Hello,
I would like to access functionality specific to the MM MySql driver in an
application that uses Struts' datasource pool and am having a bit of
trouble casting a GenericConnection back to an
org.gjt.mm.mysql.Connection. Casting from a GenericConnection to an
Hello Struts users,
We are currently evaluating Struts and other web (MVC) frameworks and would like to
ask you some questions:
- Is there some struts-config XML-generation from some
modeling tool (Rose for instance) ?
We would like to design a state or activity diagram in
such
Hi all,
I have installed iplanet webserver (IWS) 4.1 sp7. I
am planning to work on IWS. Please, can anyone tell me
what I need to do to deploy my Struts examples?
I wish to get the following directory Structure.
/Netscape
/Server4
/https-4qzb11s
Please let me know which
I have an iteration with each row displaying a checkbox, being set to the
underlying bean property in the iteration. Each checkbox needs to have a
different name, and this is not happening...they all have the same name, I
need some way of individually referencing the checkboxes..please help!!!
Well, I guess a way to work around that problem would be to create a data
structure to represent the entire resultset. This could be a LinkedList of
hashtables, with each key being the column name, and the value being the
result.
The disadvantage of this approach is that it requires the entire
Does JBoss work with Struts?
Thanks
Harden
I am interested in the code. Please send.
Hello Struts users,
We are currently evaluating Struts and other web (MVC) frameworks and
would like to ask you some questions:
- Is there some struts-config XML-generation from some
modeling tool (Rose for instance) ?
We would like to
Hi all,
I want to use a simple action to change the language in a site,
but I would like this feature to be available on all pages of the site.
I'm using a template, and the same menu (with language selection)
is included in each page.
My question is: When a visitor decides to change the
me too
-Original Message-
From: Jonathan Asbell [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:21 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Struts questions for evaluation
I am interested in the code. Please send.
Hello Struts users,
We are currently
I solved my problem with form tag.
I discovered that action mappings in form
<!-- Standard Action Servlet Mapping -->
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
are unsuitable for use with j2sdkee1.3. Deploytool
( or whatever else
I just thought of another option: If resultsets are tied to a connection and
a statement, then specify the sql query within the iterator:
Hypothetical taglibs:
sql:query id=myQuery
SELECT col1, col2
FROM table
WHERE id 1
!-- even
If you are interested in executing SQL from your JSPs, the taglibs project
might save you some time.
Check into:
http://jakarta.apache.org/taglibs/doc/dbtags-doc/intro.html
For what it's worth, this approach breaks the model-view separation struts
may have provided for your project. If that's
I think Struts does a good job dealing with the whole MVC separation
issues... Embedding SQL into yet-another-custom tag seems to (IMHO)
violate a number of the principles Struts is trying to uphold.
Truth-be-told, I haven't been a real JSP/custom tag fan from the start
(aren't there enough
I haven't used it, but this looks similar to what's been developed in the
jakarta taglibs project - see JDBC taglib.
http://jakarta.apache.org/taglibs/doc/jdbc-doc/intro.html
Niall
-Original Message-
From: Mindaugas Idzelis [mailto:[EMAIL PROTECTED]]
Sent: 07 May 2001 15:06
To:
I have a few questions:
1. Did WL do the JDBC session persistence
automatically (i.e. through configuration)?
2. How does 'app server load balancing' affect
performance? I'm of the impression that having a
load-balancing mechanism redirecting requests based on
sessionId/etc would not affect
I am interested too
From: "Nanduri, Amarnath" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: Struts questions for evaluation
Date: Mon, 7 May 2001 08:20:00 -0400
me too
-Original Message-
From: Jonathan Asbell
I may be wrong about this (only been working w/
Struts for a week now). But I do see a potential security flaw in struts
that I would like to hear from others regarding.
Consider a simple set of struts classes that
represent a user in a system. You would probably have classes that look
Hello,
I've been trying for awhile to get my own version of the 'logon' example
to work. I've done everything essentially the exact same as the struts
example, except using 'login' where I saw 'logon'.
