Sorry! My previous code was sent via my mobile and has a few typos because of issues with copy/paste :(
Now, at my PC, I tested the following configuration, which works well :)

1. MYStrutsPrepareFilter.java
*********************************************
package me.zamani.yasser.ww_convention.utils;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * @author zamani
 *
 */
public class MYStrutsPrepareFilter implements Filter {

    private MYUtils MYUtils;

    public void init(FilterConfig filterConfig) throws ServletException {
        MYUtils = new MYUtils();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // StrutsPrepareFilter runs before this filter, so the ActionContext already exists
        ActionContext actionContext = ActionContext.getContext();
        if (null != actionContext) {
            ValueStack stack = actionContext.getValueStack();
            // publish the helper as a request attribute so OGNL can reach it as #request['MYUtils']
            stack.setValue("#request['MYUtils']", MYUtils);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        MYUtils = null;
    }

    // helper class outside the excluded packages; only this one method is reachable from OGNL
    public class MYUtils {
        public boolean isUserInRole(String user) {
            HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
                    .get(StrutsStatics.HTTP_REQUEST));
            return httpsr.isUserInRole(user);
        }
    }
}
**********************************************************

2. web.xml
**********************************************************
<filter>
    <filter-name>struts2prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
</filter>
<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
</filter>
<filter>
    <filter-name>struts2execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>struts2prepare</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>struts2execute</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
**************************************************************

3. hello.jsp
**************************************************************
<s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
    you are UserAdmin
</s:if>
<s:else>
    you are not UserAdmin
</s:else>
**************************************************************

Sincerely Yours,
Yasser.

On 7/22/2017 2:56 AM, Deborah White wrote:
> And the jsp doesn't seem to like this syntax for some reason.
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Friday, July 21, 2017 1:04 PM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
> to 2.3.32
>
> That is just an example. For your need, in more detail, you should try
> something like this:
>
> 1. Add the following method to class MyUtil:
>
> public boolean isUserInRole (String user) {
>     HttpServletRequest httpsr = ((HttpServletRequest)
>         ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST));
>     return httpsr.isUserInRole (user);
> }
>
> 2.
> Your struts filters in web.xml should look like:
>
> <filter>
>     <filter-name>struts-prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name> MYStrutsPrepareFilter</filter-name>
>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts-execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
>
> 3. Finally find and replace all of
>
> <s:if test='request.isUserInRole("UserAdmin")' >
>
> With
>
> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>
> I think something like this resolves your issue :) please try and let me know.
>
> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>
>> This is what I currently have in my jsp:
>> <s:if test='request.isUserInRole("UserAdmin")' >
>>
>> Where would I put
>> "#request['MYUtils'].requestURI?
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>> Sent: Friday, July 21, 2017 10:53 AM
>> To: Struts Developers List <dev@struts.apache.org>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> You are welcome :) In this solution, via OGNL, you only access the MyUtil
>> object, and you add what you need from the excluded packages into the MyUtil
>> class as Java getters. Since MyUtil is not in the excluded packages, you can
>> get what you need from the excluded packages via OGNL through it.
>>
>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>
>>> Sorry, as I said I'm new. Will this allow access to the excluded packages
>>> (ognl)?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Thursday, July 20, 2017 10:55 PM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> Hi there, welcome to the dev list :)
>>>
>>> Do you need access to excluded packages in your JSPs? I had a similar
>>> issue and you can see my solution at [1]. I did not need to rewrite
>>> anything and a find/replace did all the needed changes. Please review my
>>> solution to see if it also resolves yours. If not, please feel free to
>>> continue here for a solution :)
>>>
>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>
>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>> someone out there has been through this. Any help would be appreciated.
>>>>
>>>> -----Original Message-----
>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
>>>> to 2.3.32
>>>>
>>>>
>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>
>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>> ------------------------------------------------------------
>>>>
>>>> The best place to ask such a question is to subscribe to the User
>>>> Mailing list as there are more eyes to help you
>>>> http://struts.apache.org/mail.html
>>>>
>>>> And to answer your question: there is no safe way to modify the exclusion,
>>>> I would rather figure out in which expression you use this class and move
>>>> the logic to an action.
>>>>
>>>>
>>>> was (Author: lukaszlenart):
>>>> The best place to ask such a question is to subscribe to the User
>>>> Mailing list as there are more eyes to help you
>>>> http://struts.apache.org/mail.html
>>>>
>>>> And to answer your question: there is no safe way to modify the exclusion,
>>>> I would rather figure in which expression you use this class and move the
>>>> logic to an action.
>>>>
>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>> -----------------------------------
>>>>>
>>>>>                 Key: WW-4815
>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>             Project: Struts 2
>>>>>          Issue Type: Temp
>>>>>          Components: Core
>>>>>    Affects Versions: 2.3.16.3
>>>>>            Reporter: Deborah White
>>>>>             Fix For: 2.3.32
>>>>>
>>>>>
>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>> know this is probably not the place to do this, but I'm not finding
>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>> vulnerability. The problem is that the excluded classes in the
>>>>> struts-default.xml are being used by my application and I certainly do
>>>>> not have time to do a rewrite.
>>>>>
>>>>> This is the Warning I get, and then my application does not run as it
>>>>> should because it seems it is not forwarding the roles:
>>>>>
>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or
>>>>> package of member [public boolean
>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>> are excluded!
>>>>>
>>>>> I need to know how I can safely modify the struts-default.xml and still
>>>>> have the fix for the vulnerability. Also, if there is something I can
>>>>> instead include in my struts.xml file that would override, that would be
>>>>> better. Thank you.
>>>>
>>>>
>>>>
>>>> --
>>>> This message was sent by Atlassian JIRA
>>>> (v6.4.14#64029)
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain
>>>> confidential and/or legally privileged information. It is solely for the
>>>> use of the intended recipient(s). Unauthorized interception, review, use
>>>> or disclosure is prohibited and may violate applicable laws including the
>>>> Electronic Communications Privacy Act. If you are not the intended
>>>> recipient, please contact the sender and destroy all copies of the
>>>> communication.
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>
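The alternative Lukasz points to in the JIRA comment above (move the role check into an action so the JSP never touches javax.servlet types through OGNL and the exclusion stays in force), written out as an added example that is not code from this thread. HelloAction and its package are assumed names; the role name UserAdmin is the one used in the thread, and the JSP side becomes `<s:if test="userAdmin">`.

```java
package example.web; // assumed package, not from the thread

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Exposes the role check as a plain boolean property of the action.
 * OGNL in the JSP resolves "userAdmin" to isUserAdmin() on the action at the
 * top of the value stack, so no member of an excluded package is ever invoked
 * from an expression. The servletConfig interceptor in the default stack
 * injects the request via ServletRequestAware.
 */
public class HelloAction extends ActionSupport implements ServletRequestAware {

    private static final long serialVersionUID = 1L;

    // transient: the request must not be serialized with the action
    private transient HttpServletRequest request;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /** JavaBean getter reachable from OGNL as "userAdmin". */
    public boolean isUserAdmin() {
        // null-safe: returns false when the action runs outside a request
        return request != null && request.isUserInRole("UserAdmin");
    }

    @Override
    public String execute() {
        // the view decides what to render from the userAdmin property
        return SUCCESS;
    }
}
```

With this in place the find/replace step from the thread is not needed: `<s:if test='request.isUserInRole("UserAdmin")'>` becomes `<s:if test="userAdmin">`, and struts-default.xml is left unchanged.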