leave it outside - in the webapp root. I am using Tomcat 5.0.16. Is it a defect or it is like this?

--- Karr, David [EMAIL PROTECTED] wrote:

Put all JSP pages that can't be accessed directly into a security constraint, only accessible by the role nobody, which you will never add a user to. All accesses of JSPs will be through forwards from actions, which will not be blocked by that security constraint (unless you either have a broken web container or a Servlet 2.4 container where you've enabled auth on forward).

-Original Message-
From: Jürgen Scheffler [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: JSP Protection

Hi,

how do i block URL guessing? if someone requests abc.com/secret_page.jsp he gets it. In my Action i check if the user object has the right rights for this action and then i forward him. But if guesses the jsp, he opens it.

Help me!
Jürgen
Re: weird Tomcat prob
My guess is that it is finding and executing the servlet, but that something goes wrong while the servlet is being processed. It looks like it drops down into some JSPs, and that seems to be the source of the exception. We need to know more about what that servlet does. I see Struts classes in the stack trace. It also seems like there might be an 'identification.jsp' file that includes an 'incAttachment.jsp' file. Can you look at line 120 of the incAttachment_jsp.java file that Tomcat generates when it transforms the JSP file into a Java class? It might have comments that tell you what the line number in the incAttachment.jsp file is causing the exception.

-Max

- Original Message -
From: Claire Wall [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, January 16, 2004 1:22 AM
Subject: weird Tomcat prob

Hi,

I have a struts application which i am deploying to another server which is running Tomcat 4.1.29 via a WAR file. The application works fine except for one problem: I have a servlet which loads on start-up via the following declaration in web.xml:

<servlet>
<servlet-name>hasAttachments</servlet-name>
<servlet-class>HasAttachmentsServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>

It loads up fine - the servlet is found as it is logging to the log file that it is loaded. However, when I try to access this servlet it does not find the servlet at all. The servlet has a doGet() method which just passes back some text to be outputted. I call it like this: http://localhost:8080/CRM/servlet/hasAttachments.
I get the following error message:

org.apache.jasper.JasperException: Exception reading resource http://localhost:8080/CRM/servlet/hasAttachments;jsessionid=B0636FAB02DF85F4E4980AF8092618AF?context=12upload=false: java.io.FileNotFoundException: http://localhost:8080/CRM/servlet/hasAttachments;jsessionid=B0636FAB02DF85F4E4980AF8092618AF?context=12upload=false
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:254)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:575)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:498)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:822)
at org.apache.jsp.identification_jsp._jspService(identification_jsp.java:278)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:210)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:432)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:356)
at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
at
Re: Tomcat error with compiling JSPs
This seems telling:

    [javac] javac: invalid flag: C:\Program

It seems like some kind of path with a space in it is being passed to the compiler, but it is not being quoted properly.

    javac -classpath C:\Program Files\somelib\lib.jar ...
    (should be: javac -classpath "C:\Program Files\somelib\lib.jar" ...)

However, I would kind of expect the error to be "invalid flag: Files\somelib\lib.jar" in that case, since the "C:\Program" part is before the space. Could you have some kind of funky classpath like "C:\dir\lib.jar; C:\Program Files\poop\stuff.jar" (note the space after the ';')?

Are you setting the classpath for the server process yourself, perhaps by starting Tomcat using your own script (rather than startup.bat)? Or do you have some strange classpath in your environment before you start Tomcat?

-Max

- Original Message -
From: Claire Wall [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 4:06 AM
Subject: Tomcat error with compiling JSPs

Hi,

I am trying to install my application on another server (Tomcat 4.1). I have built a WAR file from an ANT build file but when I install it on Tomcat and try to access it I get the following error:

HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
org.apache.jasper.JasperException: Unable to compile class for JSP
An error occurred at line: -1 in the jsp file: null
Generated servlet error:
[javac] Since fork is true, ignoring compiler setting.
[javac] Compiling 1 source file
[javac] Since fork is true, ignoring compiler setting.
[javac] javac: invalid flag: C:\Program [javac] Usage: javac [javac] where possible options include: [javac] -gGenerate all debugging info [javac] -g:none Generate no debugging info [javac] -g:{lines,vars,source}Generate only some debugging info [javac] -nowarn Generate no warnings [javac] -verbose Output messages about what the compiler is doing [javac] -deprecation Output source locations where deprecated APIs are used [javac] -classpath Specify where to find user class files [javac] -sourcepath Specify where to find input source files [javac] -bootclasspath Override location of bootstrap class files [javac] -extdirsOverride location of installed extensions [javac] -d Specify where to place generated class files [javac] -encoding Specify character encoding used by source files [javac] -source Provide source compatibility with specified release [javac] -target Generate class files for specific VM version [javac] -help Print a synopsis of standard options at org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandle r.java:130) at org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:2 93) at org.apache.jasper.compiler.Compiler.generateClass(Compiler.java:353) at org.apache.jasper.compiler.Compiler.compile(Compiler.java:370) at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:4 73) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:1 90) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:256) at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:191) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.
Re: JSP Protection
The images are requested directly by the browser, so they must be accessible from the outside. Here's a little browser-server dialog to illustrate how it works:

Browser: please give me /DoSomething.do
Server: Here you go... (server invokes Struts action servlet, action servlet invokes the requested action, action says it wants to forward to a JSP, action servlet does the forward...)
    <html><img src="/images/bitchin_camaro.jpg"></html>
Browser: please give me /images/bitchin_camaro.jpg
Server: Here you go...
    24927image247data7902578259image293data85984396574389...

The request for the action returns HTML. The browser reads the HTML and sees that it references an image. The browser then makes a separate request for the image file so that it can render the page. The image file must be request-able by the browser or it won't show up when someone wants to view the page.

-Max

- Original Message -
From: lixin chu [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:07 PM
Subject: RE: JSP Protection

I can successfully move all the files into /WEB-INF/subfolder (WEB-INF is protected by default) except the images/ folder. It seems that I have to leave it outside - in the webapp root. I am using Tomcat 5.0.16. Is it a defect or is it like this?

--- Karr, David [EMAIL PROTECTED] wrote:

Put all JSP pages that can't be accessed directly into a security constraint, only accessible by the role nobody, which you will never add a user to. All accesses of JSPs will be through forwards from actions, which will not be blocked by that security constraint (unless you either have a broken web container or a Servlet 2.4 container where you've enabled auth on forward).

-Original Message-
From: J#40693;gen Scheffler [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: JSP Protection

Hi,

How do I block URL guessing? If someone requests abc.com/secret_page.jsp he gets it. In my Action I check if the user object has the right rights for this action and then I forward him. But if he guesses the JSP, he opens it.

Help me!

J#40693;gen
Re: Database pool full.
We were using the Oracle connection pool implementation, and it is a configurable item on there. There is no config file, so we used a method call to set the strategy in that case. I would expect that other pool implementations might have different options and different configuration procedures. I'm not familiar with the MySQL config, or even if the pool you are using is part of the MySQL driver package (or perhaps the pool is part of Resin?). What is the fully-qualified class name of the DataSource class you are using?

-Max

- Original Message -
From: virupaksha [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 9:02 PM
Subject: Re: Database pool full.

Dear Max,

Yah, this problem occurs after visiting some pages, to use #1 strategy, whether I need to do any changes in configuration or is there any other way?

Thanks for your suggestions & immediate response,

Regards,
viru

- Original Message -
From: Max Cooper [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 12:30 PM
Subject: Re: Database pool full.

My guess is that you have a connection leak somewhere. Does this problem start occurring immediately, or does it only show up after visiting a number of pages in the site?

Various db pools have different ways of dealing with no connections being available. Often, you can configure which strategy to use. Here are 3 different strategies:

1. Wait until a connection becomes available.
2. Fail if no connections are available (i.e. return null or throw an exception).
3. Grow the pool temporarily if there are no free connections.

It is clear from the errors you are getting that your pool is currently using strategy #2. I like #1 the best, because it is less likely that requests will fail under load. But, you must be sure that you don't have any connection leaks, because the app will eventually hang if you have connection leaks and use strategy #1. Strategy #3 works, but you can still run out of connections in the database itself, so it can start to act like strategy #2. This is one aspect of connection pooling that is important to consider when developing web apps.

But, it seems likely that you have leaks somewhere. Some of your requests are probably not returning their connections to the pool. It could be that you have exceptions that are being thrown and not releasing the connection, or it could just be that you have non-exception logic paths that don't return the connections. Some combination of code reviews, debugging, etc. is needed to track them down.

Another thing to watch out for is requests that require more than 1 simultaneous connection. For instance, consider the situation where you have a pool of 30 connections, 15 request handler threads, and a request that requires 3 connections. If 15 of those requests come in at once, and each request handler thread grabs 2 connections, you will have deadlock as all the request handler threads wait forever for a third db connection to become available (assuming you are using pooling strategy #1 above). The solution to this problem is to make sure that you don't have any requests that require more than one simultaneous connection, or at least that your db connection pool has enough connections to survive a flood of connection hungry requests (e.g. have a pool of 45 connections in the example scenario described above -- 3 conn/req * 15 threads = 45 connections in the pool). This may seem unlikely, but it is a problem I have faced in a production system (and it wasn't easy to track down!). Another lister here suggested a good technique for ensuring that none of your requests require more than 1 simultaneous connection -- test your app with a pool of 1 connection.

-Max

- Original Message -
From: virupaksha [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 7:14 PM
Subject: Database pool full.

Dear All,

I am developing an application on resin-2.1.9 web server. Connection to MYSQL Database is using JNDI. JNDI connection code is written in a class called DBService. I am instantiating DBService class wherever I need database connection and getting connection using getConnection() method. When user start working on application, I'm getting following errors:

Class:DBService. Method:getConnection() cann't open connection with full database pool(30)
Class:MonthReport. Method:SelectReportDetailNull() cann't open connection with full database pool(30)

It sounds like database pool is full. Whether I need to increase the pool size or optimize code in DBService database connection class. For your reference below code performs database connection.

-- public Connection
Re: Database pool full.
My guess is that you have a connection leak somewhere. Does this problem start occurring immediately, or does it only show up after visiting a number of pages in the site?

Various db pools have different ways of dealing with no connections being available. Often, you can configure which strategy to use. Here are 3 different strategies:

1. Wait until a connection becomes available.
2. Fail if no connections are available (i.e. return null or throw an exception).
3. Grow the pool temporarily if there are no free connections.

It is clear from the errors you are getting that your pool is currently using strategy #2. I like #1 the best, because it is less likely that requests will fail under load. But, you must be sure that you don't have any connection leaks, because the app will eventually hang if you have connection leaks and use strategy #1. Strategy #3 works, but you can still run out of connections in the database itself, so it can start to act like strategy #2. This is one aspect of connection pooling that is important to consider when developing web apps.

But, it seems likely that you have leaks somewhere. Some of your requests are probably not returning their connections to the pool. It could be that you have exceptions that are being thrown and not releasing the connection, or it could just be that you have non-exception logic paths that don't return the connections. Some combination of code reviews, debugging, etc. is needed to track them down.

Another thing to watch out for is requests that require more than 1 simultaneous connection. For instance, consider the situation where you have a pool of 30 connections, 15 request handler threads, and a request that requires 3 connections. If 15 of those requests come in at once, and each request handler thread grabs 2 connections, you will have deadlock as all the request handler threads wait forever for a third db connection to become available (assuming you are using pooling strategy #1 above). The solution to this problem is to make sure that you don't have any requests that require more than one simultaneous connection, or at least that your db connection pool has enough connections to survive a flood of connection hungry requests (e.g. have a pool of 45 connections in the example scenario described above -- 3 conn/req * 15 threads = 45 connections in the pool). This may seem unlikely, but it is a problem I have faced in a production system (and it wasn't easy to track down!). Another lister here suggested a good technique for ensuring that none of your requests require more than 1 simultaneous connection -- test your app with a pool of 1 connection.

-Max

- Original Message -
From: virupaksha [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 7:14 PM
Subject: Database pool full.

Dear All,

I am developing an application on resin-2.1.9 web server. Connection to MYSQL Database is using JNDI. JNDI connection code is written in a class called DBService. I am instantiating DBService class wherever I need database connection and getting connection using getConnection() method. When user start working on application, I'm getting following errors:

Class:DBService. Method:getConnection() cann't open connection with full database pool(30)
Class:MonthReport. Method:SelectReportDetailNull() cann't open connection with full database pool(30)

It sounds like database pool is full. Whether I need to increase the pool size or optimize code in DBService database connection class. For your reference below code performs database connection.

    // needs: java.sql.Connection, javax.naming.Context,
    //        javax.naming.InitialContext, javax.sql.DataSource
    public Connection getConnection() {
        java.sql.Connection con = null;
        javax.sql.DataSource ds = null;
        try {
            // look up the container-managed DataSource through JNDI
            Context initCtx = new InitialContext();
            Context envCtx = (Context) initCtx.lookup("java:comp/env");
            ds = (DataSource) envCtx.lookup("jdbc/training");
            con = ds.getConnection();
        } catch (Exception e) {
            System.out.println("Class : DBService, Method : getConnection()" + e.getMessage());
        }
        return con;
    } //end of getConnection method

Your advice will be great help to optimize my application.

Thanks in advance.

Regards,
Viru
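Added example, not part of any message in this thread: a constructed simulation of the multi-connection scenario Max describes (15 request handlers, 3 connections per request, pool of 30 versus 45), with the connections returned in a finally block so that no path leaks them. BoundedPool is a hypothetical stand-in built on a Semaphore, not Resin's or Oracle's pool, and the timeouts exist only so the demo terminates where a real wait-forever pool would hang.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** Constructed simulation; BoundedPool is a hypothetical stand-in for a real pool. */
public class PoolStarvationDemo {

    /** Pool using strategy #1 (wait for a free connection), modelled as counted permits. */
    static final class BoundedPool {
        private final Semaphore free;

        BoundedPool(int size) {
            free = new Semaphore(size, true);
        }

        /** Waits up to timeoutMs for a connection; a real strategy-#1 pool would wait forever. */
        boolean borrow(long timeoutMs) throws InterruptedException {
            return free.tryAcquire(timeoutMs, TimeUnit.MILLISECONDS);
        }

        void giveBack() {
            free.release();
        }
    }

    /** Returns how many requests never obtained the last connection they needed. */
    static int starvedRequests(int poolSize, int threads, int connsPerRequest)
            throws InterruptedException {
        BoundedPool pool = new BoundedPool(poolSize);
        ExecutorService handlers = Executors.newFixedThreadPool(threads);
        CyclicBarrier sync = new CyclicBarrier(threads);
        AtomicInteger starved = new AtomicInteger();
        CountDownLatch finished = new CountDownLatch(threads);

        for (int i = 0; i < threads; i++) {
            handlers.execute(() -> {
                int held = 0;
                boolean gotLast = false;
                try {
                    // Every handler first takes all but one of the connections it needs.
                    for (int c = 0; c < connsPerRequest - 1; c++) {
                        if (pool.borrow(2000)) {
                            held++;
                        }
                    }
                    sync.await(5, TimeUnit.SECONDS); // the flood: all requests are in flight
                    gotLast = pool.borrow(500);      // the connection everyone is waiting for
                    if (gotLast) {
                        held++;
                    }
                    sync.await(5, TimeUnit.SECONDS); // nobody releases until all have tried
                } catch (Exception e) {
                    // interrupted or barrier broken: counted as starved below
                } finally {
                    if (!gotLast) {
                        starved.incrementAndGet();
                    }
                    // Leak-free handling: connections go back on every path, exceptions included.
                    for (int c = 0; c < held; c++) {
                        pool.giveBack();
                    }
                    finished.countDown();
                }
            });
        }
        finished.await();
        handlers.shutdown();
        return starved.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("pool=30, 15 handlers x 3 conns: starved="
                + starvedRequests(30, 15, 3));
        System.out.println("pool=45, 15 handlers x 3 conns: starved="
                + starvedRequests(45, 15, 3));
    }
}
```

With 30 connections every handler holds two and times out waiting for its third; with 45 none of them wait. Running the same method with a pool of 1 is the test the message recommends for finding requests that need more than one simultaneous connection.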
Re: handling form based authentication w/ remember-me cookie
Dipak,

Are you certain that the filter will be invoked on the /j_security_check request when container-based security is used? I have not tested this, but it would not surprise me to find that some containers do not execute filters on /j_security_check requests. I don't know if the Servlet Spec says anything about this case.

Chris,

Another alternative to the original problem of security with remember me functionality will be available soon. A patch has been submitted to my SecurityFilter project (http://www.securityfilter.org/) to support remember me functionality. The integration should be complete soon, and a beta release will be made available once the integration is complete. SecurityFilter works very much like container-managed security otherwise, including the configuration format (except that you declare the constraints in a separate config file rather than web.xml).

-Max

- Original Message -
From: Parmar, Dipakkumar [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie

Hi Chris,

You can do this using Servlet Filter. What you need to do is write postLoginFilter that maps to the j_security_check url. In doFilter method, you can write your post login code after j_security_check has done its work. Something like:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // let j_security_check do its work
        chain.doFilter(request, response);
        // do your post login stuff here
    }

Regards,
Dipak Parmar

-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 9:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie

I am using Struts and building a logon page to do Form-based authentication under Tomcat. I want to also have a checkbox for the user to check that says remember me so that I can send them a cookie. I'm not sure how to intercept the form values because I have to post to j_security_check. How can I get the check-box value, set up the cookie, and send them to j_security_check with struts?

Thanks
Re: URGENT - Help defending Struts
http://www.fiskars.com/ is using Struts, too.

-Max

- Original Message -
From: Andy Engle [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 7:58 AM
Subject: Re: URGENT - Help defending Struts

[EMAIL PROTECTED] wrote:

Our CIO is currently fighting the use of Struts by saying that it is not widely used in B2C sites. Does anyone know of any sites, preferably commerce sites that are using Struts? This would be extremely helpful.

It looks like www.verizonwireless.com has their entire user account setup done with Struts. I love it -- has a great look, lots of information, charts, past billing info, the works. On top of that, it's all pretty quick and easy to use.

Andy
Re: Are httpSessions thread safe?
Two threads can access and use the same object from the session at the same time. Struts does not prevent this from occurring. It is something to worry about unless you want to be woken up with bug reports in the middle of the night. :-)

-Max

- Original Message -
From: Joe Hertz [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Wednesday, December 17, 2003 11:56 PM
Subject: Are httpSessions thread safe?

Not sure how OT this question is.

My current plan (unless this is bad for some reason, but if so, Ted H should change his example app :-) is to stash the hibernate Session for a user into his httpSession, and reuse it on each request.

A Hibernate Session instance isn't threadsafe. I imagine if two really quick http requests got generated out of the same browser, all hell could break out.

I guess I want to know if mortals like me need to worry about this. Does Struts (or the Servlet container FAIK) prevent this from occurring, or do I need to ensure this doesn't happen? If so, how? With a token or is there a better strategy?

TIA

-Joe
Re: Are httpSessions thread safe?
Even though you got a few different objects with those calls, they all represent the same conceptual session underneath. The concept of a session would be worthless otherwise. In other words, if you stash a reference to some object in the session, you will be able to get a reference to that same object from any of the session objects returned by those calls (even though the object representing the session itself may be different from call to call).

-Max

- Original Message -
From: Kris Schneider [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 8:11 AM
Subject: RE: Are httpSessions thread safe?

Synchronizing on the session object may cause you all sorts of grief...or it may not. It all depends on your container. The spec makes no guarantees about the identity of the object returned by methods like PageContext.getSession or HttpServletRequest.getSession. For example, here's a test JSP:

    <%@ page contentType="text/plain" %>
    <%
    out.println("session: " + session);
    out.println("pageContext.getSession: " + pageContext.getSession());
    out.println("request.getSession: " + request.getSession(false));
    out.println("request.getSession: " + request.getSession(false));
    %>

Here's the output from TC 4.1.24:

    session: [EMAIL PROTECTED]
    pageContext.getSession: [EMAIL PROTECTED]
    request.getSession: [EMAIL PROTECTED]
    request.getSession: [EMAIL PROTECTED]

And that's just within the same thread! I'm pretty sure TC 4.1.29 does return the same instance, but just remember it's not guaranteed.

Quoting Joe Germuska [EMAIL PROTECTED]:

At 4:09 PM +0800 12/18/03, Andrew Hill wrote:

The session's essentially just a sort of Map. Access to it may be threadsafe, but the stuff that's in it is another matter entirely.

Multiple requests associated with the same session will execute simultaneously. There's nothing in the specs that guarantees threadsafe access to session attributes.

A pattern I've become quite fond of is to create a single object (we call it a shell, analogous to an operating system shell) which encapsulates everything you want in session context for a given user; then put just this object into session scope, and use methods on it to do everything else. This helps you apply synchronization where appropriate.

There's still a risk of a race condition involving the initial creation of the shell (assuming you do something like check the session to see if there's a value under the key you use for the shell) -- you can put that in a block synchronized on the session object:

    MyAppShell shell = null;
    synchronized (session) {
        shell = (MyAppShell) session.getAttribute(SHELL_KEY);
        if (shell == null) {
            shell = new MyAppShell();
            session.setAttribute(SHELL_KEY, shell);
        }
    }

If the shell concept seems like high overhead to you, you can still synchronize accesses on the session object along those lines; you may just have more trouble keeping track of all the places it needs to happen.

Joe

--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com
We want beef in dessert if we can get it there. -- Betty Hogan, Director of New Product Development, National Cattlemen's Beef Association

--
Kris Schneider mailto:[EMAIL PROTECTED]
D.O.Tech http://www.dotech.com/
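Added example, not part of any message in this thread: a constructed simulation of the point the posts above make between them, that a check-then-create block synchronized on whatever object getSession() returns protects nothing when the container hands each request a different wrapper for the same session. SessionData, SessionFacade, Shell and the "session.mutex" attribute are hypothetical stand-ins (not servlet API or Struts classes); locking on a mutex stored in the session when it is created, which a real container would allow from HttpSessionListener.sessionCreated, is an assumption of this sketch rather than something proposed in the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/** Constructed simulation; none of these classes are servlet API or Struts types. */
public class SessionLockDemo {
    static final String SHELL_KEY = "shell";
    static final String MUTEX_KEY = "session.mutex"; // hypothetical attribute name
    static final AtomicInteger shellsCreated = new AtomicInteger();

    /** The one conceptual session: attributes shared by every facade. */
    static final class SessionData {
        final Map<String, Object> attrs = new ConcurrentHashMap<>();

        SessionData() {
            // Done exactly once, when the session is created.
            attrs.put(MUTEX_KEY, new Object());
        }
    }

    /** What getSession() hands out: possibly a different wrapper object on each call. */
    static final class SessionFacade {
        private final SessionData data;

        SessionFacade(SessionData data) {
            this.data = data;
        }

        Object getAttribute(String key) {
            return data.attrs.get(key);
        }

        void setAttribute(String key, Object value) {
            data.attrs.put(key, value);
        }
    }

    /** Per-user state holder; construction is slow enough to expose the race. */
    static final class Shell {
        Shell() throws InterruptedException {
            shellsCreated.incrementAndGet();
            Thread.sleep(50); // widens the check-then-act window
        }
    }

    /** The check-then-create block from the thread, with the lock object made explicit. */
    static Shell getOrCreate(SessionFacade session, Object lock) throws InterruptedException {
        synchronized (lock) {
            Shell shell = (Shell) session.getAttribute(SHELL_KEY);
            if (shell == null) {
                shell = new Shell();
                session.setAttribute(SHELL_KEY, shell);
            }
            return shell;
        }
    }

    /** Runs concurrent "requests" against one session; returns how many shells were built. */
    static int run(boolean lockOnFacade, int requests) throws InterruptedException {
        shellsCreated.set(0);
        SessionData data = new SessionData();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] threads = new Thread[requests];
        for (int i = 0; i < requests; i++) {
            threads[i] = new Thread(() -> {
                SessionFacade session = new SessionFacade(data); // fresh facade per request
                Object lock = lockOnFacade ? session : session.getAttribute(MUTEX_KEY);
                try {
                    start.await();
                    getOrCreate(session, lock);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
            threads[i].start();
        }
        start.countDown(); // release all requests at once
        for (Thread t : threads) {
            t.join();
        }
        return shellsCreated.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("lock on per-request facade: shells created = " + run(true, 8));
        System.out.println("lock on session-wide mutex: shells created = " + run(false, 8));
    }
}
```

Locking on the facade typically builds several shells, each overwriting the last, because every request holds a different lock; locking on the shared mutex builds exactly one.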
Re: URGENT - Help defending Struts
I am sure part of it is just that he doesn't want to choose something that doesn't have a lot of mind/market share. How many people use something is a decent (but not perfect) indicator of how likely it will be that support will be available in the future, and that the skills acquired in learning and using the tool will have value in the future. Perhaps a good supporting argument for the CIO would be how many messages have been posted in response to your question in such a short period of time -- or how many messages are posted on this list per day. Struts is about as active as any project that I know of, and has been for long time. :-) -Max - Original Message - From: Joe Germuska [EMAIL PROTECTED] To: Struts Users Mailing List [EMAIL PROTECTED] Sent: Thursday, December 18, 2003 8:13 AM Subject: Re: URGENT - Help defending Struts Our CIO is currently fighting the use of Struts by saying that it is not widely used in B2C sites. Does anyone know of any sites, preferably commerce sites that are using Struts? This would be extremely helpful. The CIO of a company as big as Accenture is going to decide whether Struts should be used or not based on whether or not anyone else is doing it? That's pretty weak. You'd think he'd at least have some trusted technology advisers that could help him decide based on the merits instead of just watching the crowds. Isn't innovation a big buzzword for consulting companies like that? My last project, a collaborative commerce project with a major lawn and garden equipment manufacturer, is built entirely upon Struts, and is already available for dealer registration; the public should be able to use the client's site to purchase tractors and accessories from local dealers in Q1 2004. My company has also developed a number of applications in the home appliances industry for direct to consumer and manufacturer-collaborative appliance sales which were either built from the ground up with Struts, or are gradually being ported to Struts. 
We also use Struts to run the primary consumer facing sites for companies in home furniture, office furniture, and personal healthcare products which don't currently have commerce components.

But hey, if he wants you to write your own web application frameworks from the ground up, and internally perform all the testing that a large user community has already done on the Struts codebase and train all your new employees on the internal way to do it instead of hiring people who might come in already experienced in a framework well, that's one way to do it.

Joe

--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com
We want beef in dessert if we can get it there. -- Betty Hogan, Director of New Product Development, National Cattlemen's Beef Association
Re: Are httpSessions thread safe?
Agreed. I wasn't thinking that the question was to literally synchronize on the session object itself. I see now that that may have been the original intent. Synchronizing on the session object itself seems like a really dangerous idea to me (invitation for deadlock, performance issues). And Kris's test shows it probably wouldn't do what you expect it to anyway.

-Max

- Original Message -
From: Kris Schneider [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 8:32 AM
Subject: Re: Are httpSessions thread safe?

The point is about synchronizing on the session object, in which case it makes all the difference in the world that different instances are used to represent the same conceptual session.
Re: Are httpSessions thread safe?
Most (all?) containers pool the request-handler threads, so it won't be creating hibernate sessions for each request. It would still be thread safe, since a single thread won't be used to process two requests simultaneously. This sounds like a good approach to me -- safe and likely to perform just fine.

-Max

- Original Message -
From: David Erickson [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:26 AM
Subject: Re: Are httpSessions thread safe?

That second one actually works great, 43.html. Since each request is running in its own thread it has the possibility to create a new hibernate session for every request, but it only creates it if you call the getSession method on the filter. And at the end of the request that session is destroyed.

-David

- Original Message -
From: Joe Hertz [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:20 AM
Subject: RE: Are httpSessions thread safe?

I saw these. I just had this grand idea of minimizing the Hibernate connections by doing what Ted did in his example -- not actually discarding a user's Hibernate Session until his httpSession expired.

I've never messed with ThreadLocals before but I suspect that the attempt to put a ThreadLocal into a httpSession would be funny to watch.

-Original Message-
From: Kris Schneider [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:45 AM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: RE: Are httpSessions thread safe?

Poked around on the Hibernate site for a few minutes and found these:

http://www.hibernate.org/42.html
http://www.hibernate.org/43.html

Quoting Joe Hertz [EMAIL PROTECTED]:

Yuck. And may I say, Yuck, again?

It's not the Session object per se, as much as it is the particular attribute I want to store there. It does strike me that the storage of a Hibernate Session in the httpSession is a fairly common thing, so I doubt this bites people very often. It does seem to have the potential to do so.

In the real world why is this not too big of a deal? Or should it be considered one? I suppose that unless you've got time consuming requests, or the user hits some button on the browser twice in rapid succession, it's probably okay. A token could effectively prevent this type of condition I suppose.

-J

-Original Message-
From: Kris Schneider [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:12 AM
To: Struts Users Mailing List
Subject: RE: Are httpSessions thread safe?

Synchronizing on the session object may cause you all sorts of grief...or it may not. It all depends on your container. The spec makes no guarantees about the identity of the object returned by methods like PageContext.getSession or HttpServletRequest.getSession. For example, here's a test JSP:

    <%@ page contentType="text/plain" %>
    <%
    out.println("session: " + session);
    out.println("pageContext.getSession: " + pageContext.getSession());
    out.println("request.getSession: " + request.getSession(false));
    out.println("request.getSession: " + request.getSession(false));
    %>

Here's the output from TC 4.1.24:

    session: [EMAIL PROTECTED]
    pageContext.getSession: [EMAIL PROTECTED]
    request.getSession: [EMAIL PROTECTED]
    request.getSession: [EMAIL PROTECTED]

And that's just within the same thread! I'm pretty sure TC 4.1.29 does return the same instance, but just remember it's not guaranteed.

Quoting Joe Germuska [EMAIL PROTECTED]:

At 4:09 PM +0800 12/18/03, Andrew Hill wrote:

The session's essentially just a sort of Map. Access to it may be threadsafe, but the stuff that's in it is another matter entirely.

Multiple requests associated with the same session will execute simultaneously. There's nothing in the specs that guarantees threadsafe access to session attributes.
A pattern I've become quite fond of is to create a single object (we call it a shell, analogous to an operating system shell) which encapsulates everything you want in session context for a given user; then put just this object into session scope, and use methods on it to do everything else. This helps you apply synchronization where appropriate. There's still a risk of a race condition involving the initial creation of the shell (assuming you do something like check the session to see if there's a value under the key you use for the shell) -- you can put that in a block synchronized on the session
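The "shell" pattern from this thread, as an added example that is not code from any of the posters: creating the shell in an HttpSessionListener removes the first-creation race without synchronizing on the session object, whose identity Kris's test shows is not guaranteed. The class names and the state kept inside UserShell are hypothetical.

```java
// File: UserShellListener.java
// Added illustration; UserShell and the state it holds are hypothetical.
// Register in web.xml:
//   <listener><listener-class>UserShellListener</listener-class></listener>
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * The single object this application keeps in session scope. All per-user
 * state sits behind synchronized methods, so concurrent requests in one
 * session (double-click, frames, two tabs) cannot interleave inside an update.
 * The lock is the shell itself, not the HttpSession facade.
 */
final class UserShell implements Serializable {
    private static final long serialVersionUID = 1L;
    static final String KEY = UserShell.class.getName();
    private static final int MAX_RECENT = 10;

    private final List<String> recentSearches = new ArrayList<String>();
    // Not meaningful after session passivation, so it is not serialized.
    private transient int exclusiveInFlight;

    /** Compound update (remove, insert, trim) performed atomically. */
    synchronized void rememberSearch(String query) {
        recentSearches.remove(query);
        recentSearches.add(0, query);
        while (recentSearches.size() > MAX_RECENT) {
            recentSearches.remove(recentSearches.size() - 1);
        }
    }

    /** Returns a copy so callers never iterate the live list without the lock. */
    synchronized List<String> recentSearches() {
        return new ArrayList<String>(recentSearches);
    }

    /** Lets an Action refuse a second long-running request in the same session. */
    synchronized boolean tryBeginExclusive() {
        if (exclusiveInFlight > 0) {
            return false;
        }
        exclusiveInFlight++;
        return true;
    }

    /** Call from a finally block once the exclusive request has finished. */
    synchronized void endExclusive() {
        if (exclusiveInFlight > 0) {
            exclusiveInFlight--;
        }
    }

    /** Look-up used by Actions; there is no check-then-create step to race on. */
    static UserShell of(HttpSession session) {
        Object held = session.getAttribute(KEY);
        if (!(held instanceof UserShell)) {
            throw new IllegalStateException("UserShellListener is not registered");
        }
        return (UserShell) held;
    }
}

/** Installs the shell while the container is still creating the session. */
public class UserShellListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setAttribute(UserShell.KEY, new UserShell());
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        // Nothing to release in this sketch.
    }
}
```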
Re: Have your Book: UserInRole question
You have only two choices for making request.isUserInRole() work:

1. Use container-managed security.
2. Use or create a Filter-based security system where you wrap the request objects in order to implement the isUserInRole() method. You can't do this without writing a filter.

The SecurityFilter (http://www.securityfilter.org) project I run is an example of #2. Here's a link to the source code for our SecurityRequestWrapper class that implements the isUserInRole() method: http://tinyurl.com/yile -- the implementation just delegates to the realm.

-Max

----- Original Message -----
From: Ted Husted [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 11:47 AM
Subject: Re: Have your Book: UserInRole question

You said it. The database returns the user's various roles ... to the container, which also supplies the request from whence isUserInRole comes.

HTH, Ted.

Dave Yutzy wrote:

I've been wracking the web to try and find out how to use the request.isUserInRole() functionality. I understand how to setup the web.xml as well as the action tag in the struts config, but where would I actually assign the value of the user's role? So, if I have a custom login page and I auth. against a DB that returns the user's various roles, how do I get those values into so that they can be read by the request.isUserInRole() call? Anything you can do to point me in the right direction is greatly appreciated!
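A sketch of option 2 above, added here and not taken from SecurityFilter's source: a filter wraps each request so that isUserInRole(), getRemoteUser() and getUserPrincipal() answer from an identity the application's own login code stored in the session. The session key, class names and the assumption that a custom login Action builds AuthenticatedUser from the database roles are all hypothetical.

```java
// File: RoleFilter.java
// Added illustration; every name below is hypothetical.
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Immutable identity the login Action stores after checking the database. */
final class AuthenticatedUser implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    private final Set<String> roles;

    AuthenticatedUser(String name, Set<String> rolesFromDb) {
        this.name = name;
        // Defensive copy: later changes to the caller's set cannot add roles.
        this.roles = Collections.unmodifiableSet(new HashSet<String>(rolesFromDb));
    }

    public String getName() {
        return name;
    }

    boolean hasRole(String role) {
        return roles.contains(role);
    }
}

/** Answers the standard security methods from the session-held identity. */
final class RoleRequest extends HttpServletRequestWrapper {
    private final AuthenticatedUser user; // null when nobody is logged in

    RoleRequest(HttpServletRequest request, AuthenticatedUser user) {
        super(request);
        this.user = user;
    }

    @Override
    public boolean isUserInRole(String role) {
        return user != null && role != null && user.hasRole(role);
    }

    @Override
    public String getRemoteUser() {
        return user == null ? null : user.getName();
    }

    @Override
    public Principal getUserPrincipal() {
        return user;
    }
}

/** Map this filter ahead of the Struts ActionServlet in web.xml. */
public class RoleFilter implements Filter {
    static final String USER_KEY = "example.authenticatedUser";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        HttpSession session = http.getSession(false); // never create a session here
        Object held = (session == null) ? null : session.getAttribute(USER_KEY);
        AuthenticatedUser user =
                (held instanceof AuthenticatedUser) ? (AuthenticatedUser) held : null;
        // Everything downstream, including role checks on action mappings,
        // now sees the wrapped request.
        chain.doFilter(new RoleRequest(http, user), response);
    }
}
```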
Re: Very Troubled in Finding Ways to Pass a Variable to a Class
How does your FindEditorData class get called? It is the responsibility of the caller to tell this class who the user is. I assume that there is an Action mixed in here since the call is made in response to an HTML form being submitted. Have your Action figure out who the user is (request.getRemoteUser()) and then pass that information along to your FindEditorData class.

Don't trust a hidden field to tell you who the user is. You will get hacked.

-Max

----- Original Message -----
From: Caroline Jen [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, December 06, 2003 4:02 PM
Subject: RE: Very Troubled in Finding Ways to Pass a Variable to a Class

It is wonderful to know that there are some ActionForm methods that hold true in the scaffold.ProcessAction's execute() method. It gives the hope that my problem could be resolved.

Via a submit button in my JSP, I try to pass two variables; username and keyName, to my Java class (FindEditorData.java) with the type="org.apache.struts.scaffold.ProcessAction", and this Java class has this method:

    public Object execute() throws Exception { ... }

1. if I use the hidden field technique (see below) inside the JSP <html:form> tag:

    <% String username = request.getRemoteUser(); %>
    <html:hidden property="username" value="<%=username%>"/>
    <html:hidden property="keyName" value="journal_category"/>

How do I retrieve the value of username and keyName in the Java class? Probably due to my lack of knowledge of the ActionForm, I got compilation error cannot resolve symbol: request or cannot resolve symbol: session because FindEditorData.java does not extend HttpServlet and FindEditorData.java does not extend Action.

2. if I want to get 'username' in the Java class instead of passing the 'username' as a hidden field from a submit button in my JSP, how do I do it? String username = request.getRemoteUser(); gives me a compilation error cannot resolve symbol: request.
The action mapping in my struts-config.xml looks like:

    <action roles="editor"
            path="/find/Category"
            type="org.apache.struts.scaffold.ProcessAction"
            parameter="org.apache.artimus.article.FindEditorData"
            name="articleForm"
            scope="request"
            validate="false">
        <forward name="success" path=".article.Result"/>
    </action>

-Caroline

--- Joe Hertz [EMAIL PROTECTED] wrote:

Actually, you haven't illustrated it. You've just stated it. In the ActionForm there are methods like validate() that accept as parameters an ActionMapping and an httpServletRequest, and from the httpServletRequest you can call getSession(). Same holds true in the Action class' execute() method. So what is the problem with your class? Why can't you utilize it from one of these places that you do have access to these things? What exactly is stopping you here? Once you tell us, then you will have illustrated the problem.

-J

-----Original Message-----
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 06, 2003 1:47 PM
To: Struts Users Mailing List
Subject: Re: Very Troubled in Finding Ways to Pass a Variable to a Class

I know how to pass a hidden field. The problem is how to retrieve it in my Java class. I have illustrated that my Java class does not extend HttpServlet or Action. This Java class has a mapping in the struts-config.xml file:

    type="org.apache.struts.scaffold.ProcessAction"
    parameter="org.XYZ.article.FindEditorData"
    name="articleForm"

-Caroline

--- Timo [EMAIL PROTECTED] wrote:

Caroline, The best way I use it to pass parameters to the action class is via a hidden attribute in the form, in your case the articleForm you can define the hidden attribute using

    <input type="hidden" name="hiddenField" value="<%=request.getRemoteUser()%>"/>

Good luck.

----- Original Message -----
From: Caroline Jen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 8:17 PM
Subject: Very Troubled in Finding Ways to Pass a Variable to a Class

I have a class FindEditorData.java.
I want to pass a variable 'username' to this class for some processing. This class is invoked from a JSP:

    <html:form action="/find/Category">
    <html:submit>View Articles</html:submit>

and the value of the 'username' is obtained this way:

    String username = request.getRemoteUser();

Due to my limited knowledge in Struts, I cannot figure out what to do. Let me explain the problem:

1. This class has this method:

    public Object execute() throws Exception { ... }

I do not make this class extends HttpServlet or extends Action. I cannot nest a method inside a doGet/doPost or the
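The advice at the top of this thread (let the Action establish who the user is and hand that to the business class), as an added example that is not code from the thread or from Struts scaffold. EditorDataFinder is a hypothetical stand-in for FindEditorData, and the "editorDataFinder" context attribute and "result" request attribute are assumptions; the "success" forward and the journal_category key come from the posts.

```java
// File: FindCategoryAction.java
// Added illustration; EditorDataFinder and the attribute names are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Business class contract: the caller's identity is an explicit argument. */
interface EditorDataFinder {
    List<?> find(String authenticatedUser, String keyName) throws Exception;
}

public class FindCategoryAction extends Action {

    /** Only keys the application knows about are passed to the data layer. */
    private static final Set<String> ALLOWED_KEYS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("journal_category")));

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {

        // Hidden-field approach, shown only for contrast: anyone can edit the
        // field before submitting and act as another user.
        //   String caller = request.getParameter("username");

        // Identity established by the container (or a security filter).
        String caller = request.getRemoteUser();
        if (caller == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        // A submitted username that disagrees with the session identity is a
        // tampering signal. Log who sent it, not the submitted value itself.
        String claimed = request.getParameter("username");
        if (claimed != null && !claimed.equals(caller)) {
            getServlet().log("username field mismatch for authenticated user "
                    + caller + " from " + request.getRemoteAddr());
        }

        // keyName is not an identity, but it is still client input.
        String keyName = request.getParameter("keyName");
        if (keyName == null || !ALLOWED_KEYS.contains(keyName)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }

        Object held = getServlet().getServletContext().getAttribute("editorDataFinder");
        if (!(held instanceof EditorDataFinder)) {
            throw new IllegalStateException("editorDataFinder is not configured");
        }
        request.setAttribute("result", ((EditorDataFinder) held).find(caller, keyName));
        return mapping.findForward("success");
    }
}
```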
Re: how to disabled submit button from action class
The submit button exists on the client. The Action code executes on the server. Action code cannot reach out and disable a submit button on the client.

However, you can have the Action decide in advance that the page the browser will render has its submit button disabled. Consider an ActionForm with a submitButtonDisabled property. The Action could set it to true, and then the JSP could render the button accordingly. When the browser renders the plain old HTML produced when the server executes the JSP, it will render the button as disabled.

If you want this to work more dynamically, perhaps disabling the button after the user clicks it once, you will need to use something that executes on the client. JavaScript, for instance. Tokens can also be used to handle the "user double-clicked the submit button" problem. Struts has token support built-in. Sometimes, a number of techniques (JavaScript and tokens) need to be combined to produce the exact behavior desired (or as close as you can get to it).

This general topic is discussed quite frequently on this list, so it might be worth searching the mail archive.

-Max

----- Original Message -----
From: hari_s [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 5:26 PM
Subject: how to disabled submit button from action class

Hi all. Is there a way to disable submit button from action? Any examples will be considered. Thank you,
Re: Preserving original request until after login redirect
That one is pretty simple:

- Use a GET request so the programId is part of the URL.
- Store the whole URL, including the query string.
- Redirect back to the URL (including query string) after the login.

The more difficult case is POSTed parameters that don't show up on the query string. All redirects are GETs -- you can't send a redirect that will result in a POST. The ONLY ways you can transparently handle keeping POSTed parameters across a login event is with container-managed security or with a filter. There is no request.setParameter() method, so there is no other way to shove the originally POSTed parameters into a later request.

Harder still is multi-part file uploads! I haven't tested my SecurityFilter project with file uploads, but I suspect that it would fail. I haven't tested container-managed security under the file upload condition either -- for all I know, they might fail, too.

Keeping request parameters across a login event is one of the subtle things that container-managed security (or my filter-based clone, SecurityFilter) does for you. Trying to support this well in a proprietary turns out to be harder than it at first seems (but you can look at SecurityFilter for an example).

-Max
http://www.securityfilter.org/

----- Original Message -----
From: Lukas sterreicher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 9:23 AM
Subject: Preserving original request until after login redirect

Hello

I have recently posted a problem I had and then was told to look at Redirecting after Logon. As far as I have seen (I think I do not have all posts though) this is not a solution for me as it uses predefined structures already hardwired into struts.

My Problem is the following: I have user-defined user bean which is put into the session indicating which user is logged in with that session. Most pages require the user to be logged in, some do not (this is checked for in each Action). Now, for instance I have a page that lists radio programs.
Clicking on one should display the tracks that are contained in a specific program. For this a programId parameter is passed in a form. The program list page is browsable without authentication, but the track list page is not. So when the user is already logged the tracklist will just be displayed, if it is not, the request containing the programId parameter should be saved, then a login should be done - displaying a login page where the user enters username and password and upon login the user is redirected to the track list page.

I can manage the redirection of course, but I do not know how to store and restore the request data properly (in this case, as redirection is done, also the before saved request containing the programId parameter is restored as if the action to which is referred to again was called by a form (but in this case it is redirected to from an Action).

Do you know how to do this?

Thanx in Advance, Lukas
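The three GET steps from the reply above, as an added example that is not SecurityFilter's code: the filter records the URL the container actually received, so the return target never comes from a client-supplied parameter, and the login code re-checks that it is a local path before redirecting. The session keys, /login.do and the default page are hypothetical.

```java
// File: LoginRedirectFilter.java
// Added illustration; session keys and paths are hypothetical.
// Map this filter in web.xml to the URLs that require a login.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginRedirectFilter implements Filter {
    static final String USER_KEY = "user";                 // the user bean in session
    static final String SAVED_URL_KEY = "example.savedUrl";
    static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Path inside the web app, without any ";jsessionid=..." suffix.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        HttpSession session = req.getSession(true);
        if (session.getAttribute(USER_KEY) != null || LOGIN_PATH.equals(path)) {
            chain.doFilter(request, response);
            return;
        }

        if ("GET".equals(req.getMethod())) {
            // Steps 1 and 2: the whole URL, including the query string
            // (for example ?programId=...).
            String target = req.getRequestURI();
            if (req.getQueryString() != null) {
                target = target + "?" + req.getQueryString();
            }
            session.setAttribute(SAVED_URL_KEY, target);
        } else {
            // A redirect cannot replay a POST body, so do not pretend it can.
            session.removeAttribute(SAVED_URL_KEY);
        }
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PATH));
    }

    /**
     * Step 3: called by the login Action after the credentials check succeeds,
     * e.g. response.sendRedirect(response.encodeRedirectURL(
     *          LoginRedirectFilter.takeSavedUrl(request, "/programs.do")));
     * The saved URL is used once and then discarded.
     */
    static String takeSavedUrl(HttpServletRequest req, String defaultPath) {
        HttpSession session = req.getSession(false);
        String saved = null;
        if (session != null) {
            saved = (String) session.getAttribute(SAVED_URL_KEY);
            session.removeAttribute(SAVED_URL_KEY);
        }
        return isLocalPath(saved) ? saved : req.getContextPath() + defaultPath;
    }

    /** Accepts only same-site absolute paths: no scheme, no "//host", no header breaks. */
    static boolean isLocalPath(String url) {
        return url != null
                && url.startsWith("/")
                && !url.startsWith("//")
                && url.indexOf('\\') < 0
                && url.indexOf('\r') < 0
                && url.indexOf('\n') < 0;
    }
}
```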
Re: Redirecting after logon...
Craig Edwards [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

In article [EMAIL PROTECTED], [EMAIL PROTECTED] says...

You could do that... or you could do it the J2EE way, declaratively without any coding, letting container do it that way:

Thanks for the reply Vic. I can see how that would be the way to go if I were starting from scratch. Unfortunately, I am using a framework that has its own repository for users/roles and I don't think I will be able to coerce it into operating within the J2EE Realm/LoginConfig model.

As long as you have users that have passwords, and that might be in zero or more roles, it should be relatively easy to write a realm implementation that would access your custom user information repository. That would allow you to make use of the J2EE container managed security system, which solves your problem about keeping POSTed request parameters across a login event. If there is any way this would work, it seems likely to be the best (least work, most robust, has some positive side effects) way to go.

-Max

PS. It is likely that my mail client sucks (Outlook Express), but your messages show up as Newsgroup postings rather than email messages, which makes them a pain to reply to. Are you cross-posting to a newsgroup or something?
Re: Scriplets Question
Scriptlets let you do anything you want in your JSP. Many kinds of processing don't belong in JSPs. Disallowing scriptlets discourages/prevents writing complex logic in JSPs. That might keep your application architecture more tidy. Or it might just anger your JSP authors. Opinions differ, but I would be pleased to be able to write an app without using scriptlets. Other folks don't feel any motivation to eradicate them.

Assume it proves possible to write all your JSPs without scriptlets. You have team members with two skill sets. The Designers do not know Java, but do know HTML, JSP 2.0 EL, and JSTL. They work on JSPs. Another group, the Developers, knows Java, HTML, JSP 2.0 EL, and JSTL. They work on JSPs occasionally. By blocking scriptlets, you prevent your Developers from writing JSPs that your Designers could not maintain.

-Max

----- Original Message -----
From: Srinivas Kusunam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 17, 2003 2:04 PM
Subject: Scriplets Question

Hi, I have a question on using Scriptlets on JSP page?? Why does JSP-2.0 specification give an option to disable scriptlets in JSP?? What is the problem of putting Scriptlets in JSP... what benefits are we getting using some standard \ custom Tags instead?

Thanks, Srini

Srinivas Kusunam
Sr. Software Engineer
US Department of Agriculture
Missouri, USA.
Re: Rephrased: MysqlDataSource problem?
1. Here is at least one problem, fix this first: java.lang.ClassNotFoundException: pu.strutsapp.actionform.LogonForm Perhaps the package structure does not match the structure in WEB-INF/classes? 2. You need the other jars that come with Struts in your WEB-INF/lib directory. 3. There are some HTML errors here: th align=rightUsername:/th th align=rightPassword:/th -Max - Original Message - From: todd thorner [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 11, 2003 7:52 PM Subject: Rephrased: MysqlDataSource problem? ...because my webapp only started punking out once I tried to add my first data-source element, I've rephrased this post (even though I'm not sure that it's the data source where I'm going wrong). -- - Original Message - DATE: Mon, 10 Nov 2003 05:29:59 From: todd thorner [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Hi, I'm having some (newbie) problems with my Struts-based webapp running on Tomcat 4.1.x Something is going wrong when I try to access the first jsp page that has a form. One thing I have tried to add recently to my webapp's functionality is a data-source (I had been using straight JDBC), so I'm wondering if someone could clarify to me if that's where I'm making a mistake (I'm especially concerned about the url parameters I'm trying to use). The following are the relevant stack trace and/or log files that I could find: - Nov 10, 2003 4:22:57 AM org.apache.struts.util.RequestUtils createActionForm SEVERE: Error creating form bean of class pu.strutsapp.actionform.LogonForm java.lang.ClassNotFoundException: pu.strutsapp.actionform.LogonForm at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.jav a:1444) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.jav a:1289) at org.apache.struts.util.RequestUtils.applicationClass(RequestUtils.java:207) ...etc. 
at java.lang.Thread.run(Thread.java:534) Nov 10, 2003 4:22:57 AM org.apache.jk.server.JkCoyoteHandler action INFO: RESET 2003-11-10 04:22:57 ApplicationDispatcher[/porturla] Servlet.service() for servlet jsp threw exception org.apache.jasper.JasperException: Exception creating bean of class pu.strutsapp.actionform.LogonForm: {1} at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 54) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295) ...etc. - Root Cause - javax.servlet.ServletException: Exception creating bean of class pu.strutsapp.actionform.LogonForm: {1} at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImp l.java:533) 2003-11-10 04:22:57 ApplicationDispatcher[/porturla] Servlet.service() for servlet action threw exception org.apache.jasper.JasperException: Exception creating bean of class pu.strutsapp.actionform.LogonForm: {1} at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 54) at java.lang.Thread.run(Thread.java:534) ...etc. 
- Root Cause - javax.servlet.ServletException: Exception creating bean of class pu.strutsapp.actionform.LogonForm: {1} at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImp l.java:533) at org.apache.jsp.Logon_jsp._jspService(Logon_jsp.java:90) - The Logon jsp page that tries to create the LogonForm bean looks like this (the relevant parts): html:form action=/LogonSubmit_FromMainPage focus=emailAddress table border=0 width=100% tr th align=rightUsername:/th td align=lefthtml:text property=emailAddress size=50//td /tr tr th align=rightPassword:/th td align=lefthtml:password property=password size=50//td /tr tr td align=righthtml:submit//td td align=lefthtml:reset//td /tr /table /html:form - My webapp's web.xml file looks like this (the relevant parts): resource-ref description Resource reference to a com.mysql.jdbc.jdbc2.optional.MysqlDataSource instance that may be used for data access for the porturla domain, preconfigured to connect to the appropriate MySql server. /description res-ref-name jdbc/porturla /res-ref-name res-type com.mysql.jdbc.jdbc2.optional.MysqlDataSource /res-type res-auth Container /res-auth /resource-ref resource-ref description Resource reference to a factory for javax.mail.Session instances that may be used for sending electronic mail messages, preconfigured to connect to the appropriate SMTP server. /description res-ref-name mail/Session /res-ref-name res-type javax.mail.Session /res-type res-auth Container /res-auth /resource-ref - My struts-config.xml file looks like this (the relevant parts):
Re: Servlet filter and Struts
That approach breaks the page-level addressability advantage that building web apps generally affords, however. The breakage is that the user won't be sent back to the page they requested after they login. Container-managed security offers robust and time-tested security for your Actions/pages, and also redirects users back to the page they wanted after they login.

Everyone that is considering rolling their own security system would do well to investigate the J2EE standard first. The Servlet spec has all the details, but it might be better to find a tutorial-style introduction. It really isn't very complicated. In most cases, it provides all the functionality you need and want, and is generally both more secure and easier to implement than a custom solution. Using the standard system also allows you to make use of security features in the Struts framework and other libraries, too.

There are a few things that I found lacking in container-managed security, so I wrote a filter-based clone of it with a few enhancements. You can find it here: http://www.securityfilter.org/. The main enhancement is that a default page can be specified as the place to send users to if they spontaneously login. This allows users to bookmark the login page, and/or allows app developers to put a login form on every page in the site. It also moves the realm configuration details into the web app, rather than requiring realm configuration at the server level. There are more exciting features, such as persistent logins, coming in a future release.
-Max

----- Original Message -----
From: David Liles [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 4:14 AM
Subject: RE: Servlet filter and Struts

If you're looking for a simple solution I've used the following snippet of code:

    <% if(session.getAttribute("valid") == null) { %>
    <script language="JavaScript">
    document.location=('/Logon.do');
    </script>
    <% } %>

I place it in a JSP and then use a jsp include tag in each of the jsp pages I want secure. This prevents users from bookmarking a page in the site and by-passing the logon the next time

-----Original Message-----
From: Steffen Gransow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 4:10 AM
To: 'Struts Users Mailing List'
Subject: RE: Servlet filter and Struts

But that would be somewhat of an overkill, if all I need is securing some pages/actions, wouldn't it? I now have a simple servlet filter that redirects to login page if a simple object isn't to be found in session. User passwords (that is, hashes) will later be retrieved from a database. Is this approach wrong or not secure enough? The application I'm developing only has users, that do all have the same rights. So I don't need roles at all I think.

A little OT question: What about securing the connection from clients to server? How is Struts ssl-ext involved in this? I don't know what it can do. Is it not enough to let clients access the webapp using https? Is it an added layer of security?

I admit to be new to developing larger web applications (especially struts) and therefore I do not know too much about role-based or whatever security mechanisms. So please be gentle with my questions. :)=

Regards, Steffen

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Vic Cekvenich
Sent: Monday, November 10, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Servlet filter and Struts
Importance: High

This is the standard way to do what you want...
in web-xml only, using J2EE for container (such as tomcat JDBC realms) for security, a best practice. Once you know this part of JAAS, then you can extend, to put more things about the user in session, and track that in you actions.

    <!-- guest -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/do/admin/*</url-pattern>
        <url-pattern>/do/what/*</url-pattern>
        <url-pattern>/do/not/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>VALID</role-name>
        <role-name>ENHANCED</role-name>
        <role-name>GUEST</role-name>
        <role-name>EXPIRED</role-name>
        <role-name>ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginBad.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
      <role-name>GUEST</role-name>
    </security-role>
    <security-role>
      <role-name>VALID</role-name>
    </security-role>
    <security-role>
      <role-name>ENHANCED</role-name>
    </security-role>
    <security-role>
      <role-name>EXPIRED</role-name>
    </security-role>
    <security-role>
      <role-name>ADMIN</role-name>
    </security-role>
    </web-app>

Steffen Gransow wrote:

Sorry, wrong mailing list I guess. :\ But what I would like to know is: If I do forward to a specific page in
Re: STRUTS - Image/Img tags
The answer is yes, but not in the way you are thinking. You cannot send a stream of HTML and image data together and expect the browser to display it. You can send a stream of HTML data with references to image data (IMG tags) and the browser will make a separate request for each of the images. So, you need to develop an Action that can serve your image data from the database back to the browser. And then create IMG tags in your HTML files where the SRC attribute requests the right images.

For instance, if you implemented a showImage.do action that takes a resourceId parameter, you can write out IMG tags like this in your HTML:

    <img src="/contextPath/showImage.do?resourceId=2258" alt="">

The html:img tag offers some help:

    <html:img page="/showImage.do?resourceId=2258" alt=""/>

(There might be some support to write out the resourceId part with attributes like this: id=resourceId name=beanWithResourceIdProperty property=resourceIdProperty, but you can look that up in the docs for html:img -- I don't remember if that works or not.)

And then implement an action to serve the images. This discussion comes up on this list periodically, and the archive for this mailing list has enough code and information to understand the issues (caching is one -- Craig McClanahan had a really good reply about this to one of my messages in the past month or two) and implement a good solution.

-Max

----- Original Message -----
From: Todor Sergueev Petkov [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:15 AM
Subject: STRUTS - Image/Img tags

Hello everybody, is there a way to use struts Image or Img tags to display thumbnails ( pictures - gif or tiff or jpeg ) on a page from a Stream and not from file. The idea is to pick the picts up directly from a database and display them together with text on the same page?
Thanks, Todor
Re: [OT] Security Folter
I haven't tried it myself, but I did get a bug report from someone trying to do that. The bug was fixed, so I think it is working now. SecurityFilter doesn't come with any realm implementations(*), but you can use the CatalinaRealmAdapter to wrap a realm from Tomcat that will do password encryption for you.

-Max

(*) It does come with a trivial realm for the example app, a SimpleRealmBase class that can be extended if you want to write your own simple realm and not have to deal with Principal objects, and it comes with the CatalinaRealmAdapter, which allows you to use any of the realm implementations that come with Tomcat.

On Wed, 2003-11-05 at 23:12, Mike Duffy wrote:

Does anyone know if SecurityFilter supports encrypted passwords for a DB realm, or must passwords be stored in plain text? http://securityfilter.sourceforge.net/

Thanks! Mike

--
Max Cooper [EMAIL PROTECTED]
Re: Nested tags : Desperately trying to get recursion to work
I don't know anything about the nested tags, but it seems very unlikely that this code, as a complete JSP, could work: %@ taglib uri=/WEB-INF/tld/struts-nested.tld prefix=nested % nested:root nested:write property=objName / /nested:root What bean is objName a property of? This seems to correspond with the error message you are getting since the error message does not have a name of the bean it was looking for. -Max - Original Message - From: Jyothi Panduranga [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 6:31 PM Subject: Nested tags : Desperately trying to get recursion to work Hi, I am very new to nested tags and I am trying to display a tree using nested tags. I followed Arron's MonkeyTree example. I have been getting 'javax.servlet.ServletException: Cannot find bean in any scope' exception (I have pasted exception trace at the end of this email) . I cannot seem to understand why it's not able to find the bean. Following is my main jsp files and struts-config.xml .. I was able to run Arron's MonkeyTree example successfully. MonkeyTreeBean class populates 'monkeyTree' (TreeNode) in it's construtor. My Form bean does not populate the tree in construtor. Instead it populates the tree in the action class and then forwards to the Tree.jsp. Can somebody suggest a pointer on how to solve this problem? Thanks in advance, Jyothi Tree.jsp PS: It has a base jsp page which inserts nested:form template:put name=contents nested:write name=deviceObjectsOMADMTreeForm property=treeName / hr nested:nest property=omaDmTree jsp:include page=omadmNode.jsp / /nested:nest /template:put omadmNode.jsp [EMAIL PROTECTED] contentType=text/html% %@ taglib uri=/WEB-INF/tld/struts-nested.tld prefix=nested % nested:root nested:write property=objName / /nested:root struts-config.xml form-bean name=deviceObjectsOMADMTreeForm type=com.openwave.opm.ui.configuration.deviceobjects.TreeForm/ . . . 
action path=/configuration.deviceObjects.omadmTree type=com.openwave.opm.ui.configuration.deviceobjects.HSParamAction name=deviceObjectsOMADMTreeForm parameter=action scope=session validate=false forward name=omadmList path=/scripts/configuration/deviceobjects/omadmList.jsp/ /action Exception javax.servlet.ServletException: Cannot find bean in any scope at org.apache.jasper.runtime.PageContextImpl.handlePageException(Unknown Source) at org.apache.jsp.omadmNode$jsp._jspService(omadmNode$jsp.java:370) at org.apache.jasper.runtime.HttpJspBase.service(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(Unknown Source) at org.apache.jasper.servlet.JspServlet.serviceJspFile(Unknown Source) at org.apache.jasper.servlet.JspServlet.service(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationDispatcher.invoke(Unknown Source) at org.apache.catalina.core.ApplicationDispatcher.doInclude(Unknown Source) at org.apache.catalina.core.ApplicationDispatcher.include(Unknown Source) at org.apache.jasper.runtime.JspRuntimeLibrary.include(Unknown Source) at org.apache.jsp.omadmList$jsp._jspService(omadmList$jsp.java:498) at org.apache.jasper.runtime.HttpJspBase.service(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(Unknown Source) at org.apache.jasper.servlet.JspServlet.serviceJspFile(Unknown Source) at org.apache.jasper.servlet.JspServlet.service(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationDispatcher.invoke(Unknown Source) at org.apache.catalina.core.ApplicationDispatcher.doForward(Unknown Source) at org.apache.catalina.core.ApplicationDispatcher.forward(Unknown Source) at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:10 69) at 
com.openwave.cdp.ui.CdpRequestProcessor.doForward(CdpRequestProcessor.java:7 6) at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProces sor.java:455) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279) at com.openwave.cdp.ui.CdpRequestProcessor.process(CdpRequestProcessor.java:85) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source) at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source) at
Re: specifying image source as jpg stream
You may want to write a separate servlet to serve the image data. That allows you to implement getLastModified() and allow proper browser-caching support, which can significantly increase the speed of your pages if the user is likely to view the images more than once. We did this with an Action first and since we had caching turned off, it reloaded the images every time. Switching to a separate servlet where we implemented getLastModified() was perceptibly faster.

Perhaps Struts should allow Action-implementers to implement some kind of getLastModified() method for this reason. Or at least to turn caching on and off at the Action (or action-mapping) level. getLastModified() is really useful if you have the image data (or document data, etc.) stored in a db.

-Max

----- Original Message -----
From: Craig R. McClanahan [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, October 27, 2003 9:17 AM
Subject: Re: specifying image source as jpg stream

Kris Schneider wrote:

Create an Action whose execute method writes the image data directly to the response's output stream and then returns null (you could also use a servlet or filter).

Don't forget that, in HTML images are retrieved (by the client) in *separate* requests. You can't intermix the text/html output of your JSP page and the image/jpg binary content of the image on a single response. What you'd want to do, then is create an Action (as described above) that writes the image data directly, and then arrange that your html:img tag references this Action's URL.

Craig

Quoting Yoganarasimha G [EMAIL PROTECTED]:

Hi all

I'm developing a webpage which uses xml to display organization chart. I'm using SVG to display the chart in IE. If the user doesn't have SVG viewer I'm converting SVG to JPG using BATIK. At present I'm creating a image file in a temp folder and then displaying, but i want to avoid this and directly give image stream as the source for html:img tag.
Can anyone help me how to do this using struts??? regards Yoga - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: going straight to a jsp
The recommendation is simply to have Actions handle all of your app's requests, rather than sending users to bare (no Action in front) JSPs. That means that the user's browser should never have a URL that ends in .jsp. Some of your Actions may be pretty thin in that all they do is forward to the JSP that backs them, but making sure to send them through an Action first has a few advantages.

One is that many apps require some processing that you can't do without going through an Action first. It could be simply having Struts check that the user has a required role, or there might be some application-specific processing in a RequestProcessor or an ActionBase class that is specific to your app.

Another advantage is that if you later decide that you need to do some processing in the controller for a particular request, you don't have to change the URL of that request (requiring changes to pages that link to that request, and breaking any bookmarks users may have for it). You can just add the new processing to the existing Action, or even create a new Action and change the mapping to use the new Action (which still doesn't change the URL).

Using forwards with redirect=true is fine, as long as you aren't redirecting them directly to a jsp. <forward path="/someOtherAction.do" redirect="true"/> does not violate the recommendation. In fact, I think it is a good practice to use redirects in some instances, so that the url in the browser's address bar matches the content the user is seeing (it also solves some resubmit-on-back-button issues). I often use a POST followed by a redirect for forms that change the contents of the db -- like when someone submits a change to an 'item' on an 'edit item' page and then you send them back to a 'list of items' page. Since they end up at the 'list of items' page, using a redirect allows you to process the 'edit item' submit and then redirect them back to the 'list of items' URL.

-Max

- Original Message -
From: Simon Matic Langford [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:08 AM
Subject: going straight to a jsp

Hi, I've been using struts for a couple of months now, and have been working on the assumption that it is a bad thing to allow users to go directly to jsp's. So I have ensured that I don't use redirect=true on forwards from an Action. Is this considered best practice for Struts? And are there any concrete reasons for or against this practice?

Thanks
Simon
Re: redirection - please help
You can use HttpServletResponse.sendRedirect(): http://tinyurl.com/sdgg

Or, and I'm not sure if this works or not, you could have a forward in your action mapping like this:

<forward path="http://othersite.com/" redirect="true"/>

-Max

- Original Message -
From: ajay brar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 6:39 AM
Subject: redirection - please help

hi! is it possible for me to redirect users to an external site from inside an action class. ie, say a user clicks /foo, this calls FooAction which does some initial processing. I now want to redirect the user to some other site. how can i do that? do i write the link out into the response stream?

thanks
cheers
Ajay
Re: Multiple error pages from validate method
The input page is specified in the action mapping. Use separate action mappings for each input page (add.jsp and edit.jsp). You can use the same Action class for both.

-Max

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:15 PM
Subject: Multiple error pages from validate method

Hello, I am using one ActionForm bean for multiple pages.. say for add.jsp and edit.jsp. But when I validate and I get an error I want the user to go to different error pages instead of one just specified in struts-config file as input parameter? Can somebody help??
Re: element type null
That seems like some kind of XML parsing error. I validated your web.xml and it passed (no errors). Perhaps there is an XML error in your struts-config.xml?

The element type null thing makes me think there is a lone '<' in the file somewhere with a space after it. The parser would read the '<' and if a space followed, it might think that is an element with a null name.

-Max

- Original Message -
From: ajay brar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 20, 2003 5:18 PM
Subject: element type null

hi! i am getting the following error, when i try to deploy my application

Element type null must be followed by either attribute specification or /

could anyone help please. my web.xml looks like this

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <!-- Action Servlet Configuration -->
      <servlet>
        <servlet-name>view</servlet-name>
        <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
        <init-param>
          <param-name>config</param-name>
          <param-value>/WEB-INF/struts-config.xml</param-value>
        </init-param>
        <init-param>
          <param-name>debug</param-name>
          <param-value>3</param-value>
        </init-param>
        <init-param>
          <param-name>detail</param-name>
          <param-value>3</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>action</servlet-name>
        <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
        <init-param>
          <param-name>config</param-name>
          <param-value>/WEB-INF/struts-config.xml</param-value>
        </init-param>
        <init-param>
          <param-name>debug</param-name>
          <param-value>3</param-value>
        </init-param>
        <init-param>
          <param-name>detail</param-name>
          <param-value>3</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
      </servlet>
      <!-- Action Servlet Mapping -->
      <servlet-mapping>
        <servlet-name>view</servlet-name>
        <url-pattern>*.view</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>action</servlet-name>
        <url-pattern>*.do</url-pattern>
      </servlet-mapping>
      <!-- Struts Tag Library Descriptors -->
      <taglib>
        <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
        <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
        <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
        <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>/WEB-INF/struts-tiles.tld</taglib-uri>
        <taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
      </taglib>
    </web-app>

thanks
cheers
Ajay
Re: Application hangup??
It might be deadlock of a dining philosophers nature.

Consider a request that takes 2 simultaneous database connections to process. You have a db connection pool with 5 connections in it. If 5 of these 2-connection-requiring requests come in at once, each request-handler thread might grab one connection from the pool. And then wait forever for another connection to become available. Your application has dead-locked. We ran into this problem on a project that I worked on.

Possible solutions:

1. If you have any db connection leaks, fix them. Draining the db connection pool with a leak will quickly leave you with no connections and hung requests.

2. Configure your db connection pool to grow above the size limit when it needs to. In the example above, the pool would grow to 10 connections (even if the limit is 5) to handle the requests. The extra connections would be closed when they are returned to the pool, shrinking the pool size back down to 5 connections.

3. Limit your HTTP requests to requiring only one db connection at a time. This allows you to use a db connection pool with a fixed size-limit without risking deadlock. You can code your app carefully so as to never need more than one simultaneous connection when servicing a request, but that can be very tricky to do in some cases. Another option is to create some mechanism that will store a reference to any existing db connection being used by a thread with the thread itself so that one thread can never use more than one db connection at a time. At the end of the request, you can ensure that the connection associated with a thread (if any) is released back to the pool (a Filter works great for this).

Here's some pseudo-code to illustrate:

    Connection getConnection() {
        connection = get connection from thread
        if (connection is null) {
            connection = get connection from pool
            store reference to connection in thread
            set connection-user reference count in thread to 1
        } else {
            increment connection-user reference count in thread
        }
        return connection
    }

    void releaseConnection() {
        decrement connection-user reference count in thread
        connection-users = get connection-user reference count from thread
        if (connection-users is zero) {
            return connection to pool
        }
    }

To make this work more nicely with other components, you could create your own DataSource and use a dynamic proxy class to wrap the connection objects so that the releaseConnection()-style processing would occur when the client calls .close() on the connection. You may also want to have a servlet filter class release any connections held by a thread when the HTTP request processing is finished. This would ensure that db connection leaks don't exhaust your supply of database connections, although obviously it would be ideal to code everything perfectly so there are no leaks.

QUESTION: Does anyone know of any DataSource implementations that do this kind of one-connection-per-thread processing? It could be implemented generically to wrap another DataSource and use dynamic proxy wrappers on the connection objects. This is a very real problem for web apps, and it would be nice to have a standard solution. My project team ran into this problem and wrote our own (proprietary) solution like I have outlined here, but if someone knows of some open-source library that does this kind of processing, it would be great if they would post it.

4. Configure your db connection pool to fail when there aren't enough connections to hand out. In this case, all 5 of those HTTP requests would fail when they try to get another connection. Having logic that would wait and then try to get a connection again would still leave your app vulnerable to deadlock, since no more db connections would ever become available, so it is best to have the HTTP request fail when this occurs (and release whatever connections they were holding). However, this option may be unacceptable since the reason for the HTTP request to fail will be mysterious to your users.

-Max

-Original Message-
From: Nino Garbin [mailto:[EMAIL PROTECTED]
Sent: Monday, 20 October 2003 13:32
To: [EMAIL PROTECTED]
Subject: Application hangup??

dear pros, i have an annoying problem with an application using the actual struts on tomcat 4.1.27 getting data from a mysql-db. my application works fine doing several requests to call some actions. the application is framed (navigation, content), each frame calls his own action. at no special point, the application hangs up while calling an action, that was called and worked fine before. a look on the heapsize doesn't show any suspicious changes. the hangup doesn't seem to depend on the heapsize. the webserver is still ok at this moment, other applications still work fine. only if i call an action of the current application, the constructor of this action is called and after this nothing seems to happen. no error message in any logfile, nothing. only a
Re: Application hangup??
I forgot to list one of the easy solutions:

- If you know that your worst offender request takes 3 simultaneous db connections, and that you have 15 request handler threads, set the max size of your db connection pool to 3x15 = 45 connections.

-Max

- Original Message -
From: Max Cooper [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 1:35 AM
Subject: Re: Application hangup??

It might be deadlock of a dining philosophers nature.

Consider a request that takes 2 simultaneous database connections to process. You have a db connection pool with 5 connections in it. If 5 of these 2-connection-requiring requests come in at once, each request-handler thread might grab one connection from the pool. And then wait forever for another connection to become available. Your application has dead-locked. We ran into this problem on a project that I worked on.

Possible solutions:

1. If you have any db connection leaks, fix them. Draining the db connection pool with a leak will quickly leave you with no connections and hung requests.

2. Configure your db connection pool to grow above the size limit when it needs to. In the example above, the pool would grow to 10 connections (even if the limit is 5) to handle the requests. The extra connections would be closed when they are returned to the pool, shrinking the pool size back down to 5 connections.

3. Limit your HTTP requests to requiring only one db connection at a time. This allows you to use a db connection pool with a fixed size-limit without risking deadlock. You can code your app carefully so as to never need more than one simultaneous connection when servicing a request, but that can be very tricky to do in some cases. Another option is to create some mechanism that will store a reference to any existing db connection being used by a thread with the thread itself so that one thread can never use more than one db connection at a time. At the end of the request, you can ensure that the connection associated with a thread (if any) is released back to the pool (a Filter works great for this).

Here's some pseudo-code to illustrate:

    Connection getConnection() {
        connection = get connection from thread
        if (connection is null) {
            connection = get connection from pool
            store reference to connection in thread
            set connection-user reference count in thread to 1
        } else {
            increment connection-user reference count in thread
        }
        return connection
    }

    void releaseConnection() {
        decrement connection-user reference count in thread
        connection-users = get connection-user reference count from thread
        if (connection-users is zero) {
            return connection to pool
        }
    }

To make this work more nicely with other components, you could create your own DataSource and use a dynamic proxy class to wrap the connection objects so that the releaseConnection()-style processing would occur when the client calls .close() on the connection. You may also want to have a servlet filter class release any connections held by a thread when the HTTP request processing is finished. This would ensure that db connection leaks don't exhaust your supply of database connections, although obviously it would be ideal to code everything perfectly so there are no leaks.

QUESTION: Does anyone know of any DataSource implementations that do this kind of one-connection-per-thread processing? It could be implemented generically to wrap another DataSource and use dynamic proxy wrappers on the connection objects. This is a very real problem for web apps, and it would be nice to have a standard solution. My project team ran into this problem and wrote our own (proprietary) solution like I have outlined here, but if someone knows of some open-source library that does this kind of processing, it would be great if they would post it.

4. Configure your db connection pool to fail when there aren't enough connections to hand out. In this case, all 5 of those HTTP requests would fail when they try to get another connection. Having logic that would wait and then try to get a connection again would still leave your app vulnerable to deadlock, since no more db connections would ever become available, so it is best to have the HTTP request fail when this occurs (and release whatever connections they were holding). However, this option may be unacceptable since the reason for the HTTP request to fail will be mysterious to your users.

-Max

-Original Message-
From: Nino Garbin [mailto:[EMAIL PROTECTED]
Sent: Monday, 20 October 2003 13:32
To: [EMAIL PROTECTED]
Subject: Application hangup??

dear pros, i have an annoying problem with an application using the actual struts on tomcat 4.1.27 getting data from a mysql-db. my application works fine doing several requests to call some actions. the application is framed (navigation, content
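The one-connection-per-thread idea from solution 3 in the two "Application hangup??" messages above, written out as an added Java example; it is not code from either post or from any library they mention. The class name ThreadBoundConnections, the releaseAll() method and the semaphore-backed fakePool() stand-in are assumptions made for the illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import javax.sql.DataSource;
/** Added example: at most one pooled connection per thread, reference-counted. */
public final class ThreadBoundConnections {
    private static final class Holder { Connection physical; int users; }  // per-thread state
    private final DataSource pool;
    private final ThreadLocal<Holder> perThread = ThreadLocal.withInitial(Holder::new);

    public ThreadBoundConnections(DataSource pool) { this.pool = pool; }

    /** Reuse this thread's connection if it has one; otherwise borrow from the pool. */
    public Connection getConnection() throws SQLException {
        Holder h = perThread.get();
        if (h.physical == null) h.physical = pool.getConnection();
        h.users++;
        return newHandle(h);
    }

    /** Each caller gets its own handle; close() on it only decrements the count. */
    private static Connection newHandle(Holder h) {
        boolean[] closed = {false};
        InvocationHandler handler = (proxy, method, args) -> {
            String name = method.getName();
            if (method.getDeclaringClass() == Object.class) {        // identity semantics
                if (name.equals("equals")) return proxy == args[0];
                if (name.equals("hashCode")) return System.identityHashCode(proxy);
                return "ThreadBoundHandle(closed=" + closed[0] + ")";
            }
            if (name.equals("close")) {
                if (!closed[0]) { closed[0] = true; release(h); }    // double close is a no-op
                return null;
            }
            if (closed[0] || h.physical == null) {
                if (name.equals("isClosed")) return true;
                throw new SQLException("connection handle is closed");
            }
            try {
                return method.invoke(h.physical, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();                                  // surface the driver's exception
            }
        };
        return (Connection) Proxy.newProxyInstance(
                ThreadBoundConnections.class.getClassLoader(), new Class<?>[] {Connection.class}, handler);
    }

    private static void release(Holder h) throws SQLException {
        if (h.physical != null && --h.users == 0) {                  // last user on this thread
            Connection c = h.physical;
            h.physical = null;
            c.close();                                               // back to the pool
        }
    }

    /** Call from a servlet Filter's finally block: returns true if a leak was reclaimed. */
    public boolean releaseAll() throws SQLException {
        Holder h = perThread.get();
        perThread.remove();
        if (h.physical == null) return false;
        Connection leaked = h.physical;
        h.physical = null;                                           // outstanding handles now report closed
        leaked.close();
        return true;
    }

    /** Constructed stand-in for a fixed-size pool: one permit per connection. */
    static DataSource fakePool(Semaphore permits) {
        ClassLoader cl = ThreadBoundConnections.class.getClassLoader();
        InvocationHandler conn = (p, m, a) -> {
            if (m.getName().equals("close")) { permits.release(); return null; }
            throw new UnsupportedOperationException(m.getName());
        };
        InvocationHandler ds = (p, m, a) -> {
            if (!m.getName().equals("getConnection")) throw new UnsupportedOperationException(m.getName());
            if (!permits.tryAcquire(200, TimeUnit.MILLISECONDS)) throw new SQLException("pool exhausted");
            return Proxy.newProxyInstance(cl, new Class<?>[] {Connection.class}, conn);
        };
        return (DataSource) Proxy.newProxyInstance(cl, new Class<?>[] {DataSource.class}, ds);
    }

    public static void main(String[] args) throws Exception {
        Semaphore permits = new Semaphore(1);            // constructed pool of exactly one connection
        ThreadBoundConnections db = new ThreadBoundConnections(fakePool(permits));
        Connection outer = db.getConnection();
        Connection inner = db.getConnection();           // nested use on the same thread: no second borrow
        inner.close();                                   // count 2 -> 1, nothing returned yet
        System.out.println("free while outer is open: " + permits.availablePermits());
        outer.close();                                   // count 1 -> 0, physical connection returned
        System.out.println("free after outer.close(): " + permits.availablePermits());
        db.getConnection();                              // deliberately never closed (a leak)
        System.out.println("reclaimed at end of request: " + db.releaseAll()
                + ", free: " + permits.availablePermits());
    }
}
```

Because the stand-in pool fails after 200 ms instead of blocking forever, it also behaves like solution 4: against the raw pool, the nested getConnection() in main would end in "pool exhausted" rather than a hung request.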
Re: Trimming the extra spaces in the output page
First, I understand your motivation -- HTML file size can be a big performance problem for many apps. We did some analysis on a project that I was on and it turned out the server was quite fast, but that HTML file transfer time and then browser rendering time were the major factors in actual performance. I would have never guessed that, but it was clearly the case after our analysis.

In terms of a solution for this problem, I suggest not doing this at run time, but rather do it at build time. You want to keep spaces in the file for maintainability during development, but it would be nice to strip them out during the build. This would avoid adding any runtime overhead. You should be able to do this easily at build time (using Ant). This is one good reason to have your build copy the web files to a new location during the build. If you are already doing that, it should be easy to strip the whitespace out using an Ant filter.

Be careful what you strip out.

- Getting rid of line breaks will change the appearance of your HTML files. A line break is considered white space. If you get rid of them, you will likely have instances where some whitespace becomes no whitespace. That will mess up your pages. I wouldn't strip these. You could replace the line breaks with a single space to maintain the appearance, but there seems to be no point in doing that since you won't actually be reducing the file size. No line breaks would make the resulting HTML files very hard to read (for debugging, etc.). Keep the line breaks.

- Don't remove all the spaces. You want to eliminate extra whitespace, but not all whitespace entirely (since whitespace matters in HTML). You just want to shrink consecutive runs of whitespace down to one whitespace character, so as to preserve the appearance of the pages. I haven't looked at what comes with Ant that might be good for doing this, but it seems like there should be some kind of filter that should help.

Here's an example: For instance, you don't want to turn this:

    <table>
      <tr><td>
        Hello world!
      </td></tr>
    </table>

Into this (which won't look the same):

    <table><tr><td>Helloworld!</td></tr></table>

Or this (which also won't look the same):

    <table><tr><td>Hello world!</td></tr></table>

But rather it would be best to turn it into this (which is as small as you can make it without requiring too much smarts in the filter):

    <table>
    <tr><td>
    Hello world!
    </td></tr>
    </table>

-Max

- Original Message -
From: EL AKARI Mehdi [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, October 20, 2003 10:33 AM
Subject: Trimming the extra spaces in the output page

Hi, I'm trying to optimise the size of the output pages of a struts application. The first thing that I'm trying to do is to trim the extra spaces and carriage returns in the output page. Do you have any ideas of how to do this? If you have any suggestions of how to optimise the page output they are welcome!

Thanks
Mehdi
Re: Compilation Problem. Help!
2. Putting struts.jar in that location seems like a very bad idea to me. Whenever possible, put the jars for your application in your application's WEB-INF/lib dir. You can almost always do this, and it makes your app more of a self-contained unit. Having dependencies on non-standard libraries (like struts.jar) in the server's classpath is something to avoid. Keeping your app and dependent libraries together in one place generally makes your app much easier to build and much easier to deploy.

3. The process you are using to compile your class does not have commons-scaffold.jar in the classpath. If you are using Ant, make sure that you have setup the classpath to include all the libraries your code depends on. If you are using an IDE-specific build process (not recommended, especially if you are working in a team environment), make sure you have specified the classpath for your project.

-Max

- Original Message -
From: Caroline Jen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 9:39 PM
Subject: Compilation Problem. Help!

I have all the required jar files in the MyApp/WEB-INF/lib directory. Please help me in identifying the problems with compilation:

1. For example, I have the commons-scaffold.jar in my $TOMCAT_HOME/webapps/MyApp/WEB-INF/lib folder.

2. I have the struts.jar in the j2sdk1.4.1_02/jre/lib/ext folder

3. in my java class, I import

    org.apache.commons.scaffold.text.ConvertUtils;
    import org.apache.commons.scaffold.util.ProcessBeanBase;
    import org.apache.commons.scaffold.lang.Tokens;

But, I get compilation error:

    package org.apache.commons.scaffold.text does not exist
    package org.apache.commons.scaffold.util does not exist
    package org.apache.commons.scaffold.lang does not exist
Re: Struts and Links
The forward is a forward, not necessarily a request that Struts will know how to handle when it comes in from the outside (which is what will happen with a link). With the JSP residing in the WEB-INF subtree, it could not be served directly anyway.

You probably want to setup a doGetCostCenter action mapping, and use that for your link instead. Inside that action mapping, you'll want a forward to the /WEB-INF/pages/getcostcenter.jsp page.

OPTIONAL: If you want to be able to have other actions forward to the doGetCostCenter action, you could setup a global forward that forwards to a /doGetCostCenter.do path, which will send the request first through the action and then the doGetCostCenter action will forward to the JSP. You might want to make that a redirect forward (by setting redirect=true in the global forward) so that the URL in the user's browser window will match the page they see.

-Max

- Original Message -
From: Bryce Fischer [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 6:54 PM
Subject: Struts and Links

I'm crossposting this into the Struts group, as this question may have to do with me not understanding how to access a Global Forward inside an <a> tag. Specifically, this deals with DisplayTag. I don't know if I can use the html:link tag there.

I'm trying to create a link in my tag that will call a global forward. I'm using a decorator to create the link.

My Global Forward looks like this:

    <forward name="doGetCostCenter" path="/WEB-INF/pages/getcostcenter.jsp"/>

Currently, my link looks like this:

    <a href="doGetCostCenter?id=610380&action=edit">Edit</a>

I've tried it:

    doGetCostCenter.do
    full path to app\doGetCostCenter (with and without the .do)

I see in the FAQ, it mentions using requestURI in the display:table tag. Does this affect how I would create my value in the Decorator class?

Thanks
--
Bryce Fischer [EMAIL PROTECTED]
Re: requested url within the j_security_check call?
It could be that there is a broken image reference or something (stylesheet, etc.) in the login error page that is requesting a protected resource. That request may reset the URL that the container is holding onto to send the user to, so that they get sent to the wrong place when their login succeeds. If requesting that bad image would send you to the main home page if you were logged in, that might be your problem.

The Page Info feature on Netscape or Mozilla is a useful tool for finding bad image references. Scan the list of images for a bad URL.

If your login and error pages are good, you shouldn't have to do anything to send the user where they were going. The container does that for you.

-Max

- Original Message -
From: Adam Hardy [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, October 13, 2003 1:39 PM
Subject: Re: requested url within the j_security_check call?

On 10/13/2003 10:04 PM Mick Knutson wrote:

When I get a logon form up from a secured area request, and the user adds a wrong username or password. They get an error logon form to re-logon. But then they get forwarded to the main home page, not their requested URL. How can I get that requested URL when inside the errorLogon.jsp page I created so I can then forward them to the correct page?

Hi Mike, as long as you submit to j_security_check you shouldn't need to do what you want to do. Tomcat will keep your original request on stand-by until the login succeeds. I.e. you must be doing something wrong somewhere ;)

Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
Re: ssl question
The second problem is likely an infinite redirection loop:

    Browser: I want http://server/page.jsp
    Server: Go to https://server/page.jsp
    Browser: I want https://server/page.jsp
    Server: Go to http://server/page.jsp
    Browser: I want http://server/page.jsp
    Server: Go to https://server/page.jsp
    ... until the browser or server is shut down

You can verify this with a tool like curl or wget, which will allow you to make a request and examine the response more closely than a browser allows. You could even do it with telnet.

-Max

- Original Message -
From: Stephane Grenier [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:40 PM
Subject: Re: ssl question

As well, it appears that when sslext:pageScheme is set to false, it acts as any on the production box. Any suggestions are appreciated.

Thanks
Stephane

- Original Message -
From: Stephane Grenier [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 2:33 AM
Subject: ssl question

Hello all. I can't seem to find the cause of this particular problem. Perhaps someone can point me in the correct direction.

On my local box I'm using sslext with the url being the ip of the box. I have no problems going in and out of ssl. The problem has only arisen since I moved to the production box with a domain instead of an ip.

The first issue is that when I do a submit on an ssl form, the return url removes the www from the address and thus my ssl certificate says there is an error: The name on the security certificate is invalid or does not match the name of the site.

The second issue, if I leave the <sslext:pageScheme secure="true" /> in the jsp, it seems to process forever (or until I get bored and stop the process).

Any help would be appreciated.

Thank you,
Stephane
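The check suggested in the reply above (request the page without following redirects and read each Location header) as an added Java example that stops as soon as a URL is requested a second time; it is not code from the thread. The class name RedirectLoopTracer is an assumption, and the two loopback listeners are constructed plain-HTTP stand-ins for the http:// and https:// sides of the server, built with the JDK's com.sun.net.httpserver package.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public final class RedirectLoopTracer {

    /** What was seen while following a redirect chain by hand. */
    static final class Trace {
        final List<String> hops = new ArrayList<>();
        String loopAt;   // first URL that was about to be requested twice, or null
    }

    /** Follows Location headers one hop at a time, never letting the client auto-follow. */
    static Trace trace(String startUrl, int maxHops) throws IOException {
        Trace t = new Trace();
        String url = startUrl;
        for (int i = 0; i < maxHops && url != null; i++) {
            if (t.hops.contains(url)) { t.loopAt = url; return t; }
            t.hops.add(url);
            HttpURLConnection c = (HttpURLConnection) URI.create(url).toURL().openConnection();
            c.setInstanceFollowRedirects(false);            // show each 3xx instead of hiding it
            int status = c.getResponseCode();
            String location = c.getHeaderField("Location");
            c.disconnect();
            boolean redirect = status >= 300 && status < 400 && location != null;
            url = redirect ? URI.create(url).resolve(location).toString() : null;  // relative Location allowed
        }
        return t;
    }

    /** Constructed test server: answers /page.jsp with a 302 to whatever target[0] holds. */
    static HttpServer bouncer(String[] target) throws IOException {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/page.jsp", ex -> {
            ex.getResponseHeaders().add("Location", target[0]);
            ex.sendResponseHeaders(302, -1);                // -1: no response body
            ex.close();
        });
        s.start();
        return s;
    }

    public static void main(String[] args) throws IOException {
        String[] toSecure = new String[1];
        String[] toPlain = new String[1];
        HttpServer plain = bouncer(toSecure);               // stands in for http://server
        HttpServer secure = bouncer(toPlain);               // stands in for https://server
        toSecure[0] = "http://127.0.0.1:" + secure.getAddress().getPort() + "/page.jsp";
        toPlain[0] = "http://127.0.0.1:" + plain.getAddress().getPort() + "/page.jsp";
        try {
            Trace t = trace(toPlain[0], 10);
            t.hops.forEach(h -> System.out.println("requested " + h));
            System.out.println(t.loopAt != null
                    ? "redirect loop: " + t.loopAt + " would be requested again"
                    : "no loop within 10 hops");
        } finally {
            plain.stop(0);
            secure.stop(0);
        }
    }
}
```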
Re: how to keep developing time as short a possible?
IntelliJ IDEA is capable of checking your JSPs at the end of a build. It takes a long time, though, which I suspect means that it is compiling them all to .java and then to .class files. I don't know if it is possible to use these compiled versions or not, but it can be useful as a check. It does not appear to be possible to compile one JSP at a time, but the editor is constantly checking the JSP code for you in the background, so I am not sure if a separate compile step would have any value. The editor will check for imports, undeclared variables, taglib usage, etc. It even seems to understand if you declare a variable with <bean:define id="myNewLocalVariable"/>, for instance. Good stuff.

I recommend setting up your build so that you can deploy an expanded version of your app (ear or war) during development. We used to have a /web directory that we both stored all our JSPs in and used as an output directory for .class files (under WEB-INF/classes). We used to deploy the app (a .war, but expanded) from that directory. That would allow you to edit a JSP and just reload the page in the browser to see the changes. But that limits some of the things you can do in a build (static templating, trimming the fat from JSPs, etc.), and co-mingles source and build output files to some extent (which complicates the 'clean' target).

Now we have ant copy our /web directory to the build output directory (specifically '/build/web' for our project). Now we deploy the app from the build output directory for development work (and build the packaged version from the directory later in the build, if you run the 'dist' target). Ant is very fast about copying (only copies changed files, and even seems to be darn fast on a clean build), and as long as you separate out the target that copies the files, you can run it individually when you change a JSP ('ant copy-web' or something like that). Running the copy-web target on my project takes about 2-4 seconds if you only changed a file or two.

-Max

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 7:15 AM
Subject: how to keep developing time as short a possible?

Hi all, I'm a J2EE developer. I have made a few projects using Struts. And I have to say I like the Struts framework very much. I'm using XDoclet to generate struts-config.xml (to speed up development). The only thing I'm not happy about is the following:

1. I change something in my JSP.
2. Run Ant (create a war and ear).
3. Deploy the ear - file.
4. See the results in the browser. (JSP has to get compiled).

Unfortunately these four steps take at least (in my case) 3 minutes for each run. Is there some way to check my JSP before compiling it? Or some other way to keep the time as short as possible?

Many thanks,
Harm de Laat
Informatiefabriek
The Netherlands
Re: Cannot retrieve definition for form bean null
Struts is looking for the action form defined for the /kiosk action (since that is what the html:form submits to on your page). The action or action form does not exist, so you get the error of Struts looking for the null action form. Use a regular HTML form tag to evade that issue, or define the stuff for your /kiosk action.

-Max

- Original Message -
From: ajay brar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 9:30 PM
Subject: Cannot retrieve definition for form bean null

hi! i had heard that a form bean for a form was optional, not sure why i am getting this error here. i have a button on a page and it goes like

    <html:form action="/kiosk">
      browse kiosks <html:submit value="Submit"/>
    </html:form>

in my struts-config.xml i have defined the following action mapping

    <action path="/kiosk" type="KioskAction" scope="request">
      <forward name="success" path="/kiosk.jsp" />
    </action>

could someone please help with this error.

thanks
cheers
ajay
Re: authentication
Use container-managed security, or this filter-based clone, for which I am the project leader: http://securityfilter.sourceforge.net/.

The Servlet spec contains the information needed to get started with container-managed security. Your app server documentation will have information about how to configure realms. It may seem complicated at first, but it is much easier than writing your own system.

If you organize your action paths by what role they require, you can just use security-constraints and url-patterns to protect everything:

    /admin/* limited to users with the 'admin' role
    /order/* limited to users with the 'customer', 'sales', or 'admin' roles
    ... etc.

If that is the case, that is all you need to do.

Or you can protect everything with a security-constraint and / url-pattern. Then add a set of roles that will cover your entire user base. For instance, if every user has the 'admin' role OR the 'customer' role OR the 'sales' role, just add that set of roles to the security-constraint so everyone can get to everything after they login. The reason to protect everything like this is so that the container will authenticate users automatically when they make a request for any of these resources. You will add the real protection for individual actions (using roles) in struts-config.xml later.

NOTE: You may also need to un-protect url-patterns like /images/* so that the images will display properly on your login form. You can do that by creating a security-constraint with the /images/* (and /styles/*, etc. -- whatever should be publicly accessible) url-pattern and don't assign any roles to it.

Now that you have the container doing the authentication for your whole app, you will want to limit which users can execute a given action by assigning a role (or roles) to each action in Struts. You can do that by specifying a roles attribute in an action-mapping:

    <action-mappings>
      <action path="/editOrder"
              type="my.package.EditOrderAction"
              name="orderForm"
              scope="request"
              input="/editOrder.jsp"
              roles="admin,sales"/>
    </action-mappings>

The roles="admin,sales" attribute here means that users with either the 'admin' or 'sales' role (or both) will be allowed to execute this action.

See my posts in the recent Verifying integrity of URLs thread for some ideas on how to do programmatic security when the roles are not specific enough to decide if a user should be able to execute the action or not (e.g. a customer can only see their orders, but not orders for other users).

That is a basic overview of how to do Struts security with container-managed security (or a filter-based clone of container-managed security like SecurityFilter). I am a big proponent of using as much standard security stuff as you can (container-managed, or a filter that is a clone of it) because it is easier to implement, generally more secure, generally works better (automatic, just-in-time authentication), and gets along better with other things (like the Struts roles= attribute) than writing your own.

Everyone should learn how the container-managed security stuff works before making the decision of what to use for their app. At the very least, there are some useful patterns and behaviors in the standard that will help in writing your own system. Sometimes it still makes sense to write your own security, but I think we as developers have a tendency to skip over container-managed security before investigating how it could work for us and go right into writing our own stuff. Most of the time, it would be a lot less work and our apps would work a lot better if we just took the time to learn the standard. I am guilty of skipping it over in the past, but it is very clear to me now that learning the standard first is the best approach, even if you don't end up using it directly.
-Max

----- Original Message -----
From: Manganotti Francesco (USI) [EMAIL PROTECTED]
To: Struts Users Mailing List (E-mail) [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 12:41 AM
Subject: re: authentication

Anyone knows a good way to implement AUTHORIZATION with Struts.
cheers,
F.
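The layout described in the reply above, written out as a web.xml fragment. This is an added example, not part of the original post or of SecurityFilter's own documentation; the resource names, the login page paths and the use of /* as the catch-all pattern are assumptions.

```xml
<!-- web.xml fragment in Servlet 2.3 element order:
     security-constraint*, login-config, security-role*.
     Constructed example: resource names and page paths are placeholders. -->

<!-- Specific patterns are listed before the catch-all so that containers that
     pick the first matching constraint behave the same as those that pick the
     most specific one. -->

<!-- Publicly accessible resources: no <auth-constraint> element at all.
     An empty <auth-constraint/> means "no role may access this",
     which is the opposite of public. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public assets</web-resource-name>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/styles/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Action paths organized by the role they require.
     No <http-method> elements are listed, so every HTTP method is covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin actions</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Order actions</web-resource-name>
    <url-pattern>/order/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
    <role-name>sales</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Catch-all: lists every role in the user base, so its only effect is that
     the container authenticates the user before any request is served.
     Per-action limits then come from roles="..." in struts-config.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything else</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>customer</role-name>
    <role-name>sales</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>customer</role-name></security-role>
<security-role><role-name>sales</role-name></security-role>
```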
Re: data disappearing in jsp
If the missing fields are display-only, you might need to add hidden fields to carry their values along in the request when the page is submitted so that they will be available on a validation error.

reset() is called before the ActionForm is populated with the values from the request, so I don't think it matters what you do to them there. As long as they are in the request (and the names in the HTML form match your ActionForm), they should be populated in the ActionForm when a validation error occurs.

-Max

----- Original Message -----
From: krishnamohan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 6:10 AM
Subject: data disappearing in jsp

Hi,

In my jsp page I have 5 fields out of which 2 fields are required. When the jsp is submitted I am displaying the error messages for the required fields using Action Error in the form bean's validate method. When the jsp page is displayed with the error messages, the data for the remaining 3 fields is disappearing. Can anyone let me know why this is happening. In the reset method all the fields are made to null.

Thanks,
Krishna
Re: error code 404
That is working as designed. The Action (mapping) doesn't exist, so you get a 404 error. This seems like the appropriate behavior to me.

-Max

----- Original Message -----
From: Peter Ondruska [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 12:09 PM
Subject: error code 404

On Struts 1.1 with Jetty 4.2.9 *.do is mapped to struts action servlet. Everything works fine except if requesting unknown action e.g. /thisActionDoesNotExistInStrutsConfig.do instead of web.xml defined error-page with code 404 I get container supplied code 404 general error page (as if no error page was defined in web.xml). Is this designed functionality in Struts or is it container (Jetty) bug?
Re: Verifying integrity of URLs
better. But it does solve the problem of redundant calls to the db for the same info.

Solution 2: I am still attracted to the idea of using a cache for db access that is limited to the scope of a single request. This would support the separate, pluggable security checking modules architecture without leading to redundant db calls. It wouldn't matter how many times different parts of the request processing chain want to load a certain object from the db, since it would be cached after the first load. Perhaps the cache could be attached to the thread (as a ThreadLocal variable), and it would be discarded by a filter at the end of processing for each request, as the server will be pooling the threads for use in processing other requests. (I have used a similar technique to limit the number of db connections used in processing a request to 1 to avoid dining philosophers deadlock issues.) If anyone has any knowledge or ideas about persistence layers (EJB, JDO, custom, etc.) that support this kind of thing, I would love to hear it.

It would be great to be able to write the constraints declaratively, and the pluggable architecture backed by a persistence layer that avoids redundant calls seems to get us closer to that goal. It would be cool if you could write your security constraints in some simplified language (perhaps in some query language or an XML format) and then attach the constraint to a Struts action or a url-pattern. Simplifying the constraint language might improve communication between customers/users, business analysts, and developers, and would make it easier to change the constraints when the requirements change. And they would be easier to write in the first place. This would also open the door for tools vendors to make it even simpler still.

I'd love to hear other ideas for implementing security requirements of this nature. What is your solution, and what are the advantages/disadvantages?
If I am out of the loop on some product/project/standard/technology in this area, I'd like to hear about those, too.

-Max

----- Original Message -----
From: Max Cooper [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Saturday, October 04, 2003 8:00 PM
Subject: Re: Verifying integrity of URLs

The requirement to allow a given user to see only a subset of the data in a particular table is a relatively common one. For instance, in a sales reporting application, you may have a table of total monthly sales for a number of territories and a given user may only be allowed to view/edit one territory or several but not all of the territory data. There may also be users who aren't allowed to see any sales data at all.

For instance, here is some sample data from our fictitious Sales_Report table:

    id, territory_id, date, total_sales
    1, 1024, May-2003, $1000
    2, 1024, Jun-2003, $1200
    3, 1908, May-2003, $800
    4, 2100, May-2003, $1300

To handle these requirements, you could use a combination of role-based and programmatic security. You can use the role-based part to block access to the sales reporting actions for users that aren't in sales. In other words, a user would have to have the 'sales' role to view them. That takes care of the users who can't see any sales data. Then you need to restrict users who do have the 'sales' role from seeing data from territories they don't have access to.

Consider these three actions:

    /viewSalesReportItem.do?sales_report_id=3
    /viewSalesReport.do?territory_id=1024
    /viewAllMySalesReports.do

For the first one, you can load the sales_report from the db and then get the territory_id from it. Don't trust a territory_id coming in from the request (e.g. /viewSalesReportItem.do?sales_report_id=1908&territory_id=1024) because the sales_report_id is really what determines what your app should show, and you can see in my example URL that a user could just provide a territory_id that they do have access to, but that isn't the right one for the sales_report item they are requesting. That may seem obvious, but it is a common mistake on update actions where the territory_id might be in the request as a POST parameter in a hidden field. Users can fake POST parameters, too.

Once you have a trustworthy territory_id, check that the user has access to that territory. There should be some join table in the db that indicates what territories the current user has access to. If they don't have access, you want to show some kind of access denied page. If it is okay for the access denied page to be somewhat generic (and you aren't going to show the user any links that would get them there, so I think this is okay), you can setup a global forward to the access_denied page and have your Action return that.

The second one is even easier, because it is the territory_id that directly drives what the app is going to show. Again, just check that the user has access to the requested territory, and return the access_denied global forward
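The request-scoped cache proposed as Solution 2 in the reply above, as an added example that is not part of the original post. The class names, the in-memory stand-in for the db and the clearAtEnd switch are assumptions made for the illustration; in a webapp the try/finally would sit in a servlet filter around chain.doFilter().

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class RequestScopedCacheDemo {

    /** Cache bound to the current thread; must be cleared when the request ends. */
    static final class RequestCache {
        private static final ThreadLocal<Map<String, Object>> CACHE =
                ThreadLocal.withInitial(HashMap::new);

        @SuppressWarnings("unchecked")
        static <T> T get(String key, Supplier<T> loader) {
            Map<String, Object> map = CACHE.get();
            if (!map.containsKey(key)) {
                map.put(key, loader.get()); // first lookup in this request hits the db
            }
            return (T) map.get(key);
        }

        static void clear() {
            CACHE.remove();
        }
    }

    // Constructed stand-in for the db: sales_report id -> territory_id.
    static final Map<Integer, Integer> DB = new ConcurrentHashMap<Integer, Integer>();
    static final AtomicInteger DB_LOADS = new AtomicInteger();

    static Integer loadTerritoryId(int reportId) {
        DB_LOADS.incrementAndGet();
        return DB.get(reportId);
    }

    /** One request: a security module and an action both ask for the same row. */
    static String handleRequest(final int reportId, boolean clearAtEnd) {
        String key = "sales_report:" + reportId;
        try {
            Integer seenBySecurityModule = RequestCache.get(key, () -> loadTerritoryId(reportId));
            Integer seenByAction = RequestCache.get(key, () -> loadTerritoryId(reportId));
            return "security module saw " + seenBySecurityModule + ", action saw " + seenByAction;
        } finally {
            if (clearAtEnd) {
                RequestCache.clear(); // what the filter does at the end of every request
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread models the container reusing pooled threads.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            for (final boolean clearAtEnd : new boolean[] {true, false}) {
                Runnable reset = RequestCache::clear;
                pool.submit(reset).get();
                DB.put(3, 1908);
                DB_LOADS.set(0);

                Callable<String> request = () -> handleRequest(3, clearAtEnd);
                String first = pool.submit(request).get();
                DB.put(3, 2100); // the row changes between the two requests
                String second = pool.submit(request).get();

                System.out.println("clearAtEnd=" + clearAtEnd);
                System.out.println("  request 1: " + first);
                System.out.println("  request 2: " + second);
                System.out.println("  db loads:  " + DB_LOADS.get());
            }
        } finally {
            pool.shutdown();
        }
    }
}
```

With the cleanup disabled, the second request on the same worker thread is answered from the first request's cache, which is why the discard step at the end of each request matters when the cached objects feed access decisions.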
Re: Verifying integrity of URLs
The requirement to allow a given user to see only a subset of the data in a particular table is a relatively common one. For instance, in a sales reporting application, you may have a table of total monthly sales for a number of territories and a given user may only be allowed to view/edit one territory or several but not all of the territory data. There may also be users who aren't allowed to see any sales data at all.

For instance, here is some sample data from our fictitious Sales_Report table:

    id, territory_id, date, total_sales
    1, 1024, May-2003, $1000
    2, 1024, Jun-2003, $1200
    3, 1908, May-2003, $800
    4, 2100, May-2003, $1300

To handle these requirements, you could use a combination of role-based and programmatic security. You can use the role-based part to block access to the sales reporting actions for users that aren't in sales. In other words, a user would have to have the 'sales' role to view them. That takes care of the users who can't see any sales data. Then you need to restrict users who do have the 'sales' role from seeing data from territories they don't have access to.

Consider these three actions:

    /viewSalesReportItem.do?sales_report_id=3
    /viewSalesReport.do?territory_id=1024
    /viewAllMySalesReports.do

For the first one, you can load the sales_report from the db and then get the territory_id from it. Don't trust a territory_id coming in from the request (e.g. /viewSalesReportItem.do?sales_report_id=1908&territory_id=1024) because the sales_report_id is really what determines what your app should show, and you can see in my example URL that a user could just provide a territory_id that they do have access to, but that isn't the right one for the sales_report item they are requesting. That may seem obvious, but it is a common mistake on update actions where the territory_id might be in the request as a POST parameter in a hidden field. Users can fake POST parameters, too.

Once you have a trustworthy territory_id, check that the user has access to that territory. There should be some join table in the db that indicates what territories the current user has access to. If they don't have access, you want to show some kind of access denied page. If it is okay for the access denied page to be somewhat generic (and you aren't going to show the user any links that would get them there, so I think this is okay), you can setup a global forward to the access_denied page and have your Action return that.

The second one is even easier, because it is the territory_id that directly drives what the app is going to show. Again, just check that the user has access to the requested territory, and return the access_denied global forward if the check fails.

On one app that I worked on, we put a convenience method in our application's ActionBase class, which all of our Actions used as their base class. It is a little clunky still, but our convenience method would return the access_denied ActionForward if the user did not have access, and null if they did have access. The code in each action that used it looks something like this:

    ActionForward accessDenied = checkAccess(mapping, territoryId, request);
    if (accessDenied != null) return accessDenied;

We pass the mapping in so that the checkAccess method could get the access_denied global forward. We pass the request in for two reasons. The first is that the method needs to call request.getRemoteUser() to figure out who the current user is. The second reason is that we have a utility class that will cache the list of territories the user has access to in the session, and it can get to the session from the request.

The third action I listed up there (/viewAllMySalesReports.do) should show a list of all sales_report rows that the user who requests it has access to. In this case, you will want to adjust the db query to only return data that the user can see. You could do that with a WHERE clause like territory_id IN (1024, 1908) or perhaps better yet just join to the table in the db that says what user has access to which territories. By limiting the results in the db query, you avoid getting more data than you need and having to weed through and discard the ones the user isn't supposed to see.

I have kicked around another idea where the programmatic security code would not be in the action, but rather you would write a security module for a given request and plug it in somewhere. For instance, for the /viewSalesReportItem.do?sales_report_id=3 request, you would write a module that would load the sales_report to get the territory_id and then determine if the user has access to that territory. I was thinking of incorporating an interface like this in SecurityFilter, where you might write a security module that would allow or deny access and then register it with the filter to be used for request URLs that match /viewSalesReportItem.do. A mechanism that allowed you to register a security module with a particular (or a set of) Struts modules is also
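The three checks walked through in the message above, as an added example that is not the author's application code. It is a plain-JDK model with no Struts or servlet classes: the user names, role assignments and user-to-territory table are constructed, and checkAccess here takes the user name directly instead of the mapping and request.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SalesReportAccessDemo {

    static final String ACCESS_DENIED = "access_denied"; // global forward name from the post

    static final class SalesReport {
        final int id, territoryId, totalSales;
        final String month;
        SalesReport(int id, int territoryId, String month, int totalSales) {
            this.id = id; this.territoryId = territoryId;
            this.month = month; this.totalSales = totalSales;
        }
    }

    // The post's sample Sales_Report rows, keyed by id.
    static final Map<Integer, SalesReport> SALES_REPORT = new LinkedHashMap<Integer, SalesReport>();
    // Constructed join table: territories each user may see.
    static final Map<String, Set<Integer>> USER_TERRITORY = new HashMap<String, Set<Integer>>();
    // Constructed role assignments; in the webapp the container answers this.
    static final Map<String, Set<String>> USER_ROLE = new HashMap<String, Set<String>>();

    static {
        for (SalesReport r : Arrays.asList(
                new SalesReport(1, 1024, "May-2003", 1000),
                new SalesReport(2, 1024, "Jun-2003", 1200),
                new SalesReport(3, 1908, "May-2003", 800),
                new SalesReport(4, 2100, "May-2003", 1300))) {
            SALES_REPORT.put(r.id, r);
        }
        USER_TERRITORY.put("alice", new HashSet<Integer>(Arrays.asList(1024)));
        USER_ROLE.put("alice", new HashSet<String>(Arrays.asList("sales")));
        USER_ROLE.put("bob", new HashSet<String>(Arrays.asList("customer")));
    }

    static boolean inRole(String user, String role) {
        Set<String> roles = USER_ROLE.get(user);
        return roles != null && roles.contains(role);
    }

    /** Same contract as the post's checkAccess: the forward to return, or null if allowed. */
    static String checkAccess(String user, int territoryId) {
        Set<Integer> allowed = USER_TERRITORY.get(user);
        return (allowed != null && allowed.contains(territoryId)) ? null : ACCESS_DENIED;
    }

    static int parseId(String raw) {
        try { return Integer.parseInt(raw); } catch (NumberFormatException e) { return -1; }
    }

    /** Models the query restricted by territory (WHERE territory_id IN (...) or a join). */
    static List<Integer> reportIdsIn(Set<Integer> territories) {
        List<Integer> ids = new ArrayList<Integer>();
        for (SalesReport r : SALES_REPORT.values()) {
            if (territories.contains(r.territoryId)) ids.add(r.id);
        }
        return ids;
    }

    /** /viewSalesReportItem.do: territory comes from the stored row, never from the request. */
    static String viewSalesReportItem(String user, Map<String, String> params) {
        if (!inRole(user, "sales")) return ACCESS_DENIED;
        SalesReport report = SALES_REPORT.get(parseId(params.get("sales_report_id")));
        if (report == null) return ACCESS_DENIED; // choice made here: unknown ids look like denied ones
        // params.get("territory_id") is deliberately never read.
        String denied = checkAccess(user, report.territoryId);
        if (denied != null) return denied;
        return "report " + report.id + ": " + report.month + " $" + report.totalSales;
    }

    /** /viewSalesReport.do: territory_id drives the output, so it is checked directly. */
    static String viewSalesReport(String user, Map<String, String> params) {
        if (!inRole(user, "sales")) return ACCESS_DENIED;
        int territoryId = parseId(params.get("territory_id"));
        String denied = checkAccess(user, territoryId);
        if (denied != null) return denied;
        return "territory " + territoryId + ": reports " + reportIdsIn(Collections.singleton(territoryId));
    }

    /** /viewAllMySalesReports.do: the restriction is part of the query itself. */
    static List<Integer> viewAllMySalesReports(String user) {
        if (!inRole(user, "sales")) return Collections.<Integer>emptyList();
        Set<Integer> allowed = USER_TERRITORY.get(user);
        return reportIdsIn(allowed == null ? Collections.<Integer>emptySet() : allowed);
    }

    static Map<String, String> params(String... kv) {
        Map<String, String> m = new HashMap<String, String>();
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // alice holds 'sales' and territory 1024; report 3 belongs to territory 1908.
        System.out.println(viewSalesReportItem("alice", params("sales_report_id", "1")));
        System.out.println(viewSalesReportItem("alice",
                params("sales_report_id", "3", "territory_id", "1024"))); // supplied territory_id is ignored
        System.out.println(viewSalesReport("alice", params("territory_id", "1908")));
        System.out.println(viewAllMySalesReports("alice"));
        System.out.println(viewSalesReportItem("bob", params("sales_report_id", "1")));
    }
}
```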
Re: Verifying integrity of URLs
I should have proofread my message before sending. Sorry. If one of my statements doesn't make sense, look here for a correction.

Fixes:

--
A mechanism that allowed you to register a security module with a particular (or a set of) Struts modules is also possible.

A mechanism that allowed you to register a security module with a particular (or a set of) Struts ACTIONS is also possible.

--
One option to avoid the extra call would be to have the security module save the sales_report object as a request attribute for the action to retrieve later, but that couples the sales module and the action too much, in my opinion.

One option to avoid the extra call would be to have the security module save the sales_report object as a request attribute for the action to retrieve later, but that couples the SECURITY module and the action too much, in my opinion.

--
override the wrong method or forget to call a method in the superclass or your action

override the wrong method or forget to call a method in the superclass OF your action

-Max

(SNIP)
Re: file not found
Is your webapp actually deployed (as opposed to simply uploading the files) on that server? It seems like Struts is not running or your web.xml is messed up if the server is not forwarding *.do requests to the Struts ActionServlet.

-Max

----- Original Message -----
From: ajay brar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 7:19 PM
Subject: file not found

hi!
i am a new struts user. i am having the following problem
when i click on a link that is supposed to perform an action and either return an error or success, it says fileTransfer.do not found
here is my link

    <html:link page="/fileTransfer.do?action=getStatistics"></html:link>

my struts-config.xml is

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <!DOCTYPE struts-config PUBLIC
        "-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
        "http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd">
    <struts-config>
      <!-- == Global Forward Definitions == -->
      <global-forwards>
        <forward name="success" path="/fileTransfer.jsp"/>
        <forward name="error" path="/fileTransfer.jsp"/>
      </global-forwards>
      <!-- == Action Mapping Definitions == -->
      <action-mappings>
        <!-- Process a fileTransfer -->
        <action path="/fileTransfer" type="FileTransferAction" scope="request" input="fileTransfer"/>
      </action-mappings>
      <controller>
        <!-- The "input" parameter on "action" elements is the name of a local or global forward rather than a module-relative path -->
        <set-property property="inputForward" value="true"/>
      </controller>
      <!-- == Message Resources Definitions === -->
      <message-resources parameter="ApplicationResources"/>
    </struts-config>

FileTransferAction is in WEB-INF/classes
the program works fine at home where i'm using tomcat 5.0 (the one that comes with java web services developer's pack)
however when i upload it to my hosting service provider, www,eroute.net (which uses Tomcat 4.1.24), i get the File Not Found Error
the file can be seen at www.ajaybrar.net/projectv2
thanks a lot
ajay
Re: Servlet action is currently unavailable
The container knows to look for the servlet that you have named 'action', so at least the servlet-mapping element is present. Are you sure that you have a servlet element in your web.xml for the Struts action servlet, and that its servlet-name is 'action' (without the quotes)?

Assuming you do have the servlet element setup properly, it looks like the Struts action servlet didn't start correctly. Are there any messages earlier in the server log that indicate some kind of failure?

-Max

----- Original Message -----
From: Parthasarathy Kesavaraj [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Tuesday, September 30, 2003 9:33 PM
Subject: RE: Servlet action is currently unavailable

Hai Koni,

Thanks for ur reply. I am not using any database stuff. Still i am getting the same message. I am trying to sort out. I'll let u know if i find any solution.

Regards
Partha

--
From: Koni Roth[SMTP:[EMAIL PROTECTED]
Reply To: Struts Users Mailing List
Sent: Tuesday, September 30, 2003 8:45 PM
To: Struts Users Mailing List
Subject: Re: Servlet action is currently unavailable

Hi Partha

Rarely I run into the same error. Until now I couldn't exactly localize the reason. My guess is the the database connection. I use Struts 1.1 data-sources with MS SQL-Server and it seems the database connection suddenly dies... After restarting Tomcat everything works fine again. ???%ç*/???

Please let me know if you find a solution.

Koni

Parthasarathy Kesavaraj wrote:

Hai

I am using Tomcat 4.1.27 and struts 1.1. When i call a .do from my browser i am getting the following error

    HTTP Status 503 - Servlet action is currently unavailable
    type Status report
    message Servlet action is currently unavailable
    description The requested service (Servlet action is currently unavailable) is not currently available.
    Apache Tomcat/4.1.27

what could be the reason. Please help. Thanks in advance.

Regards
Partha
Re: [OT] Error Messages using standard security constraint?
Do you have the form-error-page set to something different than the form-login-page? That is the normal means to inform the user that something was wrong with the username/password combo they typed in. Often the form-error-page is nearly identical to the form-login-page, except that a bad username/password combination error message is displayed. But you are free (and responsible for) creating both pages, and thus have full control over their appearance.

The same error is typically displayed no matter what was wrong with the username/password the user supplied. It may be attractive to be able to tell them that the username they entered does not exist in the system, or that the username was good but the password was wrong, etc. But be aware that providing such messages has some security cost. If someone is trying to break in, they can use that information to find a real account and then just focus on choosing the right password. If they get the same "it didn't work" message for each failed attempt no matter what was wrong with it, they won't even know if they are trying to get into a valid user account.

If you do wish to provide more informative error messages, you can have the form-error-page get the j_username and j_password from the request (this typically works, though I am not sure it is guaranteed to work on all containers) and use that information to figure out what went wrong. The results of that check can be used to provide a more descriptive error message.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Sunday, September 28, 2003 12:13 PM
Subject: [OT] Error Messages using standard security constraint?

I am using the standard web.xml security constraint with JBoss, and if a user enters a wrong username and/or password, there is not an error message generated to tell about the error. I just get the same logon form page. How do I add an error message in the struts manner?

Thanks
Mick Knutson
Re: [Question] Image path - Best way?
Struts has a tag that will put the context path on the front of the src URL for you. Here's an example:

    <html:img page="/images/leiste_oben.jpg" width="430" height="80" border="0" alt=""/>

If you want to reserve the option to internationalize what image gets displayed, Struts has good support for that, too. For instance, if you have a button image with some text on it, and you want to be able to show different images for different languages, you can put the image path in the ApplicationResources.properties file and use something like this:

    <html:img pageKey="button.clickMe.src"/>

You can also use the altKey attribute of the html:img tag to internationalize the ALT, um, thingy.

    <html:img pageKey="button.clickMe.src" altKey="button.clickMe.alt"/>

In your base ApplicationResources.properties file, you might have something like this:

    button.clickMe.src=/images/button_clickMe.jpg
    button.clickMe.alt=Click Me

You can override these values for other languages in locale-specific versions of the ApplicationResources.properties file.

One thing to be careful of with specifying images this way is that if you set the size in the html:img tag (which is a good idea to speed rendering performance in the browser), make sure that all the images for a given button match the size that is specified. They don't exist now, but it might be useful if heightKey and widthKey attributes were added to the html:img tag to allow those to be looked up in the properties file as well. That way you could specify different sizes for the images if they happen to be different for different locales.

For complete documentation, see the online docs for html:img, here: http://jakarta.apache.org/struts/userGuide/struts-html.html#img

-Max

----- Original Message -----
From: Rajesh M Vasudevan [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, September 26, 2003 11:32 PM
Subject: Re: [Question] Image path - Best way?

Hi guys,

I tried the following, and it seems to work good:

    <img src="<%=request.getContextPath()%>/images/leiste_oben.jpg" width="430" height="80" border="0" alt="">

Is this the right way? Is there a way to specify it as a Resource? Can you give me a tutorial link of how to do that..

Thanks
Rajesh

Hi

What is the best way to give image paths in JSP pages? I see that an image path given in a certain way works for .jsp files, but the same path fails for pages loaded through a .do and vice versa.

Is there a standard way that struts instructs by which images can be defined in a resource configuration file and refer to them in the jsp pages as resource strings, just like application resources?

OR

Is there a way to refer to an image which works well for both .do or .jsp.

Please advise..

Regards,
Rajesh
Re: Forward Action with redirect?
Joshua,

I am not sure I understand quite what you want to do, but you can use the redirect attribute of a forward element in struts-config.xml to do a redirect:

    <forward path="/foo.jsp" redirect="true" />

-Max

----- Original Message -----
From: White, Joshua A (HTSC, CASD) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 26, 2003 8:08 AM
Subject: Forward Action with redirect?

Currently, the Forward action forwards control to a resource on the server side. How can I specify a forward action that also results in a client side redirect? I don't want to call this resource directly because I need to make use of the struts validate mechanism to validate the previous form.

Any suggestions?

Regards,
Joshua
Re: Issue with SSLExt and Tiles
I don't think it is valid JSP syntax to nest tags like that. I have tried stuff like that in the past and concluded that you cannot use one JSP custom tag to render an attribute value for another JSP custom tag.

This might be an alternative:

    <tiles:useAttribute id="sectionURL" name="section_url"/>
    <sslext:link page="<%=sectionURL%>"> ...

The tiles:importAttribute might be relevant to your situation. I am not sure which of these two tiles tags to use, but I think you will need to do something like this to do what you want.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 10:13 PM
Subject: Issue with SSLExt and Tiles

I have the following code that does not get processed correctly. Currently, the tiles:getAsString name='section_url'/ gets rendered as http://localhost:8080/tiles:getAsString%20name='section_url'/

    <sslext:link page="<tiles:getAsString name='section_url'/>">
      <strong><bean:message key="<%=title%>" /></strong>
    </sslext:link>&nbsp;

Thanks
Mick Knutson
Re: How to include part of a page dynamically?
I like Tiles, too, and think it is definitely worth a look for your site. One of the best parts about it relative to some other page templating techniques is that tiles page definitions support inheritance so you don't have to specify the same stuff over and over for each page. Your proposed solution avoids the duplication of the standard includes, too, but Tiles affords this feature as well.

In your scenario, you might create a base page definition that includes all the usual stuff (top, left, right, footer, buttom :-)) and then extend it for each unique page. The SearchPage would be a definition that extends the base page definition and sets MAIN to the 'search.jsp' in your scenario. Struts allows you to forward to a page definition (as opposed to a JSP, etc.), so you can just have the forward for that action go right to the SearchPage definition, without having to create an actual JSP page that includes search.jsp or any of the other stuff. That's just a conceptual description, but it seems this feature of Tiles would be very useful for your situation.

Short of that, this might work with your JSP solution:

    <jsp:include page='<%=request.getAttribute("specialPage")+".jsp"%>' />

I seem to recall that you can't mix a <%= %> and static text in setting an attribute for a tag attribute. For example, this won't work:

    <sometaglib:sometag attribute='<%="Hello"%> World'/>

But this should:

    <sometaglib:sometag attribute='<%="Hello" + " World"%>'/>

The attribute value in the second one is one big <%= %>, rather than a mixture of a <%= %> and static text. And the request.getAttribute("specialPage") part will retrieve the specialPage attribute value from the request scope.

But I urge you to look at Tiles. It does what you want to do very cleanly, is integrated with Struts very nicely, and is a standard solution that you don't have to develop or document, and that your team members may already have experience with or at least be more excited about learning than an in-house, one-off system since that experience will have more value in the marketplace.

-Max

----- Original Message -----
From: Morten Andersen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 11:57 PM
Subject: How to include part of a page dynamically?

I'm developing a site where the pages consists of a number of different parts: top, left, right, MAIN, footer, buttom

I want to dynamically include the MAIN part, so that I include a page, that I generate in the action that forwards to the page. For instance I would like to say:

In ViewPage.action I do a:

    request.setAttribute("specialPage", "search")

Then in the jsp page I would like to write something like:

    <jsp:include page="<%specialPage%>.jsp" />

and get the search.jsp page included in the MAIN block. This way I could extend the site by just adding a jsp page.

How can that be done?

Thanks

Morten Andersen
Master of applied mathematics and computer science
Amanuensis (in e-learning)
The Maersk Institute of Production technology at Southern Danish University
Re: And now for something completely different... [OT]
What's with this?: "Drug and alcohol abusers will vehemently deny their addiction, especially UNIX systems administrators..."

Are Unix Sys Admins the hardest partyers of the IT bunch? Or maybe the author thinks that Unix is over, and that the sysadmins are just in denial about that and thus prone to denial about other problems? This just strikes me as a very strange statement -- I don't get it.

-Max

----- Original Message -----
From: Christian Bollmeyer [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 12:06 PM
Subject: And now for something completely different... [OT]

Please don't kick me for posting this here, but still, one or two might possibly be interested in taking notice:

http://www.dba-oracle.com/art_firing.htm

It's always good to know one's enemies :-)

-- Chris
Re: SSLExt and useMap?
<sslext:rewrite /> can render URLs to stick into the area href's.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:23 PM
Subject: Re: SSLExt and useMap?

I have an HTML image map that needs to use the SSLExt links:

<p><map name="Map2">
<area shape="rect" coords="17,0,84,26" href="/index.jsp">
<area shape="rect" coords="96,0,187,26" href="/member.do">
<area shape="rect" coords="204,0,284,26" href="/notification.do">
<area shape="rect" coords="302,0,406,26" href="/cms.do">
<area shape="rect" coords="415,0,483,26" href="/about.do">

How do I do this with SSLExt as I can't find any examples for this issue. Thanks in advance for your help.

---
Thanks
Mick Knutson
http://www.baselogic.com
+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---
Re: SSLExt and useMap?
Yup, that's the technique I was thinking of. Even though that seems a little like nested tags, it really is not (and should work fine) because the area tag is just HTML rather than a JSP custom tag.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:36 PM
Subject: Re: SSLExt and useMap?

Do you mean Like:

<area shape="rect" coords="17,0,84,26" href="<sslext:rewrite name='/member.do'/>">

---
Thanks
Mick Knutson
http://www.baselogic.com
+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---

----- Original Message -----
From: Max Cooper [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:29 PM
Subject: Re: SSLExt and useMap?

<sslext:rewrite /> can render URLs to stick into the area href's.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:23 PM
Subject: Re: SSLExt and useMap?

I have an HTML image map that needs to use the SSLExt links:

<p><map name="Map2">
<area shape="rect" coords="17,0,84,26" href="/index.jsp">
<area shape="rect" coords="96,0,187,26" href="/member.do">
<area shape="rect" coords="204,0,284,26" href="/notification.do">
<area shape="rect" coords="302,0,406,26" href="/cms.do">
<area shape="rect" coords="415,0,483,26" href="/about.do">

How do I do this with SSLExt as I can't find any examples for this issue. Thanks in advance for your help.

---
Thanks
Mick Knutson
http://www.baselogic.com
+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---
Re: SSLExt and useMap?
Oops, I think you need to use the page attribute instead of name. Name will look for an attribute that it will convert to a String and use as the name of the action. The page attribute allows you to specify an action (or other URL) that it will use directly.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:51 PM
Subject: Re: SSLExt and useMap?

I added this:

<area shape="rect" coords="96,0,187,26" href="<sslext:rewrite name='/member.do'/>">

(and I also have this in other areas of the same JSP page: <sslext:link page="/member.do">Log On</sslext:link>)

I get this error when I did that:

!--- --E[ServletException in:/WEB-INF/default/index.jsp] Cannot find bean /member.do in any scope'
javax.servlet.jsp.JspException: Cannot find bean /member.do in any scope
at org.apache.struts.util.RequestUtils.lookup(RequestUtils.java:938)
at org.apache.struts.util.RequestUtils.computeParameters(RequestUtils.java:286)
at org.apache.struts.taglib.html.SecureRewriteTag.doStartTag(SecureRewriteTag.java:93)
at org.apache.jsp.index$jsp._jspService(index$jsp.java:1004)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:201)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:381)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:360)
at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:294)
at org.mortbay.jetty.servlet.Dispatcher.dispatch(Dispatcher.java:192)
at org.mortbay.jetty.servlet.Dispatcher.include(Dispatcher.java:121)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:820)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:391)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:137)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:177)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:756)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:881)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:473)
at org.apache.jsp.index$jsp._jspService(index$jsp.java:68)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:201)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:381)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:360)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:342)
at com.baselogic.yoursos.security.SecurityContextFilter.doFilter(SecurityContextFilter.java:102)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:334)
at com.baselogic.yoursos.user.UserPreferenceFilter.doFilter(UserPreferenceFilter.java:48)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:334)
at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:286)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:558)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1714)
at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:507)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1664)
at org.mortbay.http.HttpServer.service(HttpServer.java:863)
at org.jboss.jetty.Jetty.service(Jetty.java:460)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:775)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:939)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:792)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:201)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:289)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:455)

---
Thanks
Mick Knutson
http://www.baselogic.com
+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---

----- Original Message -----
From: Max Cooper [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:40 PM
Subject: Re: SSLExt and useMap?

Yup, that's the technique I was thinking of. Even though that seems a little like nested tags, it really is not (and should work fine) because
Re: And now for something completely different... [OT]
Well, I do some administration work on a few Unix servers from time to time, but I wouldn't really call myself a sysadmin.

Oh no! I am in denial. :-)

-Max

----- Original Message -----
From: Adam Hardy [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:35 PM
Subject: Re: And now for something completely different... [OT]

Oh I see, Max, it sounds like you might be a Unix systems administrator yourself... ;)

is it Friday yet?

On 09/25/2003 10:28 PM Max Cooper wrote:

What's with this?: "Drug and alcohol abusers will vehemently deny their addiction, especially UNIX systems administrators..."

Are Unix Sys Admins the hardest partyers of the IT bunch? Or maybe the author thinks that Unix is over, and that the sysadmins are just in denial about that and thus prone to denial about other problems? This just strikes me as a very strange statement -- I don't get it.

-Max

----- Original Message -----
From: Christian Bollmeyer [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 12:06 PM
Subject: And now for something completely different... [OT]

Please don't kick me for posting this here, but still, one or two might possibly be interested in taking notice:

http://www.dba-oracle.com/art_firing.htm

It's always good to know one's enemies :-)

-- Chris

--
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9
Re: Going from https on /member.do, back to http on index.jsp?
Creating an index.do is one option. If it is not marked as secure, sslext will write an absolute URL back to http:// for it. Many Struts users advocate that all requests should be served by Actions, even if the action merely forwards to a JSP.

I think you can also use the secure attribute in the sslext tags to indicate whether the target of the link or form should be accessed securely. In this case, you would add secure="false" to the sslext:link tag that goes back to /index.jsp.

-Max

----- Original Message -----
From: Mick Knutson [EMAIL PROTECTED]
To: struts [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:50 PM
Subject: Going from https on /member.do, back to http on index.jsp?

How do I go from https on /member.do, back to http on index.jsp? Must I make an /index.do and just eliminate the index.jsp?

---
Thanks
Mick Knutson
http://www.baselogic.com
+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---
Re: <html:base /> Question
I don't like HTML base tags, generally, because they make debugging confusing and they specify something that has no value (doesn't help, but reduces flexibility, and might break stuff). I have heard some justifications for their use, but I've written thousands of web pages and never needed one.

I tend to prefer to use context-relative URLs for everything that is within my site or webapp. I do take great care to make sure that my webapps could be deployed with any context path (/myapp or /myapp-1.2 or /myapp-debugging-something-old-without-disturbing-my-main-deployment). If you start out with the idea that your app may be deployed with any context path, it doesn't take much to keep everything working correctly. I know that different people on my project team deploy the app with different context paths, and I really like that since it continuously tests that we are doing things properly.

Mozilla and Netscape's Page Info feature is useful for examining all the image references in a rendered page if you suspect a problem. Those browsers also have a more visible indicator that an image reference is broken than IE, which is also nice.

I really like the struts tag libraries in that they allow you to specify a context-relative path to resources using the page attribute. I use these all the time. For your image tag, you could do something like this:

<html:img page="/images/myimage.jpg" />

Another alternative without using a tag lib:

<img src="<%=request.getContextPath()%>/images/myimage.jpg">

Both of these will render like this (assuming your app's context path is /webapp):

<img src="/webapp/images/myimage.jpg">

-Max

----- Original Message -----
From: Bryce Fischer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 5:16 PM
Subject: <html:base /> Question

This is probably less a Struts question than it is an HTML question, but I figured most here have dealt with this issue. I'm a little confused by the <html:base /> tag.

Let's say we have the following directory structure WITHIN our webapp:

webapp
  - images
    - myimage.jpg
  - scripts
  - WEB-INF
    - pages
      - test.jsp

Ok. Now I've got a jsp page that's in the webapp/WEB-INF/pages directory. In that webapp, I've got the <html:base /> tag declared in the header. Now, when I view source on my test.jsp page, I see this:

<base href="http://localhost/webapp/WEB-INF/pages/test.jsp"/>

Now, on that page, I want to reference an image in webapp/images/myimage.jpg. I can get there by using:

href="../../images/myimage.jpg"

But I'd rather not. Is there a way to get to the root of the webapp? I've tried:

/images/myimage.jpg

And that doesn't seem to work.

--
Bryce Fischer [EMAIL PROTECTED]
Re: Is it possible to remove *.do or /do/* from the URL
I agree with Matt here wholeheartedly. If you build an app that runs in a web browser, your app should work properly in that environment. Asking users not to use the Back button is not a reasonable expectation, and trying to hide it with JavaScript or other hacks is folly.

However, there are MANY, MANY questions about how to escape the responsibility of making our apps work properly in a browser on this list. And I know that the apps I have built aren't all perfect (even though I think it is a good goal to shoot for). The fact is that it is HARD to design an app for the web and implement it so that it works well in a browser.

Part of me thinks the solution will NOT be that web developers all become willing and capable of making their apps work (more) correctly in a browser. But rather that some other technology will come along that avoids client installation like a web app does, but also avoids some of the web site problems, and perhaps most importantly enables developers to write richer, more responsive GUIs. There are many technologies in this space, and I have no recommendations or even any clue as to which ones have a good chance of spreading. But I think something like this might catch on in a big way at some point.

On the other hand, perhaps a web site is a good model for writing our applications. And that we should figure out strategies and design patterns to make our apps work correctly in this environment. Web apps do have some pretty cool advantages -- for instance, you can send someone a link to a particular page/screen in the app. Our managers send out a link to the timesheet we have on our intranet. You can bookmark a particular screen or pages in an app that are most relevant to your activities for quick access. Having a web interface also means that your app can be scripted by simply making HTTP requests, and perhaps looking at the responses. For these reasons, perhaps we should come around to the idea that all web apps are web sites, and take care to build them as such.

Whatever the case, I think the bottom line is that if you are deploying your app to run on a browser, it should work correctly when the user presses the Back button, bookmarks a page, or decides to mess with the URL a bit. It isn't always easy to make the app work properly, but there should be some conscious thought about how to design the app so that it can work properly, and some care in implementation to make sure that it does work as well as the design allows.

I have long wanted to write some design patterns to record good solutions to common problems (or anti-patterns for bad ones) that could be re-used by myself (when I forget, or when I need to delegate) and others. It would also be useful to describe why a certain pattern works or what is good about it to help raise awareness of the issues. But it sure is hard to find the time... perhaps if I stopped writing long, rambling email messages to the struts-user list I could get this done. :-)

-Max

----- Original Message -----
From: Kruse, Matt [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 1:42 PM
Subject: RE: Is it possible to remove *.do or /do/* from the URL

The important principle here is Web Application != Web Site.

Why? In many cases, it's the same difference. These days, web sites usually are web applications on the back-end. There are a lot of stupid users out there. In many cases, every attempt needs to be made to cater to them.

If your users feel compelled to use bookmarks and the back button in your webapps, despite efforts to train them correctly, this is a pretty good sign that you have not provided enough suitable navigation controls in your basic UI.

On the contrary, I'd say that if your web application can't handle the back button and bookmarking, then you've designed it incorrectly. ESPECIALLY if your users want to use them :)

When web applications are done right, they have nice URL's, the back button can be used without causing any problems, and bookmarking is possible wherever it makes sense. IMO, there are too many lazy developers out there who do poor design and don't consider the 'Back' button, for example, then look for cheap hacks to stop the user from using it. Instead, they should think differently and handle these cases. It's sometimes more work, sure, but that's part of the job!

Matt
Re: Errors / Messages
Edgar,

What is your aim in doing this? If there is a validation error, the Struts framework sends the user back to the input page to inform them of the problem, and possibly allow them to fix it and resubmit. If the request still gets passed to the action, the action will need to do conditional processing based on the presence of errors, and then it is unclear how control will pass back to Struts so that it can send the user back to the input page to inform them of what went wrong.

I have sometimes thought about having the action produce a validation-style error if something goes wrong in processing the request, after which it could pass control back to the Struts framework to send the user back to the input page. You can of course add another forward or something, but it would be nice if you could just tell Struts more clearly that something went wrong and that Struts should send the user back to the input form (as it does with a validation error), but I am not sure if there is an elegant way to do that. This is distinct from your proposed flow, but it seems the same feature (tell Struts there was an error and user should be sent back to input form) could support both of our scenarios.

What is the scenario you wish to support with the control flow that you are looking for?

-Max

----- Original Message -----
From: Edgar P Dollin [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 2:54 AM
Subject: Errors / Messages

In validate, if you add an error to the message list, validator returns without forwarding. Has anyone done anything with an alternate message file or prioritized messages, so you can add a message yet still forward.

Thanks in advance.

Edgar
Re: sslext can only get it to post
Hi Stephane,

Here is how the system currently appears to work:

1. User is on shopping cart page, clicks checkout, the form is submitted unencrypted to the ShoppingCartAction (which is fine since it isn't supposed to be secure).

2. ShoppingCartAction does its magic (saves cart changes, for instance) and then forwards to the checkout JSP.

3. checkout.jsp has an sslext:pageScheme tag in it that says it is supposed to be secure. The current request was not secure, so the tag creates a redirect to the secure port with all the request parameters appended to the URL as a query string.

By the time the app figures out that you want to go to the checkout, it is too late so sslext can't really help too much. The request has already been sent, and it wasn't secure. Some design changes are needed to make the switch to the https port in what I consider to be an acceptable manner.

Here are some possible solutions:

1. I don't like this one, but you could have JavaScript submit the shopping cart form to ShoppingCartAction securely by changing the action to an absolute URL that starts with https when the user clicks the checkout button. There is an sslext:rewrite tag that would be useful for this purpose.

2. If you have a checkout button other places on the site (not a form submit, but rather a simple link to some kind of CheckoutAction), you could have the ShoppingCartAction redirect to the CheckoutAction when it is done processing the changes in the cart. I am not sure if sslext will work its magic on forwards, which in this case is actually going to be a redirect by setting redirect=true on the forward. If sslext doesn't fix the redirect, I believe we can get Steve (sslext author) to make this change. It should work that way, IMO. Even if it doesn't switch on the redirect, it will switch with a second redirect so long as CheckoutAction is specified as a secure action. This would require the least amount of changes to the current actions if you already have a simple checkout link, and for that reason is my favorite solution if it would work for you. NOTE: This would be the app making the redirect to a different page, which is totally okay in my opinion -- my aversion to redirects is limited only to sslext doing the redirect itself to correct the port that the current request came in on.

3. If you don't have a simple checkout link, you could rework the app to make this work. This is a good idea anyway to encourage users to get to the checkout. The checkout action would need to access the contents of the cart from the session (since that information won't be coming in on the request), perhaps by accessing the shopping cart ActionForm from the session. Perhaps one of the property copying utilities from commons-beanutils would be useful for copying the cart contents to the checkout ActionForm. Once you get the simple checkout link working, just do a redirect to it as described in #3 above.

4. You could remove the sslext:pageScheme tag from checkout.jsp, which would avoid the redirect upon entering the page. The form on that page will submit the form securely since you have the sslext:form tag there and the action it submits to has been configured to be secure in struts-config.xml. However, this is one of those cases where users are likely to prefer that the form page itself is already secure, even though it isn't technically necessary.

A note on the pageScheme tag: If all your pages are Struts actions and you use sslext:form and sslext:link to navigate to your secure actions, there is no need for the sslext:pageScheme tags. Configuring the actions in struts-config.xml is all that is needed (which I also prefer for its simplicity). The tag is convenient if you have directly-accessed JSPs and things that need to be secured and you dip the site one level deeper into the SSL bin, but otherwise they are of no value.

-Max

----- Original Message -----
From: Stephane Grenier [EMAIL PROTECTED]
To: Max Cooper [EMAIL PROTECTED]; Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, September 12, 2003 5:40 PM
Subject: Re: sslext can only get it to post

Hello Max.

Thank you for the information. You cleared up some vagueness in my understanding. However let me expand more into the details. The thing is I'm not sure how to actually implement what you have just said, I actually think that is what I'm currently doing which it is obviously not... If you don't mind I'm sending you my relevant chunks of code. I would like to have the shopping cart page not secure, but once moving to the checkout section to start the ssl security.

Struts-config.xml

<form-beans>
<form-bean name="ShoppingCartForm" type="com.rana.release.forms.ShoppingCartForm" />
<form-bean name="CheckoutForm" type="com.rana.release.forms.ssl.CheckoutForm" />
</form-beans>
<action-mappings type="org.apache.struts.config.SecureActionConfig">
<action path="/ShoppingCartAction" type="com.rana.release.actions.ShoppingCartAction" name="ShoppingCartForm"
Re: sslext can only get it to post
Stephane,

The parameters are getting appended to the URL because sslext is doing a redirect. So the POST is probably working, but then sslext thinks the request should have arrived on the other port, and since you can't do a POST in a redirect, sslext appends the POSTed data to the URL as a query string and sends that as a redirect. Finally, the redirect comes in as a GET with the params on the query string. The solution is to configure the app so that the form will POST to the right port (i.e. have sslext write an absolute URL for you) and won't have to redirect.

The real strength of sslext is that you can specify which actions are secure, and then as long as you use the sslext tags to navigate to that action (either with a link or a form tag), sslext will get you there WITHOUT HAVING TO DO A REDIRECT. That last part is important -- in my opinion, the app should be written such that sslext never has to do a redirect. It will do redirects for your convenience, but that is inefficient, turns POSTs into GETs, and has some security problems (there is no point in making a page secure if you are going to submit a form without SSL and then redirect it to the SSL port).

An alternative approach is to dip your site one level deeper in SSL. For instance, if you want a form submittal to be secure, you can dip your site in the SSL a little deeper by specifying that BOTH the request that displays the form and the form submittal request itself are secure. Technically, you don't need to secure the request that displays the form, but by making it secure you avoid the redirect on the form submittal since you are already on the secure port. If you end up getting a redirect at form submittal, the effort to secure that form has been a folly since the form data has already passed over the network unencrypted twice and sticks in the browser's history after the redirect.

I don't like this approach in most instances, and sslext gives you the power to do better without much effort. Here are some reasons I don't like it:

1) it is inefficient since it relies on using redirects to switch ports
2) it is inefficient since it requires sending more data over SSL than necessary (debatable)
3) it's too easy to inadvertently create security holes by forgetting to make the display form request secure
4) it is messy since you end up specifying which pages should be secure in several different ways (as opposed to ONLY doing it in struts-config.xml)

Securing the display form request actually is appropriate in many instances, even though that request doesn't technically need to be encrypted. Users often want to get some feedback that they are working securely before filling out the form. But you can still achieve this goal without resorting to redirects.

Of course doing it the right way requires that you use the sslext link and form tags all over the place (any time the request could change ports), which can be hard to remember sometimes if you are used to the Struts versions. The sslext versions aren't any harder to use (just a few additional optional attributes); it's just remembering to use them in the first place that can be problematic. For this reason, I would REALLY like to see sslext integrated into the Struts core. The only effect on users would be that they could now specify that an action (mapping) is to be secure, which is just how it should work.

Holy crap, that turned into a bit of a rant. :-) Well, I hope you find the solution to your problem in there somewhere, and that perhaps some of this additional info is useful to you or other list members.

-Max

----- Original Message -----
From: Stephane Grenier [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, September 12, 2003 11:06 AM
Subject: sslext can only get it to post

Hello all.

I've added sslext to my struts application. However I can't seem to get it to post (the parameters are appended to the url). In the jsp, the form tag is:

<sslext:form action="ShoppingCartAction" name="ShoppingCartForm" type="com.rana.release.forms.ShoppingCartForm" scope="request" method="POST">

So as far as I can tell it should be a post. If I change the tags from sslext to html then it puts the action in the url (http://localhost:8080/ShoppingCartAction.do). If I put the sslext it puts the jsp, the session id, and all the parameters.

Thank you,
Stephane
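The POST-then-redirect behaviour described in the message above, modelled in plain Java as an added example (it is not sslext or Struts code and is not from the thread). The class name, host, port, action path, field names and the 403 policy are assumptions made for illustration; the sample request is constructed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

/** Added illustration: every name here is hypothetical, none of it is sslext or Struts code. */
public class SchemeSwitchDemo {

    /** Minimal stand-in for the parts of an HTTP request that matter here. */
    record Request(String scheme, String method, String path, Map<String, String> params) {}

    /** Result of handling a request: status code plus an optional Location header. */
    record Outcome(int status, String location) {}

    // Constructed deployment values (assumptions, not taken from the thread).
    static final String HOST = "shop.example";
    static final int HTTPS_PORT = 8443;
    static final Set<String> SECURE_ACTIONS = Set.of("/CheckoutAction.do");

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /**
     * The scheme-correcting redirect as the message describes it: a redirect
     * cannot carry a POST body, so the POSTed fields are copied into the query
     * string of the https URL and the browser re-requests it with GET.
     */
    static Outcome redirectWithParams(Request r) {
        StringJoiner qs = new StringJoiner("&");
        r.params().forEach((k, v) -> qs.add(enc(k) + "=" + enc(v)));
        String url = "https://" + HOST + ":" + HTTPS_PORT + r.path();
        if (qs.length() > 0) {
            url += "?" + qs;
        }
        return new Outcome(302, url);
    }

    /**
     * Stricter policy (an assumption of this example): redirect only when there
     * is no data to copy. A plaintext request that carries fields to a secure
     * action is rejected, so a form that was not rendered with an absolute
     * https action fails visibly in testing instead of being patched up.
     */
    static Outcome rejectPlaintextData(Request r) {
        boolean secureTarget = SECURE_ACTIONS.contains(r.path());
        boolean plaintext = !"https".equals(r.scheme());
        if (!secureTarget || !plaintext) {
            return new Outcome(200, null);      // nothing to correct
        }
        if (r.params().isEmpty()) {
            return redirectWithParams(r);       // safe: the URL carries no data
        }
        return new Outcome(403, null);          // data already crossed the wire in the clear
    }

    /** What the form tag has to render so the first POST already goes to the https port. */
    static String formAction(String actionPath) {
        if (SECURE_ACTIONS.contains(actionPath)) {
            return "https://" + HOST + ":" + HTTPS_PORT + actionPath;
        }
        return actionPath;
    }

    public static void main(String[] args) {
        // Constructed sample: a checkout form posted over plain http.
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("cardHolder", "Test User");
        fields.put("cardNumber", "TEST-0000");
        Request post = new Request("http", "POST", "/CheckoutAction.do", fields);

        // The form data ends up in the Location header, then in history and access logs.
        System.out.println("redirect: " + redirectWithParams(post).location());
        // The stricter policy refuses instead of copying the data into a URL.
        System.out.println("strict:   " + rejectPlaintextData(post).status());
        // The fix on the page side: render an absolute https action URL.
        System.out.println("form:     " + formAction("/CheckoutAction.do"));
    }
}
```

The first output line shows the constructed card fields sitting in the redirect URL, which is where they would also reach browser history and server access logs.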
Re: jsp - java naming issue
I'm not sure I understand the exact problem, but I do see something that seems like it might be relevant. I don't think the method getbfData() conforms to the JavaBeans naming standard. If I ask for the bfData property, I am pretty sure that there needs to be a method named getBfData() [note the case of the 'B'] or I am going to get an exception.

-Max

On Thu, 2003-09-11 at 10:31, Gregory F. March wrote:

On Sep 11, 2003, Gregory F. March [EMAIL PROTECTED] wrote:

|=
|My action (BfPerformSearch.java):
|
|BfSearchAdapter bfsa = new BfSearchAdapter(ad, bfsc);
|
|request.setAttribute("bfData", bfsa.getbfData());
|
|=
|My adapter (BfSearchAdapter.java):
|
|BankFullEntryData[] bed = SomeFunction();
|
|bflist = new Vector();
|
|for(int i = 0; i < bed.length; i++) {
|    BfFullEntryData bffed = new BfFullEntryData();
|    bffed.setName(bed[i].NameAndAddress);
|
|LOOK HERE - #1 !!!
|
|    bffed.setWireData(bed[i].WireInfo);
|
|    bflist.add(bffed);
|}
|}

Sorry, I should have mentioned that bfsa.getbfData() returns bflist.

/greg

--
Gregory F. March -=- http://www.gfm.net:81/~march -=- AIM:GfmNet

--
Max Cooper [EMAIL PROTECTED]
Re: Icon?
And one more thing... the favicon doesn't seem to show up in IE unless you add the page to your Favorites. And even then it only seems to work if the page is not secure (it only works for http://, not https://). And it doesn't show the icon for all pages in the site, just the particular pages you have added to your Favorites. Bleh...

Mozilla seems to show the icon if it is available, no matter if you have added it to your bookmarks or not. Much better...

-Max

- Original Message -
From: Bjørn T Johansen [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, September 08, 2003 11:12 PM
Subject: Re: Icon?

On Mon, 2003-09-08 at 03:27, Max Cooper wrote:

> Two things come to mind:
>
> 1. Do you want an icon that will show up in a browser when a user accesses your application/site? If so, you need to do something else -- the icon part of the servlet spec seems to indicate that it is for GUI tools (like your app server's management console) rather than for browser access to the webapp itself. I am not totally sure about this as I have not tried it myself, but that is my impression from reading the servlet spec.

Well, I want to change the icon that appears in front of the url in the browser, I see others use it...

> 2. Is the icon element in the right place in the web.xml file? An editor that does XML validation (like IntelliJ IDEA and other IDEs and XML editors) is very helpful for pointing out such errors.

I tried moving it around and the only thing that happens is that I am getting an error msg if I am putting it under the servlet tag and under the web tag nothing happens. I also tried setting this in the header:

<link rel="shortcut icon" href="<html:rewrite forward="mainIcon"/>" type="image/x-icon" />

but nothing... Anyone?

> -Max
>
> - Original Message -
> From: Bjørn T Johansen [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED]
> Sent: Sunday, September 07, 2003 8:44 AM
> Subject: Icon?
>
> I am trying to customize the icon my webapp is using by adding
>
> <icon> <small-icon> path-to-icon </small-icon> </icon>
>
> in my web.xml file, but nothing happens. What am I overlooking?
>
> Regards,
> BTJ

--
Bjørn T Johansen (BSc,MNIF)
Executive Manager [EMAIL PROTECTED]
Havleik Consulting, Phone : +47 67 54 15 17
Conradisvei 4, Fax : +47 67 54 13 91
N-1338 Sandvika, Cellular : +47 926 93 298
http://www.havleik.no

The stickers on the side of the box said "Supported Platforms: Windows 98, Windows NT 4.0, Windows 2000 or better", so clearly Linux was a supported platform.
Re: Icon?
I did a little investigation and it looks like the icon part of web.xml has nothing to do with displaying a custom icon in the web browser's address bar, as I suspected.

I think icon is intended to allow you to specify a custom icon for your web app that will appear in GUI tools related to the app server. For instance, many app servers have web-based administration consoles or some other kind of GUI administration tool. However, I tried this with WebLogic 6.1 and it doesn't seem to use my icons. Perhaps later versions do, but 6.1 seems to ignore it, even though the icon image paths I specified do show up in the deployment descriptor (web.xml editor) section of the admin console. But you don't actually see the images with this app server.

I did a google search as Ramesh suggested and found the solution that Louise recommended. Here's a page with more details: http://www.chami.com/tips/internet/110599I.html

-Max

- Original Message -
From: Bjørn T Johansen [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, September 08, 2003 11:12 PM
Subject: Re: Icon?

On Mon, 2003-09-08 at 03:27, Max Cooper wrote:

> Two things come to mind:
>
> 1. Do you want an icon that will show up in a browser when a user accesses your application/site? If so, you need to do something else -- the icon part of the servlet spec seems to indicate that it is for GUI tools (like your app server's management console) rather than for browser access to the webapp itself. I am not totally sure about this as I have not tried it myself, but that is my impression from reading the servlet spec.

Well, I want to change the icon that appears in front of the url in the browser, I see others use it...

> 2. Is the icon element in the right place in the web.xml file? An editor that does XML validation (like IntelliJ IDEA and other IDEs and XML editors) is very helpful for pointing out such errors.

I tried moving it around and the only thing that happens is that I am getting an error msg if I am putting it under the servlet tag and under the web tag nothing happens. I also tried setting this in the header:

<link rel="shortcut icon" href="<html:rewrite forward="mainIcon"/>" type="image/x-icon" />

but nothing... Anyone?

> -Max
>
> - Original Message -
> From: Bjørn T Johansen [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED]
> Sent: Sunday, September 07, 2003 8:44 AM
> Subject: Icon?
>
> I am trying to customize the icon my webapp is using by adding
>
> <icon> <small-icon> path-to-icon </small-icon> </icon>
>
> in my web.xml file, but nothing happens. What am I overlooking?
>
> Regards,
> BTJ

--
Bjørn T Johansen (BSc,MNIF)
Executive Manager [EMAIL PROTECTED]
Havleik Consulting, Phone : +47 67 54 15 17
Conradisvei 4, Fax : +47 67 54 13 91
N-1338 Sandvika, Cellular : +47 926 93 298
http://www.havleik.no

The stickers on the side of the box said "Supported Platforms: Windows 98, Windows NT 4.0, Windows 2000 or better", so clearly Linux was a supported platform.
Re: Prevent URL requested directly from browser
Keep these things in mind as you develop a solution:

1. There is absolutely no way to prevent users from making whatever requests they want. Bookmarking, typing in URLs, emailing URLs, etc. are all possible and there is nothing that can be done to prevent people from making these requests.
2. You do have total control over how your web app responds to those requests.

-Max

- Original Message -
From: veera maria [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 11:11 AM
Subject: Prevent URL requested directly from browser

Hello,

What is the best way to prevent user to request web application's actions from browser manually? E.g. user is using web application and taking its current url to clipboard. Then user goes e.g. to Google for surfing for a while. After surfing (s)he pastes web application's url back to browser's address field. Best technique in Struts application to prevent this?

Vera
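One way to apply the second point above to a form-processing action, as an added example that is not part of the original thread: the action accepts every request but honours only those carrying the one-time token issued with the form, using Struts 1's `saveToken` and `isTokenValid`. The class, forward and attribute names are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical pair of Struts 1 actions. Map them in struts-config.xml as
 * OrderFlow$ShowForm and OrderFlow$Submit; the forward names "form",
 * "start" and "done" are assumptions.
 */
public class OrderFlow {

    /** Displays the order form. This is the only place a token is issued. */
    public static class ShowForm extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) {
            // Stores a fresh token in the session; <html:form> on the
            // forwarded JSP writes it into the page as a hidden field.
            saveToken(request);
            return mapping.findForward("form");
        }
    }

    /** Processes the form. Any request can reach it; only some are honoured. */
    public static class Submit extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) {
            // A pasted, bookmarked or replayed URL carries no token, or one
            // that has already been used. Passing true clears the session
            // token, so each issued form can be submitted only once.
            if (!isTokenValid(request, true)) {
                // Assumed forward: send the user back to the entry page.
                return mapping.findForward("start");
            }
            // Placeholder for the real work of the action.
            request.setAttribute("orderAccepted", Boolean.TRUE);
            return mapping.findForward("done");
        }
    }
}
```

The request itself is never blocked; the check only decides which response the application gives.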
Re: why servlet as controller in MVC
That is kind of an open-ended question, but here are two alternatives and some problems associated with them:

1. Filter -- some containers require that a request really does map to a resource, so even if the Filter mapping matched the request you could end up with 404 errors in the case where the resource doesn't exist. One way to avoid this would be to have each request map to a JSP directly, but that would be pretty confusing if the controller decided to map the request to some other JSP (or some other, similar view resource) instead of passing it down the chain to the indicated JSP. Some Actions have some kind of switching behavior to route the request to one of a number of view resources.

2. JSP -- the controller normally passes the request to a view resource (like a JSP) but doesn't produce the response directly. JSPs are best suited to producing a response (usually HTML) directly, where a servlet better matches the needs of writing a controller. Other view-oriented technologies are similar to JSPs, and many use their own servlet to process the requests anyway.

Since those don't work so well, a Servlet turns out to be a good match for the needs of the controller component in comparison.

It sounds like you might have something else in mind -- what alternative implementation strategy are you thinking of?

-Max

On Mon, 2003-09-08 at 19:24, virupaksha wrote:

Dear All,

I have a simple doubt, Why servlet is considered as controller in MVC framework, Can any one please answer..

Regards,
viru
Re: Icon?
Two things come to mind:

1. Do you want an icon that will show up in a browser when a user accesses your application/site? If so, you need to do something else -- the icon part of the servlet spec seems to indicate that it is for GUI tools (like your app server's management console) rather than for browser access to the webapp itself. I am not totally sure about this as I have not tried it myself, but that is my impression from reading the servlet spec.

2. Is the icon element in the right place in the web.xml file? An editor that does XML validation (like IntelliJ IDEA and other IDEs and XML editors) is very helpful for pointing out such errors.

-Max

- Original Message -
From: Bjørn T Johansen [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 8:44 AM
Subject: Icon?

I am trying to customize the icon my webapp is using by adding

<icon> <small-icon> path-to-icon </small-icon> </icon>

in my web.xml file, but nothing happens. What am I overlooking?

Regards,
BTJ
Re: skipping repopulation between actions without external forwarding
You can't change the request parameters at all. (Technically, you can change them with a Filter, but that would not be appropriate here, so they are essentially immutable in this context.)

Use a redirect after the login action rather than a forward. That way the URL in the browser will match what the user sees in their browser window, and it sounds like it might also fix your other problem.

-Max

- Original Message -
From: David Friedman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 1:39 PM
Subject: skipping repopulation between actions without external forwarding

Without an HTTP redirect, so the call is internal to Struts and not sent back to the client browser, how can I either:

a) remove all GET/POST parameters that came with the request so my action gets passed nothing for repopulation.
b) change one parameter that was submitted with the HTTP GET/POST Request.

In my case, I have page=1 set with the login page but need it forced down to page=0 the very first time as it forwards from the login to the regular action. The reset() function won't work because I setPage(0) but it auto populates to 1 again. That initial sign-on problem screws up my actions in my forms. I've set my actions to use 2 instead of one to check some things but that is an ugly solution.

Thanks,
David