Re: About "Parameter Validation Filter"

2018-03-01 Thread Lukasz Lenart
2018-02-28 17:55 GMT+01:00 Emi :
> Hello,
>
> There is a topic about Parameter Validation Filter (TrimTextValidationRule,
> FailIfNotCanonicalizedValidationRule, FailIfContainsHTMLValidationRule) for
> servlet (https://www.owasp.org/index.php/Parameter_Validation_Filter).
>
> I just want to know that struts2.5.14.1 already have these kinds of
> validation set by default and no need to add pvf.xml anymore, right?

No, I mean, Struts does not perform such validations automatically.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Action chaining not forwarding ModelDriven model properties

2018-03-01 Thread Lukasz Lenart
Can you share the source code of your actions?

2018-02-28 13:17 GMT+01:00 shahzad.ism...@gmail.com :
> Hi,
> I'm migrating an app from Struts 1 to Struts 2 (Tomcat v8 and Struts 
> 2.5.14.1). There is a scenario in which mapping goes like:
> jsp1 --> action1 --> action2 --> action3 --> jsp2
>
> So it must be type="chain" for action1 --> action2 and action2 --> action3 as 
> I need to pass ModelDriven model as well as some action member variables, 
> some of them are non-strings. All 3 actions are chaining to different methods 
> of the same action class.
> The **problem** is that action1 --> action2 is passing action variables but 
> not passing any properties of model even though action2 --> action3 is 
> passing all the action variables as well as model properties.
> I'm only using defaultStack of interceptor.
> My interceptors are defined as:
>
> 
> 
> 
> 
>  name="exception.logEnabled">true
> DEBUG
>  name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*
> 
> 
> 
> 
>
>
> And I'm using them as:
>
> 
>  
> *
> insert
> *
> insert
> 
> kmList_actionmethod2
> kmList_actionmethod3
> 
> actionmethod1, actionmethod2, actionmethod3
> 
> 
>
> I've debugged it a bit and was able to figure out that, initially, at the start 
> of action1, request.getParameter("modelprop") is null then I set modelprop in 
> the action1 method which makes mymodel.modelprop == "something" and 
> request.getAttribute("modelprop") == "something" but the 
> request.getParameter("modelprop") remains null by the end of action1 method. 
> So when it chains to action2 method, it simply rewrites 
> request.getParameter("modelprop") value, which is *null*, back to both, 
> request.getAttribute("modelprop") and mymodel.modelprop. Am I messing up with 
> some interceptor configuration?
> I've tried it with type="redirectAction" and the problem of not passing 
> mymodel.modelprop from action1 to action2 remains.
> Any suggestions would be appreciated.
>




Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping

2018-03-01 Thread Lukasz Lenart
2018-03-01 20:20 GMT+01:00 Prasanth :
> 13:17:52,070 ERROR [stderr] (default task-59) Caused by: 
> java.lang.ClassCastException: com.opensymphony.xwork2.ognl.OgnlValueStack 
> cannot be cast to com.opensymphony.xwork2.util.ValueStack

You have the same JAR twice on the class path but in different versions
(probably xwork-core-*.jar), or the JARs were loaded by different
classloaders, which means some of the framework's JARs were included inside
Wildfly.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
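
One way to check for the condition described in the reply above, as an added example that is not part of the original thread: a shell function that lists every JAR artifact present more than once, in different versions or in different locations, under the given directories. The directory arguments and the `artifact-version.jar` file naming are assumptions.

```shell
#!/bin/sh
# find_duplicate_jars DIR...
# Prints "artifact<TAB>version<TAB>path" for every JAR artifact that occurs
# more than once under the given directories, for example the application's
# WEB-INF/lib and the application server's own module directory.
# Assumes files are named <artifact>-<version>.jar, with the version starting
# at the first "-<digit>".
find_duplicate_jars() {
    find "$@" -type f -name '*.jar' 2>/dev/null |
    while IFS= read -r path; do
        base=${path##*/}
        base=${base%.jar}
        # "xwork-core-2.3.34" -> artifact "xwork-core", version "2.3.34"
        artifact=$(printf '%s\n' "$base" | sed 's/-[0-9].*$//')
        version=${base#"$artifact"}
        version=${version#-}
        printf '%s\t%s\t%s\n' "$artifact" "${version:-unversioned}" "$path"
    done |
    awk -F '\t' '
        { count[$1]++; lines[$1] = lines[$1] $0 "\n" }
        END { for (a in count) if (count[a] > 1) printf "%s", lines[a] }
    ' | sort
}

# When run as a script, scan the directories given on the command line.
if [ "$#" -gt 0 ]; then
    find_duplicate_jars "$@"
fi
```

Any artifact reported here with two versions, or with one copy in the WAR and another in the server's modules, is a candidate for the ClassCastException between classes of the same name.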




Struts2 login action class seems to be reused

2018-03-01 Thread Prasanth
Hi,

I have an application which uses both struts1 & struts2. The login action was
recently moved to struts2. Immediately after the deployment we were notified
that one user is seeing a different user's information, so we had to move to
older war files. I am not able to replicate it. But after investigating the
logs it seems like a couple of users were logged in as soon as they requested
the login page.
For the database entry to happen it has to verify the username and password in
the action class, but the fact that there is no POST entry at that time from
that IP in my access log makes me believe that the action class somehow
already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other
pages. In this filter I have the below two lines, we had to do this as we will
have requests forwarded from one application to another and when that happens
we are getting class cast exception for ActionMapping class and valueStack.
Not sure if the behavior is a side effect of having the below lines.

            request.setAttribute("struts.actionMapping", new ActionMapping());
            request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth



Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping

2018-03-01 Thread Prasanth

Below is the exception you would get if the valueStack is not set to null.

Thanks,
Prasanth

13:17:52,070 ERROR [stderr] (default task-59) Caused by: java.lang.ClassCastException: com.opensymphony.xwork2.ognl.OgnlValueStack cannot be cast to com.opensymphony.xwork2.util.ValueStack
13:17:52,070 ERROR [stderr] (default task-59)     at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:546)
13:17:52,070 ERROR [stderr] (default task-59)     at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
13:17:52,070 ERROR [stderr] (default task-59)     at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
13:17:52,070 ERROR [stderr] (default task-59)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
13:17:52,071 ERROR [stderr] (default task-59)     at com.xxx.xx.LoginFilter.doFilter(LoginFilter.java:46)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
13:17:52,071 ERROR [stderr] (default task-59)     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
13:17:52,071 ERROR [stderr] (default task-59)     ... 128 more

On 03/01/2018 12:42 PM, Prasanth wrote:
> Sorry didn't check the website, I am not getting the emails to my inbox, will 
> try to subscribe again.  I will get back to you with the exception I was 
> getting if you don't set the valueStack to
> null. Thanks, Prasanth 
> --
>
> Thank you very much for your time and report!
>
> Hmm... so how and why `request.setAttribute("struts.valueStack", null)` 
> works.
>
> That's weird and so very important to me :)
>
> Could you please see what is the type of request when you receive it in 
> your second context filter? e.g. println(request.getType()) before those 
> your two lines (I could see myself but maybe it will be different from 
> your one!)
>
> Thanks in advance!
>
>
> On 12/18/2017 11:03 AM, Prasanth Pasala wrote:
>> Added it to Struts JIRA (WW-4904) If I set the struts.actionMapping 
>> attribute to null it still causes the class cast exception. What I have seen 
>> is that after setting it to null if you call
>> getAttribute you would still get the old ActionMapping object, not sure how 
>> that is possible. Thanks, Prasanth 
>> --- 
>> No it's not a Struts issue. You don't see this in Struts1 because maybe 
>> it doesn't use any object bounded to dispatched request. But Struts2 
>> wants to
>>
>> ActionMapping mapping = 
>> (ActionMapping)request.getAttribute("struts.actionMapping");
>>
>> A workaround would be removing object with key "struts.actionMapping" 
>> from request before dispatching.
>>
>> I hope this helps.
>>
>>
>> On 12/15/2017 04:54 PM, Prasanth Pasala wrote:
>>> Added the below two lines to my filter (before the struts2 filter) in 
>>> context2 app. That seems to do the trick. Thought it might create a problem 
>>> as I am setting a new ActionMapping in the
>>> request, but seems to work fine. Do you see any side effects of this?
>>>
>>>         request.setAttribute("struts.actionMapping", new ActionMapping());
>>>         request.setAttribute("struts.valueStack", null);
>>>
>>> Thanks,

Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping

2018-03-01 Thread Prasanth
Sorry didn't check the website, I am not getting the emails to my inbox, will 
try to subscribe again.  I will get back to you with the exception I was 
getting if you don't set the valueStack to null.
Thanks, Prasanth 
--

Thank you very much for your time and report!

Hmm... so how and why `request.setAttribute("struts.valueStack", null)` 
works.

That's weird and so very important to me :)

Could you please see what is the type of request when you receive it in 
your second context filter? e.g. println(request.getType()) before those 
your two lines (I could see myself but maybe it will be different from 
your one!)

Thanks in advance!



On 12/18/2017 11:03 AM, Prasanth Pasala wrote:
> Added it to Struts JIRA (WW-4904) If I set the struts.actionMapping attribute 
> to null it still causes the class cast exception. What I have seen is that 
> after setting it to null if you call
> getAttribute you would still get the old ActionMapping object, not sure how 
> that is possible. Thanks, Prasanth 
> --- 
> No it's not a Struts issue. You don't see this in Struts1 because maybe 
> it doesn't use any object bounded to dispatched request. But Struts2 
> wants to
>
> ActionMapping mapping = 
> (ActionMapping)request.getAttribute("struts.actionMapping");
>
> A workaround would be removing object with key "struts.actionMapping" 
> from request before dispatching.
>
> I hope this helps.
>
>
> On 12/15/2017 04:54 PM, Prasanth Pasala wrote:
>> Added the below two lines to my filter (before the struts2 filter) in 
>> context2 app. That seems to do the trick. Thought it might create a problem 
>> as I am setting a new ActionMapping in the request,
>> but seems to work fine. Do you see any side effects of this?
>>
>>         request.setAttribute("struts.actionMapping", new ActionMapping());
>>         request.setAttribute("struts.valueStack", null);
>>
>> Thanks,
>> Prasanth
>>
>> On 12/15/2017 04:10 PM, Prasanth Pasala wrote:
>>> It seems like removeAttribute or setAttribute is not getting rid of the 
>>> attribute from request. See below. If I set the value to a random string 
>>> then I get a String can't be cast to ActionMapping
>>> exception.
>>>
>>>         Enumeration attrs = request.getAttributeNames();
>>>         while(attrs.hasMoreElements()) {
>>>             System.out.println(attrs.nextElement());
>>>         }
>>>         System.out.println(request.getAttribute("struts.actionMapping"));
>>>         request.setAttribute("struts.actionMapping", null);
>>>         System.out.println(request.getAttribute("struts.actionMapping"));
>>>
>>> Output:
>>> 16:05:05,300 INFO  [stdout] (default task-13) 
>>> javax.servlet.forward.context_path
>>> 16:05:05,302 INFO  [stdout] (default task-13) 
>>> javax.servlet.forward.servlet_path
>>> 16:05:05,303 INFO  [stdout] (default task-13) 
>>> javax.servlet.forward.request_uri
>>> 16:05:05,303 INFO  [stdout] (default task-13) 
>>> javax.servlet.forward.path_info
>>> 16:05:05,303 INFO  [stdout] (default task-13) 
>>> javax.servlet.forward.query_string
>>> 16:05:05,303 INFO  [stdout] (default task-13) javax.servlet.request.key_size
>>> 16:05:05,303 INFO  [stdout] (default task-13) __cleanup_recursion_counter
>>> 16:05:05,303 INFO  [stdout] (default task-13) 
>>> javax.servlet.request.cipher_suite
>>> 16:05:05,304 INFO  [stdout] (default task-13) struts.valueStack
>>> 16:05:05,308 INFO  [stdout] (default task-13) 
>>> javax.servlet.request.ssl_session_id
>>> 16:05:09,121 INFO  [stdout] (default task-13) ActionMapping{name='Login', 
>>> namespace='/', method='null', extension='action', params=null, result=null}
>>> 16:05:10,960 INFO  [stdout] (default task-13) ActionMapping{name='Login', 
>>> namespace='/', method='null', extension='action', params=null, result=null}
>>>
>>>
>>> On 12/15/2017 02:28 PM, Prasanth Pasala wrote:
>>>> Thanks for the prompt response. Tried removing the attribute from the
>>>> request, but still getting the class cast exception. Is it possible it is
>>>> being set after I have called the forward?
>>>>
>>>>     request.removeAttribute("struts.actionMapping");
>>>>     // FORWARD THE REQUEST
>>>>     ServletContext sContext = context.getContext("/context2");
>>>>     RequestDispatcher rd = sContext.getRequestDispatcher("/Login.action");
>>>>     rd.forward(request, response);
>>>>
>>>> No it's not a Struts issue. You don't see this in Struts1 because maybe
>>>> it doesn't use any object bounded to dispatched request. But Struts2
>>>> wants to
>>>>
>>>> ActionMapping mapping =
>>>> (ActionMapping)request.getAttribute("struts.actionMapping");
>>>>
>>>> A workaround would be removing object with key "struts.actionMapping"
>>>> from request before dispatching.
>>>>
>>>> I hope this helps.