Finally, we redeployed the code with an added check to make sure the instance
variables populated by Struts match the request parameters. Within a few hours
of deployment we got emails indicating that the values populated into the
instance variables don't match those in the request parameters. Below you can
see the difference between the instance variable and the values in the request
object. The code is also updated to store the hash code of the Login action for
each login, so that we can see if the object is reused. Surprisingly, the hash
code doesn't match any of the hash codes stored for successful logins. When the
emails are triggered there is only a GET request for the Login action (which
should display the login page; once the user enters the username & password it
is submitted via POST). So I am wondering: where did these values in the
instance variables come from?

-----------------------------------------------------------------
Struts data doesn't match that in request object.
Struts Data:
    Username: jsmith
    Action: Login
Request Data:
    Username: null
    Action: null

Object Hash: 1573857416
-----------------------------------------------------------------

Thanks,
Prasanth

On 03/16/2018 02:30 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is 
> in LoginAction.
>
> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via the
>> LoginAction.execute method, right? Or is util.authenticate called elsewhere
>> also?
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala
>> <ppas...@pangburngroup.com> wrote:
>>
>> We have a pretty standard struts.xml, just the declaration of the action and
>> the class along with the results (tiles results). Nothing other than that.
>>
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>
>>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>  We do have the login time, and are using that and the IP to correlate it with
>> the access logs. Not all login entries have corresponding POST entries in the
>> access log, so those would be our problem occurrences.
>>  They actually correspond to a GET entry from a user.
>>
>>  IP of the GET request of User1 matches with the login record in the 
>> database (login would be for User2 id and IP from User1 GET). So it looks as 
>> if the same user logged in from two different IPs
>>  around the same time, which shouldn't be the case.
>>
>>  I'm almost sure Struts always asks the object factory to create the action
>>  on each request. It is up to the object factory whether to create a new
>>  object of that action or to reuse a previous object of the action.
>>  So have you set any specific object factory via struts.xml?
