Re: About "Parameter Validation Filter"
2018-02-28 17:55 GMT+01:00 Emi:
> Hello,
>
> There is a topic about Parameter Validation Filter (TrimTextValidationRule,
> FailIfNotCanonicalizedValidationRule, FailIfContainsHTMLValidationRule) for
> servlet (https://www.owasp.org/index.php/Parameter_Validation_Filter).
>
> I just want to know that struts2.5.14.1 already have these kinds of
> validation set by default and no need to add pvf.xml anymore, right?

No, I mean, Struts does not perform such validations automatically.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: Action chaining not forwarding ModelDriven model properties
Can you share a source code of your actions?

2018-02-28 13:17 GMT+01:00 shahzad.ism...@gmail.com:
> Hi,
> I'm migrating an app from Struts 1 to Struts 2 (Tomcat v8 and Struts
> 2.5.14.1). There is a scenario in which mapping goes like:
> jsp1 --> action1 --> action2 --> action3 --> jsp2
>
> So it must be type="chain" for action1 --> action2 and action2 --> action3 as
> I need to pass ModelDriven model as well as some action member variables,
> some of them are non-strings. All 3 actions are chaining to different methods
> of the same action class.
> The **problem** is that action1 --> action2 is passing action variables but
> not passing any properties of model even though action2 --> action3 is
> passing all the action variables as well as model properties.
> I'm only using defaultStack of interceptor.
> My interceptors are defined as:
>
> name="exception.logEnabled">true
> DEBUG
> name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*
>
> And I'm using them as:
>
> *
> insert
> *
> insert
>
> kmList_actionmethod2
> kmList_actionmethod3
>
> actionmethod1, actionmethod2, actionmethod3
>
> I've debugged it a bit and able to figure out that, initially, at the start
> of action1, request.getParameter("modelprop") is null then I set modelprop in
> the action1 method which makes mymodel.modelprop == "something" and
> request.getAttribute("modelprop") == "something" but the
> request.getParameter("modelprop") remains null by the end of action1 method.
> So when it chains to action2 method, it simply rewrites
> request.getParameter("modelprop") value, which is *null*, back to both,
> request.getAttribute("modelprop") and mymodel.modelprop. Am I messing up with
> some interceptor configuration?
> I've tried it with type="redirectAction" and the problem of not passing
> mymodel.modelprop from action1 to action2 remains.
> Any suggestions would be appreciated.
Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping
2018-03-01 20:20 GMT+01:00 Prasanth:
> 13:17:52,070 ERROR [stderr] (default task-59) Caused by:
> java.lang.ClassCastException: com.opensymphony.xwork2.ognl.OgnlValueStack
> cannot be cast to com.opensymphony.xwork2.util.ValueStack

You have two of the same JARs on the class path but in different versions (probably xwork-core-*.jar), or the JARs were loaded by different classloaders, which means some framework's JARs were included inside Wildfly.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
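To check for the situation the reply above describes (the same JAR present in more than one version, or in more than one location), the following added example, which is not part of the original thread, lists JAR artifacts that occur more than once under the directories it is given. The sample tree, its directory names and the 2.3.16 version are constructed for the demonstration, and the name/version split is a filename heuristic.

```shell
#!/usr/bin/env bash
# Added example: report JAR artifacts present more than once under the given
# directories, e.g. an application's WEB-INF/lib plus the server's module tree.

find_dup_jars() {
    find "$@" -type f -name '*.jar' 2>/dev/null | sort | awk -F/ '
    {
        file = $NF
        sub(/\.jar$/, "", file)
        # Heuristic: the version starts at the first "-<digit>" in the name,
        # so "xwork-core-2.3.34" is artifact "xwork-core", version "2.3.34".
        if (match(file, /-[0-9]/)) {
            name = substr(file, 1, RSTART - 1)
            ver  = substr(file, RSTART + 1)
        } else {
            name = file
            ver  = "(none)"
        }
        copies[name]++
        paths[name] = paths[name] "    " $0 "\n"
        if (!((name, ver) in seen)) { seen[name, ver] = 1; versions[name]++ }
    }
    END {
        for (n in copies)
            if (copies[n] > 1)
                printf "%s: %d copies, %d version(s)\n%s", n, copies[n], versions[n], paths[n]
    }'
}

# Constructed sample tree: empty files, only the names matter. The directory
# names and the 2.3.16 version are made up for the demonstration.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app/WEB-INF/lib" "$d/server/modules"
    touch "$d/app/WEB-INF/lib/xwork-core-2.3.34.jar" \
          "$d/app/WEB-INF/lib/struts2-core-2.3.34.jar" \
          "$d/server/modules/xwork-core-2.3.16.jar"
    echo "$d"
}

sample=$(make_sample)
find_dup_jars "$sample"
rm -rf "$sample"
```

An artifact reported with one version but two copies is still worth a look, since the reply also names JARs loaded by different classloaders as a cause.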
Struts2 login action class seems to be reused
Hi,

I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user's information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like a couple of users were logged in as soon as they requested the login page. For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe that the action class somehow already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines, we had to do this as we will have requests forwarded from one application to another and when that happens we are getting class cast exception for ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly. Appreciate any insights you might have.

Thanks,
Prasanth
Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping
Below is the exception you would get if the valueStack is not set to null.

Thanks,
Prasanth

13:17:52,070 ERROR [stderr] (default task-59) Caused by: java.lang.ClassCastException: com.opensymphony.xwork2.ognl.OgnlValueStack cannot be cast to com.opensymphony.xwork2.util.ValueStack
13:17:52,070 ERROR [stderr] (default task-59) at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:546)
13:17:52,070 ERROR [stderr] (default task-59) at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
13:17:52,070 ERROR [stderr] (default task-59) at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
13:17:52,070 ERROR [stderr] (default task-59) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
13:17:52,071 ERROR [stderr] (default task-59) at com.xxx.xx.LoginFilter.doFilter(LoginFilter.java:46)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
13:17:52,071 ERROR [stderr] (default task-59) at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
13:17:52,071 ERROR [stderr] (default task-59) ... 128 more

On 03/01/2018 12:42 PM, Prasanth wrote:
> Sorry didn't check the website, I am not getting the emails to my inbox, will
> try to subscribe again. I will get back to you with the exception I was
> getting if you don't set the valueStack to null.
>
> Thanks,
> Prasanth
>
> --
>
> Thank you very much for your time and report!
>
> Hmm... so how and why `request.setAttribute("struts.valueStack", null)`
> works.
>
> That's weird and so very important to me :)
>
> Could you please see what is the type of request when you receive it in
> your second context filter? e.g. println(request.getType()) before those
> your two lines (I could see myself but maybe it will be different from
> your one!)
>
> Thanks in advance!
>
> On 12/18/2017 11:03 AM, Prasanth Pasala wrote:
>> Added it to Struts JIRA (WW-4904)
>>
>> If I set the struts.actionMapping attribute to null it still causes the
>> class cast exception. What I have seen is that after setting it to null
>> if you call getAttribute you would still get the old ActionMapping object,
>> not sure how that is possible.
>>
>> Thanks,
>> Prasanth
>>
>> ---
>>
>> No it's not a Struts issue. You don't see this in Struts1 because maybe
>> it doesn't use any object bounded to dispatched request. But Struts2
>> wants to
>>
>> ActionMapping mapping =
>> (ActionMapping)request.getAttribute("struts.actionMapping");
>>
>> A workaround would be removing object with key "struts.actionMapping"
>> from request before dispatching.
>>
>> I hope this helps.
>>
>> On 12/15/2017 04:54 PM, Prasanth Pasala wrote:
>>> Added the below two lines to my filter (before the struts2 filter) in
>>> context2 app. That seems to do the trick. Thought it might create a problem
>>> as I am setting a new ActionMapping in the request, but seems to work fine.
>>> Do you see any side effects of this?
>>>
>>> request.setAttribute("struts.actionMapping", new ActionMapping());
>>> request.setAttribute("struts.valueStack", null);
>>>
>>> Thanks,
Re: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping
Sorry didn't check the website, I am not getting the emails to my inbox, will try to subscribe again. I will get back to you with the exception I was getting if you don't set the valueStack to null.

Thanks,
Prasanth

--

Thank you very much for your time and report!

Hmm... so how and why `request.setAttribute("struts.valueStack", null)` works.

That's weird and so very important to me :)

Could you please see what is the type of request when you receive it in your second context filter? e.g. println(request.getType()) before those your two lines (I could see myself but maybe it will be different from your one!)

Thanks in advance!

On 12/18/2017 11:03 AM, Prasanth Pasala wrote:
> Added it to Struts JIRA (WW-4904)
>
> If I set the struts.actionMapping attribute to null it still causes the
> class cast exception. What I have seen is that after setting it to null
> if you call getAttribute you would still get the old ActionMapping object,
> not sure how that is possible.
>
> Thanks,
> Prasanth
>
> ---
>
> No it's not a Struts issue. You don't see this in Struts1 because maybe
> it doesn't use any object bounded to dispatched request. But Struts2
> wants to
>
> ActionMapping mapping =
> (ActionMapping)request.getAttribute("struts.actionMapping");
>
> A workaround would be removing object with key "struts.actionMapping"
> from request before dispatching.
>
> I hope this helps.
>
> On 12/15/2017 04:54 PM, Prasanth Pasala wrote:
>> Added the below two lines to my filter (before the struts2 filter) in
>> context2 app. That seems to do the trick. Thought it might create a problem
>> as I am setting a new ActionMapping in the request, but seems to work fine.
>> Do you see any side effects of this?
>>
>> request.setAttribute("struts.actionMapping", new ActionMapping());
>> request.setAttribute("struts.valueStack", null);
>>
>> Thanks,
>> Prasanth
>>
>> On 12/15/2017 04:10 PM, Prasanth Pasala wrote:
>>> It seems like removeAttribute or setAttribute is not getting rid of the
>>> attribute from request. See below. If I set the value to a random string
>>> then I get a String can't be cast to ActionMapping exception.
>>>
>>> Enumeration attrs = request.getAttributeNames();
>>> while(attrs.hasMoreElements()) {
>>>     System.out.println(attrs.nextElement());
>>> }
>>> System.out.println(request.getAttribute("struts.actionMapping"));
>>> request.setAttribute("struts.actionMapping", null);
>>> System.out.println(request.getAttribute("struts.actionMapping"));
>>>
>>> Output:
>>> 16:05:05,300 INFO [stdout] (default task-13) javax.servlet.forward.context_path
>>> 16:05:05,302 INFO [stdout] (default task-13) javax.servlet.forward.servlet_path
>>> 16:05:05,303 INFO [stdout] (default task-13) javax.servlet.forward.request_uri
>>> 16:05:05,303 INFO [stdout] (default task-13) javax.servlet.forward.path_info
>>> 16:05:05,303 INFO [stdout] (default task-13) javax.servlet.forward.query_string
>>> 16:05:05,303 INFO [stdout] (default task-13) javax.servlet.request.key_size
>>> 16:05:05,303 INFO [stdout] (default task-13) __cleanup_recursion_counter
>>> 16:05:05,303 INFO [stdout] (default task-13) javax.servlet.request.cipher_suite
>>> 16:05:05,304 INFO [stdout] (default task-13) struts.valueStack
>>> 16:05:05,308 INFO [stdout] (default task-13) javax.servlet.request.ssl_session_id
>>> 16:05:09,121 INFO [stdout] (default task-13) ActionMapping{name='Login', namespace='/', method='null', extension='action', params=null, result=null}
>>> 16:05:10,960 INFO [stdout] (default task-13) ActionMapping{name='Login', namespace='/', method='null', extension='action', params=null, result=null}
>>>
>>> On 12/15/2017 02:28 PM, Prasanth Pasala wrote:
>>>> Thanks for the prompt response. Tried removing the attribute from the
>>>> request, but still getting the class cast exception. Is it possible it is
>>>> being set after I have called the forward?
>>>>
>>>> request.removeAttribute("struts.actionMapping");
>>>> // FORWARD THE REQUEST
>>>> ServletContext sContext = context.getContext("/context2");
>>>> RequestDispatcher rd = sContext.getRequestDispatcher("/Login.action");
>>>> rd.forward(request, response);
>>>>
>>>> No it's not a Struts issue. You don't see this in Struts1 because maybe
>>>> it doesn't use any object bounded to dispatched request. But Struts2
>>>> wants to
>>>>
>>>> ActionMapping mapping =
>>>> (ActionMapping)request.getAttribute("struts.actionMapping");
>>>>
>>>> A workaround would be removing object with key "struts.actionMapping"
>>>> from request before dispatching.
>>>>
>>>> I hope this helps.