Re: Struts File Not Found (404) Behavior or Lack of...

[Nathan Hook]

Well, the problem has been figured out.  Here is our global-exception entry 
in our struts-config.xml:

<global-exceptions>
    <exception
        handler="com.xxx.action.ExtendedExceptionHandler"
        key="global.error.message"
        scope="request"
        type="java.lang.Exception"/>
</global-exceptions>

We did not have an entry for the key "global.error.message" in our 
message-resources.

So, both the key and scope entries from the global-exception entry were 
removed so it now looks like:

<global-exceptions>
    <exception
        handler="com.xxx.action.ExtendedExceptionHandler"
        type="java.lang.Exception"/>
</global-exceptions>


And, everything is now working as expected.  We receive our 404 page as we 
were hoping.

Sorry to bother everyone with this issue.

Thank you again for your time and thoughtful responses.



----Original Message Follows----
From: "Niall Pemberton" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <user@struts.apache.org>
To: "Struts Users Mailing List" <user@struts.apache.org>
Subject: Re: Struts File Not Found (404) Behavior or Lack of...
Date: Wed, 6 Jun 2007 20:48:24 +0100

On 6/6/07, Nathan Hook <[EMAIL PROTECTED]> wrote:
I've run into a problem.

If a user either accidentally or maliciously enters an incorrect path that
has a struts extension the user will receive an Exception and a Stack 
Trace.

For example if we have the path www.xxx.com/login.do mapped like so...

<action path="/login"
        type="com.xxx.actions.LoginAction" >
   <forward name="success" path="/message.do" redirect="true" />
   <forward name="failure" path="/login_error.jsp" redirect="true" />
   <forward name="new_user" path="/new_user.do" redirect="true" />
   <forward name="user_not_active" path="/user_not_active.jsp"
redirect="true"/>
</action>

and the user types in www.xxx.com/login2.do they will receive an Exception
with the following Stack Trace...

javax.servlet.ServletException: No action config found for the specified
url.
        
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:286)
        
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
        
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        
com.kf.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
        com.kf.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
        
com.kf.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)

Root Cause

org.apache.struts.chain.commands.InvalidPathException: No action config
found for the specified url.
        
org.apache.struts.chain.commands.AbstractSelectAction.execute(AbstractSelectAction.java:71)
        
org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
        
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
        
org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:304)
        
org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
        
org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
        
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
        
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        
com.xxx.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
        com.xxx.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
        
com.xxx.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)


Instead of a user receiving a nice 404 File Not Found message they are
displayed an Exception.  In my mind making the company look bad.  Also, a
malicious user now knows our underlying technology, the flow of our
application, and specific class names.

Is there any configuration settings that we can set to make these 
exceptions
return a 404 page instead of a Exception?  Notice that this error fails WAY
before any of the <global-exceptions> are used.

Did you try specifying and exception handler for InvalidPathException?
While it was true in Struts 1.2.x that the exception handler only
dealt with exceptions thrown by the Action - AFAIK Struts 1.3.x
exception handling covers the whole request processing chain - so it
should work.

Also using the standard exception handler you can(from memory) specify
a message key - I believe theres an example(s) in the struts-examples
webapp for "InvalidCancelException" (in the validation module) - that
does just this.

Also as I suggested in the related thread you posted earlier this week
you can also specify an "unknown" action to handle this - just add
unknown="true" to one (and only 1) of your actions in the
struts-config.xml

Niall

As of right now I'm planning on Extending the
org.apache.struts.action.ActionServlet class to check to see if we receive
an org.apache.struts.chain.commands.InvalidPathException and if so then 
show
a 404 page, but I'm not excited about extended super basic Struts behavior.

Does anyone have any thoughts on this subject and what do you think the
behavior or Struts should be in this case?  I do like the fail fast aspect
of what is happening, but there should be a more elegant way of handling 
the
Exception.

Looking forward to any and all response.

Thank you for your time.

_________________________________________________________________
Make every IM count. Download Messenger and join the i’m Initiative now. 
It’s free. http://im.live.com/messenger/im/home/?source=TAGHM_June07


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]