You're welcome! Happy to hear that it works there :) That warning means you
still have some more. Please find them by searching for
'request.isUserInRole' in your JSPs, then replace them with
'#request["MYUtils"].isUserInRole'.

test='#request["MYUtils"].isUserInRole("UserAdmin")' and
test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)

On 7/25/2017 9:35 PM, Deborah White wrote:
> So, it appears to be working so far. Thank you so much!! I do still get
> this warning in my log files, do you know the best way to suppress it?
>
> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess]
> (http-localhost/127.0.0.1:8080-2) Package of target
> [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of
> member [public boolean
> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
> are excluded!
>
> Also, in my jsp I had to use this syntax:
>
> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>     $('#tabs-UserManagement').tabs();
> </s:if>
>
> Instead of ['MYUtils'] (single quote).
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Monday, July 24, 2017 11:27 AM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> Yes, I think you should have mappings for all, in the following order:
>
> <filter-mapping>
>     <filter-name>struts-prepare</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
> <filter-mapping>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
> <filter-mapping>
>     <filter-name>struts-execute</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> On 7/24/2017 8:19 PM, Deborah White wrote:
>> It now goes to just a blank page. Do I have an issue in my web.xml?
>>
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>> Sent: Saturday, July 22, 2017 2:18 AM
>> To: Struts Developers List <dev@struts.apache.org>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>
>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>> which is new and which I added recently (so please copy the whole new
>> MYStrutsPrepareFilter.java):
>>
>> > if(null != actionContext) {
>> >     ValueStack stack = actionContext.getValueStack();
>> >     stack.setValue("#request['MYUtils']", MYUtils);
>> > }
>>
>> It avoids a null pointer exception.
>>
>> Please reply back to me with the `exception stack trace` if you encounter any.
>>
>> IMPORTANT NOTE:
>>
>> To keep security, your MYUtils class should return only and only the necessary
>> info (not less, not more), in primitive types like string, boolean, int,
>> etc. as much as possible, rather than sensitive objects.
>> For example, the following get method wakes up currently fixed security issues:
>>
>> public class MYUtils {...
>>     public ActionContext getActionContext() {
>>         return ActionContext.getContext();
>>     }
>> ...}
>>
>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>> Sorry! My previous code was sent via my mobile and has a few typo
>>> errors because of issues with copy/paste :(
>>>
>>> Now, at my PC, I tested the following configuration, which works well :)
>>>
>>> 1. MYStrutsPrepareFilter.java
>>>
>>> *********************************************
>>> package me.zamani.yasser.ww_convention.utils;
>>>
>>> import java.io.IOException;
>>>
>>> import javax.servlet.Filter;
>>> import javax.servlet.FilterChain;
>>> import javax.servlet.FilterConfig;
>>> import javax.servlet.ServletException;
>>> import javax.servlet.ServletRequest;
>>> import javax.servlet.ServletResponse;
>>> import javax.servlet.http.HttpServletRequest;
>>>
>>> import org.apache.struts2.StrutsStatics;
>>> import com.opensymphony.xwork2.ActionContext;
>>> import com.opensymphony.xwork2.util.ValueStack;
>>>
>>> /**
>>>  * @author zamani
>>>  *
>>>  */
>>> public class MYStrutsPrepareFilter implements Filter {
>>>
>>>     private MYUtils MYUtils;
>>>
>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>         MYUtils = new MYUtils();
>>>     }
>>>
>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>             throws IOException, ServletException {
>>>
>>>         // struts-prepare has already created the ActionContext at this point;
>>>         // the null check covers requests where it has not.
>>>         ActionContext actionContext = ActionContext.getContext();
>>>         if(null != actionContext) {
>>>             ValueStack stack = actionContext.getValueStack();
>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>         }
>>>
>>>         chain.doFilter(req, res);
>>>     }
>>>
>>>     public void destroy() {
>>>         MYUtils = null;
>>>     }
>>>
>>>     public class MYUtils {
>>>         public boolean isUserInRole (String user) {
>>>             HttpServletRequest httpsr =
>>>                 ((HttpServletRequest) ActionContext.getContext()
>>>                     .get(StrutsStatics.HTTP_REQUEST));
>>>             return httpsr.isUserInRole(user);
>>>         }
>>>     }
>>> }
>>> **********************************************************
>>>
>>> 2. web.xml
>>>
>>> **********************************************************
>>> <filter>
>>>     <filter-name>struts2prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts2execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>>
>>> <filter-mapping>
>>>     <filter-name>struts2prepare</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>> </filter-mapping>
>>>
>>> <filter-mapping>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>> </filter-mapping>
>>>
>>> <filter-mapping>
>>>     <filter-name>struts2execute</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>> </filter-mapping>
>>> **************************************************************
>>>
>>> 3. hello.jsp
>>>
>>> **************************************************************
>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>     you are UserAdmin
>>> </s:if>
>>> <s:else>
>>>     you are not UserAdmin
>>> </s:else>
>>> **************************************************************
>>>
>>> Sincerely Yours,
>>> Yasser.
>>>
>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>> To: Struts Developers List <dev@struts.apache.org>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>
>>>> That is just an example. For your need, in more detail, you should try
>>>> something like these:
>>>>
>>>> 1. Add the following method to class MyUtil:
>>>>
>>>> public boolean isUserInRole (String user) {
>>>>     HttpServletRequest httpsr = ((HttpServletRequest)
>>>>         ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST));
>>>>     return httpsr.isUserInRole (user);
>>>> }
>>>>
>>>> 2. Your struts filters in web.xml should look like:
>>>>
>>>> <filter>
>>>>     <filter-name>struts-prepare</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>struts-execute</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>> </filter>
>>>>
>>>> 3. Finally, find and replace all of
>>>>
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> with
>>>>
>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>
>>>> I think something like these resolves your issue :) Please try and let me
>>>> know.
>>>>
>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>
>>>>> This is what I currently have in my jsp:
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> Where would I put
>>>>> "#request['MYUtils'].requestURI?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>
>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil
>>>>> object, and you add what you need from the excluded packages into the MyUtil
>>>>> class as Java getters. Since MyUtil is not in the excluded packages, you can
>>>>> get what you need from the excluded packages via OGNL through it.
>>>>>
>>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>>
>>>>>> Sorry, as I said I'm new. Will this allow access to the excluded
>>>>>> packages (ognl)?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> Hi there, welcome to the dev list :)
>>>>>>
>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>> to rewrite anything, and a find/replace did all the needed changes.
>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>> please feel free to continue here for a solution :)
>>>>>>
>>>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>
>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>>>>> someone out there has been through this. Any help would be appreciated.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>
>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> The best place to ask such a question is to subscribe to the User
>>>>>>> Mailing list, as there are more eyes to help you:
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the
>>>>>>> exclusion. I would rather figure out in which expression you use this
>>>>>>> class and move the logic to an action.
>>>>>>>
>>>>>>> was (Author: lukaszlenart):
>>>>>>> The best place to ask such a question is to subscribe to the User
>>>>>>> Mailing list, as there are more eyes to help you:
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the
>>>>>>> exclusion. I would rather figure in which expression you use this class
>>>>>>> and move the logic to an action.
>>>>>>>
>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>> -----------------------------------
>>>>>>>>
>>>>>>>>                 Key: WW-4815
>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>             Project: Struts 2
>>>>>>>>          Issue Type: Temp
>>>>>>>>          Components: Core
>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>            Reporter: Deborah White
>>>>>>>>             Fix For: 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>>>>> know this is probably not the place to do this, but I'm not finding
>>>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>>>>> vulnerability. The problem is that the excluded classes in the
>>>>>>>> struts-default.xml are being used by my application and I certainly do
>>>>>>>> not have time to do a rewrite.
>>>>>>>> This is the Warning I get, and then my application does not run as it
>>>>>>>> should because it seems it is not forwarding the roles:
>>>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f]
>>>>>>>> or package of member [public boolean
>>>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>>>> are excluded!
>>>>>>>> I need to know how I can safely modify the struts-default.xml and
>>>>>>>> still have the fix for the vulnerability. Also, if there is something
>>>>>>>> I can instead include in my struts.xml file that would override, that
>>>>>>>> would be better. Thank you.
>>>>>>>
>>>>>>> --
>>>>>>> This message was sent by Atlassian JIRA
>>>>>>> (v6.4.14#64029)
>>>>>>>
>>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may
>>>>>>> contain confidential and/or legally privileged information. It is
>>>>>>> solely for the use of the intended recipient(s). Unauthorized
>>>>>>> interception, review, use or disclosure is prohibited and may violate
>>>>>>> applicable laws including the Electronic Communications Privacy Act. If
>>>>>>> you are not the intended recipient, please contact the sender and
>>>>>>> destroy all copies of the communication.
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
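The thread above keeps returning to one mechanism: Struts 2.3.32 refuses an OGNL member call when either the target object's package or the package of the class declaring the member is excluded, and a small application-owned class that hands back only primitives is the way to stay on the right side of that check. What follows is an added example, not code from the thread, from Yasser's filter or from Struts itself: a stand-alone Java audit that (1) models that package check to show why `request.isUserInRole` produces the quoted WARN while `#request['MYUtils'].isUserInRole` passes, and (2) scans a MYUtils-style class with reflection and flags any public method whose return type is not a primitive, wrapper or String, which is exactly the `getActionContext()` shape the IMPORTANT NOTE warns against. The excluded-prefix list, `ContextStandIn`, `NarrowUtils` and `LeakyUtils` are constructed for the demo; the check is a simplified model of SecurityMemberAccess, not its code, and the authoritative exclusion configuration is whatever struts-default.xml of the deployed version says.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the thread or from Struts): audits a class that is
 * about to be exposed to OGNL via a request attribute, as MYUtils is above.
 */
public class OgnlExposureAudit {

    // Constructed stand-in for the excluded-package configuration. The authoritative
    // list is the one in struts-default.xml of the Struts version actually deployed.
    static final List<String> EXCLUDED_PACKAGE_PREFIXES =
            Arrays.asList("javax.", "ognl.", "com.opensymphony.xwork2.");

    static boolean inExcludedPackage(String fullyQualifiedClassName) {
        for (String prefix : EXCLUDED_PACKAGE_PREFIXES) {
            if (fullyQualifiedClassName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Simplified model of the check behind the quoted WARN: the call is refused
     * when the target's package OR the member's declaring package is excluded.
     */
    static boolean memberCallAllowed(String targetClass, String memberDeclaringClass) {
        return !(inExcludedPackage(targetClass) || inExcludedPackage(memberDeclaringClass));
    }

    /** The "primitive types like string, boolean, int" the thread recommends returning. */
    static boolean isNarrowReturnType(Class<?> type) {
        return type.isPrimitive()
                || type == String.class
                || type == Boolean.class || type == Character.class
                || type == Byte.class || type == Short.class || type == Integer.class
                || type == Long.class || type == Float.class || type == Double.class;
    }

    /** Public methods declared on the exposed class whose return type is wider than that. */
    static List<String> wideReturnTypes(Class<?> exposed) {
        List<String> findings = new ArrayList<>();
        for (Method m : exposed.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers()) || m.isSynthetic()) {
                continue;
            }
            if (!isNarrowReturnType(m.getReturnType())) {
                findings.add(m.getName() + " -> " + m.getReturnType().getName());
            }
        }
        return findings;
    }

    // Constructed stand-in for a framework object such as ActionContext.
    static final class ContextStandIn { }

    // The shape recommended in the thread: one boolean answer and nothing else.
    public static final class NarrowUtils {
        public boolean isUserInRole(String role) {
            return "UserAdmin".equals(role);   // constructed stand-in for request.isUserInRole
        }
    }

    // The shape the IMPORTANT NOTE warns against: a getter handing back the framework object.
    public static final class LeakyUtils {
        public boolean isUserInRole(String role) {
            return "UserAdmin".equals(role);
        }
        public ContextStandIn getActionContext() {
            return new ContextStandIn();
        }
    }

    public static void main(String[] args) {
        // The call from the quoted WARN: a Struts wrapper as target, a javax.servlet.http member.
        System.out.println("request.isUserInRole allowed? " + memberCallAllowed(
                "org.apache.struts2.dispatcher.StrutsRequestWrapper",
                "javax.servlet.http.HttpServletRequestWrapper"));
        // The replacement from the thread: target and member both live in the application's package.
        System.out.println("#request['MYUtils'].isUserInRole allowed? " + memberCallAllowed(
                "me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter$MYUtils",
                "me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter$MYUtils"));
        System.out.println("NarrowUtils findings: " + wideReturnTypes(NarrowUtils.class));
        System.out.println("LeakyUtils findings:  " + wideReturnTypes(LeakyUtils.class));
    }
}
```

Run the audit against the class you are about to expose before wiring it into the filter: an empty list from `wideReturnTypes` means every getter hands OGNL a value rather than an object to navigate further, while a non-empty list is the signal to narrow that method to a boolean or String result (as Yasser's `isUserInRole` does) or drop it. The package-check model only reflects the two-sided target/member rule the WARN text itself describes; it is not a substitute for reading the exclusion constants of the Struts release in use.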