Upon starting up Tomcat, there is a bunch of output generated. After
reading this output,
I am new to struts, and am trying to access the example webapp. I am
using Weblogic 5.1 with service pack 9 installed, and have added
xerces.jar to the JAVA_CLASSPATH, and the examples/WEB-INF/classes,
examples/WEB-INF/lib/struts.jar listings to the WEBLOGIC_CLASSPATH (I
expanded the sample
Hi!
I'm just wondering if anybody else encountered problems with
Netscape and the Struts example.
The POST method (Register for the MailReader Demonstration
Application) seems to take forever until it gives back a
response (however clicking on the browser's title-bar immediately
solves
Jeff,
Are you asking if book marking a URL that contains query parameters might be
a security risk?
Anthony
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I may be
However, if someone is familiar with the db schema and the
naming convention the developer used, that user could subvert
the application by writing his own version of the UI which
contains an Administrative User Flag field (or any other
field for that matter) and the basic form processing in
I think the problem might be related to resolving
the DTD entity in my
struts-config.xml file. Here is a snippet for the
output I receive
after starting Tomcat. Has anyone seen this problem
at all. I would
appreciate any help.
Following installation instructions worked for me.
If you
That is not what my thinking was. But that could be an issue also. My
concern is someone intentionally and maliciously creating a form to supply
more parameters than originally intended by the developer. For instance,
consider the UserForm fields:
Name(available to enrollment
Curt,
I don't dispute what you're saying. However, to the casual struts user this
fact may be easily overlooked and exploited by a hacker.
- jeff
- Original Message -
From: Curt Hagenlocher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 12:10 PM
Subject: RE:
Title: RE: ActionServlet to change language ?
One solution is for each page to have a hidden field that contains its relative path. Then you can forward to that page after you have changed the locale.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday,
Wouldn't this not be a concern because the user would
never be in the session on the target server?
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I may be
There is a security risk here as you describe, if (and only if) you are using
a generic introspection-based function (like Struts' PropertyUtils.copyBean)
to copy the values from the UserForm object to the User object. There are
several ways to avoid this --
1. Don't put an admin flag "setter"
Title: RE: problem with weblogic 5.1sp9 and example webapp
Use sp8, sp9 is really, really bad.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:58 AM
To: [EMAIL PROTECTED]
Subject: problem with weblogic 5.1sp9 and example webapp
I have one jsp page with submit button, I want when user click on this
button the action performed method will lookup all the information related
to the user from the data base and display it on the 2nd page? what kind of
bean and/or struts tag do I need to perform this task for the 2nd page to
Title: RE: Potential Security Flaw in Struts MVC
You can easily guard against this by using simple JavaBeans in the presentation layer and having your action class do the persistent storage from your JavaBean view layer.
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
I usually just lurk on this list, but I think I'll pipe in here.
I think Curt raises a valid point, and it's one of my particular gripes
about the webapp paradigm (certainly not Struts in general): every action
that is represented by URL is accessible if you know the right information
(or can
Wouldn't the hacker have to get the new form class into the classpath of the
server since all of the code runs server side?
Jeff Trent wrote:
That is not what my thinking was. But that could be an issue also. My
concern is someone intentionally and maliciously creating a form to supply
Can I suggest to any Struts developers listening
that a new form tag called "static" be added which will simply return the
current form value as static text...
Hi all,
I have a question to ask. I want to update the database.xml file and the
database hashtable of the DatabaseServlet class every time the user
register. So when the user logs on next time (even after the tomcat is
restarted), he/she can still log on. Any idea?
Thanks.
Ying
P.S. I
Title: RE: ActionServlet to change language ?
Another method I would advise is
In your action class just call the setLocale() passing in the parameter (language
preference) the user has selected. That way you can be assured of not
making an if-elseif-else call
-Original
have to use sp9, at least on the server-side, since sp8 uses green
threads on our environment, and this is too slow.
Any other suggestions?
