FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.

-----Original Message-----
From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
Sent: Thursday, July 13, 2017 9:32 PM
To: Deborah White <[hidden email]>
Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32


    [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]

Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
------------------------------------------------------------

The best place to ask such a question is to subscribe to the User Mailing list, as there are more eyes to help you: http://struts.apache.org/mail.html

And to answer your question: there is no safe way to modify the exclusion. I would rather figure out in which expression you use this class and move the logic to an action.



> Migrating Struts 2.3.16.3 to 2.3.32
> -----------------------------------
>
>                 Key: WW-4815
>                 URL: https://issues.apache.org/jira/browse/WW-4815
>             Project: Struts 2
>          Issue Type: Temp
>          Components: Core
>    Affects Versions: 2.3.16.3
>            Reporter: Deborah White
>             Fix For: 2.3.32
>
>
> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
> This is the warning I get, and then my application does not run as it should because it seems it is not forwarding the roles:
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
Hi there, welcome to the dev list :)

Do you need access to excluded packages in your JSPs? I had a similar
issue and you can see my solution at [1]. I did not need to rewrite
anything; a find/replace did all the needed changes. Please review my
solution to see if it also resolves yours. If not, please feel free to
continue here for a solution :)

[1] https://github.com/apache/struts/pull/125#issuecomment-293608411



RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?



Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
In reply to this post by Deborah White
You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.



Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
In reply to this post by Deborah White
That is just an example. For your need, in more detail, you should try something like this:

1. Add the following method to class MyUtil:

    public boolean isUserInRole(String role) {
        // the HttpServletRequest that Struts stored in the ActionContext for this request
        HttpServletRequest httpsr =
                (HttpServletRequest) ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST);
        return httpsr.isUserInRole(role);
    }

2. Your Struts filters in web.xml should look like this:

<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<!-- your own filter; it is what makes #request['MYUtils'] available to the JSPs -->
<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>

3. Finally, find and replace all of

<s:if test='request.isUserInRole("UserAdmin")' >

with

<s:if test="#request['MYUtils'].isUserInRole('UserAdmin')">

I think something like this resolves your issue :) please try and let me know.

Deborah White <[hidden email]> wrote:

>This is what I currently have in my jsp:
><s:if test='request.isUserInRole("UserAdmin")' >
>
>Where would I put
>"#request['MYUtils'].requestURI"?
>
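The two classes the steps above rely on but never show in full, written out as an added example; this is not Yasser's code from the linked pull request and not part of Struts itself. The point is the one Lukasz and Yasser make: do not widen struts.excludedPackageNames, because that exclusion is the guard that limits what any OGNL expression, including one an attacker manages to inject, can reach (the warning quoted in the JIRA issue is that guard refusing javax.servlet.http.HttpServletRequestWrapper.isUserInRole). Instead the JSPs get a small facade in the application's own package whose only public methods are the checks the views need; OGNL can call the facade, but never holds the HttpServletRequest behind it. The filter name MYStrutsPrepareFilter and the attribute name MYUtils come from the thread; the package my.app.security, the constructor that captures the request inside the filter (Yasser's version fetched it from the ActionContext instead), and the getRequestURI getter are my assumptions.

```java
// --- MyUtil.java ---
package my.app.security;   // assumed package; must be one of your own, never an excluded one such as javax.*

import javax.servlet.http.HttpServletRequest;

/**
 * Facade the JSPs reach through OGNL as #request['MYUtils'].  It lives in the
 * application's own package, so SecurityMemberAccess lets expressions call it,
 * while the HttpServletRequest it wraps (javax.servlet.http.*, an excluded
 * package) is a private field that no expression can get hold of.
 * Keep this class to the read-only checks the views really need.
 */
public final class MyUtil {

    /** Request attribute name used by the JSP expressions in the thread. */
    public static final String ATTRIBUTE_NAME = "MYUtils";

    private final HttpServletRequest request;

    MyUtil(HttpServletRequest request) {
        this.request = request;
    }

    /** Replacement for request.isUserInRole("...") in <s:if> tests. */
    public boolean isUserInRole(String role) {
        // a null role would go straight to the container; treat it as "not in role"
        return role != null && request.isUserInRole(role);
    }

    /** Replacement for request.requestURI (assumed to be the other use in the views). */
    public String getRequestURI() {
        return request.getRequestURI();
    }
}

// --- MYStrutsPrepareFilter.java ---
package my.app.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Puts a MyUtil for the current request into the request attributes, which is
 * the map OGNL's #request reads.  Map it in web.xml between struts-prepare and
 * struts-execute (the servlet container orders filters by filter-mapping order)
 * so it sees the request Struts has already prepared.
 */
public final class MYStrutsPrepareFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { /* nothing to configure */ }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Roles only exist on HTTP requests; anything else passes through untouched.
        if (request instanceof HttpServletRequest) {
            request.setAttribute(MyUtil.ATTRIBUTE_NAME, new MyUtil((HttpServletRequest) request));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```

Every filter, struts-prepare and struts-execute included, needs its own <filter-mapping>; a filter that is only declared is never invoked. Once the three are mapped, `<s:if test="#request['MYUtils'].isUserInRole('UserAdmin')">` works in the views, and any <s:if> that still calls request.isUserInRole directly keeps logging the SecurityMemberAccess warning quoted in the JIRA issue, which makes that log line the check that the find/replace caught everything. If the facade ever needs to grow, add another narrow method rather than a getter that hands back the request or session: the facade is exactly the surface an OGNL expression can reach.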


RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
This is what I put in my web.xml
<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

And I get this error:
java.lang.NullPointerException
        gov.ca.doj.ems.util.MYStrutsPrepareFilter.doFilter(MYStrutsPrepareFilter.java:35)

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Friday, July 21, 2017 1:04 PM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

That is just an example. For your need, in more detail, you should try something like these:

1. Add following method to class MyUtil:

                public boolean isUserInRole (String user) {                     HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()                                    .get(StrutsStatics.HTTP_REQUEST));                      return httpsr.isUserInRole (user);              }

2. Your struts filters in web.xml should looks like:

<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name> MYStrutsPrepareFilter</filter-name>
    <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>

3. Finally find and replace all of

<s:if test='request.isUserInRole("UserAdmin")' >

With

<s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >

I think something like these resolve your issue :) please try and let me know.

Deborah White <[hidden email]> نوشت:

>This is what I currently have in my jsp:
><s:if test='request.isUserInRole("UserAdmin")' >
>
>Where would I put
>"#request['MYUtils'].requestURI?
>
>-----Original Message-----
>From: Yasser Zamani [mailto:[hidden email]]
>Sent: Friday, July 21, 2017 10:53 AM
>To: Struts Developers List <[hidden email]>
>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>2.3.16.3 to 2.3.32
>
>You are welcome :) In this solution, by ognl, you only access the MyUtil object and you add what you need from excluded packages into MyUtil class as java getters. While MyUtil is not in excluded packages, so, you can get what you need from excluded packages via ognl then it.
>
>Deborah White <[hidden email]> نوشت:
>
>>Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>
>>-----Original Message-----
>>From: Yasser Zamani [mailto:[hidden email]]
>>Sent: Thursday, July 20, 2017 10:55 PM
>>To: Struts Developers List <[hidden email]>
>>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>2.3.16.3 to 2.3.32
>>
>>Hi there, welcome to dev list :)
>>
>>Do you need access to excluded packages in your JSPs? I had similar
>>issue and you can see my solution at [1]. I did not need to rewrite
>>any thing and a find/replace did all needed changes. Please review my
>>solution if also resolves your one. If not, please feel free continue
>>here for a solution :)
>>
>>[1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>
>>On 7/21/2017 2:38 AM, Deborah White wrote:
>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>
>>> -----Original Message-----
>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>> Sent: Thursday, July 13, 2017 9:32 PM
>>> To: Deborah White <[hidden email]>
>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
>>> to 2.3.32
>>>
>>>
>>>     [
>>> https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.
>>>
>>>plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160868
>>>3
>>> 2#comment-16086832 ]
>>>
>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>> ------------------------------------------------------------
>>>
>>> The best place to ask such question is to subscribe to the User
>>> Mailing list as there are more eyes to help you
>>> http://struts.apache.org/mail.html
>>>
>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>
>>>
>>> was (Author: lukaszlenart):
>>> The best place to ask such question is to subscribe to the User
>>> Mailing list as there are more eyes to help you
>>> http://struts.apache.org/mail.html
>>>
>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>
>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>> -----------------------------------
>>>>
>>>>                 Key: WW-4815
>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>             Project: Struts 2
>>>>          Issue Type: Temp
>>>>          Components: Core
>>>>    Affects Versions: 2.3.16.3
>>>>            Reporter: Deborah White
>>>>             Fix For: 2.3.32
>>>>
>>>>
>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>
>>>
>>>
>>> --
>>> This message was sent by Atlassian JIRA
>>> (v6.4.14#64029)
>>>
>>>
>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [hidden email] For
>>additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
In reply to this post by Yasser Zamani
And the jsp doesn't seem to like this syntax for some reason.

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Friday, July 21, 2017 1:04 PM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

That is just an example. For your need, in more detail, you should try something like this:

1. Add the following method to class MyUtil:

                public boolean isUserInRole (String user) {
                        HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
                                        .get(StrutsStatics.HTTP_REQUEST));
                        return httpsr.isUserInRole (user);
                }

2. Your struts filters in web.xml should look like:

<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>

3. Finally find and replace all of

<s:if test='request.isUserInRole("UserAdmin")' >

With

<s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >

I think something like these resolve your issue :) please try and let me know.

Deborah White <[hidden email]> wrote:

>This is what I currently have in my jsp:
><s:if test='request.isUserInRole("UserAdmin")' >
>
>Where would I put
>"#request['MYUtils'].requestURI?
>
>-----Original Message-----
>From: Yasser Zamani [mailto:[hidden email]]
>Sent: Friday, July 21, 2017 10:53 AM
>To: Struts Developers List <[hidden email]>
>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>2.3.16.3 to 2.3.32
>
>You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in an excluded package, you can get what you need from the excluded packages via OGNL through it.
>
>Deborah White <[hidden email]> wrote:
>
>>Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>
>>-----Original Message-----
>>From: Yasser Zamani [mailto:[hidden email]]
>>Sent: Thursday, July 20, 2017 10:55 PM
>>To: Struts Developers List <[hidden email]>
>>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>2.3.16.3 to 2.3.32
>>
>>Hi there, welcome to dev list :)
>>
>>Do you need access to excluded packages in your JSPs? I had a similar
>>issue and you can see my solution at [1]. I did not need to rewrite
>>anything, and a find/replace did all the needed changes. Please check
>>whether my solution also resolves yours. If not, please feel free to
>>continue here for a solution :)
>>
>>[1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>

Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
Sorry! My previous code was sent from my mobile and has a few typos
because of copy/paste issues :(

Now, at my PC, I tested the following configuration, which works well :)

1. MYStrutsPrepareFilter.java

*********************************************
package me.zamani.yasser.ww_convention.utils;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * @author zamani
 *
 */
public class MYStrutsPrepareFilter implements Filter {

        private MYUtils MYUtils;

        public void init(FilterConfig filterConfig) throws ServletException {
                MYUtils = new MYUtils();
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                        throws IOException, ServletException {

                // The ActionContext is available here because this filter is
                // mapped after StrutsPrepareFilter; it is null when no Struts
                // context was prepared for this request, hence the check.
                ActionContext actionContext = ActionContext.getContext();
                if (null != actionContext) {
                        ValueStack stack = actionContext.getValueStack();
                        // Exposes the helper to OGNL as #request['MYUtils']
                        stack.setValue("#request['MYUtils']", MYUtils);
                }

                chain.doFilter(req, res);
        }

        public void destroy() {
                MYUtils = null;
        }

        // Lives in a non-excluded package, so OGNL may call it; it hands
        // the page only a boolean, never the request object itself.
        public class MYUtils {
                public boolean isUserInRole(String user) {
                        HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
                                        .get(StrutsStatics.HTTP_REQUEST);
                        return httpsr.isUserInRole(user);
                }
        }
}
**********************************************************

2. web.xml

**********************************************************
     <filter>
         <filter-name>struts2prepare</filter-name>
         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
     </filter>

     <filter>
         <filter-name>MYStrutsPrepareFilter</filter-name>
         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
     </filter>

     <filter>
         <filter-name>struts2execute</filter-name>
         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
     </filter>

     <filter-mapping>
         <filter-name>struts2prepare</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

     <filter-mapping>
         <filter-name>MYStrutsPrepareFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

     <filter-mapping>
         <filter-name>struts2execute</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
**************************************************************

3. hello.jsp

**************************************************************
     <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
     you are UserAdmin
     </s:if>
     <s:else>
     you are not UserAdmin
     </s:else>
**************************************************************

Sincerely Yours,
Yasser.

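As an added example (not code from this thread or from the Struts project), here is the route Lukasz pointed to in the JIRA comment: move the role check into the action so the JSP evaluates a boolean on the value stack and never calls into javax.servlet.* through OGNL. The package and class names are assumed; `org.apache.struts2.interceptor.ServletRequestAware` and the `servletConfig` interceptor that drives it are part of the Struts 2.3.x default stack.

```java
package com.example.struts.action; // assumed package, not from the thread

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Added example, not code from this thread or from the Struts project.
 *
 * Base action that answers role questions itself, so page expressions
 * evaluate a boolean on the value stack instead of calling
 * HttpServletRequest.isUserInRole() through OGNL (the call that the
 * exclusion list in struts-default.xml now blocks).
 */
public class RoleAwareActionSupport extends ActionSupport implements ServletRequestAware {

    private static final long serialVersionUID = 1L;

    // Injected by the servletConfig interceptor of the default stack.
    // Private, transient and without a getter: there is no OGNL path from
    // this action to the request object, so nothing in javax.servlet.* is
    // reachable from a page expression.
    private transient HttpServletRequest request;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /** General form, for <s:if test='hasRole("UserAdmin")'>. Only a boolean leaves this class. */
    public boolean hasRole(String role) {
        if (request == null || role == null || role.isEmpty()) {
            return false;
        }
        return request.isUserInRole(role);
    }

    /** Property form, for <s:if test="userAdmin">; "UserAdmin" is the role name used in the thread. */
    public boolean isUserAdmin() {
        return hasRole("UserAdmin");
    }

    /** String only, for "signed in as ..." banners; null when the container has not authenticated the user. */
    public String getRemoteUser() {
        return request == null ? null : request.getRemoteUser();
    }
}
```

Existing actions switch from `extends ActionSupport` to `extends RoleAwareActionSupport`, and the JSP find/replace turns `<s:if test='request.isUserInRole("UserAdmin")'>` into `<s:if test='hasRole("UserAdmin")'>` (or `<s:if test="userAdmin">`). Nothing is put into the `#request` map and no extra filter is needed; because the servlet request is a private transient field with no getter, no expression can navigate from the action back to an excluded type.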

Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
I forgot to mention the following block in MYStrutsPrepareFilter.java,
which is new and I added recently (so please copy the whole new
MYStrutsPrepareFilter.java):

 > if(null != actionContext) {
 >         ValueStack stack = actionContext.getValueStack();
 >         stack.setValue("#request['MYUtils']", MYUtils);
 > }

It avoids a null pointer exception.

Please reply back to me the `exception stack trace` if you encounter any.

IMPORTANT NOTE:

To keep things secure, your MYUtils class should return only the
necessary info (no less, no more), in primitive types like String,
boolean, int, etc. as much as possible, rather than sensitive objects.
For example, the following getter reopens the security issues that are
currently fixed:

  public class MYUtils {
          ...
          public ActionContext getActionContext() {
                  return ActionContext.getContext();
          }
          ...
  }


>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was sent by Atlassian JIRA
>>>>> (v6.4.14#64029)
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [hidden email] For
>>>> additional commands, e-mail: [hidden email]
>>>>
>>>>
>>


RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
It now goes to just a blank page.  Do I have an issue in my web.xml?
<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>MYStrutsPrepareFilter</filter-name>
    <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
</filter>

<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>
    <filter-mapping>
        <filter-name>MYStrutsPrepareFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Saturday, July 22, 2017 2:18 AM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

I forgot to mention the following block in MYStrutsPrepareFilter.java, which is new and which I added recently (so please copy the whole new
MYStrutsPrepareFilter.java):

 >              if(null != actionContext) {
 >                      ValueStack stack = actionContext.getValueStack();
 >                      stack.setValue("#request['MYUtils']", MYUtils);
 >              }

It avoids a null pointer exception.

Please reply back to me the `exception stack trace` if you encounter any.

IMPORTANT NOTE:

To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
For example, the following getter reawakens security issues that are currently fixed:

                public class MYUtils {
                        ...
                        public ActionContext getActionContext() {
                                return ActionContext.getContext();
                        }
                        ...
                }


On 7/22/2017 1:27 PM, Yasser Zamani wrote:

> Sorry! My previous code was sent from my mobile and has a few typos
> because of issues with copy/paste :(
>
> Now, at my PC, I tested the following configuration, which works well :)
>
> 1. MYStrutsPrepareFilter.java
>
> *********************************************
> package me.zamani.yasser.ww_convention.utils;
>
> import java.io.IOException;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
>
> import org.apache.struts2.StrutsStatics;
> import com.opensymphony.xwork2.ActionContext;
> import com.opensymphony.xwork2.util.ValueStack;
>
> /**
>   * @author zamani
>   *
>   */
> public class MYStrutsPrepareFilter implements Filter {
>
>       private MYUtils MYUtils;
>
>       public void init(FilterConfig filterConfig) throws ServletException {
>               MYUtils = new MYUtils();
>       }
>
>       public void doFilter(ServletRequest req, ServletResponse res,
> FilterChain chain)
>                       throws IOException, ServletException {
>
>               ActionContext actionContext = ActionContext.getContext();
>               if(null != actionContext) {
>                       ValueStack stack = actionContext.getValueStack();
>                       stack.setValue("#request['MYUtils']", MYUtils);
>               }
>
>               chain.doFilter(req, res);
>       }
>
>       public void destroy() {
>               MYUtils = null;
>       }
>
>
>       public class MYUtils {
>               public boolean isUserInRole (String user) {
>                       HttpServletRequest httpsr = ((HttpServletRequest)
> ActionContext.getContext()
>                                       .get(StrutsStatics.HTTP_REQUEST));
>                       return httpsr.isUserInRole(user);
>               }
>       }
> }
> **********************************************************
>
> 2. web.xml
>
> **********************************************************
>      <filter>
>          <filter-name>struts2prepare</filter-name>
>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>      </filter>
>
>      <filter>
>          <filter-name>MYStrutsPrepareFilter</filter-name>
>          <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>      </filter>
>
>      <filter>
>          <filter-name>struts2execute</filter-name>
>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>      </filter>
>
>      <filter-mapping>
>          <filter-name>struts2prepare</filter-name>
>          <url-pattern>/*</url-pattern>
>      </filter-mapping>
>
>      <filter-mapping>
>          <filter-name>MYStrutsPrepareFilter</filter-name>
>          <url-pattern>/*</url-pattern>
>      </filter-mapping>
>
>      <filter-mapping>
>          <filter-name>struts2execute</filter-name>
>          <url-pattern>/*</url-pattern>
>      </filter-mapping>
> **************************************************************
>
> 3. hello.jsp
>
> **************************************************************
>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>      you are UserAdmin
>      </s:if>
>      <s:else>
>      you are not UserAdmin
>      </s:else>
> **************************************************************
>
> Sincerely Yours,
> Yasser.
>
> On 7/22/2017 2:56 AM, Deborah White wrote:
>> And the jsp doesn't seem to like this syntax for some reason.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Friday, July 21, 2017 1:04 PM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> That is just an example. For your need, in more detail, you should try something like this:
>>
>> 1. Add the following method to class MyUtil:
>>
>>                 public boolean isUserInRole (String user) {
>>                         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>                                         .get(StrutsStatics.HTTP_REQUEST));
>>                         return httpsr.isUserInRole (user);
>>                 }
>>
>> 2. Your struts filters in web.xml should look like:
>>
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> 3. Finally find and replace all of
>>
>> <s:if test='request.isUserInRole("UserAdmin")' >
>>
>> With
>>
>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>
>> I think something like this resolves your issue :) Please try and let me know.
>>
>> Deborah White <[hidden email]> wrote:
>>
>>> This is what I currently have in my jsp:
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> Where would I put
>>> "#request['MYUtils'].requestURI?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Friday, July 21, 2017 10:53 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>
>>> Deborah White <[hidden email]> wrote:
>>>
>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> Hi there, welcome to dev list :)
>>>>
>>>> Do you need access to excluded packages in your JSPs? I had a similar
>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>> anything; a find/replace did all the needed changes. Please review
>>>> my solution to see if it also resolves yours. If not, please feel free to
>>>> continue here for a solution :)
>>>>
>>>> [1]
>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>
>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>> To: Deborah White <[hidden email]>
>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>>
>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>
>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>> ------------------------------------------------------------
>>>>>
>>>>> The best place to ask such question is to subscribe to the User
>>>>> Mailing list as there are more eyes to help you
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>
>>>>>
>>>>> was (Author: lukaszlenart):
>>>>> The best place to ask such question is to subscribe to the User
>>>>> Mailing list as there are more eyes to help you
>>>>> http://struts.apache.org/mail.html
>>>>>
>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>
>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>> -----------------------------------
>>>>>>
>>>>>>                 Key: WW-4815
>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>             Project: Struts 2
>>>>>>          Issue Type: Temp
>>>>>>          Components: Core
>>>>>>    Affects Versions: 2.3.16.3
>>>>>>            Reporter: Deborah White
>>>>>>             Fix For: 2.3.32
>>>>>>
>>>>>>
>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was sent by Atlassian JIRA
>>>>> (v6.4.14#64029)
>>>>>
>>>>>
>>>>>
>>>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
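Added example (not code posted in this thread and not part of the Struts project): a variant of the MYStrutsPrepareFilter shown above that applies Yasser's IMPORTANT NOTE. The object published to OGNL as #request['MYUtils'] returns only booleans and Strings and has no getter that would hand back ActionContext or the HttpServletRequest, so the page expression can no longer be turned into a path into the excluded packages. The class names RoleBridgeFilter and RoleBridge, the package name and the list of roles the pages may ask about are assumptions made for this example.

```java
package app.example.util; // assumed package name for this example

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * Added example, not the code posted in the thread. Publishes a small
 * bridge object as #request['MYUtils'] so JSPs can keep asking
 * isUserInRole(...) without OGNL touching javax.servlet classes, which
 * SecurityMemberAccess excludes. Map it after struts-prepare and before
 * struts-execute in web.xml: ActionContext is only populated once
 * StrutsPrepareFilter has run, so if mapped earlier this filter sees null.
 */
public class RoleBridgeFilter implements Filter {

    // Roles the JSPs are allowed to ask about (constructed sample list).
    // Anything else answers false, so a typo in a page cannot widen access.
    private static final Set<String> PAGE_ROLES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("UserAdmin", "Auditor")));

    private RoleBridge bridge;

    public void init(FilterConfig filterConfig) throws ServletException {
        bridge = new RoleBridge(PAGE_ROLES);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        ActionContext ctx = ActionContext.getContext();
        if (ctx != null) {
            // Same OGNL key the thread uses, so the JSP expression
            // #request["MYUtils"].isUserInRole("UserAdmin") stays unchanged.
            ValueStack stack = ctx.getValueStack();
            stack.setValue("#request['MYUtils']", bridge);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        bridge = null;
    }

    /**
     * Everything OGNL can reach through #request['MYUtils'] lives here, and
     * every public method returns a boolean or a String. There is deliberately
     * no getActionContext() or getRequest(): either would give page
     * expressions a handle back into the excluded packages.
     */
    public static final class RoleBridge {
        private final Set<String> allowedRoles;

        RoleBridge(Set<String> allowedRoles) {
            this.allowedRoles = allowedRoles;
        }

        // Private, so OGNL (which denies non-public members by default)
        // cannot call it and obtain the request object.
        private static HttpServletRequest currentRequest() {
            ActionContext ctx = ActionContext.getContext();
            if (ctx == null) {
                return null;
            }
            return (HttpServletRequest) ctx.get(StrutsStatics.HTTP_REQUEST);
        }

        public boolean isUserInRole(String role) {
            HttpServletRequest request = currentRequest();
            if (request == null || role == null || !allowedRoles.contains(role)) {
                return false;
            }
            return request.isUserInRole(role);
        }

        public String getRemoteUser() {
            HttpServletRequest request = currentRequest();
            String user = (request == null) ? null : request.getRemoteUser();
            return (user == null) ? "" : user;
        }
    }
}
```

The web.xml side is the same as in the thread: a filter entry for this class, and filter-mappings in the order struts-prepare, then this filter, then struts-execute, each on /* with the same dispatcher elements. JSPs keep the `#request["MYUtils"].isUserInRole("UserAdmin")` expression; any role not in the allow list evaluates to false rather than reaching the container.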


Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
Yes, I think you should have mappings for all of them, in the following order:

      <filter-mapping>
          <filter-name>struts-prepare</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>MYStrutsPrepareFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>struts-execute</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>


On 7/24/2017 8:19 PM, Deborah White wrote:

> It now goes to just a blank page.  Do I have an issue in my web.xml?
> <filter>
>     <filter-name>struts-prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts-execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
>     <filter-mapping>
>         <filter-name>MYStrutsPrepareFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>         <dispatcher>FORWARD</dispatcher>
>         <dispatcher>REQUEST</dispatcher>
>     </filter-mapping>
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Saturday, July 22, 2017 2:18 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> I forgot to mention the following block in MYStrutsPrepareFilter.java, which is new and which I added recently (so please copy the whole new
> MYStrutsPrepareFilter.java):
>
>  >              if(null != actionContext) {
>  >                      ValueStack stack = actionContext.getValueStack();
>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>  >              }
>
> It avoids a null pointer exception.
>
> Please reply back to me the `exception stack trace` if you encounter any.
>
> IMPORTANT NOTE:
>
> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
> For example, the following getter reawakens security issues that are currently fixed:
>
>                 public class MYUtils {
>                         ...
>                         public ActionContext getActionContext() {
>                                 return ActionContext.getContext();
>                         }
>                         ...
>                 }
>
>
> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>> Sorry! My previous code was sent from my mobile and has a few typos
>> because of issues with copy/paste :(
>>
>> Now, at my PC, I tested the following configuration, which works well :)
>>
>> 1. MYStrutsPrepareFilter.java
>>
>> *********************************************
>> package me.zamani.yasser.ww_convention.utils;
>>
>> import java.io.IOException;
>>
>> import javax.servlet.Filter;
>> import javax.servlet.FilterChain;
>> import javax.servlet.FilterConfig;
>> import javax.servlet.ServletException;
>> import javax.servlet.ServletRequest;
>> import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>>
>> import org.apache.struts2.StrutsStatics;
>> import com.opensymphony.xwork2.ActionContext;
>> import com.opensymphony.xwork2.util.ValueStack;
>>
>> /**
>>   * @author zamani
>>   *
>>   */
>> public class MYStrutsPrepareFilter implements Filter {
>>
>>       private MYUtils MYUtils;
>>
>>       public void init(FilterConfig filterConfig) throws ServletException {
>>               MYUtils = new MYUtils();
>>       }
>>
>>       public void doFilter(ServletRequest req, ServletResponse res,
>> FilterChain chain)
>>                       throws IOException, ServletException {
>>
>>               ActionContext actionContext = ActionContext.getContext();
>>               if(null != actionContext) {
>>                       ValueStack stack = actionContext.getValueStack();
>>                       stack.setValue("#request['MYUtils']", MYUtils);
>>               }
>>
>>               chain.doFilter(req, res);
>>       }
>>
>>       public void destroy() {
>>               MYUtils = null;
>>       }
>>
>>
>>       public class MYUtils {
>>               public boolean isUserInRole (String user) {
>>                       HttpServletRequest httpsr = ((HttpServletRequest)
>> ActionContext.getContext()
>>                                       .get(StrutsStatics.HTTP_REQUEST));
>>                       return httpsr.isUserInRole(user);
>>               }
>>       }
>> }
>> **********************************************************
>>
>> 2. web.xml
>>
>> **********************************************************
>>      <filter>
>>          <filter-name>struts2prepare</filter-name>
>>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>      </filter>
>>
>>      <filter>
>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>          <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>      </filter>
>>
>>      <filter>
>>          <filter-name>struts2execute</filter-name>
>>          <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>      </filter>
>>
>>      <filter-mapping>
>>          <filter-name>struts2prepare</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>>
>>      <filter-mapping>
>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>>
>>      <filter-mapping>
>>          <filter-name>struts2execute</filter-name>
>>          <url-pattern>/*</url-pattern>
>>      </filter-mapping>
>> **************************************************************
>>
>> 3. hello.jsp
>>
>> **************************************************************
>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>      you are UserAdmin
>>      </s:if>
>>      <s:else>
>>      you are not UserAdmin
>>      </s:else>
>> **************************************************************
>>
>> Sincerely Yours,
>> Yasser.
>>
>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>> And the jsp doesn't seem to like this syntax for some reason.
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Friday, July 21, 2017 1:04 PM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> That is just an example. For your need, in more detail, you should try something like this:
>>>
>>> 1. Add the following method to class MyUtil:
>>>
>>>                 public boolean isUserInRole (String user) {
>>>                         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>                                         .get(StrutsStatics.HTTP_REQUEST));
>>>                         return httpsr.isUserInRole (user);
>>>                 }
>>>
>>> 2. Your struts filters in web.xml should look like:
>>>
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>>
>>> 3. Finally find and replace all of
>>>
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> With
>>>
>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>
>>> I think something like this resolves your issue :) Please try and let me know.
>>>
>>> Deborah White <[hidden email]> wrote:
>>>
>>>> This is what I currently have in my jsp:
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> Where would I put
>>>> "#request['MYUtils'].requestURI?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>
>>>> Deborah White <[hidden email]> wrote:
>>>>
>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> Hi there, welcome to dev list :)
>>>>>
>>>>> Do you need access to excluded packages in your JSPs? I had a similar
>>>>> issue and you can see my solution at [1]. I did not need to rewrite
>>>>> anything; a find/replace did all the needed changes. Please review
>>>>> my solution to see if it also resolves yours. If not, please feel free to
>>>>> continue here for a solution :)
>>>>>
>>>>> [1]
>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>
>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>> To: Deborah White <[hidden email]>
>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>>
>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>
>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>
>>>>>> was (Author: lukaszlenart):
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>> -----------------------------------
>>>>>>>
>>>>>>>                 Key: WW-4815
>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>             Project: Struts 2
>>>>>>>          Issue Type: Temp
>>>>>>>          Components: Core
>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>            Reporter: Deborah White
>>>>>>>             Fix For: 2.3.32
>>>>>>>
>>>>>>>
>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message was sent by Atlassian JIRA
>>>>>> (v6.4.14#64029)
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: [hidden email]
>>>>> For additional commands, e-mail: [hidden email]
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>



RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?

WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!

Also, in my jsp I had to use this syntax:
<s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
    $('#tabs-UserManagement').tabs();
</s:if>

Instead of ['MYUtils'] (single quote).

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Monday, July 24, 2017 11:27 AM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yes, I think you should have mappings for all of them, in the following order:

      <filter-mapping>
          <filter-name>struts-prepare</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>MYStrutsPrepareFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
          <filter-name>struts-execute</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>


On 7/24/2017 8:19 PM, Deborah White wrote:

> It now goes to just a blank page.  Do I have an issue in my web.xml?
> <filter>
>     <filter-name>struts-prepare</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
> </filter>
>
> <filter>
>     <filter-name>struts-execute</filter-name>
>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
> </filter>
>
> <filter-mapping>
>     <filter-name>MYStrutsPrepareFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Saturday, July 22, 2017 2:18 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
> 2.3.16.3 to 2.3.32
>
> I forgot to mention the following block in MYStrutsPrepareFilter.java,
> which is new and which I added recently (so please copy the whole new
> MYStrutsPrepareFilter.java):
>
>  >              if(null != actionContext) {
>  >                      ValueStack stack = actionContext.getValueStack();
>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>  >              }
>
> It avoids null pointer exception.
>
> Please reply back to me the `exception stack trace` if you encounter any.
>
> IMPORTANT NOTE:
>
> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
> For example, the following getter wakes up the currently fixed security issues again:
>
>     public class MYUtils {
>         ...
>         public ActionContext getActionContext() {
>             return ActionContext.getContext();
>         }
>         ...
>     }
>
>
> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>> Sorry! My previous code was sent via my mobile, which has a few typo
>> errors because of issues with copy/paste :(
>>
>> Now, at my PC, I tested following configuration which works well :)
>>
>> 1. MYStrutsPrepareFilter.java
>>
>> *********************************************
>> package me.zamani.yasser.ww_convention.utils;
>>
>> import java.io.IOException;
>>
>> import javax.servlet.Filter;
>> import javax.servlet.FilterChain;
>> import javax.servlet.FilterConfig;
>> import javax.servlet.ServletException;
>> import javax.servlet.ServletRequest;
>> import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>>
>> import org.apache.struts2.StrutsStatics;
>>
>> import com.opensymphony.xwork2.ActionContext;
>> import com.opensymphony.xwork2.util.ValueStack;
>>
>> /**
>>  * @author zamani
>>  *
>>  */
>> public class MYStrutsPrepareFilter implements Filter {
>>
>>     private MYUtils MYUtils;
>>
>>     public void init(FilterConfig filterConfig) throws ServletException {
>>         MYUtils = new MYUtils();
>>     }
>>
>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>             throws IOException, ServletException {
>>
>>         // Runs after StrutsPrepareFilter, so the ActionContext exists;
>>         // the null check covers requests Struts has not prepared.
>>         ActionContext actionContext = ActionContext.getContext();
>>         if (null != actionContext) {
>>             ValueStack stack = actionContext.getValueStack();
>>             // Exposes the facade to OGNL as #request['MYUtils']
>>             stack.setValue("#request['MYUtils']", MYUtils);
>>         }
>>
>>         chain.doFilter(req, res);
>>     }
>>
>>     public void destroy() {
>>         MYUtils = null;
>>     }
>>
>>     // Not in an excluded package, and returns only a boolean
>>     public class MYUtils {
>>         public boolean isUserInRole(String user) {
>>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>                     .get(StrutsStatics.HTTP_REQUEST);
>>             return httpsr.isUserInRole(user);
>>         }
>>     }
>> }
>> **********************************************************
>>
>> 2. web.xml
>>
>> **********************************************************
>>     <filter>
>>         <filter-name>struts2prepare</filter-name>
>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>     </filter>
>>
>>     <filter>
>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>     </filter>
>>
>>     <filter>
>>         <filter-name>struts2execute</filter-name>
>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>     </filter>
>>
>>     <filter-mapping>
>>         <filter-name>struts2prepare</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <filter-mapping>
>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <filter-mapping>
>>         <filter-name>struts2execute</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>> **************************************************************
>>
>> 3. hello.jsp
>>
>> **************************************************************
>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>      you are UserAdmin
>>      </s:if>
>>      <s:else>
>>      you are not UserAdmin
>>      </s:else>
>> **************************************************************
>>
>> Sincerely Yours,
>> Yasser.
>>
>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>> And the jsp doesn't seem to like this syntax for some reason.
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Friday, July 21, 2017 1:04 PM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> That is just an example. For your need, in more detail, you should try something like this:
>>>
>>> 1. Add following method to class MyUtil:
>>>
>>>     public boolean isUserInRole (String user) {
>>>         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>                 .get(StrutsStatics.HTTP_REQUEST));
>>>         return httpsr.isUserInRole (user);
>>>     }
>>>
>>> 2. Your struts filters in web.xml should look like:
>>>
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>>
>>> 3. Finally find and replace all of
>>>
>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>
>>> With
>>>
>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>
>>> I think something like this resolves your issue :) please try and let me know.
>>>
>>> Deborah White <[hidden email]> wrote:
>>>
>>>> This is what I currently have in my jsp:
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> Where would I put
>>>> "#request['MYUtils'].requestURI?
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> You are welcome :) In this solution, through OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>
>>>> Deborah White <[hidden email]> wrote:
>>>>
>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>> Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> Hi there, welcome to dev list :)
>>>>>
>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>> to rewrite anything and a find/replace did all needed changes.
>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>> please feel free to continue here for a solution :)
>>>>>
>>>>> [1]
>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>
>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>> To: Deborah White <[hidden email]>
>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>>
>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>
>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>
>>>>>> was (Author: lukaszlenart):
>>>>>> The best place to ask such question is to subscribe to the User
>>>>>> Mailing list as there are more eyes to help you
>>>>>> http://struts.apache.org/mail.html
>>>>>>
>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>
>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>> -----------------------------------
>>>>>>>
>>>>>>>                 Key: WW-4815
>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>             Project: Struts 2
>>>>>>>          Issue Type: Temp
>>>>>>>          Components: Core
>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>            Reporter: Deborah White
>>>>>>>             Fix For: 2.3.32
>>>>>>>
>>>>>>>
>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>


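The IMPORTANT NOTE quoted in the message above (a facade that hands OGNL only primitives, never the ActionContext or the request object) and the NullPointerException fix just before it are worth carrying one step further. The filter below is an added example written for this page; it is not code from the thread, from Yasser or from the Struts project. Instead of pushing the facade onto the value stack after struts-prepare, it sets a plain request attribute, which is what Struts's `#request` map reads, so it needs only the Servlet API (Java 8 or later) and does not depend on an ActionContext existing when the filter runs. It also restricts the role names a JSP may ask about to a configured allowlist. Every name in it (package `example.web`, `RoleFacadeFilter`, the `roles` attribute, the `knownRoles` init-param) is a placeholder chosen for this example.

```java
// Added example, not code from the thread: a per-request role facade for OGNL.
// JSPs ask #request['roles'].isUserInRole('UserAdmin'); the facade answers with a
// boolean and exposes nothing else, so the excluded HttpServletRequest never reaches OGNL.
// Assumes Java 8+ and the Servlet API on the classpath. Package, class, attribute and
// init-param names (example.web, RoleFacadeFilter, "roles", "knownRoles") are placeholders.
package example.web;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public final class RoleFacadeFilter implements Filter {

    /** Init-param listing, comma separated, the roles JSPs are allowed to ask about. */
    static final String ROLES_PARAM = "knownRoles";
    /** Request attribute name; OGNL's #request map is backed by request attributes. */
    static final String ATTRIBUTE = "roles";

    private Set<String> knownRoles = Collections.emptySet();

    /** What OGNL sees. Every public member returns a primitive, nothing else. */
    public static final class RoleFacade {
        private final Predicate<String> membership;
        private final Set<String> knownRoles;

        RoleFacade(Predicate<String> membership, Set<String> knownRoles) {
            this.membership = membership;
            this.knownRoles = knownRoles;
        }

        public boolean isUserInRole(String role) {
            // A role name outside the allowlist is a JSP typo or a probe:
            // deny without consulting the container.
            if (role == null || !knownRoles.contains(role)) {
                return false;
            }
            return membership.test(role);
        }
        // Deliberately no getRequest()/getActionContext(): returning those objects
        // would hand OGNL exactly what SecurityMemberAccess excludes.
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter(ROLES_PARAM);
        if (raw == null || raw.trim().isEmpty()) {
            throw new ServletException("init-param " + ROLES_PARAM + " is required");
        }
        knownRoles = parseRoles(raw);
    }

    /** "UserAdmin, Reporter" becomes {UserAdmin, Reporter}; blank entries are dropped. */
    static Set<String> parseRoles(String raw) {
        Set<String> out = new HashSet<>();
        for (String r : raw.split(",")) {
            if (!r.trim().isEmpty()) {
                out.add(r.trim());
            }
        }
        return Collections.unmodifiableSet(out);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Bound to this request only; the attribute survives the FORWARD to the JSP.
            req.setAttribute(ATTRIBUTE, new RoleFacade(http::isUserInRole, knownRoles));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        knownRoles = Collections.emptySet();
    }

    /** Offline check with a constructed membership: this user holds only "Reporter". */
    public static void main(String[] args) {
        Set<String> held = new HashSet<>(Arrays.asList("Reporter"));
        RoleFacade facade = new RoleFacade(held::contains, parseRoles("UserAdmin, Reporter"));
        System.out.println("Reporter (held, known):         " + facade.isUserInRole("Reporter"));
        System.out.println("UserAdmin (not held, known):    " + facade.isUserInRole("UserAdmin"));
        System.out.println("manager-gui (not in allowlist): " + facade.isUserInRole("manager-gui"));
    }
}
```

Map the filter to `/*` with the REQUEST and FORWARD dispatchers, as the thread does for MYStrutsPrepareFilter, and give it an `<init-param>` named `knownRoles` listing the roles the pages use (for example `UserAdmin,Reporter`). The JSP then reads `<s:if test="#request['roles'].isUserInRole('UserAdmin')">`. Two design points: the allowlist means a misspelled or unexpected role name in a JSP is refused instead of being handed to the container, and the absence of any getter returning the request or the ActionContext is the actual safeguard, since OGNL can only reach what the facade exposes.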


Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
You're welcome! Happy to hear that it works there :)

That warning means you still have some more. Please find them by
searching for 'request.isUserInRole' in your JSPs, then replace them with
'#request["MYUtils"].isUserInRole'.

test='#request["MYUtils"].isUserInRole("UserAdmin")' and
test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)

On 7/25/2017 9:35 PM, Deborah White wrote:

> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>
> Also, in my jsp I had to use this syntax:
> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>     $('#tabs-UserManagement').tabs();
> </s:if>
>
> Instead of ['MYUtils'] (single quote).
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Monday, July 24, 2017 11:27 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> Yes, I think you should have mappings for all of them, in the following order:
>
>       <filter-mapping>
>           <filter-name>struts-prepare</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>       <filter-mapping>
>           <filter-name>MYStrutsPrepareFilter</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>       <filter-mapping>
>           <filter-name>struts-execute</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>
>
> On 7/24/2017 8:19 PM, Deborah White wrote:
>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Saturday, July 22, 2017 2:18 AM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>> which is new and which I added recently (so please copy the whole new
>> MYStrutsPrepareFilter.java):
>>
>>  >              if(null != actionContext) {
>>  >                      ValueStack stack = actionContext.getValueStack();
>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>  >              }
>>
>> It avoids null pointer exception.
>>
>> Please reply back to me the `exception stack trace` if you encounter any.
>>
>> IMPORTANT NOTE:
>>
>> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>> For example, the following getter wakes up the currently fixed security issues again:
>>
>>     public class MYUtils {
>>         ...
>>         public ActionContext getActionContext() {
>>             return ActionContext.getContext();
>>         }
>>         ...
>>     }
>>
>>
>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>> Sorry! My previous code was sent via my mobile, which has a few typo
>>> errors because of issues with copy/paste :(
>>>
>>> Now, at my PC, I tested following configuration which works well :)
>>>
>>> 1. MYStrutsPrepareFilter.java
>>>
>>> *********************************************
>>> package me.zamani.yasser.ww_convention.utils;
>>>
>>> import java.io.IOException;
>>>
>>> import javax.servlet.Filter;
>>> import javax.servlet.FilterChain;
>>> import javax.servlet.FilterConfig;
>>> import javax.servlet.ServletException;
>>> import javax.servlet.ServletRequest;
>>> import javax.servlet.ServletResponse;
>>> import javax.servlet.http.HttpServletRequest;
>>>
>>> import org.apache.struts2.StrutsStatics;
>>>
>>> import com.opensymphony.xwork2.ActionContext;
>>> import com.opensymphony.xwork2.util.ValueStack;
>>>
>>> /**
>>>  * @author zamani
>>>  *
>>>  */
>>> public class MYStrutsPrepareFilter implements Filter {
>>>
>>>     private MYUtils MYUtils;
>>>
>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>         MYUtils = new MYUtils();
>>>     }
>>>
>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>             throws IOException, ServletException {
>>>
>>>         // Runs after StrutsPrepareFilter, so the ActionContext exists;
>>>         // the null check covers requests Struts has not prepared.
>>>         ActionContext actionContext = ActionContext.getContext();
>>>         if (null != actionContext) {
>>>             ValueStack stack = actionContext.getValueStack();
>>>             // Exposes the facade to OGNL as #request['MYUtils']
>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>         }
>>>
>>>         chain.doFilter(req, res);
>>>     }
>>>
>>>     public void destroy() {
>>>         MYUtils = null;
>>>     }
>>>
>>>     // Not in an excluded package, and returns only a boolean
>>>     public class MYUtils {
>>>         public boolean isUserInRole(String user) {
>>>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>                     .get(StrutsStatics.HTTP_REQUEST);
>>>             return httpsr.isUserInRole(user);
>>>         }
>>>     }
>>> }
>>> **********************************************************
>>>
>>> 2. web.xml
>>>
>>> **********************************************************
>>>     <filter>
>>>         <filter-name>struts2prepare</filter-name>
>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>     </filter>
>>>
>>>     <filter>
>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>     </filter>
>>>
>>>     <filter>
>>>         <filter-name>struts2execute</filter-name>
>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>     </filter>
>>>
>>>     <filter-mapping>
>>>         <filter-name>struts2prepare</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>     </filter-mapping>
>>>
>>>     <filter-mapping>
>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>     </filter-mapping>
>>>
>>>     <filter-mapping>
>>>         <filter-name>struts2execute</filter-name>
>>>         <url-pattern>/*</url-pattern>
>>>     </filter-mapping>
>>> **************************************************************
>>>
>>> 3. hello.jsp
>>>
>>> **************************************************************
>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>      you are UserAdmin
>>>      </s:if>
>>>      <s:else>
>>>      you are not UserAdmin
>>>      </s:else>
>>> **************************************************************
>>>
>>> Sincerely Yours,
>>> Yasser.
>>>
>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>
>>>> 1. Add following method to class MyUtil:
>>>>
>>>>     public boolean isUserInRole (String user) {
>>>>         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>>                 .get(StrutsStatics.HTTP_REQUEST));
>>>>         return httpsr.isUserInRole (user);
>>>>     }
>>>>
>>>> 2. Your struts filters in web.xml should look like:
>>>>
>>>> <filter>
>>>>     <filter-name>struts-prepare</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>struts-execute</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>> </filter>
>>>>
>>>> 3. Finally find and replace all of
>>>>
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> With
>>>>
>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>
>>>> I think something like these resolve your issue :) please try and let me know.
>>>>
>>>> Deborah White <[hidden email]> نوشت:
>>>>
>>>>> This is what I currently have in my jsp:
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> Where would I put
>>>>> "#request['MYUtils'].requestURI?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> You are welcome :) In this solution, by OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>>
>>>>> Deborah White <[hidden email]> نوشت:
>>>>>
>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>> To: Struts Developers List <[hidden email]>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>> Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> Hi there, welcome to dev list :)
>>>>>>
>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>> to rewrite anything and a find/replace did all the needed changes.
>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>> please feel free to continue here for a solution :)
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>
>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>> To: Deborah White <[hidden email]>
>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>>
>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>
>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>> Mailing list as there are more eyes to help you
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>
>>>>>>>
>>>>>>> was (Author: lukaszlenart):
>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>> Mailing list as there are more eyes to help you
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>
>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>> -----------------------------------
>>>>>>>>
>>>>>>>>                 Key: WW-4815
>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>             Project: Struts 2
>>>>>>>>          Issue Type: Temp
>>>>>>>>          Components: Core
>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>            Reporter: Deborah White
>>>>>>>>             Fix For: 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> This message was sent by Atlassian JIRA
>>>>>>> (v6.4.14#64029)
>>>>>>>
>>>>>>>
>>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: [hidden email]
>>>>>> For additional commands, e-mail: [hidden email]
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
>
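Lukasz's recommendation quoted above ("move the logic to an action") can be followed without a custom filter and without putting a helper object on the value stack at all. What follows is an added example, not code from this thread or from the Struts project: a hypothetical base action that receives the request through the ServletRequestAware interface (the servletConfig interceptor of the default stack injects it) and exposes only a boolean and a String to OGNL. The package and class names are assumptions; the two commented-out accessors show the shape of getter that must not be added, because it hands the excluded object itself to OGNL.

```java
package example.action; // hypothetical package, not from the thread

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Hypothetical base action that answers role questions itself, so JSPs never
 * reach javax.servlet.* or StrutsRequestWrapper through OGNL. The request is
 * injected by the servletConfig interceptor of the default stack; the field is
 * private and deliberately has no getter.
 */
public abstract class RoleAwareAction extends ActionSupport implements ServletRequestAware {

    private transient HttpServletRequest request;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /** In a JSP: <s:if test="isUserInRole('UserAdmin')"> ... </s:if> */
    public boolean isUserInRole(String role) {
        return request != null && request.isUserInRole(role);
    }

    /** In a JSP: <s:property value="remoteUser"/>  (a String, not a Principal) */
    public String getRemoteUser() {
        return request == null ? null : request.getRemoteUser();
    }

    // Do NOT add accessors like the two below. They hand the excluded object
    // itself to OGNL, and any expression that can reach the action can then
    // walk from it into the servlet API or the ActionContext, which is what
    // the SecurityMemberAccess package exclusion exists to prevent.
    //
    // public HttpServletRequest getServletRequest() { return request; }
    // public ActionContext getActionContext() { return ActionContext.getContext(); }
}
```

With the application's actions extending such a class, the JSP find/replace becomes `request.isUserInRole(` to `isUserInRole(`, the extra filter and filter-mapping are not needed, and the SecurityMemberAccess warning does not appear because nothing in the expression crosses into an excluded package.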



RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.

I have this in my jsp:

function submitESignature() {
    $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
    //document.getElementById("button_cont").disabled = "disabled";
    var url = "<s:url value="renewsave.action" encode="true"/>";
    document.regSubmitForm.eSignStart.value = 1;
    document.regSubmitForm.method = "POST";
    document.regSubmitForm.action = url;
    document.regSubmitForm.submit();
}

This in my java code:

else if ( renewSaveStart == 0 && eSignStart == 1 ) {
    return "renewEsignProc";
}

This in my struts.xml:

<action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
    <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
    <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
    <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
    <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
    <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
    <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
    <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
</action>


Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.

Any thoughts?

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Tuesday, July 25, 2017 10:21 AM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

You're welcome! Happy to hear that it works there :)

That warning means you still have some more. Please find them by searching for `request.isUserInRole` in your JSPs, then replace them with `#request["MYUtils"].isUserInRole`.

test='#request["MYUtils"].isUserInRole("UserAdmin")' and test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)

On 7/25/2017 9:35 PM, Deborah White wrote:

> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>
> Also, in my jsp I had to use this syntax:
> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>                                         $('#tabs-UserManagement').tabs();
>                                 </s:if>
>
> Instead of ['MYUtils'] (single quote).
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Monday, July 24, 2017 11:27 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
> 2.3.16.3 to 2.3.32
>
> Yes, I think you should have mappings for all of them, in the following order:
>
>       <filter-mapping>
>           <filter-name>struts-prepare</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>       <filter-mapping>
>           <filter-name>MYStrutsPrepareFilter</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>       <filter-mapping>
>           <filter-name>struts-execute</filter-name>
>           <url-pattern>/*</url-pattern>
>           <dispatcher>FORWARD</dispatcher>
>           <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>
>
> On 7/24/2017 8:19 PM, Deborah White wrote:
>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>> <filter>
>>     <filter-name>struts-prepare</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>> </filter>
>>
>> <filter>
>>     <filter-name>struts-execute</filter-name>
>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>FORWARD</dispatcher>
>>     <dispatcher>REQUEST</dispatcher>
>> </filter-mapping>
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Saturday, July 22, 2017 2:18 AM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>> which is new and which I added recently (so please copy the whole new
>> MYStrutsPrepareFilter.java):
>>
>>  >              if(null != actionContext) {
>>  >                      ValueStack stack = actionContext.getValueStack();
>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>  >              }
>>
>> It avoids null pointer exception.
>>
>> Please reply back to me the `exception stack trace` if you encounter any.
>>
>> IMPORTANT NOTE:
>>
>> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>> For example, the following getter wakes up currently fixed security issues:
>>
>>     public class MYUtils {
>>         ...
>>         public ActionContext getActionContext() {
>>             return ActionContext.getContext();
>>         }
>>         ...
>>     }
>>
>>
>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>> Sorry! My previous code was sent from my mobile and has a few typo
>>> errors because of issues with copy/paste :(
>>>
>>> Now, at my PC, I tested the following configuration, which works well :)
>>>
>>> 1. MYStrutsPrepareFilter.java
>>>
>>> *********************************************
>>> package me.zamani.yasser.ww_convention.utils;
>>>
>>> import java.io.IOException;
>>>
>>> import javax.servlet.Filter;
>>> import javax.servlet.FilterChain;
>>> import javax.servlet.FilterConfig;
>>> import javax.servlet.ServletException;
>>> import javax.servlet.ServletRequest;
>>> import javax.servlet.ServletResponse;
>>> import javax.servlet.http.HttpServletRequest;
>>>
>>> import org.apache.struts2.StrutsStatics;
>>> import com.opensymphony.xwork2.ActionContext;
>>> import com.opensymphony.xwork2.util.ValueStack;
>>>
>>> /**
>>>  * @author zamani
>>>  *
>>>  */
>>> public class MYStrutsPrepareFilter implements Filter {
>>>
>>>     private MYUtils MYUtils;
>>>
>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>         MYUtils = new MYUtils();
>>>     }
>>>
>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>             throws IOException, ServletException {
>>>
>>>         // StrutsPrepareFilter runs before this filter, so the ActionContext
>>>         // normally exists here; the null check avoids an NPE otherwise.
>>>         ActionContext actionContext = ActionContext.getContext();
>>>         if (null != actionContext) {
>>>             ValueStack stack = actionContext.getValueStack();
>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>         }
>>>
>>>         chain.doFilter(req, res);
>>>     }
>>>
>>>     public void destroy() {
>>>         MYUtils = null;
>>>     }
>>>
>>>     public class MYUtils {
>>>         public boolean isUserInRole(String user) {
>>>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>                     .get(StrutsStatics.HTTP_REQUEST);
>>>             return httpsr.isUserInRole(user);
>>>         }
>>>     }
>>> }
>>> **********************************************************
>>>
>>> 2. web.xml
>>>
>>> **********************************************************
>>>      <filter>
>>>          <filter-name>struts2prepare</filter-name>
>>>
>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>      </filter>
>>>
>>>      <filter>
>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>
>>> <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>      </filter>
>>>
>>>      <filter>
>>>          <filter-name>struts2execute</filter-name>
>>>
>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>      </filter>
>>>
>>>      <filter-mapping>
>>>          <filter-name>struts2prepare</filter-name>
>>>          <url-pattern>/*</url-pattern>
>>>      </filter-mapping>
>>>
>>>      <filter-mapping>
>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>          <url-pattern>/*</url-pattern>
>>>      </filter-mapping>
>>>
>>>      <filter-mapping>
>>>          <filter-name>struts2execute</filter-name>
>>>          <url-pattern>/*</url-pattern>
>>>      </filter-mapping>
>>> **************************************************************
>>>
>>> 3. hello.jsp
>>>
>>> **************************************************************
>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>      you are UserAdmin
>>>      </s:if>
>>>      <s:else>
>>>      you are not UserAdmin
>>>      </s:else>
>>> **************************************************************
>>>
>>> Sincerely Yours,
>>> Yasser.
>>>
>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> That is just an example. For your need, in more detail, you should try something like the following:
>>>>
>>>> 1. Add following method to class MyUtil:
>>>>
>>>>     public boolean isUserInRole(String user) {
>>>>         HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>                 .get(StrutsStatics.HTTP_REQUEST);
>>>>         return httpsr.isUserInRole(user);
>>>>     }
>>>>
>>>> 2. Your struts filters in web.xml should look like:
>>>>
>>>> <filter>
>>>>     <filter-name>struts-prepare</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>struts-execute</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>> </filter>
>>>>
>>>> 3. Finally find and replace all of
>>>>
>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>
>>>> With
>>>>
>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>
>>>> I think something like these resolve your issue :) please try and let me know.
>>>>
>>>> Deborah White <[hidden email]> نوشت:
>>>>
>>>>> This is what I currently have in my jsp:
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> Where would I put
>>>>> "#request['MYUtils'].requestURI?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>> Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> You are welcome :) In this solution, by OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>>
>>>>> Deborah White <[hidden email]> نوشت:
>>>>>
>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>> To: Struts Developers List <[hidden email]>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>> Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> Hi there, welcome to dev list :)
>>>>>>
>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>> to rewrite anything and a find/replace did all the needed changes.
>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>> please feel free to continue here for a solution :)
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>
>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>> To: Deborah White <[hidden email]>
>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>>
>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>
>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>> Mailing list as there are more eyes to help you
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>
>>>>>>>
>>>>>>> was (Author: lukaszlenart):
>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>> Mailing list as there are more eyes to help you
>>>>>>> http://struts.apache.org/mail.html
>>>>>>>
>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>
>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>> -----------------------------------
>>>>>>>>
>>>>>>>>                 Key: WW-4815
>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>             Project: Struts 2
>>>>>>>>          Issue Type: Temp
>>>>>>>>          Components: Core
>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>            Reporter: Deborah White
>>>>>>>>             Fix For: 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> This message was sent by Atlassian JIRA
>>>>>>> (v6.4.14#64029)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
>
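For the result-routing question in this message, the first thing to establish is which result names the action class can actually return, compared with what struts.xml maps. The following is an added example, not code from the thread: a stand-alone Java program that cross-references the <result name="..."> entries of one action block against the string literals (and Action interface constants such as SUCCESS or INPUT) returned in the action's source. The struts.xml block is the one quoted in the message; the execute() body is constructed for the example and is not the application's real code.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Cross-checks the <result name="..."> entries of one struts.xml action
 * against the result strings its action class can return, so a name that is
 * mapped but never returned (or returned but never mapped) is listed.
 * Sample inputs in main() are constructed for this example.
 */
public class ResultNameCheck {

    private static final Pattern RESULT_NAME =
            Pattern.compile("<result\\s+name\\s*=\\s*\"([^\"]+)\"");
    // Literal returns such as:  return "renewEsignProc";
    private static final Pattern RETURN_LITERAL =
            Pattern.compile("return\\s+\"([^\"]+)\"\\s*;");
    // Returns of the com.opensymphony.xwork2.Action constants:  return SUCCESS;
    private static final Pattern RETURN_CONSTANT =
            Pattern.compile("return\\s+(SUCCESS|INPUT|ERROR|NONE|LOGIN)\\s*;");

    static Set<String> resultNames(String strutsXml) {
        Set<String> names = new LinkedHashSet<>();
        Matcher m = RESULT_NAME.matcher(strutsXml);
        while (m.find()) names.add(m.group(1));
        return names;
    }

    static Set<String> returnedNames(String javaSource) {
        Set<String> names = new LinkedHashSet<>();
        Matcher lit = RETURN_LITERAL.matcher(javaSource);
        while (lit.find()) names.add(lit.group(1));
        Matcher con = RETURN_CONSTANT.matcher(javaSource);
        while (con.find()) names.add(con.group(1).toLowerCase()); // SUCCESS -> "success"
        return names;
    }

    /** Result names mapped in struts.xml that no return statement produces. */
    static Set<String> mappedButNeverReturned(String strutsXml, String javaSource) {
        Set<String> out = new LinkedHashSet<>(resultNames(strutsXml));
        out.removeAll(returnedNames(javaSource));
        return out;
    }

    /** Result strings the action returns that struts.xml does not map. */
    static Set<String> returnedButNotMapped(String strutsXml, String javaSource) {
        Set<String> out = new LinkedHashSet<>(returnedNames(javaSource));
        out.removeAll(resultNames(strutsXml));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the action mapping quoted in the thread ...
        String strutsXml = String.join("\n",
            "<action name=\"renewsave\" class=\"gov.ca.doj.sotas.action.renew.ExtRenewSave\">",
            "  <result name=\"success\">/WEB-INF/jsp/renewSaveESignature.jsp</result>",
            "  <result name=\"InternalRenew\">/WEB-INF/jsp/renewSave.jsp</result>",
            "  <result name=\"renewEsignProc\">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>",
            "  <result name=\"renewSave1\">/WEB-INF/jsp/renewSaveEPay.jsp</result>",
            "  <result name=\"renewSave2\">/WEB-INF/jsp/renewSave.jsp</result>",
            "  <result name=\"input\">/WEB-INF/jsp/renewReview.jsp</result>",
            "  <result name=\"error\">/WEB-INF/jsp/sotasExternalHome.jsp</result>",
            "</action>");
        // ... and a made-up execute() body (not the application's code).
        String javaSource = String.join("\n",
            "public String execute() {",
            "    if (renewSaveStart == 1) { return \"renewSave1\"; }",
            "    else if (renewSaveStart == 0 && eSignStart == 1) { return \"renewEsignProc\"; }",
            "    else if (hasErrors()) { return INPUT; }",
            "    return SUCCESS;",
            "}");

        System.out.println("mapped but never returned: " + mappedButNeverReturned(strutsXml, javaSource));
        System.out.println("returned but not mapped:   " + returnedButNotMapped(strutsXml, javaSource));
    }
}
```

Run it against the real struts.xml and the concatenated .java sources of the action (and its superclasses). Result names are case-sensitive, so "InternalRenew" and "internalRenew" are different results. Because the check is regex-based it only sees literal returns and the five Action constants; a result name built from a variable, a result selected by an interceptor (for example the workflow interceptor returning "input"), or a global result in the package will not be reported, which is why Yasser's breakpoint on the return statement remains the authoritative check.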




Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
you're welcome :)

1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach the line
`return "renewEsignProc";` after `document.regSubmitForm.submit();`?
Please verify with a breakpoint.

2. What do you find if you search "renewSave1" (including double quotes)
in all of your .java files? (also for "renewSave2")

On 8/5/2017 1:57 AM, Deborah White wrote:

> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>
> I have this in my jsp:
>
> function submitESignature() {
>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>     //document.getElementById("button_cont").disabled = "disabled";
>     var url = "<s:url value="renewsave.action" encode="true"/>";
>     document.regSubmitForm.eSignStart.value = 1;
>     document.regSubmitForm.method = "POST";
>     document.regSubmitForm.action = url;
>     document.regSubmitForm.submit();
> }
>
> This in my java code:
>
> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>     return "renewEsignProc";
> }
>
> This in my struts.xml:
>
> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
> </action>
>
>
> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>
> Any thoughts?
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Tuesday, July 25, 2017 10:21 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> You're welcome! Happy to hear that it works there :)
>
> That warning means you still have some more. Please find them by searching for 'request.isUserInRole' in your JSPs, then replace them with '#request["MYUtils"].isUserInRole'.
>
> test='#request["MYUtils"].isUserInRole("UserAdmin")' and test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>
> On 7/25/2017 9:35 PM, Deborah White wrote:
>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>
>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>
>> Also, in my jsp I had to use this syntax:
>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>     $('#tabs-UserManagement').tabs();
>> </s:if>
>>
>> Instead of ['MYUtils'] (single quote).
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Monday, July 24, 2017 11:27 AM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> Yes, I think you should have mappings for all of them, in the following order:
>>
>>       <filter-mapping>
>>           <filter-name>struts-prepare</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>       <filter-mapping>
>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>       <filter-mapping>
>>           <filter-name>struts-execute</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>
>>
>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>> <filter-mapping>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <dispatcher>FORWARD</dispatcher>
>>>     <dispatcher>REQUEST</dispatcher>
>>> </filter-mapping>
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Saturday, July 22, 2017 2:18 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>>> which is new and which I added recently (so please copy the whole new
>>> MYStrutsPrepareFilter.java):
>>>
>>>  >              if(null != actionContext) {
>>>  >                      ValueStack stack = actionContext.getValueStack();
>>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>>  >              }
>>>
>>> It avoids a null pointer exception.
>>>
>>> Please reply back to me with the exception stack trace if you encounter any.
>>>
>>> IMPORTANT NOTE:
>>>
>>> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>>> For example, the following getter wakes up currently fixed security issues:
>>>
>>>     public class MYUtils {
>>>         ...
>>>         public ActionContext getActionContext() {
>>>             return ActionContext.getContext();
>>>         }
>>>         ...
>>>     }
>>>
>>>
>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>> Sorry! My previous code was sent from my mobile, so it has a few typos
>>>> because of issues with copy/paste :(
>>>>
>>>> Now, at my PC, I tested the following configuration, which works well :)
>>>>
>>>> 1. MYStrutsPrepareFilter.java
>>>>
>>>> *********************************************
>>>> package me.zamani.yasser.ww_convention.utils;
>>>>
>>>> import java.io.IOException;
>>>>
>>>> import javax.servlet.Filter;
>>>> import javax.servlet.FilterChain;
>>>> import javax.servlet.FilterConfig;
>>>> import javax.servlet.ServletException;
>>>> import javax.servlet.ServletRequest;
>>>> import javax.servlet.ServletResponse;
>>>> import javax.servlet.http.HttpServletRequest;
>>>>
>>>> import org.apache.struts2.StrutsStatics;
>>>> import com.opensymphony.xwork2.ActionContext;
>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>
>>>> /**
>>>>  * @author zamani
>>>>  *
>>>>  */
>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>
>>>>     private MYUtils MYUtils;
>>>>
>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>         MYUtils = new MYUtils();
>>>>     }
>>>>
>>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>             throws IOException, ServletException {
>>>>
>>>>         // The ActionContext exists only if StrutsPrepareFilter ran before this filter;
>>>>         // the null check avoids a NullPointerException when it did not.
>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>         if (null != actionContext) {
>>>>             ValueStack stack = actionContext.getValueStack();
>>>>             // Expose the helper as a request attribute so JSPs can use #request['MYUtils']
>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>         }
>>>>
>>>>         chain.doFilter(req, res);
>>>>     }
>>>>
>>>>     public void destroy() {
>>>>         MYUtils = null;
>>>>     }
>>>>
>>>>     // Not in an excluded package, so OGNL may call it; it returns only a boolean.
>>>>     public class MYUtils {
>>>>         public boolean isUserInRole(String user) {
>>>>             HttpServletRequest httpsr = ((HttpServletRequest)
>>>>                     ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST));
>>>>             return httpsr.isUserInRole(user);
>>>>         }
>>>>     }
>>>> }
>>>> **********************************************************
>>>>
>>>> 2. web.xml
>>>>
>>>> **********************************************************
>>>>      <filter>
>>>>          <filter-name>struts2prepare</filter-name>
>>>>
>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>      </filter>
>>>>
>>>>      <filter>
>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>
>>>> <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>      </filter>
>>>>
>>>>      <filter>
>>>>          <filter-name>struts2execute</filter-name>
>>>>
>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>      </filter>
>>>>
>>>>      <filter-mapping>
>>>>          <filter-name>struts2prepare</filter-name>
>>>>          <url-pattern>/*</url-pattern>
>>>>      </filter-mapping>
>>>>
>>>>      <filter-mapping>
>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>          <url-pattern>/*</url-pattern>
>>>>      </filter-mapping>
>>>>
>>>>      <filter-mapping>
>>>>          <filter-name>struts2execute</filter-name>
>>>>          <url-pattern>/*</url-pattern>
>>>>      </filter-mapping>
>>>> **************************************************************
>>>>
>>>> 3. hello.jsp
>>>>
>>>> **************************************************************
>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>      you are UserAdmin
>>>>      </s:if>
>>>>      <s:else>
>>>>      you are not UserAdmin
>>>>      </s:else>
>>>> **************************************************************
>>>>
>>>> Sincerely Yours,
>>>> Yasser.
>>>>
>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>
>>>>> 1. Add the following method to class MyUtil:
>>>>>
>>>>>     public boolean isUserInRole(String user) {
>>>>>         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>>>                 .get(StrutsStatics.HTTP_REQUEST));
>>>>>         return httpsr.isUserInRole(user);
>>>>>     }
>>>>>
>>>>> 2. Your Struts filters in web.xml should look like:
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> 3. Finally, find and replace all of
>>>>>
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> with
>>>>>
>>>>> <s:if test='#request['MYUtils'].isUserInRole("UserAdmin")' >
>>>>>
>>>>> I think something like this resolves your issue :) please try and let me know.
>>>>>
>>>>> Deborah White <[hidden email]> wrote:
>>>>>
>>>>>> This is what I currently have in my jsp:
>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>
>>>>>> Where would I put
>>>>>> "#request['MYUtils'].requestURI?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>> To: Struts Developers List <[hidden email]>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>> Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>>>
>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>
>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> Hi there, welcome to dev list :)
>>>>>>>
>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>>> to rewrite anything, and a find/replace did all the needed changes.
>>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>>> please feel free to continue here for a solution :)
>>>>>>>
>>>>>>> [1]
>>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>
>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>> To: Deborah White <[hidden email]>
>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>
>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>> ------------------------------------------------------------
>>>>>>>>
>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>>
>>>>>>>>
>>>>>>>> was (Author: lukaszlenart):
>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>>
>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>> -----------------------------------
>>>>>>>>>
>>>>>>>>>                 Key: WW-4815
>>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>>             Project: Struts 2
>>>>>>>>>          Issue Type: Temp
>>>>>>>>>          Components: Core
>>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>>            Reporter: Deborah White
>>>>>>>>>             Fix For: 2.3.32
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>> (v6.4.14#64029)
>>>>>>>>
>>>>>>>>

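The other route Lukasz Lenart recommends in the quoted JIRA comment ("move the logic to an action") has no code anywhere in this thread, so here is an added example of it; it is not code from the thread, from Yasser's filter, or from Struts itself, and the package, class and role names (`example.action`, `RenewReviewAction`, `UserAdmin`, `Reviewer`) are assumptions. The role check runs inside the action, which sits on the value stack and lives in no excluded package, so the JSP never has to reach `StrutsRequestWrapper` or `HttpServletRequestWrapper` through OGNL, `SecurityMemberAccess` has nothing to refuse, and the extra prepare filter is not needed. Only a boolean leaves the action, which is exactly the "primitive types, not sensitive objects" rule Yasser states above.

```java
package example.action; // assumed package for this added example

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.ServletRequestAware;

import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the thread): the role check lives in the action.
 * The servletConfig interceptor in Struts' defaultStack injects the request
 * through ServletRequestAware before execute() runs.
 *
 * JSP usage, replacing <s:if test='request.isUserInRole("UserAdmin")'>:
 *     <s:if test="userAdmin"> ... </s:if>
 * or, for any allow-listed role:
 *     <s:if test="hasRole('Reviewer')"> ... </s:if>
 */
public class RenewReviewAction extends ActionSupport implements ServletRequestAware {

    // Roles the view is allowed to ask about; any other name answers false.
    // This allow-list is an added hardening, not something Struts requires.
    private static final Set<String> KNOWN_ROLES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("UserAdmin", "Reviewer")));

    // Kept in a private field with no getter: OGNL in the JSP cannot read it,
    // so the servlet request never becomes reachable from an expression.
    private HttpServletRequest request;

    private boolean userAdmin;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // Evaluate once, server side, and keep only the boolean result.
        userAdmin = hasRole("UserAdmin");
        return SUCCESS;
    }

    /** Primitive result only; the JSP reads it as the "userAdmin" property. */
    public boolean isUserAdmin() {
        return userAdmin;
    }

    /** Container role check narrowed to the allow-list; null-safe if no request was injected. */
    public boolean hasRole(String role) {
        if (request == null || role == null || !KNOWN_ROLES.contains(role)) {
            return false;
        }
        return request.isUserInRole(role);
    }
}
```

With this in place the find/replace in the JSPs becomes `<s:if test="userAdmin">`, and the `SecurityMemberAccess` WARN quoted above disappears because no expression ever touches the excluded wrapper classes. The allow-list is the part to adapt: it keeps a view expression from probing arbitrary role names, and it is also the one place to look when a role check in a page silently answers false.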

RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
It does reach that line and for some reason, it gets a value of 0 instead of 1 passed in from the .jsp, so then it does not do the return.  I can't see anything obvious at all.  Works with 2.3.16.3.

Not finding renewSave1 or 2 in the .java file, strictly in struts.xml.

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Friday, August 04, 2017 10:11 PM
To: Struts Developers List <[hidden email]>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

you're welcome :)

1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach the line `return "renewEsignProc";` after `document.regSubmitForm.submit();`?
Please verify with a breakpoint.

2. What do you find if you search "renewSave1" (including double quotes) in all of your .java files? (also for "renewSave2")

On 8/5/2017 1:57 AM, Deborah White wrote:

> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>
> I have this in my jsp:
>
> function submitESignature() {
>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>     //document.getElementById("button_cont").disabled = "disabled";
>     var url = "<s:url value="renewsave.action" encode="true"/>";
>     document.regSubmitForm.eSignStart.value = 1;
>     document.regSubmitForm.method = "POST";
>     document.regSubmitForm.action = url;
>     document.regSubmitForm.submit();
> }
>
> This in my java code:
>
> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>     return "renewEsignProc";
> }
>
> This in my struts.xml:
>
> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
> </action>
>
>
> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>
> Any thoughts?
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Tuesday, July 25, 2017 10:21 AM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
> 2.3.16.3 to 2.3.32
>
> You're welcome! Happy to hear that it works there :)
>
> That warning means you still have some more. Please find them by
> searching for 'request.isUserInRole' in your JSPs, then replace them with
> '#request["MYUtils"].isUserInRole'.
>
> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>
> On 7/25/2017 9:35 PM, Deborah White wrote:
>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>
>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>
>> Also, in my jsp I had to use this syntax:
>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>     $('#tabs-UserManagement').tabs();
>> </s:if>
>>
>> Instead of ['MYUtils'] (single quote).
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Monday, July 24, 2017 11:27 AM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> Yes, I think you should have mappings for all of them, in the following order:
>>
>>       <filter-mapping>
>>           <filter-name>struts-prepare</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>       <filter-mapping>
>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>       <filter-mapping>
>>           <filter-name>struts-execute</filter-name>
>>           <url-pattern>/*</url-pattern>
>>           <dispatcher>FORWARD</dispatcher>
>>           <dispatcher>REQUEST</dispatcher>
>>       </filter-mapping>
>>
>>
>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>> <filter>
>>>     <filter-name>struts-prepare</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>> </filter>
>>>
>>> <filter>
>>>     <filter-name>struts-execute</filter-name>
>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>> </filter>
>>> <filter-mapping>
>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <dispatcher>FORWARD</dispatcher>
>>>     <dispatcher>REQUEST</dispatcher>
>>> </filter-mapping>
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Saturday, July 22, 2017 2:18 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>>> which is new and which I added recently (so please copy the whole new
>>> MYStrutsPrepareFilter.java):
>>>
>>>  >              if(null != actionContext) {
>>>  >                      ValueStack stack = actionContext.getValueStack();
>>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>>  >              }
>>>
>>> It avoids a null pointer exception.
>>>
>>> Please reply back to me with the exception stack trace if you encounter any.
>>>
>>> IMPORTANT NOTE:
>>>
>>> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>>> For example, the following getter wakes up currently fixed security issues:
>>>
>>>     public class MYUtils {
>>>         ...
>>>         public ActionContext getActionContext() {
>>>             return ActionContext.getContext();
>>>         }
>>>         ...
>>>     }
>>>
>>>
>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>> Sorry! My previous code was sent from my mobile, so it has a few typos
>>>> because of issues with copy/paste :(
>>>>
>>>> Now, at my PC, I tested the following configuration, which works well :)
>>>>
>>>> 1. MYStrutsPrepareFilter.java
>>>>
>>>> *********************************************
>>>> package me.zamani.yasser.ww_convention.utils;
>>>>
>>>> import java.io.IOException;
>>>>
>>>> import javax.servlet.Filter;
>>>> import javax.servlet.FilterChain;
>>>> import javax.servlet.FilterConfig;
>>>> import javax.servlet.ServletException;
>>>> import javax.servlet.ServletRequest;
>>>> import javax.servlet.ServletResponse;
>>>> import javax.servlet.http.HttpServletRequest;
>>>>
>>>> import org.apache.struts2.StrutsStatics;
>>>> import com.opensymphony.xwork2.ActionContext;
>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>
>>>> /**
>>>>  * @author zamani
>>>>  *
>>>>  */
>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>
>>>>     private MYUtils MYUtils;
>>>>
>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>         MYUtils = new MYUtils();
>>>>     }
>>>>
>>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>             throws IOException, ServletException {
>>>>
>>>>         // The ActionContext exists only if StrutsPrepareFilter ran before this filter;
>>>>         // the null check avoids a NullPointerException when it did not.
>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>         if (null != actionContext) {
>>>>             ValueStack stack = actionContext.getValueStack();
>>>>             // Expose the helper as a request attribute so JSPs can use #request['MYUtils']
>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>         }
>>>>
>>>>         chain.doFilter(req, res);
>>>>     }
>>>>
>>>>     public void destroy() {
>>>>         MYUtils = null;
>>>>     }
>>>>
>>>>     // Not in an excluded package, so OGNL may call it; it returns only a boolean.
>>>>     public class MYUtils {
>>>>         public boolean isUserInRole(String user) {
>>>>             HttpServletRequest httpsr = ((HttpServletRequest)
>>>>                     ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST));
>>>>             return httpsr.isUserInRole(user);
>>>>         }
>>>>     }
>>>> }
>>>> **********************************************************
>>>>
>>>> 2. web.xml
>>>>
>>>> **********************************************************
>>>>     <filter>
>>>>         <filter-name>struts2prepare</filter-name>
>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>     </filter>
>>>>
>>>>     <filter>
>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>     </filter>
>>>>
>>>>     <filter>
>>>>         <filter-name>struts2execute</filter-name>
>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>     </filter>
>>>>
>>>>     <filter-mapping>
>>>>         <filter-name>struts2prepare</filter-name>
>>>>         <url-pattern>/*</url-pattern>
>>>>     </filter-mapping>
>>>>
>>>>     <filter-mapping>
>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>         <url-pattern>/*</url-pattern>
>>>>     </filter-mapping>
>>>>
>>>>     <filter-mapping>
>>>>         <filter-name>struts2execute</filter-name>
>>>>         <url-pattern>/*</url-pattern>
>>>>     </filter-mapping>
>>>> **************************************************************
>>>>
>>>> 3. hello.jsp
>>>>
>>>> **************************************************************
>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>      you are UserAdmin
>>>>      </s:if>
>>>>      <s:else>
>>>>      you are not UserAdmin
>>>>      </s:else>
>>>> **************************************************************
>>>>
>>>> Sincerely Yours,
>>>> Yasser.
>>>>
>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>> Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>
>>>>> 1. Add following method to class MyUtil:
>>>>>
>>>>>     public boolean isUserInRole(String user) {
>>>>>         HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>>                 .get(StrutsStatics.HTTP_REQUEST);
>>>>>         return httpsr.isUserInRole(user);
>>>>>     }
>>>>>
>>>>> 2. Your struts filters in web.xml should look like:
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> 3. Finally find and replace all of
>>>>>
>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>
>>>>> With
>>>>>
>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>
>>>>> I think something like this resolves your issue :) Please try it and let me know.
>>>>>
>>>>> Deborah White <[hidden email]> wrote:
>>>>>
>>>>>> This is what I currently have in my jsp:
>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>
>>>>>> Where would I put
>>>>>> "#request['MYUtils'].requestURI?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>> To: Struts Developers List <[hidden email]>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>> Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in an excluded package, you can get what you need from the excluded packages via OGNL through it.
>>>>>>
>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>
>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> Hi there, welcome to dev list :)
>>>>>>>
>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>>> to rewrite anything, and a find/replace did all the needed changes.
>>>>>>> Please check whether my solution also resolves yours. If not,
>>>>>>> please feel free to continue here for a solution :)
>>>>>>>
>>>>>>> [1]
>>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>
>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>> To: Deborah White <[hidden email]>
>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>>
>>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>
>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>> ------------------------------------------------------------
>>>>>>>>
>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>>
>>>>>>>>
>>>>>>>> was (Author: lukaszlenart):
>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>
>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>>
>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>> -----------------------------------
>>>>>>>>>
>>>>>>>>>                 Key: WW-4815
>>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>>             Project: Struts 2
>>>>>>>>>          Issue Type: Temp
>>>>>>>>>          Components: Core
>>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>>            Reporter: Deborah White
>>>>>>>>>             Fix For: 2.3.32
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>> (v6.4.14#64029)
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: [hidden email]
>>>>>>> For additional commands, e-mail: [hidden email]
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>
>

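The helper-object approach in the quoted thread works because OGNL only ever touches a class outside the excluded packages; the risk is a helper that hands one of the excluded objects back out. The following is an added example, not code from the thread, from Yasser's project or from Struts: a facade that answers only with primitives, plus a reflection check that fails when any public method returns an excluded type. The package `my.app.util`, the class `RoleFacade`, its method names, the `#request['roles']` key and the forbidden-package list are assumptions; it needs struts2-core and the servlet API on the classpath.

```java
package my.app.util; // assumed package: it must not be one of the OGNL-excluded ones

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;
import com.opensymphony.xwork2.ActionContext;

/**
 * Facade a filter can publish on the value stack (e.g. as #request['roles'], an
 * assumed name) so JSPs can ask role questions without OGNL touching the
 * excluded HttpServletRequest. Every public method returns a primitive or a
 * String, so an expression that reaches this object cannot navigate any further.
 */
public final class RoleFacade {

    /** Same contract as the thread's MYUtils.isUserInRole: a boolean, nothing else. */
    public boolean isUserInRole(String role) {
        HttpServletRequest request = currentRequest();
        return request != null && role != null && request.isUserInRole(role);
    }

    /** Another primitive-only view: the authenticated user name, or "" if anonymous. */
    public String getRemoteUser() {
        HttpServletRequest request = currentRequest();
        String user = (request == null) ? null : request.getRemoteUser();
        return (user == null) ? "" : user;
    }

    // Deliberately private. A public getActionContext()/getRequest() would let any
    // OGNL expression that can reach the facade walk back into the objects Struts
    // excluded on purpose; that is exactly the getter the thread warns against.
    private static HttpServletRequest currentRequest() {
        ActionContext ctx = ActionContext.getContext();
        if (ctx == null) {
            return null;
        }
        return (HttpServletRequest) ctx.get(StrutsStatics.HTTP_REQUEST);
    }

    /**
     * Build-time check (an addition here, not part of Struts): names every public
     * instance method whose return type lives in a package an OGNL-reachable
     * facade must never hand out. A non-empty result should fail the build.
     */
    public static List<String> leakingMethods(Class<?> facade) {
        // Prefixes rather than exact names, so subtypes and inner classes are caught
        // as well; "java.lang.Class" also covers ClassLoader.
        String[] forbidden = {
            "javax.servlet.", "jakarta.servlet.", "com.opensymphony.xwork2.",
            "org.apache.struts2.", "ognl.", "java.lang.reflect.", "java.lang.Class"
        };
        List<String> leaks = new ArrayList<>();
        for (Method m : facade.getMethods()) {
            // Static helpers are not what the JSP calls through the facade, and
            // java.lang.Object's own methods are already covered by Struts' exclusions.
            if (Modifier.isStatic(m.getModifiers()) || m.getDeclaringClass() == Object.class) {
                continue;
            }
            String returned = m.getReturnType().getName();
            for (String prefix : forbidden) {
                if (returned.startsWith(prefix)) {
                    leaks.add(m.getName() + " -> " + returned);
                    break;
                }
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        List<String> leaks = leakingMethods(RoleFacade.class);
        if (!leaks.isEmpty()) {
            throw new IllegalStateException("facade leaks excluded types: " + leaks);
        }
        System.out.println("RoleFacade exposes only primitives and String");
    }
}
```

Run `leakingMethods` against your own helper in a unit test; adding a `public ActionContext getActionContext()` to it makes the check report `getActionContext -> com.opensymphony.xwork2.ActionContext`.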


Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
Ouch... I now remember the same issue and what the problem was. Please try
the following, which is documented at [1].

Field names
If you have field names which start with a single lower case letter, for
example:

private String sTrng;
public String getSTrng() {...}
public void setSTrng(String str) {...}

change accessors to getsTrng and setsTrng.

Or better yet, change field names to not contain a single lower case letter:

private String strng;
public String getStrng() {...}
public void setStrng(String str) {...}

For additional info see WW-3909.

[1] https://struts.apache.org/docs/struts-23-to-25-migration.html

On 8/8/2017 3:36 AM, Deborah White wrote:

> It does reach that line and for some reason, it gets a value of 0 instead of 1 passed in from the .jsp, so then it does not do the return.  I can't see anything obvious at all.  Works with 2.3.16.3.
>
> Not finding renewSave1 or 2 in the .java file, strictly in struts.xml.
>
> -----Original Message-----
> From: Yasser Zamani [mailto:[hidden email]]
> Sent: Friday, August 04, 2017 10:11 PM
> To: Struts Developers List <[hidden email]>
> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
> you're welcome :)
>
> 1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach line `return "renewEsignProc";` after `document.regSubmitForm.submit();`?
> Please verify with a breakpoint.
>
> 2. What do you find if you search "renewSave1" (including double quotes) in all of your .java files? (also for "renewSave2")
>
> On 8/5/2017 1:57 AM, Deborah White wrote:
>> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>>
>> I have this in my jsp:
>>
>> function submitESignature() {
>>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>>     //document.getElementById("button_cont").disabled = "disabled";
>>     var url = "<s:url value="renewsave.action" encode="true"/>";
>>     document.regSubmitForm.eSignStart.value = 1;
>>     document.regSubmitForm.method = "POST";
>>     document.regSubmitForm.action = url;
>>     document.regSubmitForm.submit();
>> }
>>
>> This in my java code:
>>
>> else if (renewSaveStart == 0 && eSignStart == 1) {
>>     return "renewEsignProc";
>> }
>>
>> This in my struts.xml:
>>
>> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
>> </action>
>>
>>
>> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>>
>> Any thoughts?
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Tuesday, July 25, 2017 10:21 AM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> You're welcome! Happy to hear that it works there :)
>>
>> That warning means you still have some more of them. Please find them by
>> searching for 'request.isUserInRole in your JSPs, then replace them with
>> '#request["MYUtils"].isUserInRole
>>
>> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
>> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>>
>> On 7/25/2017 9:35 PM, Deborah White wrote:
>>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>>
>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>
>>> Also, in my jsp I had to use this syntax:
>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>>     $('#tabs-UserManagement').tabs();
>>> </s:if>
>>>
>>> Instead of ['MYUtils'] (single quote).
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Monday, July 24, 2017 11:27 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> Yes, I think you should have mappings for all of them, in the following order:
>>>
>>>       <filter-mapping>
>>>           <filter-name>struts-prepare</filter-name>
>>>           <url-pattern>/*</url-pattern>
>>>           <dispatcher>FORWARD</dispatcher>
>>>           <dispatcher>REQUEST</dispatcher>
>>>       </filter-mapping>
>>>       <filter-mapping>
>>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>>           <url-pattern>/*</url-pattern>
>>>           <dispatcher>FORWARD</dispatcher>
>>>           <dispatcher>REQUEST</dispatcher>
>>>       </filter-mapping>
>>>       <filter-mapping>
>>>           <filter-name>struts-execute</filter-name>
>>>           <url-pattern>/*</url-pattern>
>>>           <dispatcher>FORWARD</dispatcher>
>>>           <dispatcher>REQUEST</dispatcher>
>>>       </filter-mapping>
>>>
>>>
>>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>>> <filter>
>>>>     <filter-name>struts-prepare</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter>
>>>>     <filter-name>struts-execute</filter-name>
>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>> </filter>
>>>>     <filter-mapping>
>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>         <url-pattern>/*</url-pattern>
>>>>         <dispatcher>FORWARD</dispatcher>
>>>>         <dispatcher>REQUEST</dispatcher>
>>>>     </filter-mapping>
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Saturday, July 22, 2017 2:18 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>>>> which is new and which I added recently (so please copy the whole new
>>>> MYStrutsPrepareFilter.java):
>>>>
>>>>  >     if (null != actionContext) {
>>>>  >         ValueStack stack = actionContext.getValueStack();
>>>>  >         stack.setValue("#request['MYUtils']", MYUtils);
>>>>  >     }
>>>>
>>>> It avoids a null pointer exception.
>>>>
>>>> Please reply with the exception stack trace if you encounter any.
>>>>
>>>> IMPORTANT NOTE:
>>>>
>>>> To keep things secure, your MYUtils class should return only the necessary info (no less, no more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>>>> For example, the following getter reopens the currently fixed security issues:
>>>>
>>>>     public class MYUtils {
>>>>         ...
>>>>         public ActionContext getActionContext() {
>>>>             return ActionContext.getContext();
>>>>         }
>>>>         ...
>>>>     }
>>>>
>>>>
>>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>>> Sorry! My previous code was sent from my mobile and has a few typos
>>>>> because of issues with copy/paste :(
>>>>>
>>>>> Now, at my PC, I tested the following configuration, which works well :)
>>>>>
>>>>> 1. MYStrutsPrepareFilter.java
>>>>>
>>>>> *********************************************
>>>>> package me.zamani.yasser.ww_convention.utils;
>>>>>
>>>>> import java.io.IOException;
>>>>>
>>>>> import javax.servlet.Filter;
>>>>> import javax.servlet.FilterChain;
>>>>> import javax.servlet.FilterConfig;
>>>>> import javax.servlet.ServletException;
>>>>> import javax.servlet.ServletRequest;
>>>>> import javax.servlet.ServletResponse;
>>>>> import javax.servlet.http.HttpServletRequest;
>>>>>
>>>>> import org.apache.struts2.StrutsStatics;
>>>>> import com.opensymphony.xwork2.ActionContext;
>>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>>
>>>>> /**
>>>>>  * @author zamani
>>>>>  *
>>>>>  */
>>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>>
>>>>>     private MYUtils MYUtils;
>>>>>
>>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>>         MYUtils = new MYUtils();
>>>>>     }
>>>>>
>>>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>>             throws IOException, ServletException {
>>>>>
>>>>>         // Publish the helper to OGNL as #request['MYUtils']; the context is null
>>>>>         // when this filter runs for a request Struts has not prepared.
>>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>>         if (null != actionContext) {
>>>>>             ValueStack stack = actionContext.getValueStack();
>>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>>         }
>>>>>
>>>>>         chain.doFilter(req, res);
>>>>>     }
>>>>>
>>>>>     public void destroy() {
>>>>>         MYUtils = null;
>>>>>     }
>>>>>
>>>>>     public class MYUtils {
>>>>>         // Returns only a boolean, so OGNL never receives the excluded request object itself
>>>>>         public boolean isUserInRole(String user) {
>>>>>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>>                     .get(StrutsStatics.HTTP_REQUEST);
>>>>>             return httpsr.isUserInRole(user);
>>>>>         }
>>>>>     }
>>>>> }
>>>>> **********************************************************
>>>>>
>>>>> 2. web.xml
>>>>>
>>>>> **********************************************************
>>>>>     <filter>
>>>>>         <filter-name>struts2prepare</filter-name>
>>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>>     </filter>
>>>>>
>>>>>     <filter>
>>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>>     </filter>
>>>>>
>>>>>     <filter>
>>>>>         <filter-name>struts2execute</filter-name>
>>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>>     </filter>
>>>>>
>>>>>     <filter-mapping>
>>>>>         <filter-name>struts2prepare</filter-name>
>>>>>         <url-pattern>/*</url-pattern>
>>>>>     </filter-mapping>
>>>>>
>>>>>     <filter-mapping>
>>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>         <url-pattern>/*</url-pattern>
>>>>>     </filter-mapping>
>>>>>
>>>>>     <filter-mapping>
>>>>>         <filter-name>struts2execute</filter-name>
>>>>>         <url-pattern>/*</url-pattern>
>>>>>     </filter-mapping>
>>>>> **************************************************************
>>>>>
>>>>> 3. hello.jsp
>>>>>
>>>>> **************************************************************
>>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>>      you are UserAdmin
>>>>>      </s:if>
>>>>>      <s:else>
>>>>>      you are not UserAdmin
>>>>>      </s:else>
>>>>> **************************************************************
>>>>>
>>>>> Sincerely Yours,
>>>>> Yasser.
>>>>>
>>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>>> To: Struts Developers List <[hidden email]>
>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>> Struts
>>>>>> 2.3.16.3 to 2.3.32
>>>>>>
>>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>>
>>>>>> 1. Add following method to class MyUtil:
>>>>>>
>>>>>>     public boolean isUserInRole(String user) {
>>>>>>         HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>>>                 .get(StrutsStatics.HTTP_REQUEST);
>>>>>>         return httpsr.isUserInRole(user);
>>>>>>     }
>>>>>>
>>>>>> 2. Your struts filters in web.xml should look like:
>>>>>>
>>>>>> <filter>
>>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>>> </filter>
>>>>>>
>>>>>> <filter>
>>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>>> </filter>
>>>>>>
>>>>>> <filter>
>>>>>>     <filter-name>struts-execute</filter-name>
>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>>> </filter>
>>>>>>
>>>>>> 3. Finally find and replace all of
>>>>>>
>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>
>>>>>> With
>>>>>>
>>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>>
>>>>>> I think something like this resolves your issue :) Please try it and let me know.
>>>>>>
>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>
>>>>>>> This is what I currently have in my jsp:
>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> Where would I put
>>>>>>> "#request['MYUtils'].requestURI?
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in an excluded package, you can get what you need from the excluded packages via OGNL through it.
>>>>>>>
>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>
>>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>> Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>> Hi there, welcome to dev list :)
>>>>>>>>
>>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>>>> to rewrite anything, and a find/replace did all the needed changes.
>>>>>>>> Please check whether my solution also resolves yours. If not,
>>>>>>>> please feel free to continue here for a solution :)
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>>
>>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>>> To: Deborah White <[hidden email]>
>>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>>
>>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>
>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> was (Author: lukaszlenart):
>>>>>>>>> The best place to ask such question is to subscribe to the User
>>>>>>>>> Mailing list as there are more eyes to help you
>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>
>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>>>
>>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>>> -----------------------------------
>>>>>>>>>>
>>>>>>>>>>                 Key: WW-4815
>>>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>>>             Project: Struts 2
>>>>>>>>>>          Issue Type: Temp
>>>>>>>>>>          Components: Core
>>>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>>>            Reporter: Deborah White
>>>>>>>>>>             Fix For: 2.3.32
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>>> (v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Yasser Zamani
So in your ExtRenewSave class ...

Replace setESignStart and getESignStart with seteSignStart and geteSignStart

Or better yet...

Refactor eSignStart field to esignStart and in order, setESignStart to
setEsignStart and getESignStart to getEsignStart.

On 8/8/2017 10:10 AM, Yasser Zamani wrote:

> Ouch... I now remembered the same issue and what the problem was. Please try
> the following, which is documented at [1].
>
> Field names
> If you have field names which start with a single lower case letter, for
> example:
>
> private String sTrng;
> public String getSTrng() {...}
> public void setSTrng(String str) {...}
>
> change accessors to getsTrng and setsTrng.
>
> Or better yet, change field names to not contain a single lower case letter:
>
> private String strng;
> public String getStrng() {...}
> public void setStrng(String str) {...}
>
> For additional info see WW-3909.
>
> [1] https://struts.apache.org/docs/struts-23-to-25-migration.html
>
> On 8/8/2017 3:36 AM, Deborah White wrote:
>> It does reach that line and for some reason, it gets a value of 0 instead of 1 passed in from the .jsp, so then it does not do the return.  I can't see anything obvious at all.  Works with 2.3.16.3.
>>
>> Not finding renewSave1 or 2 in the .java file, strictly in struts.xml.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Friday, August 04, 2017 10:11 PM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>>
>> you're welcome :)
>>
>> 1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach line `return "renewEsignProc";` after `document.regSubmitForm.submit();`?
>> please verify by a breakpoint.
>>
>> 2. What do you find if you search "renewSave1" (including double quotes) in all of your .java files? (also for "renewSave2")
>>
>> On 8/5/2017 1:57 AM, Deborah White wrote:
>>> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>>>
>>> I have this in my jsp:
>>>
>>> function submitESignature() {
>>>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>>>     //document.getElementById("button_cont").disabled = "disabled";
>>>     var url = "<s:url value="renewsave.action" encode="true"/>";
>>>     document.regSubmitForm.eSignStart.value = 1;
>>>     document.regSubmitForm.method = "POST";
>>>     document.regSubmitForm.action = url;
>>>     document.regSubmitForm.submit();
>>> }
>>>
>>> This in my java code:
>>>
>>> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>>>     return "renewEsignProc";
>>> }
>>>
>>> This in my struts.xml:
>>>
>>> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>>>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>>>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>>>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>>>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>>>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
>>> </action>
>>>
>>>
>>> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>>>
>>> Any thoughts?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Tuesday, July 25, 2017 10:21 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> You're welcome! Happy to hear that it works there :)
>>>
>>> That warning means you still have some more. Please find them by
>>> searching for `request.isUserInRole` in your JSPs, then replace them with
>>> `#request["MYUtils"].isUserInRole`.
>>>
>>> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
>>> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>>>
>>> On 7/25/2017 9:35 PM, Deborah White wrote:
>>>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>>>
>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>
>>>> Also, in my jsp I had to use this syntax:
>>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>>>     $('#tabs-UserManagement').tabs();
>>>> </s:if>
>>>>
>>>> Instead of ['MYUtils'] (single quote).
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Monday, July 24, 2017 11:27 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> Yes, I think you should have mappings for all, in the following order:
>>>>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-prepare</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-execute</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>
>>>>
>>>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>> <filter-mapping>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <url-pattern>/*</url-pattern>
>>>>>     <dispatcher>FORWARD</dispatcher>
>>>>>     <dispatcher>REQUEST</dispatcher>
>>>>> </filter-mapping>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Saturday, July 22, 2017 2:18 AM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> I forgot to mention the following block in MYStrutsPrepareFilter.java,
>>>>> which is new and which I added recently (so please copy the whole new
>>>>> MYStrutsPrepareFilter.java):
>>>>>
>>>>>  >              if(null != actionContext) {
>>>>>  >                      ValueStack stack = actionContext.getValueStack();
>>>>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>>>>  >              }
>>>>>
>>>>> It avoids null pointer exception.
>>>>>
>>>>> Please reply back to me the `exception stack trace` if you encounter any.
>>>>>
>>>>> IMPORTANT NOTE:
>>>>>
>>>>> To keep security, your MYUtils class should return only the necessary info (no less, no more), in primitive types like string, boolean, int, etc. as much as possible, rather than sensitive objects.
>>>>> For example, the following get method wakes up currently fixed security issues:
>>>>>
>>>>>     public class MYUtils {...
>>>>>         public ActionContext getActionContext() {
>>>>>             return ActionContext.getContext();
>>>>>         }
>>>>>     ...}
>>>>>
>>>>>
>>>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>>>> Sorry! My previous code was sent via my mobile and has a few typos
>>>>>> because of issues with copy/paste :(
>>>>>>
>>>>>> Now, at my PC, I tested the following configuration which works well :)
>>>>>>
>>>>>> 1. MYStrutsPrepareFilter.java
>>>>>>
>>>>>> *********************************************
>>>>>> package me.zamani.yasser.ww_convention.utils;
>>>>>>
>>>>>> import java.io.IOException;
>>>>>>
>>>>>> import javax.servlet.Filter;
>>>>>> import javax.servlet.FilterChain;
>>>>>> import javax.servlet.FilterConfig;
>>>>>> import javax.servlet.ServletException;
>>>>>> import javax.servlet.ServletRequest;
>>>>>> import javax.servlet.ServletResponse;
>>>>>> import javax.servlet.http.HttpServletRequest;
>>>>>>
>>>>>> import org.apache.struts2.StrutsStatics;
>>>>>> import com.opensymphony.xwork2.ActionContext;
>>>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>>>
>>>>>> /**
>>>>>>  * @author zamani
>>>>>>  *
>>>>>>  */
>>>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>>>
>>>>>>     private MYUtils MYUtils;
>>>>>>
>>>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>>>         MYUtils = new MYUtils();
>>>>>>     }
>>>>>>
>>>>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>>>             throws IOException, ServletException {
>>>>>>
>>>>>>         // The null check guards against requests for which no ActionContext exists yet.
>>>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>>>         if (null != actionContext) {
>>>>>>             ValueStack stack = actionContext.getValueStack();
>>>>>>             // Expose the wrapper, not the excluded request object, to OGNL as #request['MYUtils'].
>>>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>>>         }
>>>>>>
>>>>>>         chain.doFilter(req, res);
>>>>>>     }
>>>>>>
>>>>>>     public void destroy() {
>>>>>>         MYUtils = null;
>>>>>>     }
>>>>>>
>>>>>>     public class MYUtils {
>>>>>>         // Returns only a boolean, never the HttpServletRequest itself; the parameter is the role name.
>>>>>>         public boolean isUserInRole(String user) {
>>>>>>             HttpServletRequest httpsr = ((HttpServletRequest)
>>>>>>                     ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST));
>>>>>>             return httpsr.isUserInRole(user);
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>> **********************************************************
>>>>>>
>>>>>> 2. web.xml
>>>>>>
>>>>>> **********************************************************
>>>>>>      <filter>
>>>>>>          <filter-name>struts2prepare</filter-name>
>>>>>>
>>>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter>
>>>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>
>>>>>> <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter>
>>>>>>          <filter-name>struts2execute</filter-name>
>>>>>>
>>>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>struts2prepare</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>struts2execute</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>> **************************************************************
>>>>>>
>>>>>> 3. hello.jsp
>>>>>>
>>>>>> **************************************************************
>>>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>>>      you are UserAdmin
>>>>>>      </s:if>
>>>>>>      <s:else>
>>>>>>      you are not UserAdmin
>>>>>>      </s:else>
>>>>>> **************************************************************
>>>>>>
>>>>>> Sincerely Yours,
>>>>>> Yasser.
>>>>>>
>>>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>>>
>>>>>>> 1. Add the following method to class MyUtil:
>>>>>>>
>>>>>>>     public boolean isUserInRole (String user) {
>>>>>>>         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>>>>>                 .get(StrutsStatics.HTTP_REQUEST));
>>>>>>>         return httpsr.isUserInRole (user);
>>>>>>>     }
>>>>>>>
>>>>>>> 2. Your struts filters in web.xml should look like:
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name> MYStrutsPrepareFilter</filter-name>
>>>>>>>     <filter-class>my.package. MYStrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-execute</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> 3. Finally find and replace all of
>>>>>>>
>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> With
>>>>>>>
>>>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> I think something like this resolves your issue :) please try and let me know.
>>>>>>>
>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>
>>>>>>>> This is what I currently have in my jsp:
>>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>>
>>>>>>>> Where would I put
>>>>>>>> "#request['MYUtils'].requestURI?
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>> Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>>>>>
>>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>>> Struts
>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>
>>>>>>>>> Hi there, welcome to dev list :)
>>>>>>>>>
>>>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>>>> similar issue and you can see my solution at [1]. I did not need
>>>>>>>>> to rewrite anything and a find/replace did all the needed changes.
>>>>>>>>> Please review whether my solution also resolves yours. If not,
>>>>>>>>> please feel free to continue here for a solution :)
>>>>>>>>>
>>>>>>>>> [1]
>>>>>>>>> https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
I didn't write this code, just trying to get it working.  I'm still getting a 0 for esignStart.

In jsp
  var url = "<s:url value="renewsave.action" encode="true"/>";
  document.regSubmitForm.eSignStart.value = 0;
  document.regSubmitForm.nextsection.value = -1;
  document.regSubmitForm.method = "POST";
  document.regSubmitForm.action = url;
  document.regSubmitForm.submit();

<input type="hidden" name="esignStart" id="esignStart" value=""/>

In ExtRenewSave class
else if ( renewSaveStart == 0 && esignStart == 1 ) {
    return "renewEsignProc";

public void setESignStart(int esignStart) {
    this.esignStart = esignStart;
}

public int getESignStart() {
    return esignStart;
}
-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Monday, August 07, 2017 11:18 PM
To: [hidden email]
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

So in your ExtRenewSave class ...

Replace setESignStart and getESignStart with seteSignStart and geteSignStart

Or better yet...

Refactor eSignStart field to esignStart and in order, setESignStart to setEsignStart and getESignStart to getEsignStart.

On 8/8/2017 10:10 AM, Yasser Zamani wrote:

> Ouch... I now remember the same issue and what the problem was. Please try the following, which is documented at [1].
>
> Field names
> If you have field names which start with a single lower-case letter, for example:
>
> private String sTrng;
> public String getSTrng() {...}
> public void setSTrng(String str) {...}
>
> change accessors to getsTrng and setsTrng.
>
> Or better yet, change field names to not contain single lower case letter:
>
> private String strng;
> public String getStrng() {...}
> public void setStrng(String str) {...}
>
> For additional info see WW-3909.
>
> [1] https://struts.apache.org/docs/struts-23-to-25-migration.html
>
> On 8/8/2017 3:36 AM, Deborah White wrote:
>> It does reach that line and for some reason, it gets a value of 0 instead of 1 passed in from the .jsp, so then it does not do the return.  I can't see anything obvious at all.  Works with 2.3.16.3.
>>
>> Not finding renewSave1 or 2 in the .java file, strictly in struts.xml.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Friday, August 04, 2017 10:11 PM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> you're welcome :)
>>
>> 1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach line `return "renewEsignProc";` after `document.regSubmitForm.submit();`?
>> please verify by a breakpoint.
>>
>> 2. What do you find if you search "renewSave1" (including double
>> quotes) in all of your .java files? (also for "renewSave2")
>>
>> On 8/5/2017 1:57 AM, Deborah White wrote:
>>> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>>>
>>> I have this in my jsp:
>>>
>>> function submitESignature() {
>>>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>>>     //document.getElementById("button_cont").disabled = "disabled";
>>>     var url = "<s:url value="renewsave.action" encode="true"/>";
>>>     document.regSubmitForm.eSignStart.value = 1;
>>>     document.regSubmitForm.method = "POST";
>>>     document.regSubmitForm.action = url;
>>>     document.regSubmitForm.submit();
>>> }
>>>
>>> This in my java code:
>>>
>>> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>>>            return "renewEsignProc";
>>>
>>> This in my struts.xml:
>>>
>>> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>>>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>>>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>>>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>>>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>>>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
>>> </action>
>>>
>>>
>>> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>>>
>>> Any thoughts?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Tuesday, July 25, 2017 10:21 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> You're welcome! Happy to hear that it works there :)
>>>
>>> That warning means you still have some more. Please find them by searching for `request.isUserInRole` in your JSPs, then replace them with `#request["MYUtils"].isUserInRole`.
>>>
>>> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
>>> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>>>
>>> On 7/25/2017 9:35 PM, Deborah White wrote:
>>>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>>>
>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>
>>>> Also, in my jsp I had to use this syntax:
>>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>>>     $('#tabs-UserManagement').tabs();
>>>> </s:if>
>>>>
>>>> Instead of ['MYUtils'] (single quote).
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Monday, July 24, 2017 11:27 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> Yes, I think you should have mappings for all of them, in the following order:
>>>>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-prepare</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-execute</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>
>>>>
>>>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter-mapping>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <url-pattern>/*</url-pattern>
>>>>>     <dispatcher>FORWARD</dispatcher>
>>>>>     <dispatcher>REQUEST</dispatcher>
>>>>> </filter-mapping>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Saturday, July 22, 2017 2:18 AM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>> Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> I forgot to mention the following block in MYStrutsPrepareFilter.java, which is new and I added recently (so please copy the whole new MYStrutsPrepareFilter.java):
>>>>>
>>>>>  >              if(null != actionContext) {
>>>>>  >                      ValueStack stack = actionContext.getValueStack();
>>>>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>>>>  >              }
>>>>>
>>>>> It avoids a null pointer exception.
>>>>>
>>>>> Please reply back to me the `exception stack trace` if you encounter any.
>>>>>
>>>>> IMPORTANT NOTE:
>>>>>
>>>>> To keep it secure, your MYUtils class should return only the necessary info (not less, not more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>>>>> For example, the following getter re-opens security issues that are currently fixed:
>>>>>
>>>>>     public class MYUtils {
>>>>>         ...
>>>>>         public ActionContext getActionContext() {
>>>>>             return ActionContext.getContext();
>>>>>         }
>>>>>         ...
>>>>>     }
>>>>>
>>>>>
>>>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>>>> Sorry! My previous code was sent via my mobile, which has a few typos because of issues with copy/paste :(
>>>>>>
>>>>>> Now, at my PC, I tested the following configuration, which works well :)
>>>>>>
>>>>>> 1. MYStrutsPrepareFilter.java
>>>>>>
>>>>>> *********************************************
>>>>>> package me.zamani.yasser.ww_convention.utils;
>>>>>>
>>>>>> import java.io.IOException;
>>>>>>
>>>>>> import javax.servlet.Filter;
>>>>>> import javax.servlet.FilterChain;
>>>>>> import javax.servlet.FilterConfig;
>>>>>> import javax.servlet.ServletException;
>>>>>> import javax.servlet.ServletRequest;
>>>>>> import javax.servlet.ServletResponse;
>>>>>> import javax.servlet.http.HttpServletRequest;
>>>>>>
>>>>>> import org.apache.struts2.StrutsStatics;
>>>>>> import com.opensymphony.xwork2.ActionContext;
>>>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>>>
>>>>>> /**
>>>>>>  * @author zamani
>>>>>>  */
>>>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>>>
>>>>>>     private MYUtils MYUtils;
>>>>>>
>>>>>>     public void init(FilterConfig filterConfig) throws ServletException {
>>>>>>         MYUtils = new MYUtils();
>>>>>>     }
>>>>>>
>>>>>>     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>>>             throws IOException, ServletException {
>>>>>>
>>>>>>         // Mapped after struts2prepare in web.xml, so the ActionContext already exists;
>>>>>>         // put the helper on the value stack under #request['MYUtils'] for the JSPs.
>>>>>>         ActionContext actionContext = ActionContext.getContext();
>>>>>>         if (null != actionContext) {
>>>>>>             ValueStack stack = actionContext.getValueStack();
>>>>>>             stack.setValue("#request['MYUtils']", MYUtils);
>>>>>>         }
>>>>>>
>>>>>>         chain.doFilter(req, res);
>>>>>>     }
>>>>>>
>>>>>>     public void destroy() {
>>>>>>         MYUtils = null;
>>>>>>     }
>>>>>>
>>>>>>     // Not in an OGNL-excluded package, so it is reachable from the JSPs;
>>>>>>     // it exposes nothing but a boolean.
>>>>>>     public class MYUtils {
>>>>>>         public boolean isUserInRole(String user) {
>>>>>>             HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>>>                     .get(StrutsStatics.HTTP_REQUEST);
>>>>>>             return httpsr.isUserInRole(user);
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>> **********************************************************
>>>>>>
>>>>>> 2. web.xml
>>>>>>
>>>>>> **********************************************************
>>>>>>     <filter>
>>>>>>         <filter-name>struts2prepare</filter-name>
>>>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>>>     </filter>
>>>>>>
>>>>>>     <filter>
>>>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>         <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>>>     </filter>
>>>>>>
>>>>>>     <filter>
>>>>>>         <filter-name>struts2execute</filter-name>
>>>>>>         <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>>>     </filter>
>>>>>>
>>>>>>     <filter-mapping>
>>>>>>         <filter-name>struts2prepare</filter-name>
>>>>>>         <url-pattern>/*</url-pattern>
>>>>>>     </filter-mapping>
>>>>>>
>>>>>>     <filter-mapping>
>>>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>         <url-pattern>/*</url-pattern>
>>>>>>     </filter-mapping>
>>>>>>
>>>>>>     <filter-mapping>
>>>>>>         <filter-name>struts2execute</filter-name>
>>>>>>         <url-pattern>/*</url-pattern>
>>>>>>     </filter-mapping>
>>>>>> **************************************************************
>>>>>>
>>>>>> 3. hello.jsp
>>>>>>
>>>>>> **************************************************************
>>>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>>>      you are UserAdmin
>>>>>>      </s:if>
>>>>>>      <s:else>
>>>>>>      you are not UserAdmin
>>>>>>      </s:else>
>>>>>> **************************************************************
>>>>>>
>>>>>> Sincerely Yours,
>>>>>> Yasser.
>>>>>>
>>>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>>>
>>>>>>> 1. Add following method to class MyUtil:
>>>>>>>
>>>>>>>     public boolean isUserInRole(String user) {
>>>>>>>         HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
>>>>>>>                 .get(StrutsStatics.HTTP_REQUEST);
>>>>>>>         return httpsr.isUserInRole(user);
>>>>>>>     }
>>>>>>>
>>>>>>> 2. Your struts filters in web.xml should look like:
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-execute</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> 3. Finally find and replace all of
>>>>>>>
>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> With
>>>>>>>
>>>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> I think something like this resolves your issue :) please try and let me know.
>>>>>>>
>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>
>>>>>>>> This is what I currently have in my jsp:
>>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>>
>>>>>>>> Where would I put
>>>>>>>> "#request['MYUtils'].requestURI?
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>> Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in an excluded package, you can get what you need from the excluded packages via OGNL through it.
>>>>>>>>
>>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>>> Struts
>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>
>>>>>>>>> Hi there, welcome to dev list :)
>>>>>>>>>
>>>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>>>> similar issue and you can see my solution at [1]. I did not
>>>>>>>>> need to rewrite anything and a find/replace did all the needed changes.
>>>>>>>>> Please review my solution to see if it also resolves yours. If not,
>>>>>>>>> please feel free to continue here for a solution :)
>>>>>>>>>
>>>>>>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>>>
>>>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>>>> To: Deborah White <[hidden email]>
>>>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>>>
>>>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> The best place to ask such question is to subscribe to the
>>>>>>>>>> User Mailing list as there are more eyes to help you
>>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>>
>>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> was (Author: lukaszlenart):
>>>>>>>>>> The best place to ask such question is to subscribe to the
>>>>>>>>>> User Mailing list as there are more eyes to help you
>>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>>
>>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>>>>
>>>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>>>> -----------------------------------
>>>>>>>>>>>
>>>>>>>>>>>                 Key: WW-4815
>>>>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>>>>             Project: Struts 2
>>>>>>>>>>>          Issue Type: Temp
>>>>>>>>>>>          Components: Core
>>>>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>>>>            Reporter: Deborah White
>>>>>>>>>>>             Fix For: 2.3.32
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>>>> (v6.4.14#64029)

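The accessor-naming advice in Yasser's reply above, and the migration note he quotes, come down to the JavaBeans rule for turning a getter or setter name into a property name: the first letter is lower-cased unless the first two letters are both upper case, in which case the name is kept as-is. The following is an added example, not code from this thread or from Struts: it uses the JDK's `java.beans.Introspector.decapitalize`, which implements that rule, to show which request-parameter name each accessor mentioned in the thread answers to. `AccessorNameCheck` and its method names are my own.

```java
import java.beans.Introspector;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the thread): maps accessor names to the request-parameter
 * name that JavaBeans introspection derives for them. Introspector.decapitalize is the
 * JDK's implementation of that rule.
 */
public final class AccessorNameCheck {

    /** Property name derived from a getter/setter name, or null if the name is not an accessor. */
    public static String propertyNameOf(String accessor) {
        String rest;
        if (accessor.startsWith("set") || accessor.startsWith("get")) {
            rest = accessor.substring(3);
        } else if (accessor.startsWith("is")) {
            rest = accessor.substring(2);
        } else {
            return null;
        }
        return rest.isEmpty() ? null : Introspector.decapitalize(rest);
    }

    /** True when a form field with the given name would be routed to this setter. */
    public static boolean setterMatchesField(String setter, String fieldName) {
        return fieldName.equals(propertyNameOf(setter));
    }

    /** The accessors discussed in the thread, each with the parameter name it expects. */
    public static Map<String, String> threadCases() {
        Map<String, String> out = new LinkedHashMap<String, String>();
        String[] setters = {
            "setESignStart",   // the setter in the post above
            "seteSignStart",   // Yasser's first suggestion
            "setEsignStart",   // Yasser's preferred rename
            "setSTrng", "setsTrng", "setStrng"   // the migration note's cases
        };
        for (String s : setters) {
            out.put(s, propertyNameOf(s));
        }
        return out;
    }

    public static void main(String[] args) {
        // setESignStart -> "ESignStart", seteSignStart -> "eSignStart", setEsignStart -> "esignStart",
        // setSTrng -> "STrng", setsTrng -> "sTrng", setStrng -> "strng"
        for (Map.Entry<String, String> e : threadCases().entrySet()) {
            System.out.printf("%-14s <- parameter \"%s\"%n", e.getKey(), e.getValue());
        }
        // The hidden input in the post is named "esignStart"; only setEsignStart answers to it.
        System.out.println("setESignStart matches esignStart? "
                + setterMatchesField("setESignStart", "esignStart"));   // false
        System.out.println("setEsignStart matches esignStart? "
                + setterMatchesField("setEsignStart", "esignStart"));   // true
    }
}
```

One more thing to check on the page side: the parameter name the browser sends is the `name` attribute of the input, and both it and the JavaScript form lookup are case-sensitive. In the post above the hidden input is declared as `esignStart` while the script addresses `document.regSubmitForm.eSignStart`, so those two have to agree with each other as well as with the setter.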

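The MYUtils helper quoted further down this post, together with the IMPORTANT NOTE about returning only primitive values, is the security-relevant idea in the thread: a class outside OGNL's excluded packages that answers the one question the JSPs need, so the `javax.servlet` request object itself never becomes reachable from an expression. The following is an added example, not Yasser's code or anything from the Struts project, of that helper written with the smallest possible public surface. `RoleFacade`, the `example.ognl` package and the role allow-list are my own assumptions; `ActionContext`, `StrutsStatics.HTTP_REQUEST` and `HttpServletRequest.isUserInRole` are the same APIs the thread's code uses.

```java
package example.ognl;   // hypothetical package, not from the thread

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;
import com.opensymphony.xwork2.ActionContext;

/**
 * Added example (not the thread's MYUtils): a facade that OGNL may reach from JSPs,
 * restricted to the single yes/no answer the pages need. Because it lives outside the
 * excluded packages, every public method on it is callable from an OGNL expression,
 * so the public surface of this class is the whole security boundary.
 */
public final class RoleFacade {

    /** Roles a JSP is allowed to ask about (allow-list; my assumption, not from the thread). */
    private final Set<String> knownRoles;

    public RoleFacade(Set<String> knownRoles) {
        this.knownRoles = Collections.unmodifiableSet(new HashSet<String>(knownRoles));
    }

    /** The only capability exposed: a boolean, computed from the container's role check. */
    public boolean isUserInRole(String role) {
        if (role == null || !knownRoles.contains(role)) {
            return false;   // unknown or mistyped role names never grant anything
        }
        HttpServletRequest request = currentRequest();
        return request != null && request.isUserInRole(role);
    }

    // Deliberately NOT present: getActionContext(), getRequest(), getSession(), or any
    // setter. A getter returning one of those objects hands an OGNL expression a path
    // back into the excluded packages, which is what the note in the thread warns about.

    /** Private, so OGNL cannot call it; fetches the request the same way the thread's code does. */
    private static HttpServletRequest currentRequest() {
        ActionContext ctx = ActionContext.getContext();
        return ctx == null ? null : (HttpServletRequest) ctx.get(StrutsStatics.HTTP_REQUEST);
    }
}
```

It is registered exactly as the thread's filter does it (`stack.setValue("#request['MYUtils']", facade)` after `StrutsPrepareFilter` has run), and the JSP side stays `#request["MYUtils"].isUserInRole("UserAdmin")`. Since any public method of a non-excluded object is reachable from an expression, the class is final, has no setters and returns nothing but a boolean; the allow-list additionally turns an unexpected role name into a plain `false` rather than passing arbitrary strings through to the container.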
RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Deborah White
In reply to this post by Yasser Zamani
Thank you, got it. :) One more question.  Do you know why I am seeing this since migrating?

Unable to find 'struts.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir

I have a struts.properties file, do I need to add something?

-----Original Message-----
From: Yasser Zamani [mailto:[hidden email]]
Sent: Monday, August 07, 2017 11:18 PM
To: [hidden email]
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

So in your ExtRenewSave class ...

Replace setESignStart and getESignStart with seteSignStart and geteSignStart

Or better yet...

Refactor eSignStart field to esignStart and in order, setESignStart to setEsignStart and getESignStart to getEsignStart.

On 8/8/2017 10:10 AM, Yasser Zamani wrote:

> Ouch... I now remember the same issue and what the problem was. Please try the following, which is documented at [1].
>
> Field names
> If you have field names which start with a single lower-case letter, for example:
>
> private String sTrng;
> public String getSTrng() {...}
> public void setSTrng(String str) {...}
>
> change accessors to getsTrng and setsTrng.
>
> Or better yet, change field names to not contain single lower case letter:
>
> private String strng;
> public String getStrng() {...}
> public void setStrng(String str) {...}
>
> For additional info see WW-3909.
>
> [1] https://struts.apache.org/docs/struts-23-to-25-migration.html
>
> On 8/8/2017 3:36 AM, Deborah White wrote:
>> It does reach that line and for some reason, it gets a value of 0 instead of 1 passed in from the .jsp, so then it does not do the return.  I can't see anything obvious at all.  Works with 2.3.16.3.
>>
>> Not finding renewSave1 or 2 in the .java file, strictly in struts.xml.
>>
>> -----Original Message-----
>> From: Yasser Zamani [mailto:[hidden email]]
>> Sent: Friday, August 04, 2017 10:11 PM
>> To: Struts Developers List <[hidden email]>
>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>> 2.3.16.3 to 2.3.32
>>
>> you're welcome :)
>>
>> 1. Does gov.ca.doj.sotas.action.renew.ExtRenewSave.execute reach line `return "renewEsignProc";` after `document.regSubmitForm.submit();`?
>> please verify by a breakpoint.
>>
>> 2. What do you find if you search "renewSave1" (including double
>> quotes) in all of your .java files? (also for "renewSave2")
>>
>> On 8/5/2017 1:57 AM, Deborah White wrote:
>>> So I have now updated to 2.3.33 and have a new piece of code that is not acting as expected.  You were such a big help last time I thought I would ask.
>>>
>>> I have this in my jsp:
>>>
>>> function submitESignature() {
>>>     $('#StatusMessage').html("<img src='web/images/busySmall.gif'>");
>>>     //document.getElementById("button_cont").disabled = "disabled";
>>>     var url = "<s:url value="renewsave.action" encode="true"/>";
>>>     document.regSubmitForm.eSignStart.value = 1;
>>>     document.regSubmitForm.method = "POST";
>>>     document.regSubmitForm.action = url;
>>>     document.regSubmitForm.submit();
>>> }
>>>
>>> This in my java code:
>>>
>>> else if ( renewSaveStart == 0 && eSignStart == 1 ) {
>>>            return "renewEsignProc";
>>>
>>> This in my struts.xml:
>>>
>>> <action name="renewsave" class="gov.ca.doj.sotas.action.renew.ExtRenewSave">
>>>     <result name="success">/WEB-INF/jsp/renewSaveESignature.jsp</result>
>>>     <result name="InternalRenew">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="renewEsignProc">/WEB-INF/jsp/eSignRenewProcReview.jsp</result>
>>>     <result name="renewSave1">/WEB-INF/jsp/renewSaveEPay.jsp</result>
>>>     <result name="renewSave2">/WEB-INF/jsp/renewSave.jsp</result>
>>>     <result name="input">/WEB-INF/jsp/renewReview.jsp</result>
>>>     <result name="error">/WEB-INF/jsp/sotasExternalHome.jsp</result>
>>> </action>
>>>
>>>
>>> Instead of going to the page for eSignRenewProcReview, it goes to renewSaveEPay.jsp.  The difference I see is that I am not doing a return from the java code for renewSave1 or 2.
>>>
>>> Any thoughts?
>>>
>>> -----Original Message-----
>>> From: Yasser Zamani [mailto:[hidden email]]
>>> Sent: Tuesday, July 25, 2017 10:21 AM
>>> To: Struts Developers List <[hidden email]>
>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>> 2.3.16.3 to 2.3.32
>>>
>>> You're welcome! Happy to hear that it works there :)
>>>
>>> That warning means you still have some more. Please find them by
>>> searching for 'request.isUserInRole' in your JSPs, then replace them with
>>> '#request["MYUtils"].isUserInRole'
>>>
>>> test='#request["MYUtils"].isUserInRole("UserAdmin")' and
>>> test="#request['MYUtils'].isUserInRole('UserAdmin')" are both OK :)
>>>
>>> On 7/25/2017 9:35 PM, Deborah White wrote:
>>>> So, it appears to be working so far.  Thank you so much!!  I do still get this warning in my log files, do you know the best way to suppress it?
>>>>
>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (http-localhost/127.0.0.1:8080-2) Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@ebb2d3] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>
>>>> Also, in my jsp I had to use this syntax:
>>>> <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >
>>>>     $('#tabs-UserManagement').tabs();
>>>> </s:if>
>>>>
>>>> Instead of ['MYUtils'] (single quote).
>>>>
>>>> -----Original Message-----
>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>> Sent: Monday, July 24, 2017 11:27 AM
>>>> To: Struts Developers List <[hidden email]>
>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>> 2.3.16.3 to 2.3.32
>>>>
>>>> Yes, I think you should have mappings for all of them, in the following order:
>>>>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-prepare</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>       <filter-mapping>
>>>>           <filter-name>struts-execute</filter-name>
>>>>           <url-pattern>/*</url-pattern>
>>>>           <dispatcher>FORWARD</dispatcher>
>>>>           <dispatcher>REQUEST</dispatcher>
>>>>       </filter-mapping>
>>>>
>>>>
>>>> On 7/24/2017 8:19 PM, Deborah White wrote:
>>>>> It now goes to just a blank page.  Do I have an issue in my web.xml?
>>>>> <filter>
>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>     <filter-class>gov.ca.doj.ems.util.MYStrutsPrepareFilter</filter-class>
>>>>> </filter>
>>>>>
>>>>> <filter>
>>>>>     <filter-name>struts-execute</filter-name>
>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>> </filter>
>>>>>     <filter-mapping>
>>>>>         <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>         <url-pattern>/*</url-pattern>
>>>>>         <dispatcher>FORWARD</dispatcher>
>>>>>         <dispatcher>REQUEST</dispatcher>
>>>>>     </filter-mapping>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>> Sent: Saturday, July 22, 2017 2:18 AM
>>>>> To: Struts Developers List <[hidden email]>
>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>> Struts
>>>>> 2.3.16.3 to 2.3.32
>>>>>
>>>>> I forgot to mention the following block in
>>>>> MYStrutsPrepareFilter.java, which is new and which I added recently (so
>>>>> please copy the whole new
>>>>> MYStrutsPrepareFilter.java):
>>>>>
>>>>>  >              if(null != actionContext) {
>>>>>  >                      ValueStack stack = actionContext.getValueStack();
>>>>>  >                      stack.setValue("#request['MYUtils']", MYUtils);
>>>>>  >              }
>>>>>
>>>>> It avoids null pointer exception.
>>>>>
>>>>> Please reply back to me the `exception stack trace` if you encounter any.
>>>>>
>>>>> IMPORTANT NOTE:
>>>>>
>>>>> To keep it secure, your MYUtils class should return only the necessary info (not less, not more), in primitive types like String, boolean, int, etc. as much as possible, rather than sensitive objects.
>>>>> For example, the following get method wakes up currently fixed security issues:
>>>>>
>>>>> public class MYUtils {
>>>>>         ...
>>>>>         public ActionContext getActionContext() {
>>>>>                 return ActionContext.getContext();
>>>>>         }
>>>>>         ...
>>>>> }
>>>>>
>>>>>
>>>>> On 7/22/2017 1:27 PM, Yasser Zamani wrote:
>>>>>> Sorry! My previous code was sent via my mobile, which has a few
>>>>>> typo errors because of issues with copy/paste :(
>>>>>>
>>>>>> Now, at my PC, I tested the following configuration, which works well
>>>>>> :)
>>>>>>
>>>>>> 1. MYStrutsPrepareFilter.java
>>>>>>
>>>>>> *********************************************
>>>>>> package me.zamani.yasser.ww_convention.utils;
>>>>>>
>>>>>> import java.io.IOException;
>>>>>>
>>>>>> import javax.servlet.Filter;
>>>>>> import javax.servlet.FilterChain;
>>>>>> import javax.servlet.FilterConfig;
>>>>>> import javax.servlet.ServletException;
>>>>>> import javax.servlet.ServletRequest;
>>>>>> import javax.servlet.ServletResponse;
>>>>>> import javax.servlet.http.HttpServletRequest;
>>>>>>
>>>>>> import org.apache.struts2.StrutsStatics;
>>>>>> import com.opensymphony.xwork2.ActionContext;
>>>>>> import com.opensymphony.xwork2.util.ValueStack;
>>>>>>
>>>>>> /**
>>>>>>   * @author zamani
>>>>>>   *
>>>>>>   */
>>>>>> public class MYStrutsPrepareFilter implements Filter {
>>>>>>
>>>>>>       private MYUtils MYUtils;
>>>>>>
>>>>>>       public void init(FilterConfig filterConfig) throws ServletException {
>>>>>>               MYUtils = new MYUtils();
>>>>>>       }
>>>>>>
>>>>>>       public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>>>>>>                       throws IOException, ServletException {
>>>>>>
>>>>>>               ActionContext actionContext = ActionContext.getContext();
>>>>>>               if(null != actionContext) {
>>>>>>                       ValueStack stack = actionContext.getValueStack();
>>>>>>                       stack.setValue("#request['MYUtils']", MYUtils);
>>>>>>               }
>>>>>>
>>>>>>               chain.doFilter(req, res);
>>>>>>       }
>>>>>>
>>>>>>       public void destroy() {
>>>>>>               MYUtils = null;
>>>>>>       }
>>>>>>
>>>>>>
>>>>>>       public class MYUtils {
>>>>>>               public boolean isUserInRole (String user) {
>>>>>>                       HttpServletRequest httpsr = (HttpServletRequest)
>>>>>>                                       ActionContext.getContext().get(StrutsStatics.HTTP_REQUEST);
>>>>>>                       return httpsr.isUserInRole(user);
>>>>>>               }
>>>>>>       }
>>>>>> }
>>>>>> **********************************************************
>>>>>>
>>>>>> 2. web.xml
>>>>>>
>>>>>> **********************************************************
>>>>>>      <filter>
>>>>>>          <filter-name>struts2prepare</filter-name>
>>>>>>
>>>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter>
>>>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>
>>>>>> <filter-class>me.zamani.yasser.ww_convention.utils.MYStrutsPrepareFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter>
>>>>>>          <filter-name>struts2execute</filter-name>
>>>>>>
>>>>>> <filter-class>org.apache.struts2.dispatcher.filter.StrutsExecuteFilter</filter-class>
>>>>>>      </filter>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>struts2prepare</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>>
>>>>>>      <filter-mapping>
>>>>>>          <filter-name>struts2execute</filter-name>
>>>>>>          <url-pattern>/*</url-pattern>
>>>>>>      </filter-mapping>
>>>>>> **************************************************************
>>>>>>
>>>>>> 3. hello.jsp
>>>>>>
>>>>>> **************************************************************
>>>>>>      <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")'>
>>>>>>      you are UserAdmin
>>>>>>      </s:if>
>>>>>>      <s:else>
>>>>>>      you are not UserAdmin
>>>>>>      </s:else>
>>>>>> **************************************************************
>>>>>>
>>>>>> Sincerely Yours,
>>>>>> Yasser.
>>>>>>
>>>>>> On 7/22/2017 2:56 AM, Deborah White wrote:
>>>>>>> And the jsp doesn't seem to like this syntax for some reason.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>> Sent: Friday, July 21, 2017 1:04 PM
>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>> Struts
>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>
>>>>>>> That is just an example. For your need, in more detail, you should try something like this:
>>>>>>>
>>>>>>> 1. Add following method to class MyUtil:
>>>>>>>
>>>>>>>                 public boolean isUserInRole (String user) {
>>>>>>>                         HttpServletRequest httpsr = ((HttpServletRequest) ActionContext.getContext()
>>>>>>>                                         .get(StrutsStatics.HTTP_REQUEST));
>>>>>>>                         return httpsr.isUserInRole (user);
>>>>>>>                 }
>>>>>>>
>>>>>>> 2. Your struts filters in web.xml should look like:
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-prepare</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>MYStrutsPrepareFilter</filter-name>
>>>>>>>     <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> <filter>
>>>>>>>     <filter-name>struts-execute</filter-name>
>>>>>>>     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
>>>>>>> </filter>
>>>>>>>
>>>>>>> 3. Finally find and replace all of
>>>>>>>
>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> With
>>>>>>>
>>>>>>> <s:if test=' #request['MYUtils']. .isUserInRole("UserAdmin")' >
>>>>>>>
>>>>>>> I think something like this resolves your issue :) please try and let me know.
>>>>>>>
>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>
>>>>>>>> This is what I currently have in my jsp:
>>>>>>>> <s:if test='request.isUserInRole("UserAdmin")' >
>>>>>>>>
>>>>>>>> Where would I put
>>>>>>>> "#request['MYUtils'].requestURI?
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>> Sent: Friday, July 21, 2017 10:53 AM
>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>> Struts
>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>
>>>>>>>> You are welcome :) In this solution, via OGNL you only access the MyUtil object, and you add what you need from the excluded packages into the MyUtil class as Java getters. Since MyUtil is not in the excluded packages, you can get what you need from the excluded packages via OGNL through it.
>>>>>>>>
>>>>>>>> Deborah White <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Yasser Zamani [mailto:[hidden email]]
>>>>>>>>> Sent: Thursday, July 20, 2017 10:55 PM
>>>>>>>>> To: Struts Developers List <[hidden email]>
>>>>>>>>> Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating
>>>>>>>>> Struts
>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>
>>>>>>>>> Hi there, welcome to dev list :)
>>>>>>>>>
>>>>>>>>> Do you need access to excluded packages in your JSPs? I had a
>>>>>>>>> similar issue and you can see my solution at [1]. I did not
>>>>>>>>> need to rewrite anything, and a find/replace did all the needed changes.
>>>>>>>>> Please check whether my solution also resolves yours. If not,
>>>>>>>>> please feel free to continue here for a solution :)
>>>>>>>>>
>>>>>>>>> [1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>>>>>>>>
>>>>>>>>> On 7/21/2017 2:38 AM, Deborah White wrote:
>>>>>>>>>> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Lukasz Lenart (JIRA) [mailto:[hidden email]]
>>>>>>>>>> Sent: Thursday, July 13, 2017 9:32 PM
>>>>>>>>>> To: Deborah White <[hidden email]>
>>>>>>>>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>>>>>>>>> 2.3.16.3 to 2.3.32
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>>>>>>>>
>>>>>>>>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> The best place to ask such question is to subscribe to the
>>>>>>>>>> User Mailing list as there are more eyes to help you
>>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>>
>>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> was (Author: lukaszlenart):
>>>>>>>>>> The best place to ask such question is to subscribe to the
>>>>>>>>>> User Mailing list as there are more eyes to help you
>>>>>>>>>> http://struts.apache.org/mail.html
>>>>>>>>>>
>>>>>>>>>> And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.
>>>>>>>>>>
>>>>>>>>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>>>>>>>>> -----------------------------------
>>>>>>>>>>>
>>>>>>>>>>>                 Key: WW-4815
>>>>>>>>>>>                 URL: https://issues.apache.org/jira/browse/WW-4815
>>>>>>>>>>>             Project: Struts 2
>>>>>>>>>>>          Issue Type: Temp
>>>>>>>>>>>          Components: Core
>>>>>>>>>>>    Affects Versions: 2.3.16.3
>>>>>>>>>>>            Reporter: Deborah White
>>>>>>>>>>>             Fix For: 2.3.32
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
>>>>>>>>>>> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
>>>>>>>>>>> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>>>>>>>>>>> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> This message was sent by Atlassian JIRA
>>>>>>>>>> (v6.4.14#64029)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: [hidden email]
>>>>>>>>> For additional commands, e-mail: [hidden email]
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
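The advice at the top of this thread, to avoid field names that start with a single lower case letter, rests on the JavaBeans naming rule: `Introspector.decapitalize` leaves a name unchanged when its first two characters are upper case, so the getter `getESignStart()` for a field `eSignStart` describes a property called `ESignStart`, and a request parameter named `eSignStart` finds no property to bind to. The class below is an added example, not code from this thread or from Struts; `PropertyNameCheck` and `RenewForm` are constructed names chosen to mirror the `eSignStart` field discussed above.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

public class PropertyNameCheck {

    // Constructed bean for illustration: one field with the problematic
    // "single lower case letter, then upper case" prefix and one without.
    public static class RenewForm {
        private int eSignStart;   // mirrors the field from the thread
        private int esignStart;   // same data, renamed so the prefix is not a lone letter

        public int getESignStart() { return eSignStart; }
        public void setESignStart(int value) { eSignStart = value; }

        public int getEsignStart() { return esignStart; }
        public void setEsignStart(int value) { esignStart = value; }
    }

    /** Derives the JavaBeans property name the way the Introspector does: strip "get"/"set", then decapitalize. */
    static String propertyNameFromAccessor(String accessorName) {
        String suffix = accessorName.substring(3);
        // decapitalize("ESignStart") keeps "ESignStart" because 'E' and 'S' are both upper case;
        // decapitalize("EsignStart") lowers the first letter to "esignStart".
        return Introspector.decapitalize(suffix);
    }

    /** True when the bean exposes a writable property under exactly this name, i.e. a parameter of that name could bind. */
    static boolean hasWritableProperty(Class<?> beanClass, String propertyName) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(beanClass);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(propertyName) && pd.getWriteMethod() != null) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IntrospectionException {
        // Property names as the bean machinery sees them, for both accessors.
        System.out.println("getESignStart -> " + propertyNameFromAccessor("getESignStart"));
        System.out.println("getEsignStart -> " + propertyNameFromAccessor("getEsignStart"));

        // Whether a form parameter with the field's own spelling would find a setter.
        System.out.println("binds eSignStart? " + hasWritableProperty(RenewForm.class, "eSignStart"));
        System.out.println("binds ESignStart? " + hasWritableProperty(RenewForm.class, "ESignStart"));
        System.out.println("binds esignStart? " + hasWritableProperty(RenewForm.class, "esignStart"));
    }
}
```

Run it against any bean whose fields you suspect: a `false` for the field's own spelling next to a `true` for the capitalised variant is the mismatch that leaves a submitted value at its default.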
