Help : Disable Strict Method Invocation for struts 2 rest plugin


DevaGerald
I am using Struts 2 with rest plugin and I need to migrate from Struts 2.3 to
Struts 2.5. My application also has Struts 1 with the older APIs unmigrated
to Struts 2.

I have some custom methods in my application other than the default CRUD
operations. As the strict method invocation is enabled now by default, I
cannot use those custom methods now. I am using only the "rest-default"
package and want to disable the *strict method invocation* as I have a
larger number of methods (Adding those many entries might make the code
clumsy).

Thanks in advance.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
2018-04-07 16:18 GMT+02:00 DevaGerald <[hidden email]>:

> I am using Struts 2 with rest plugin and I need to migrate from Struts 2.3 to
> Struts 2.5. My application also has Struts 1 with the older APIs unmigrated
> to Struts 2.
>
> I have some custom methods in my application other than the default CRUD
> operations. As the strict method invocation is enabled now by default, I
> cannot use those custom methods now. I am using only the "rest-default"
> package and want to disable the *strict method invocation* as I have a
> larger number of methods (Adding those many entries might make the code
> clumsy).

This looks similar to https://issues.apache.org/jira/browse/WW-4930


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
Thanks a lot Lukasz.

I have resolved it by adding
<global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
struts.xml

Do I have any alternative for this?

Thanks & Regards,
Deva Gerald.




Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
2018-04-09 16:59 GMT+02:00 DevaGerald <[hidden email]>:
> Thanks a lot Lukasz.
>
> I have resolved it by adding
> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
> struts.xml
>
> Do I have any alternative for this?

No, but I didn't want to suggest this as this basically opens a
potential security hole in your app. In this case any public method
can be called, especially when using DMI.
I wonder if we can introduce another pattern here like "allow methods
for this class hierarchy":
<allowed-methods>class:BaseAction</allowed-methods> - wdyt?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
I don't use DMI. I have the following configured in struts.xml.
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

So is there any other way for me to disable strict method invocation? I am
just using struts 2 rest plugin.

Thanks & Regards
Deva.




Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Yasser Zamani-2
In reply to this post by Lukasz Lenart


On 4/11/2018 11:11 AM, Lukasz Lenart wrote:

> 2018-04-09 16:59 GMT+02:00 DevaGerald <[hidden email]>:
>> Thanks a lot Lukasz.
>>
>> I have resolved it by adding
>> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
>> struts.xml
>>
>> Do I have any alternative for this?
>
> No, but I didn't want to suggest this as this basically opens a
> potential security hole in your app. In this case any public method
> can be called, especially when using DMI.
> I wonder if we can introduce another pattern here like "allow methods
> for this class hierarchy":
> <allowed-methods>class:BaseAction</allowed-methods> - wdyt?
>

As Lukasz correctly mentioned, if you would like to keep better
security, then you have to separate or define action methods from other
ones. If defining them in XML might make the code clumsy, then couldn't
you refactor their names to have a common regex, e.g. user*? Then, e.g.,
you can define
<global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>
which separates them from other methods to satisfy security.

Regards.
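
To see what each pattern in this thread lets through, the following added example (not part of the original posts or of Struts itself) lists the public methods of a hypothetical ResourceController that regex:[a-zA-Z]* and regex:user[a-zA-Z]* would match. The controller, its method names, and the whole-name match semantics are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.TreeSet;
import java.util.regex.Pattern;

public class AllowedMethodsAudit {

    // Hypothetical controller, constructed for this example.
    public static class ResourceController {
        private String id;
        public String index() { return "index"; }          // standard REST method
        public String show() { return "show"; }            // standard REST method
        public String userHello() { return "hello"; }      // custom action, prefixed as suggested
        public String userExport() { return "export"; }    // custom action, prefixed as suggested
        public void setId(String id) { this.id = id; }     // parameter setter
        public String getId() { return id; }
        public void purgeCache() { }                       // public helper never meant as an endpoint
    }

    // Names of public instance methods, declared or inherited, excluding java.lang.Object's.
    static TreeSet<String> publicMethods(Class<?> type) {
        TreeSet<String> names = new TreeSet<>();
        for (Method m : type.getMethods()) {
            if (m.getDeclaringClass() != Object.class && !Modifier.isStatic(m.getModifiers())) {
                names.add(m.getName());
            }
        }
        return names;
    }

    // Assumption: a "regex:" entry has to match the whole method name.
    // Only the entry under test is evaluated; methods allowed by other configuration are out of scope.
    static List<String> exposedBy(String allowedMethodsEntry, Class<?> type) {
        Pattern p = Pattern.compile(allowedMethodsEntry.substring("regex:".length()));
        List<String> hits = new ArrayList<>();
        for (String name : publicMethods(type)) {
            if (p.matcher(name).matches()) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String entry : new String[] {"regex:[a-zA-Z]*", "regex:user[a-zA-Z]*"}) {
            System.out.println(entry + " -> " + exposedBy(entry, ResourceController.class));
        }
    }
}
```

Run against a real controller class, the first pattern's list includes setters and helpers alongside the intended actions, while the prefixed pattern's list contains only the methods renamed to start with user.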


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
In reply to this post by DevaGerald
2018-04-14 11:58 GMT+02:00 DevaGerald <[hidden email]>:
> I don't use DMI. I have the following configured in struts.xml.
> <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
>
> So is there any other way for me to disable strict method invocation? I am
> just using struts 2 rest plugin.

Hm... so how do you call those custom methods? Did you configure them
as REST methods?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
Yes, I have configured the REST plugin for that.




Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
2018-04-18 9:15 GMT+02:00 DevaGerald <[hidden email]>:
> Yes, I have configured the REST plugin for that.

Ach... so we must fix allowed-methods to include those REST methods,
could you file a ticket?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
Sorry if I am so dumb. Where should I file the ticket?




Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
Here https://issues.apache.org/jira/projects/WW/issues

2018-04-18 15:04 GMT+02:00 DevaGerald <[hidden email]>:

> Sorry if I am so dumb. Where should I file the ticket?

Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
In reply to this post by Lukasz Lenart
Just a clarification. Maybe my point was misunderstood.

Ex : /resource/resource_id/hello
This will call the hello method of my controller.
REST plugin directly maps to my custom method. In this case, it calls the
hello method of my ResourceController.

What will be the best solution for this case?

P.S. I am not using struts 2 DMI.




Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Lukasz Lenart
2018-04-19 8:58 GMT+02:00 DevaGerald <[hidden email]>:

> Just a clarification. Maybe my point was misunderstood.
>
> Ex : /resource/resource_id/hello
> This will call the hello method of my controller.
> REST plugin directly maps to my custom method. In this case, it calls the
> hello method of my ResourceController.
>
> What will be the best solution for this case?
>
> P.S. I am not using struts 2 DMI.

Can you share your struts.xml config?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

DevaGerald
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
        "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>

        <constant name="struts.convention.action.suffix" value="Controller"/>
        <constant name="struts.convention.action.mapAllMatches" value="true"/>
        <constant name="struts.convention.default.parent.package" value="my-default"/>
        <constant name="struts.convention.package.locators" value="client"/>
        <constant name="struts.convention.action.includeJars" value=".*?/AZC.*?jar(!/)?"/>
        <constant name="struts.rest.defaultExtension" value="json"/>
        <constant name="struts.rest.content.restrictToGET" value="false"/>
        <constant name="struts.multipart.maxSize" value="153600000" />

        <bean name="strutsjsonhandler"
              type="org.apache.struts2.rest.handler.ContentTypeHandler"
              class="com.struts2.StrutsJSONHandler"/>
        <constant name="struts.rest.handlerOverride.json" value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xml" value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xhtml" value="strutsjsonhandler"/>

        <package name="my-default" extends="rest-default">
                <!-- Allows every method whose name consists only of letters -->
                <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods>
        </package>

</struts>


