You're welcome :)

1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach the line `return "renewEsignProc";` after `document.regSubmitForm.submit();`? Please verify with a breakpoint.

2. What do you find if you search for "renewSave1" (including the double quotes) in all of your .java files? (Also for "renewSave2".)

On 8/5/2017 1:57 AM, Deborah White wrote:
> So I have now updated to 2.3.33 and have a new piece of code that is not
> acting as expected. You were such a big help last time I thought I would ask.
>
> I have this in my jsp:
>
> function submitESignature() {
>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>     //document.getElementById("button_cont").disabled = "disabled";
>     var url = "<s:url value="renewsave.action" encode="true"/>";
>     document.regSubmitForm.eSignStart.value = 1;
>     document.regSubmitForm.method = "POST";
>     document.regSubmitForm.action = url;
>     document.regSubmitForm.submit();
> }
>
> This in my java code:
>
> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>     return "renewEsignProc";
>
> This in my struts.xml:
>
> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
> </action>
>
> Instead of going to the page for eSignRenewProcReview, it goes to
> renewSaveEPay.jsp. The difference I see is that I am not doing a return from
> the java code for renewSave1 or 2.
>
> Any thoughts?
>
> -----Original Message-----
> From: Yasser Zamani [mailto:yasser.zam...@live.com]
> Sent: Tuesday, July 25, 2017 10:21 AM
> To: Struts Developers List <dev@struts.apache.org>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> You're welcome! Happy to hear that it works there :)
>
> That warning means you still have some more. Please find them by searching
> for 'request.isUserInRole' in your JSPs, then replace them with
> '#request["MYUtils"].isUserInRole'.
>
> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>
> On 7/25/2017 9:35 PM, Deborah White wrote:
>> So, it appears to be working so far. Thank you so much!! I do still get
>> this warning in my log files; do you know the best way to suppress it?
>>
>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess]
>> (http-localhost/127.0.0.1:8080-2) Package of target
>> [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of
>> member [public boolean
>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>> are excluded!
>>
>> Also, in my jsp I had to use this syntax:
>>
>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>     $('#tabs-UserManagement').tabs();
>> </s:if>
>>
>> Instead of ['MYUtils'] (single quote).
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>> Sent: Monday, July 24, 2017 11:27 AM
>> To: Struts Developers List <dev@struts.apache.org>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>
>> Yes, I think you should have mappings for all of them, in the following order:
>>
>> <filter-mapping>
>>     <filter-name>struts-prepare</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>> <filter-mapping>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>> <filter-mapping>
>>     <filter-name>struts-execute</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>>
>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>> It now goes to just a blank page. Do I have an issue in my web.xml?
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>> <filter-mapping>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <dispatcher>FORWARD</dispatcher>
>>>     <dispatcher>REQUEST</dispatcher>
>>> </filter-mapping>
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>> Sent: Saturday, July 22, 2017 2:18 AM
>>> To: Struts Developers List <dev@struts.apache.org>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>
>>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>>> which is new and which I added recently (so please copy the whole new
>>> MYStrutsPrepareFilter.java):
>>>
>>> > if(null != actionContext) {
>>> >     ValueStack stack = actionContext.getValueStack();
>>> >     stack.setValue("#request['MYUtils']", MYUtils);
>>> > }
>>>
>>> It avoids a null pointer exception.
>>>
>>> Please reply back to me with the `exception stack trace` if you encounter any.
>>>
>>> IMPORTANT NOTE:
>>>
>>> To keep security, your MYUtils class should return only the necessary
>>> info (not less, not more), in primitive types like string, boolean, int,
>>> etc. as much as possible, rather than sensitive objects.
>>> For example, the following get method wakes up currently fixed security issues:
>>>
>>> public class MYUtils {...
>>>     public ActionContext getActionContext() {
>>>         return ActionContext.getContext();
>>>     }...}
>>>
>>>
>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>> Sorry! My previous code was sent from my mobile, which has a few typos
>>>> because of issues with copy/paste :(
>>>>
>>>> Now, at my PC, I tested the following configuration, which works well :)
>>>>
>>>> 1. MYStrutsPrepareFilter.java
>>>>
>>>> *********************************************
>>>> package me.zamani.yasser.ww_convention.utils;
>>>>
>>>> import java.io.IOException;
>>>>
>>>> import javax.servlet.Filter;
>>>> import javax.servlet.FilterChain;
>>>> import javax.servlet.FilterConfig;
>>>> import javax.servlet.ServletException;
>>>> import javax.servlet.ServletRequest;
>>>> import javax.servlet.ServletResponse;
>>>> import javax.servlet.http.HttpServletRequest;
>>>>
>>>> import org.apache.struts2.StrutsStatics;
>>>> import com.opensymphony.xwork2.ActionContext;
>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>
>>>> /**
>>>>  * @author zamani
>>>>  *
>>>>  */
>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>
>>>>     private MYUtils MYUtils;
>>>>
>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>         MYUtils = new MYUtils();
>>>>     }
>>>>
>>>>     public void doFilter(ServletRequest req, ServletResponse res,
>>>>             FilterChain chain) throws IOException, ServletException {
>>>>
>>>>         // Mapped after the Struts prepare filter, so the ActionContext already
>>>>         // exists here; put the facade in request scope before the execute filter.
>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>         if(null != actionContext) {
>>>>             ValueStack stack = actionContext.getValueStack();
>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>         }
>>>>
>>>>         chain.doFilter(req, res);
>>>>     }
>>>>
>>>>     public void destroy() {
>>>>         MYUtils = null;
>>>>     }
>>>>
>>>>
>>>>     // Facade reachable from OGNL: returns only a boolean, never the request object.
>>>>     public class MYUtils {
>>>>         public boolean isUserInRole (String user) {
>>>>             HttpServletRequest httpsr =
>>>>                 ((HttpServletRequest) ActionContext.getContext()
>>>>                     .get(StrutsStatics.HTTP_REQUEST));
>>>>             return httpsr.isUserInRole(user);
>>>>         }
>>>>     }
>>>> }
>>>> **********************************************************
>>>>
>>>> 2. web.xml
>>>>
>>>> **********************************************************
>>>> <filter>
>>>>     <filter-name>struts2prepare</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>     <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>struts2execute</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter-mapping>
>>>>     <filter-name>struts2prepare</filter-name>
>>>>     <url-pattern>/*</url-pattern>
>>>> </filter-mapping>
>>>>
>>>> <filter-mapping>
>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>     <url-pattern>/*</url-pattern>
>>>> </filter-mapping>
>>>>
>>>> <filter-mapping>
>>>>     <filter-name>struts2execute</filter-name>
>>>>     <url-pattern>/*</url-pattern>
>>>> </filter-mapping>
>>>> **************************************************************
>>>>
>>>> 3. hello.jsp
>>>>
>>>> **************************************************************
>>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>     you are UserAdmin
>>>> </s:if>
>>>> <s:else>
>>>>     you are not UserAdmin
>>>> </s:else>
>>>> **************************************************************
>>>>
>>>> Sincerely Yours,
>>>> Yasser.
>>>>
>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>
>>>>> That is just an example. For your need, in more detail, you should try
>>>>> something like these:
>>>>>
>>>>> 1. Add the following method to class MyUtil:
>>>>>
>>>>> public boolean isUserInRole (String user) {
>>>>>     HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>>>             .get(StrutsStatics.HTTP_REQUEST));
>>>>>     return httpsr.isUserInRole (user);
>>>>> }
>>>>>
>>>>> 2. Your struts filters in web.xml should look like:
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> 3. Finally, find and replace all of
>>>>>
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> with
>>>>>
>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>
>>>>> I think something like this resolves your issue :) Please try and let me know.
>>>>>
>>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>>
>>>>>> This is what I currently have in my jsp:
>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>
>>>>>> Where would I put
>>>>>> "#request['MYUtils'].requestURI?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil
>>>>>> object, and you add what you need from the excluded packages into the MyUtil
>>>>>> class as Java getters.
>>>>>> Since MyUtil is not in the excluded packages, you can get what you need
>>>>>> from the excluded packages via OGNL through it.
>>>>>>
>>>>>> Deborah White <deborah.wh...@doj.ca.gov> wrote:
>>>>>>
>>>>>>> Sorry, as I said I'm new. Will this allow access to the excluded
>>>>>>> packages (ognl)?
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>> To: Struts Developers List <dev@struts.apache.org>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> Hi there, welcome to the dev list :)
>>>>>>>
>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>>> to rewrite anything, and a find/replace did all the needed changes.
>>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>>> please feel free to continue here for a solution :)
>>>>>>>
>>>>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>
>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>> Please see the content below. Fairly new to Struts and I'm guessing
>>>>>>>> someone out there has been through this. Any help would be
>>>>>>>> appreciated.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>
>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>> ------------------------------------------------------------
>>>>>>>>
>>>>>>>> The best place to ask such a question is to subscribe to the User
>>>>>>>> Mailing list, as there are more eyes to help you:
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the
>>>>>>>> exclusion. I would rather figure out in which expression you use this
>>>>>>>> class and move the logic to an action.
>>>>>>>>
>>>>>>>>
>>>>>>>> was (Author: lukaszlenart):
>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the
>>>>>>>> exclusion, I would rather figure in which expression you use this
>>>>>>>> class and move the logic to an action.
>>>>>>>>
>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>> -----------------------------------
>>>>>>>>>
>>>>>>>>> Key: WW-4815
>>>>>>>>> URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>> Project: Struts 2
>>>>>>>>> Issue Type: Temp
>>>>>>>>> Components: Core
>>>>>>>>> Affects Versions: 2.3.16.3
>>>>>>>>> Reporter: Deborah White
>>>>>>>>> Fix For: 2.3.32
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I need some assistance and am hoping you can provide some insight. I
>>>>>>>>> know this is probably not the place to do this, but I'm not finding
>>>>>>>>> answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the
>>>>>>>>> vulnerability. The problem is that the excluded classes in the
>>>>>>>>> struts-default.xml are being used by my application and I certainly
>>>>>>>>> do not have time to do a rewrite.
>>>>>>>>> This is the Warning I get, and then my application does not run as it
>>>>>>>>> should because it seems it is not forwarding the roles:
>>>>>>>>>
>>>>>>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>>>>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f]
>>>>>>>>> or package of member [public boolean
>>>>>>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>>>>>>> are excluded!
>>>>>>>>>
>>>>>>>>> I need to know how I can safely modify the struts-default.xml and
>>>>>>>>> still have the fix for the vulnerability. Also, if there is
>>>>>>>>> something I can instead include in my struts.xml file that would
>>>>>>>>> override, that would be better. Thank you.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>> (v6.4.14#64029)
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may
>>>>>>>> contain confidential and/or legally privileged information. It is
>>>>>>>> solely for the use of the intended recipient(s). Unauthorized
>>>>>>>> interception, review, use or disclosure is prohibited and may violate
>>>>>>>> applicable laws including the Electronic Communications Privacy Act.
>>>>>>>> If you are not the intended recipient, please contact the sender and
>>>>>>>> destroy all copies of the communication.
>>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
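The migration step the thread settles on (replace direct `request.isUserInRole(...)` calls in JSPs with the `#request['MYUtils']` facade pushed by the prepare filter, and keep that facade to primitive-returning methods) is mechanical enough to script. The helper below is an added example, not code from the thread or from the Struts project. It rewrites the `test`/`value` attributes of Struts tags, chooses the quote style for the map key that does not collide with the attribute's own delimiter (the `['MYUtils']` versus `["MYUtils"]` problem Deborah hit), and reports any remaining direct servlet-request access that would keep triggering the SecurityMemberAccess warning because the facade has no method for it. The facade key `MYUtils`, the single facade method `isUserInRole`, and the sample JSP are assumptions and constructed input, not taken from the thread.

```python
"""Added example (not from the thread or the Struts project): rewrite JSP OGNL
expressions that call the servlet request directly to the request-scoped facade
pushed by a MYStrutsPrepareFilter, and report what still needs attention.

Assumptions (not from the thread): the facade is stored as #request['MYUtils']
and exposes only isUserInRole(String) -> boolean. Everything else is heuristic
text rewriting, not an OGNL parser; review the diff before committing.
"""
import re
from typing import List, Tuple

FACADE_KEY = "MYUtils"                         # assumed request-attribute key
FACADE_METHODS = frozenset({"isUserInRole"})   # assumed facade API (primitives only)

# A Struts tag attribute that carries OGNL: test="..." or value='...'.
# group(1) = attribute name, group(2) = its quote char, group(3) = OGNL body.
_ATTR_RE = re.compile(r'''\b(test|value)=(["'])(.*?)\2''', re.DOTALL)

# `request.<member>` that is not already qualified (#request, foo.request, ...).
_DIRECT_REQ_RE = re.compile(r'(?<![#\w.])request\.(\w+)')


def facade_ref(attr_quote: str) -> str:
    """Build #request[...] with the map key quoted using the quote character the
    attribute does NOT use, so the tag attribute is never terminated early.
    This is the ['MYUtils'] vs ["MYUtils"] problem from the thread."""
    key_quote = '"' if attr_quote == "'" else "'"
    return f"#request[{key_quote}{FACADE_KEY}{key_quote}]"


def migrate(jsp: str) -> Tuple[str, List[str]]:
    """Return (rewritten JSP, findings).

    Only members the facade actually implements are rewritten. Any other direct
    servlet-request access is left untouched and reported: it will keep tripping
    SecurityMemberAccess until a primitive-returning facade method exists or
    the logic moves into the action."""
    findings: List[str] = []

    def fix_attr(attr):
        name, quote, body = attr.group(1), attr.group(2), attr.group(3)
        line = jsp.count("\n", 0, attr.start()) + 1

        def fix_member(m):
            member = m.group(1)
            if member in FACADE_METHODS:
                return f"{facade_ref(quote)}.{member}"
            findings.append(
                f"line {line}: request.{member} still reaches the servlet request "
                f"directly; add a primitive-returning {member} to {FACADE_KEY} "
                f"or move the logic into the action")
            return m.group(0)

        return f"{name}={quote}{_DIRECT_REQ_RE.sub(fix_member, body)}{quote}"

    return _ATTR_RE.sub(fix_attr, jsp), findings


# Constructed sample input, modelled on the JSP lines quoted in the thread.
SAMPLE_JSP = """\
<s:if test='request.isUserInRole("UserAdmin")' >
  $('#tabs-UserManagement').tabs();
</s:if>
<s:if test="request.isUserInRole('Auditor')">audit only</s:if>
<s:property value="request.getRemoteUser()" />
<s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>already migrated</s:if>
"""

if __name__ == "__main__":
    rewritten, notes = migrate(SAMPLE_JSP)
    print(rewritten)
    for note in notes:
        print("WARN", note)
```

Run it over each JSP and act on the findings: anything it reports either needs a new primitive-returning method on the facade (never a getter that hands back the request, the ActionContext or another object from an excluded package) or, as Lukasz suggested in the JIRA comment, should move into the action. The regular expressions are a heuristic and do not parse OGNL, so review the resulting diff before committing it.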