Hi,
Using Struts 2.1.8, I just ran into a security issue in my application
configuration which was a bit difficult to diagnose and turned out to be due
to a struts feature which unexpectedly bypassed my security configuration.

As with many systems, I am using a web filter security mechanism (Spring
security) to filter all requests and forwards. On one of my struts pages I
have a form with a submit button whose action differs from that on the form.
Such as:

<s:form theme="simple" action="*unsecured*">
          <s:submit key="button.exit" action="*secured*"/>
</s:form>

The default form action is unsecured. The button's action is secured.
When the form is submitted, the request url is the one provided by the form
of course (/*unsecured.action*). This is permitted access by the security
framework. However, in order to allow multiple submit urls for a single
action, struts submits the following request parameter (action:secured=Exit)
which results in an internal mapping to the *secured* struts mapping (the
one for the secured action) which struts executes by proxy, bypassing any
REQUEST/FORWARD security configurations.

If forms are developed this way, the result is that a user that had
permissions for the unsecured form action but not the secured submit action,
now gains access to the secured action.

Though not a bug, I can imagine that this unexpected behavior can catch many
developers out and can be difficult to diagnose.  It also requires that
security considerations be handled (or at least considered) in the jsp,
which seems to break proper separation of concerns (especially for security
configuration).

- Eric
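
One way to close the gap described in the message above at the filter layer, as an added example (not code from the original post or from the Struts project): a servlet filter, mapped ahead of the Struts filter in web.xml, that rejects `action:` parameter overrides unless the target action is allowlisted. The class name `ActionPrefixGuardFilter` and the `allowedActions` init-param are hypothetical, and the code assumes the `javax.servlet` API.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: blocks "action:NAME" overrides unless NAME is allowlisted. */
public class ActionPrefixGuardFilter implements Filter {
    private static final String PREFIX = "action:";
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) {
        // Hypothetical init-param: comma-separated actions that every user who
        // can reach a form is also permitted to execute, e.g. "cancel,help".
        String list = cfg.getInitParameter("allowedActions");
        if (list != null) {
            for (String name : list.split(",")) {
                if (name.trim().length() > 0) allowed.add(name.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        for (Enumeration<?> e = http.getParameterNames(); e.hasMoreElements();) {
            String target = overrideTarget((String) e.nextElement());
            if (target != null && !allowed.contains(target)) {
                // The URL-based security check never saw this action: refuse it.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns NAME for an "action:NAME" parameter, or null for ordinary parameters. */
    static String overrideTarget(String param) {
        if (!param.startsWith(PREFIX)) return null;
        String name = param.substring(PREFIX.length());
        // Image submit buttons send "name.x" / "name.y" coordinates.
        if (name.endsWith(".x") || name.endsWith(".y")) {
            name = name.substring(0, name.length() - 2);
        }
        return name;
    }

    public void destroy() { }
}
```

This only inspects parameters the container itself parses (query string and URL-encoded form bodies); fields of a multipart form post that the container does not parse are not seen by it.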
