[ https://issues.apache.org/jira/browse/WW-5475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17893244#comment-17893244 ]
Lukasz Lenart commented on WW-5475:
-----------------------------------

The problem here is that this request is routed out of Struts as this is just a pure JSP file - it's handled by the native JSP support in the container. Then the Struts machinery is used because you used the {{<s:action/>}} tag; this is a bad practice and raises security concerns. I would suggest rewriting these pages to be used behind actions.

[https://struts.apache.org/security/#never-expose-jsp-files-directly]

It's hard to add a warning but I will try to figure out something.

> Struts 7: improve error when "s:action" is used on jsp page and jsp is invoked directly in browser
> --------------------------------------------------------------------------------------------------
>
>                 Key: WW-5475
>                 URL: https://issues.apache.org/jira/browse/WW-5475
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 7.0.0
>            Reporter: Wolfgang Knauf
>            Priority: Minor
>             Fix For: 7.0.0
>
>         Attachments: Struts2Sample.war, Struts7Sample.war, StrutsBasics.war
>
>
> I have a "index.jsp" and invoke an action using "s:action" tag, then render
> data from this action. In the browser I navigate to this jsp directly
> ("http://localhost/index.jsp" instead of browsing to ".../index.action").
> Snippet from my JSP:
> {quote}{{<s:action name="myAction" var="myActionResult">}}
> {{ ...}}
> {{ <s:iterator value="#myActionResult.items">}}
> {{ </s:iterator><table><tbody>}}
> {{ <tr>}}
> {{ <td>}}
> {{ <s:property value="a">}}
> {{ </s:property></td>}}
> {{ <td>}}
> {{ <s:property value="b">}}
> {{ </s:property></td>}}
> {{ <td>}}
> {{ <s:property value="c">}}
> {{ </s:property></td>}}
> {{ </tr>}}{{ </tbody>}}
> {{</table>}}
> {quote}
> This worked with Struts 2.
> But when migrating this to Struts 7M9, this error is reported on the server console:
>
> {quote}11:54:55,939 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /Struts7Sample/: org.apache.jasper.JasperException: java.lang.NullPointerException: Cannot invoke "com.opensymphony.xwork2.ActionInvocation.getProxy()" because "invocation" is null
>     at io.undertow.jsp@2.2.7.Final//org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:461)
>     at io.undertow.jsp@2.2.7.Final//org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:403)
>     at io.undertow.jsp@2.2.7.Final//org.apache.jasper.servlet.JspServlet.service(JspServlet.java:347)
>     at jakarta.servlet.api@6.0.0//jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at deployment.Struts7Sample.war//org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.handleRequest(StrutsPrepareAndExecuteFilter.java:149)
>     at deployment.Struts7Sample.war//org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.tryHandleRequest(StrutsPrepareAndExecuteFilter.java:135)
>     at deployment.Struts7Sample.war//org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:123)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.jsp@2.2.7.Final//io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.security.elytron-web.undertow-server@4.1.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
>     at org.wildfly.security.elytron-base@2.5.0.Final//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
>     at org.wildfly.security.elytron-base@2.5.0.Final//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
>     at org.wildfly.security.elytron-base@2.5.0.Final//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
>     at org.wildfly.security.elytron-web.undertow-server@4.1.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.core@2.3.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.core@2.3.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at org.wildfly.security.elytron-web.undertow-server-servlet@4.1.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
>     at org.wildfly.extension.undertow@33.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256)
>     at io.undertow.servlet@2.3.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
>     at io.undertow.core@2.3.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
>     at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
>     at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
>     at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
>     at org.jboss.xnio@3.8.16.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
>     at java.base/java.lang.Thread.run(Thread.java:842)
> Caused by: java.lang.NullPointerException: Cannot invoke "com.opensymphony.xwork2.ActionInvocation.getProxy()" because "invocation" is null
>     at deployment.Struts7Sample.war//org.apache.struts2.components.Component.getNamespace(Component.java:448)
>     at deployment.Struts7Sample.war//org.apache.struts2.components.ActionComponent.executeAction(ActionComponent.java:252)
>     at deployment.Struts7Sample.war//org.apache.struts2.components.ActionComponent.end(ActionComponent.java:166)
>     at deployment.Struts7Sample.war//org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:39)
>     at org.apache.jsp.index_jsp._jspx_meth_s_005faction_005f0(index_jsp.java:170)
>     at org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
>     at io.undertow.jsp@2.2.7.Final//org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>     at jakarta.servlet.api@6.0.0//jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
>     at io.undertow.jsp@2.2.7.Final//org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
>     ... 53 more
> {quote}
>
> The browser renders an empty page in this situation.
> I was told (question on the [mailing
> list|https://lists.apache.org/thread/f4l1t4vtmvobl4l9jycfw5sj2dh7xyx1]) that
> direct access to a jsp is not supported. This issue is about creating a
> helpful error message instead of printing a (meaningless) exception on the
> console.
>
> Attached are two sample apps, one for Struts 2 (runs on a WildFly 26 server)
> and Struts 7.0 M9 (WildFly 33 server).
> Reproduce the error by calling
> "http://localhost:8080/Struts7Sample/index.jsp". It works when invoking
> "http://localhost:8080/Struts7Sample/index.action".
> The war files contain the sources for the actions, and also all necessary
> Struts jars. You can import it to Eclipse by using the type "Import" => "Web"
> => "WAR file"

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
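
The hardening that the comment's link ("never expose JSP files directly") refers to, sketched as an added example that is not part of the ticket or of the Struts project's own files: a `web.xml` constraint that denies direct client requests for `*.jsp`, and a `struts.xml` mapping that serves the page behind an action. The `/WEB-INF/jsp/index.jsp` location, the package name and the `index` action name are assumptions made for illustration.

```xml
<!-- web.xml fragment (inside <web-app>): deny every direct client request
     for a JSP. An <auth-constraint> with no role names permits no caller,
     and with no <http-method> listed the rule covers all HTTP methods.
     Security constraints apply to client requests only, not to
     RequestDispatcher forwards, so Struts dispatcher results can still
     render these pages. -->
<security-constraint>
    <display-name>No direct JSP access</display-name>
    <web-resource-collection>
        <web-resource-name>jsp-pages</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- struts.xml fragment (inside <struts>): expose the page only as
     index.action. With no class attribute the default ActionSupport runs
     and returns "success"; the default dispatcher result forwards to the
     JSP. The path under /WEB-INF is an assumed location: the container
     never serves files from WEB-INF to clients, so the JSP is reachable
     only through this mapping and its <s:action> tag always executes
     inside a Struts action invocation. -->
<package name="default" namespace="/" extends="struts-default">
    <action name="index">
        <result>/WEB-INF/jsp/index.jsp</result>
    </action>
</package>
```

With the constraint in place, a browser request for `index.jsp` is rejected by the container before the JSP executes, so the `<s:action>` tag is never run without an action invocation.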