Yes, login page is accessible always. Direct jsp access is not allowed, it has to go through the actions. When a user requests /Login.action login jsp page is displayed. When the user submits username and password (Post to Login.action) the user is authenticated and home page is displayed by Login.action. Since the same action handles both displaying login page and validating, if the values are already present (username, password, value of the button clicked) the action will authenticate the user and display home page as it does this it will make a database entry saying xyz user has logged in.
Actual Setup: Application 1: /context1 --- User can login here and they will be forwarded to context2. This application uses struts 2.5.14 Application 2: /context2 --- User can login directly in /context 2 (in which case no forwarding). This application uses struts 2.3.34 for login and other actions. There are few actions in struts1 also. For replicating the issue I was directly accessing /context2/Login.action. So /context1 was not used in testing. But the Login filter had the below lines to make sure forwarded requests from /context1 would work. request.setAttribute("struts.actionMapping", new ActionMapping()); request.setAttribute("struts.valueStack", null); The request object type is io.undertow.servlet.spec.HttpServletRequestImpl Thanks, Prasanth On 03/03/2018 04:14 AM, Yasser Zamani wrote: > On 3/3/2018 12:37 AM, Prasanth Pasala wrote: >> I was able to replicate the issue today. Asked few users to keep logging in >> and ran jmeter to access login page, with out putting any username or >> password. Out of the 100 attempts 2 attempts were >> successful in getting in with out username/password. I am seeing database >> login entries for these two. Which would happen only if a valid session is >> not present and user has provided username/password. > Shouldn't login page being accessible always? How do you try access > login page, calling directly to jsp? Or action? How do you authenticate > that access try, via session values? Via request parameters and querying > database? > >> Not sure if the behavior is a side effect of having the below lines. >> >> request.setAttribute("struts.actionMapping", new >> ActionMapping()); >> request.setAttribute("struts.valueStack", null); > Not these lines but I guess you may also remove more things from > forwarded request (e.g. session). Could you please print > request.toString before these lines to see what type is it? Could you > serialize request to a xml to see all values stored in that request? > Anyway, like you, I also think this issue is because of forwarding the > request from Struts1 to Struts2. > > Regards. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org >