Help : Disable Strict Method Invocation for struts 2 rest plugin

I am using Struts 2 with rest plugin and I need to migrate from struts 2.3 to
struts 2.5. My application also has struts 1 with the older apis unmigrated
to struts2.

I have some custom methods in my application other than the default CRUD
operations. As the strict method invocation is enabled now by default, i
cannot use those custom methods now. I am using only the "rest-default"
package and want to disable the *strict method invocation* as I have a
larger number of methods (Adding those many entries might make the code
clumsy).

Thanks in advance.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-07 16:18 GMT+02:00 DevaGerald <[hidden email]>:
This looks similar to https://issues.apache.org/jira/browse/WW-4930


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Thanks a lot Lukasz.

I have resolved it by adding
<global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
struts.xml

Do I have any alternative for this?

Thanks & Regards,
Deva Gerald.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-09 16:59 GMT+02:00 DevaGerald <[hidden email]>:
> Thanks a lot Lukasz.
>
> I have resolved it by adding
> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
> struts.xml
>
> Do I have any alternative for this?

No but I didn't want to suggest this as this basically opens a
potential security hole in your app. In this case any public method
can be called especially when using DMI.
I wonder if we can introduce another pattern here like "allow methods
for this class hierarchy":
<allowed-methods>class:BaseAction</allowed-methods> - wdyt?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

I don't use DMI. I have the following configured in struts.xml.
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

So is there any other way for me to disable strict method invocation? I am
just using struts 2 rest plugin.

Thanks & Regards
Deva.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 4/11/2018 11:11 AM, Lukasz Lenart wrote:
As Lukasz correctly mentioned, if you would like to keep better
security, then you have to separate or define action methods from other
ones. If defining them in xml might make the code clumsy, then couldn't
you refactor their names to have a common regex e.g. user*? then e.g.
you can define
<global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>
which separates them from other methods to satisfy security.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-14 11:58 GMT+02:00 DevaGerald <[hidden email]>:
> I don't use DMI. I have the following configured in struts.xml.
> <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
>
> So is there any other way for me to disable strict method invocation? I am
> just using struts 2 rest plugin.

Hm... so how do you call those custom methods? Did you configure them
as REST methods?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Yes i have configured rest plugin for that



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-18 9:15 GMT+02:00 DevaGerald <[hidden email]>:
> Yes i have configured rest plugin for that

Ach... so we must fix allowed-methods to include those REST methods,
could you fill a ticket?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Sorry if I am so dumb. Where should i file the ticket?



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Here https://issues.apache.org/jira/projects/WW/issues

2018-04-18 15:04 GMT+02:00 DevaGerald <[hidden email]>:
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Just a clarification. May be my point was misunderstood.

Ex : /resource/resource_id/hello
This will call the hello method of my controller.
REST plugin directly maps to my custom method. In this case, it calls the
hello method of my ResourceController.

What will be the best solution for this case?

P.S. I am not using struts 2 DMI.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-19 8:58 GMT+02:00 DevaGerald <[hidden email]>:
Can you share your struts.xml config?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC &quot;-//Apache Software Foundation//DTD Struts
Configuration 2.5//EN&quot;
&quot;http://struts.apache.org/dtds/struts-2.5.dtd&quot;>
<struts>
       
        <constant name="struts.convention.action.suffix" value="Controller"/>
        <constant name="struts.convention.action.mapAllMatches" value="true"/>
        <constant name="struts.convention.default.parent.package"
value=“my-default"/>
        <constant name="struts.convention.package.locators" value="client"/>
        <constant name="struts.convention.action.includeJars"
value=“.*?/AZC.*?jar(!/)?"/>
        <constant name="struts.rest.defaultExtension" value="json"/>
        <constant name="struts.rest.content.restrictToGET" value="false"/>
        <constant name="struts.multipart.maxSize" value="153600000" />
       
        <bean name="strutsjsonhandler"
type="org.apache.struts2.rest.handler.ContentTypeHandler"
class="com.struts2.StrutsJSONHandler"/>
        <constant name="struts.rest.handlerOverride.json"
value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xml"
value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xhtml"
value="strutsjsonhandler"/>
       
        <package name=“my-default" extends="rest-default">
                <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods>
        </package>

</struts>



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]