I apologize, I forgot to mention all the versions we're using.
We are using Struts version 1.3.8 and running on Tomcat 5.5.23 if this
helps.
----Original Message Follows----
From: "Nathan Hook" <[EMAIL PROTECTED]>
I've run into a problem.
If a user either accidentally or maliciously enters an incorrect path that
has a struts extension the user will receive an Exception and a Stack Trace.
For example if we have the path www.xxx.com/login.do mapped like so...
<action path="/login"
type="com.xxx.actions.LoginAction" >
<forward name="success" path="/message.do" redirect="true" />
<forward name="failure" path="/login_error.jsp" redirect="true" />
<forward name="new_user" path="/new_user.do" redirect="true" />
<forward name="user_not_active" path="/user_not_active.jsp"
redirect="true"/>
</action>
and the user types in www.xxx.com/login2.do they will receive an Exception
with the following Stack Trace...
javax.servlet.ServletException: No action config found for the specified
url.
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:286)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
com.kf.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
com.kf.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
com.kf.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)
Root Cause
org.apache.struts.chain.commands.InvalidPathException: No action config
found for the specified url.
org.apache.struts.chain.commands.AbstractSelectAction.execute(AbstractSelectAction.java:71)
org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:304)
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
com.xxx.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
com.xxx.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
com.xxx.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)
Instead of a user receiving a nice 404 File Not Found message they are
displayed an Exception. In my mind making the company look bad. Also, a
malicious user now knows our underlying technology, the flow of our
application, and specific class names.
Is there any configuration settings that we can set to make these exceptions
return a 404 page instead of a Exception? Notice that this error fails WAY
before any of the <global-exceptions> are used.
As of right now I'm planning on Extending the
org.apache.struts.action.ActionServlet class to check to see if we receive
an org.apache.struts.chain.commands.InvalidPathException and if so then show
a 404 page, but I'm not excited about extended super basic Struts behavior.
Does anyone have any thoughts on this subject and what do you think the
behavior or Struts should be in this case? I do like the fail fast aspect
of what is happening, but there should be a more elegant way of handling the
Exception.
Looking forward to any and all response.
Thank you for your time.
_________________________________________________________________
Dont miss your chance to WIN $10,000 and other great prizes from Microsoft
Office Live http://clk.atdmt.com/MRT/go/aub0540003042mrt/direct/01/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
_________________________________________________________________
Get a preview of Live Earth, the hottest event this summer - only on MSN
http://liveearth.msn.com?source=msntaglineliveearthhm
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
