Good Afternoon Nathan-

login2 != login

in your webapp /WEB-INF/web.xml
<error-page>
  <error-code>404</error-code>
  <location>/404.html</location>
</error-page>

HTH
M--

----- Original Message -----
From: "Nathan Hook" <[EMAIL PROTECTED]>
To: <user@struts.apache.org>
Sent: Wednesday, June 06, 2007 12:23 PM
Subject: RE: Struts File Not Found (404) Behavior or Lack of...


I apologize, I forgot to mention all the versions we're using.

We are using Struts version 1.3.8 and running on Tomcat 5.5.23 if this helps.


----Original Message Follows----
From: "Nathan Hook" <[EMAIL PROTECTED]>

I've run into a problem.

If a user either accidentally or maliciously enters an incorrect path that has a struts extension the user will receive an Exception and a Stack Trace.

For example if we have the path www.xxx.com/login.do mapped like so...

<action path="/login"
        type="com.xxx.actions.LoginAction">
  <forward name="success" path="/message.do" redirect="true" />
  <forward name="failure" path="/login_error.jsp" redirect="true" />
  <forward name="new_user" path="/new_user.do" redirect="true" />
  <forward name="user_not_active" path="/user_not_active.jsp" redirect="true" />
</action>

and the user types in www.xxx.com/login2.do they will receive an Exception with the following Stack Trace...

javax.servlet.ServletException: No action config found for the specified url.
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:286)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
com.kf.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
com.kf.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
com.kf.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)

Root Cause

org.apache.struts.chain.commands.InvalidPathException: No action config found for the specified url.
org.apache.struts.chain.commands.AbstractSelectAction.execute(AbstractSelectAction.java:71)
org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:304)
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
com.xxx.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
com.xxx.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
com.xxx.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)


Instead of a user receiving a nice 404 File Not Found message they are displayed an Exception. In my mind making the company look bad. Also, a malicious user now knows our underlying technology, the flow of our application, and specific class names.

Are there any configuration settings that we can set to make these exceptions return a 404 page instead of an Exception? Notice that this error fails WAY before any of the <global-exceptions> are used.

As of right now I'm planning on extending the org.apache.struts.action.ActionServlet class to check to see if we receive an org.apache.struts.chain.commands.InvalidPathException and if so then show a 404 page, but I'm not excited about extending super basic Struts behavior.

Does anyone have any thoughts on this subject and what do you think the behavior of Struts should be in this case? I do like the fail fast aspect of what is happening, but there should be a more elegant way of handling the Exception.

Looking forward to any and all responses.

Thank you for your time.
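
A check for the gap this thread turns on, as an added example that is not part of the original messages: the trace shows a ServletException propagating out of the servlet, and the assumption here is that a container reports such an uncaught exception through an exception-type or 500 mapping rather than the 404 one. Both web.xml samples are constructed, /error.html is a hypothetical page, and the list of required mappings is this example's own policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 404-only mapping suggested in the reply.
WEB_XML_404_ONLY = """<web-app>
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
</web-app>"""

# Constructed sample: adds mappings for HTTP 500 and uncaught exceptions.
# /error.html is a hypothetical static page with no stack trace in it.
WEB_XML_HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>"""

# Assumed audit policy: mappings a deployment should have so that neither a
# missing resource nor an uncaught exception reaches the default error page.
REQUIRED = ("404", "500", "java.lang.Throwable")


def local(tag):
    """Strip an XML namespace so web.xml files with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]


def error_page_gaps(web_xml_text):
    """Return the REQUIRED keys that have no <error-page> with a <location>."""
    covered = set()
    for page in ET.fromstring(web_xml_text).iter():
        if local(page.tag) != "error-page":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in page}
        if not fields.get("location", "").startswith("/"):
            continue  # a mapping without a usable location covers nothing
        for key in ("error-code", "exception-type"):
            if fields.get(key):
                covered.add(fields[key])
    return [k for k in REQUIRED if k not in covered]
```

Calling error_page_gaps() on a deployed WEB-INF/web.xml lists the mappings still missing; an empty list means all three are present.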