Thanks,
John
-Original Message-
From: JasonChaffee [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 12:10 PM
To: struts-user
Cc:
Anything dealing with security, (including security validation) keep it in the
request scope. That way no other developer (at runtime) can access the security
data.
[Nanduri, Amarnath]
-Original Message-
From: Hogan, John [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 1:10
I can appreciate your concern. And it's always good to emphasize
security concerns. But you are suggesting that I (or any developer)
would write some Action that would accept this UserForm, including the
sensitive admin flag, without checking as to whether the admin flag is
acceptable in the
depends. He would have a session if he has
enrolled already...
- Original Message -
From:
Hogan, John
To: '[EMAIL PROTECTED]'
Sent: Monday, May 07, 2001 1:09 PM
Subject: RE: Potential Security Flaw in
Struts MVC
Wouldn't this not be a concern because the
Title: RE: Potential Security Flaw in Struts MVC
Beyond the scope of my brain container class (maybe
in a week or so I'll know how to translate what you just said in terms of what I
know) :^
- Original Message -
From:
Jason
Chaffee
To: '[EMAIL PROTECTED]'
Sent:
See this for remote resultsets...
http://developer.java.sun.com/developer/earlyAccess/crs/
also there is a good section in Professional Java Server Programming J2EE
Edition (Wrox press) Page 587 on a TableModel tag library...
Lewis
-Original Message-
From: Mindaugas Idzelis
I think that this potential exploit should probably be
thoroughly documented, along with potential
workarounds. Last thing we want is to have Struts
being tagged as being unsecure.
Calvin
--- David Winterfeldt [EMAIL PROTECTED] wrote:
If you share a bean between two security groups, you
can
Christian,
You kick ass!
Apologies to the sensitive but that was a great explanation of a very
obscure but important problem.
Bryan
Christian Cryder wrote:
I usually just lurk on this list, but I think I'll pipe in here.
I like it! I second this request totally! I too have been involved with
large scale development projects and I can relate closely to what you are
saying Chris. A simple implementation could be a new derivation off of
Action called SecurityAction with an abstract method called validate (not
No, I can write a form locally and have the action run on your server...
- Original Message -
From: Peter Alfors [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:56 PM
Subject: Re: Potential Security Flaw in Struts MVC
Wouldn't the hacker have to get the new form
I think I must be missing something... I don't see how a user/hacker is going
to gain access to the system if one is using security.
If you route each request through a security check (realm) then you should be
able to determine if the current user has access to the requested page/action.
Each
You can also restrict access in a webapp through the
web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>adminPages</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>
This is a bit off subject but since I'm in commentary-mode today I'll also
mention it.
I need to give some background here first:
As I mentioned in an earlier message, I worked on a fairly large web project
(several million hits per day, tens of thousand user sessions per day). The
app runs on
I have previously experienced very slow form processing under Netscape 4.76
using Tomcat 3.1. We were not using Struts, but rather our own MVC model at
the time. I even created a test case with only a servlet to post to and it
took a few seconds for the servlet to get the response. This
I think you are trying to make things too hard, you could handle this
relatively simple in two different ways:
1. You could inherit your actions from a super class that simply checks
to see if the user is logged or has sufficient privileges. And add a
super(request) method as the first
Hi All,
I noticed that when the tomcat shuts down, it does NOT call the destroy()
method of the DatabaseServlet class. How to let the destroy() method get
called when the server shuts down? Thanks.
Ying
Hi,
Someone had previously posted a power point presentation to the
list (Struts overview). Is it still available somewhere ?
Thanks for any info.
--
Nick
Title: RE: problem with weblogic 5.1sp9 and example webapp
I hope you are aware that sp9 has some serious bugs and if you are counting on it following the servlet specification, well, your Web apps won't work correctly. In fact we found that sp9 loses session scope objects. If you must use
Sure. You could create a jsp page that had the fields you would like, and even
call off a remote action from your own page.
However, if I route my actions through a security realm, then the requested
action will be denied because the current user is not logged in. Or.. If the
would-be hacker is
At 12:17 PM 5/7/2001 -0700, you wrote:
Role-Based Action Execution.
