Finally we redeployed the code with an added check to make sure the instance 
variables populated by struts match the request parameters. With in few hours 
of deployments we got emails indicating that
the values populated into the instance variables don't match those in request 
parameters. Below you can see the difference between the instance variable and 
the values in the request object.  The code
is also updated to store the hash code of Login action for each login, so that 
we can see if the object is reused. Surprisingly the hash code doesn't match 
with any of the hash codes stored for
successful logins. When the emails are triggered there is only a GET request 
for the Login action (which should display the login page, on the user enters 
the username & password it is submitted via
POST). So I am wondering where did these values come from into the instance 

Struts data doesn't match that in request object.
Struts Data:
    Username: jsmith
    Action: Login
Request Data:
    Username: null
    Action: null

Object Hash: 1573857416


On 03/16/2018 02:30 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is 
> in LoginAction.
> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via 
>> LoginAction.execute method? Right? Or util.authenticate are called elsewhere 
>> also?
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala 
>> <<>> wrote:
>> We have a pretty standard struts.xml just declaration of action and the 
>> class along with the results (tiles results). Nothing other than that.
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>  We do have login time, using that and the IP to correlate that with the 
>> access logs. Not all login entries have corresponding POST entries in access 
>> log, so those would be our problems occurrences.
>>  They actual correspond to a GET entry from a user.
>>  IP of the GET request of User1 matches with the login record in the 
>> database (login would be for User2 id and IP from User1 GET). So it looks as 
>> if the same user logged in from two different IPs
>>  around the same time, which shouldn't be the case.
>>  I'm almost sure Struts always asks object factory to create the action
>>  on each request. This is belong to object factory if create a new one
>>  object of that action, or no, reuse a previous one object of an action.
>>  So have you set any specific object factory via struts.xml?
>> ________________________________
>>  To unsubscribe, e-mail:
>>  For additional commands, e-mail:

Reply via email to