Yes, login page is accessible always. Direct jsp access is not allowed, it has
to go through the actions. When a user requests /Login.action login jsp page is
displayed. When the user submits username
and password (Post to Login.action) the user is authenticated and home page is
displayed by Login.action. Since the same action handles both displaying login
page and validating, if the values are
already present (username, password, value of the button clicked) the action
will authenticate the user and display home page as it does this it will make a
database entry saying xyz user has logged in.
Actual Setup:
Application 1: /context1 --- User can login here and they will be forwarded
to context2. This application uses struts 2.5.14
Application 2: /context2 --- User can login directly in /context 2 (in which
case no forwarding). This application uses struts 2.3.34 for login and other
actions. There are few actions in struts1 also.
For replicating the issue I was directly accessing /context2/Login.action. So
/context1 was not used in testing. But the Login filter had the below lines to
make sure forwarded requests from /context1
would work.
request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);
The request object type is io.undertow.servlet.spec.HttpServletRequestImpl
Thanks,
Prasanth
On 03/03/2018 04:14 AM, Yasser Zamani wrote:
> On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked few users to keep logging in
>> and ran jmeter to access login page, with out putting any username or
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in with out username/password. I am seeing database
>> login entries for these two. Which would happen only if a valid session is
>> not present and user has provided username/password.
> Shouldn't login page being accessible always? How do you try access
> login page, calling directly to jsp? Or action? How do you authenticate
> that access try, via session values? Via request parameters and querying
> database?
>
>> Not sure if the behavior is a side effect of having the below lines.
>>
>> request.setAttribute("struts.actionMapping", new
>> ActionMapping());
>> request.setAttribute("struts.valueStack", null);
> Not these lines but I guess you may also remove more things from
> forwarded request (e.g. session). Could you please print
> request.toString before these lines to see what type is it? Could you
> serialize request to a xml to see all values stored in that request?
> Anyway, like you, I also think this issue is because of forwarding the
> request from Struts1 to Struts2.
>
> Regards.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