Add the ability to require the current user to be in a
particular security role before they can execute a
particular action.
I just wanted to pipe in here because we're integrating Struts into our
stuff (Slowly!) The Expresso
Please unsubscribe me, email id [EMAIL PROTECTED]
Thanks,
Raju
-Original Message-
From: Siping Liu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2001 01:12 PM
To: [EMAIL PROTECTED]
Subject: unsubscribe ... please
please unsubscribe me. thanks,
I was also using tomcat 3.2.1. I just upgraded from JDK 1.2 to 1.3, and
that seems to have solved the problem.
--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW/ 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
I think I must be missing something... I don't see how a
user/hacker is going to gain access to the system if one
is using security. If you route each request through a
security check (realm) then you should be able to determine
if the current user has access to the requested page/action.
Hi,
I don't know whether this is relevant or not. This is what I found out.
Whenever I post something to tomcat server, and the action is a JSP
page(just modified, not compiled yet). It always used to take a minute or
more. Then I opened up NT Task manager, amazingly Netscape was using 99% of
the
A basic problem with most web development is that
people are building security into their applications. It should be handled
outside of the application. You can have your application work in conjunction
with an external security mechanism for more granular control but I the security
Either you are misunderstanding Struts, or I am misunderstanding you.
Struts will populate your UserForm for you, prior to your UserAction being
called. However, it is your responsibility to, within UserAction, copy the
values from UserForm to User.
Bryan
Jeff Trent wrote:
Can someone explain me about property parameter in the logic:iterate tag?
I have something like below and this works fine. but I have seen in struts
example
where property parameter is also used:
e.g. <logic:iterate id="subscription" name="user" property="subscriptions">
in this line I know
True, the security realm validates if the request is legal. However, if the
underlying model objects are shared (User and UserForm objects in my example)
for both admin and user level forms, then the request could be manipulated
to set other fields beyond what was exposed for the normal user
We are doing something very similar. We are using the jaas security to map
each action to a permission.
This way, each user is mapped to the actions that he/she is allowed to
perform.
Each request is routed through a security check to verify that the currently
logged in user has permissions to
I'll have to check into that...thanks for the heads-up.
John
-Original Message-
From: JasonChaffee [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 3:08 PM
To: struts-user
Cc: JasonChaffee
Subject: RE: problem with weblogic 5.1sp9 and example webapp
I hope you are aware that
Ah, this may be a problem in the way I've adapted
Struts. I reflect all UserForm method calls directly into the contained
User object owned by the UserForm. So for instance, I have
public class UserForm extends ActionsForm
{
protected User user;
...
public String getName()
{
return
I want to second Martin's opinion. Security (e.g, authentication and authorization)
should be outside of the application, if possible. In our company, we are using
Entrust's getAccess in combination with Apache. It can easily protect resources
(most likely defined by URL) after the
Jeff Trent wrote:
True, the security realm validates if the request is legal. However, if the
underlying model objects are shared (User and UserForm objects in my example)
for both admin and user level forms, then the request could be manipulated
to set other fields beyond what was exposed
I think I must be missing something... I don't see how a user/hacker is
going
to gain access to the system if one is using security.
hackers aren't always from the outside, you also have to protect yourself
from legitimate users, who could try to force the system. Not every secure
user is
Yes I think that's a problem; interesting that you would do it that way,
I never saw it from that perspective. But I believe the intent of Struts
(e.g. the examples, etc) is that your ActionForms are really just forms --
conduits for moving field values between HTML forms and Java primitives.
I'm working on a very complex webapp with hundreds of form pages. Frequently
there are chunks of a form that are shared across several pages. I was
hoping to use the components library to separate these common form chunks
into reusable pages, but I'm not having much luck with this.
The problem
It's fine to nest a JavaBean in an ActionForm if that bean is just a transport object
that is passed to EJBs but it probably isn't a good idea to nest your model
objects directly in the form.
