Help : Disable Strict Method Invocation for struts 2 rest plugin

I am using Struts 2 with rest plugin and I need to migrate from struts 2.3 to
struts 2.5. My application also has struts 1 with the older apis unmigrated
to struts2.

I have some custom methods in my application other than the default CRUD
operations. As the strict method invocation is enabled now by default, i
cannot use those custom methods now. I am using only the "rest-default"
package and want to disable the *strict method invocation* as I have a
larger number of methods (Adding those many entries might make the code
clumsy).

Thanks in advance.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-07 16:18 GMT+02:00 DevaGerald <[hidden email]>:
This looks similar to https://issues.apache.org/jira/browse/WW-4930


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Thanks a lot Lukasz.

I have resolved it by adding
<global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
struts.xml

Do I have any alternative for this?

Thanks & Regards,
Deva Gerald.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-09 16:59 GMT+02:00 DevaGerald <[hidden email]>:
> Thanks a lot Lukasz.
>
> I have resolved it by adding
> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
> struts.xml
>
> Do I have any alternative for this?

No but I didn't want to suggest this as this basically opens a
potential security hole in your app. In this case any public method
can be called especially when using DMI.
I wonder if we can introduce another pattern here like "allow methods
for this class hierarchy":
<allowed-methods>class:BaseAction</allowed-methods> - wdyt?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

I don't use DMI. I have the following configured in struts.xml.
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

So is there any other way for me to disable strict method invocation? I am
just using struts 2 rest plugin.

Thanks & Regards
Deva.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 4/11/2018 11:11 AM, Lukasz Lenart wrote:
As Lukasz correctly mentioned, if you would like to keep better
security, then you have to separate or define action methods from other
ones. If defining them in xml might make the code clumsy, then couldn't
you refactor their names to have a common regex e.g. user*? then e.g.
you can define
<global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>
which separates them from other methods to satisfy security.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-14 11:58 GMT+02:00 DevaGerald <[hidden email]>:
> I don't use DMI. I have the following configured in struts.xml.
> <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
>
> So is there any other way for me to disable strict method invocation? I am
> just using struts 2 rest plugin.

Hm... so how do you call those custom methods? Did you configure them
as REST methods?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Yes i have configured rest plugin for that



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-18 9:15 GMT+02:00 DevaGerald <[hidden email]>:
> Yes i have configured rest plugin for that

Ach... so we must fix allowed-methods to include those REST methods,
could you fill a ticket?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Sorry if I am so dumb. Where should i file the ticket?



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Here https://issues.apache.org/jira/projects/WW/issues

2018-04-18 15:04 GMT+02:00 DevaGerald <[hidden email]>:
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Just a clarification. May be my point was misunderstood.

Ex : /resource/resource_id/hello
This will call the hello method of my controller.
REST plugin directly maps to my custom method. In this case, it calls the
hello method of my ResourceController.

What will be the best solution for this case?

P.S. I am not using struts 2 DMI.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-19 8:58 GMT+02:00 DevaGerald <[hidden email]>:
Can you share your struts.xml config?


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC &quot;-//Apache Software Foundation//DTD Struts
Configuration 2.5//EN&quot;
&quot;http://struts.apache.org/dtds/struts-2.5.dtd&quot;>
<struts>
       
        <constant name="struts.convention.action.suffix" value="Controller"/>
        <constant name="struts.convention.action.mapAllMatches" value="true"/>
        <constant name="struts.convention.default.parent.package"
value=“my-default"/>
        <constant name="struts.convention.package.locators" value="client"/>
        <constant name="struts.convention.action.includeJars"
value=“.*?/AZC.*?jar(!/)?"/>
        <constant name="struts.rest.defaultExtension" value="json"/>
        <constant name="struts.rest.content.restrictToGET" value="false"/>
        <constant name="struts.multipart.maxSize" value="153600000" />
       
        <bean name="strutsjsonhandler"
type="org.apache.struts2.rest.handler.ContentTypeHandler"
class="com.struts2.StrutsJSONHandler"/>
        <constant name="struts.rest.handlerOverride.json"
value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xml"
value="strutsjsonhandler"/>
        <constant name="struts.rest.handlerOverride.xhtml"
value="strutsjsonhandler"/>
       
        <package name=“my-default" extends="rest-default">
                <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods>
        </package>

</struts>



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Any update on this?



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Thinking on solution ... not so easy :(

2018-04-26 13:24 GMT+02:00 DevaGerald <[hidden email]>:
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Thanks for the reply. We will use the existing (regex in
global-allowed-methods) solution till that.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 4/26/2018 4:03 PM, Lukasz Lenart wrote:
> Thinking on solution ... not so easy :(

I couldn't understand what's the user expected behavior and what we
should try to fix. Because of security, SMI is enabled by default and
user has to annotate or define allowed methods. right? I think there are
no other solution to keep both security and all methods allowed.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Hi Yasser,

We already have a layer of security(a filter which runs first in our
web-app) which handles allowed url patterns. So in this we have to again add
code for allowed methods. So we are trying to get an option to disable it.

Thanks,
Deva.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

2018-04-29 11:24 GMT+02:00 Yasser Zamani <[hidden email]>:
> I couldn't understand what's the user expected behavior and what we
> should try to fix. Because of security, SMI is enabled by default and
> user has to annotate or define allowed methods. right? I think there are
> no other solution to keep both security and all methods allowed.

The problem is that we should support existing configurations (like
automatically define allowed methods for those used in struts.xml).
The same should happen with the REST plugin but the problem is that i
tries to guess the method name based on url. I do not see a good
solution for now.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]