If you are going to nest a javabean in a form you don't need the getName()/setName()
methods,
Carl,
I think you're right except that you also need:
3. A custom tag that uses the same security model as the Action which
is only required if a .JSP is accessed directly.
Personally, I pre-populate a lot of my views, so most of the time I'm
hitting the Action first.
Anthony
Title: RE: Struts forms and JSP components/templates
I think the scope of the form is specified in struts-config.xml, you can put it in session scope.
Shunhui
-Original Message-
From: Tim Moore [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 2:40 PM
To: '[EMAIL
I think the change from page to request was already made for html:form. Get
the latest Struts from CVS.
Hal
-Original Message-
From: Tim Moore [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 5:40 PM
To: '[EMAIL PROTECTED]'
Subject: Struts forms and JSP components/templates
Title: RE: Struts forms and JSP components/templates
That just specifies the scope where the form bean is stored. If you look at the
doStartTag method in the FormTag.java source, it contains a few lines that look
something like this:
pageContext.setAttribute(Constants.BEAN_KEY, bean);
Yes. I'm developing using JBoss 2.2.1 with Tomcat 3.2.1.
You can get an integrated download of these from this
page: http://jboss.org/business/binary.html
-Greg-
-Original Message-
From: Harden ZHU [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 4:53 AM
To: [EMAIL PROTECTED]
Feel free. If you would like to document it, I'd be happy to find a
place for it in the users guide.
Calvin Yu wrote:
I think that this potential exploit should probably be
thoroughly documented, along with potential
workarounds. Last thing we want is to have Struts
being tagged as being
This is open source. Anyone is welcome to jump in and join the
management by submitting code.
Jeff Trent wrote:
Therefore, if I haven't reached my quota today, I'd like to suggest to
management that there is a bean property (or something) that results in form
fields being propagated across
Feel free to submit some code.
Jeff Trent wrote:
I like it! I second this request totally!
Title: RE: Struts and DAO pattern. Expensive?
That opens up lots of questions I also have, I'm sure many of you have some
solutions to these:
(1)I went through a similar exercise, I first followed the Petstore example,
to have a getConnection() method in my DAOs (well, I have BaseDAO,
Ted,
I wish I had time. Now that I have three kids I can't spend any spare
cycle(s) on anything but changing diapers!
- Original Message -
From: Ted Husted [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 7:46 PM
Subject: Re: Potential Security Flaw in Struts MVC
I need to confess I'm lost. The PetStore approach sounds cleaner in some
sense, but also sounds too repetitive in other, and mostly, sounds way too
expensive (or it isn't?).
Struts uses a connection pool. So when you do a getConnection() you're
actually pulling one out from a pool of shared
Here is an xsl and an ant build file to convert a web.xml file into the
needed appname.webapp and the part.xml file to cut and paste into the
default_servlet_engine file
This assumes that all your Action classes are in a Visual Age project called
MyProject
R,
Nick
build.xml
webapp.xsl
Title: RE: Struts and DAO pattern. Expensive?
Does anyone know how to make struts work with
JBoss? Seems not working for me.
Thanks
Harden
Any special setup for jboss? I put struts app under tomcat. And then run.
Jboss gave errors. said class not found. I do put struts.jar at lib.
Any hint?
Thank you very much
harden
- Original Message -
From: Greg Ritter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001
I had no problems at all. I unzipped the JBoss + Tomcat download
on a Windows 2000 box, started it using the batch script included
in the bin directory, and then dropped each of the struts-*.war files
into the deploy directory. They all deployed without problems.
-Greg-
On Monday, May 7, 2001,
But if I use external security mechanism, will it be dynamic? I mean to say,
if the admin wants to change his/her password from the application
(using admin interface), how can he/she do that without restarting the
server?
-Original Message-
From: Martin Duffy [SMTP:[EMAIL PROTECTED]]
If you use something like one of the mod_ldap implementations for apache the
admin would have his password in the ldap directory. I also am pretty sure
that there is an auth module for apache that uses a database like MySQL. In
that case the admin's id and password would be in the database. So when
91 matches