Struts2 login action class seems to be reused


Re: Struts2 login action class seems to be reused

Prasanth Pasala
User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of the GET request from User1.

Thanks,
Prasanth

On 03/15/2018 04:45 AM, Yasser Zamani wrote:

>
> On 3/14/2018 5:43 PM, Prasanth Pasala wrote:
>> We had a user report it soon after the deployment. After that we started looking into the specific user who reported (User1) and the user (whose information was seen by the reporting user) say User2.
>> We realized there are login entries from same IP for both of these users.
> As you get IP address from request (rather than Struts action), then it
> seems that request (which contains username/password and that same IP
> address) is being reused.
>
>> In the access log of the server there was a POST request for User1, but at the time of the login entry for User2 there was only a
>> GET request. In the timeline the GET request comes first; User1 sees User2's information, logs out and then logs in again with their credentials.
> At that time when there is a GET request for User1 and this issue
> happens, what are logs for User2 at same time?
>
> Thanks in advance!
>


Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 3/15/2018 5:21 PM, Prasanth Pasala wrote:
> User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of the GET request from User1.

It's strange :)

Do the login log records have the same field values for both User1 and User2?
Do you also have the login time in there? If so, are they the same, and are they
consistent with the access log times? Are their IPs the same (while they
shouldn't be, right?)? Is the IP of the GET request of User1 (that is
logged in the access log by the container) the same as the IP field value of your
login log records?

Thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Struts2 login action class seems to be reused

Prasanth Pasala
We do have the login time; we use that and the IP to correlate with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences.
They actually correspond to a GET entry from a user.

The IP of the GET request of User1 matches the login record in the database (the login would be for User2's id and the IP from User1's GET). So it looks as if the same user logged in from two different IPs
around the same time, which shouldn't be the case.

Thanks,
Prasanth

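The correlation described in this post (login records whose time and IP line up only with a GET of the login action, never with a POST) can be automated. The program below is an added example written for this page, not code from the thread or from the project under discussion; the access-log lines, login rows, the /Login.action path and the 30-second window are constructed sample values, and the log layout is a simplified Common Log Format without a timezone field.

```java
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Correlates application login records with the container access log.
 * A login record is reported when no POST to the login action from the same
 * IP exists within a short window before the record's timestamp; whatever
 * other requests to that path were seen in the window are listed instead.
 */
public class LoginCorrelator {

    /** One row of the application's login table: user id, client IP, time. */
    static final class LoginRecord {
        final String user; final String ip; final LocalDateTime at;
        LoginRecord(String user, String ip, LocalDateTime at) {
            this.user = user; this.ip = ip; this.at = at;
        }
    }

    /** One parsed access-log line. */
    static final class AccessEntry {
        final String ip; final LocalDateTime at; final String method; final String path;
        AccessEntry(String ip, LocalDateTime at, String method, String path) {
            this.ip = ip; this.at = at; this.method = method; this.path = path;
        }
    }

    // Constructed sample layout: ip - - [dd/MMM/yyyy:HH:mm:ss] "METHOD path HTTP/1.1" status size
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" \\d+ \\S+$");
    private static final DateTimeFormatter CLF =
            DateTimeFormatter.ofPattern("dd/MMM/yyyy:HH:mm:ss", Locale.ENGLISH);

    static AccessEntry parse(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) {
            throw new IllegalArgumentException("unparsable access-log line: " + line);
        }
        return new AccessEntry(m.group(1), LocalDateTime.parse(m.group(2), CLF),
                m.group(3), m.group(4));
    }

    /** Returns one report line per login record that has no POST to loginPath in the window. */
    static List<String> findSuspicious(List<LoginRecord> logins, List<AccessEntry> access,
                                       String loginPath, Duration window) {
        List<String> report = new ArrayList<>();
        for (LoginRecord rec : logins) {
            boolean hasPost = false;
            List<String> others = new ArrayList<>();
            for (AccessEntry e : access) {
                if (!e.ip.equals(rec.ip) || !e.path.equals(loginPath)) continue;
                Duration gap = Duration.between(e.at, rec.at); // positive when request precedes login
                if (gap.isNegative() || gap.compareTo(window) > 0) continue;
                if ("POST".equals(e.method)) hasPost = true;
                else others.add(e.method + " at " + e.at);
            }
            if (!hasPost) {
                report.add(rec.user + " from " + rec.ip + " at " + rec.at
                        + ": no POST to " + loginPath + " in window; saw " + others);
            }
        }
        return report;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the thread: a normal POST login from one IP,
        // then a login row for the same user id carrying a different IP that only sent a GET.
        List<AccessEntry> access = new ArrayList<>();
        for (String line : Arrays.asList(
                "10.0.0.5 - - [14/Mar/2018:09:15:02] \"POST /Login.action HTTP/1.1\" 302 0",
                "10.0.0.9 - - [14/Mar/2018:09:15:40] \"GET /Login.action HTTP/1.1\" 200 5120")) {
            access.add(parse(line));
        }
        List<LoginRecord> logins = Arrays.asList(
                new LoginRecord("user2", "10.0.0.5", LocalDateTime.parse("2018-03-14T09:15:03")),
                new LoginRecord("user2", "10.0.0.9", LocalDateTime.parse("2018-03-14T09:15:41")));
        for (String s : findSuspicious(logins, access, "/Login.action", Duration.ofSeconds(30))) {
            System.out.println(s);
        }
    }
}
```

Only the second login row is reported, because the only request from 10.0.0.9 to the login action in the window is a GET. The window is deliberately short: a login row that can only be paired with a POST minutes earlier is exactly what should stand out.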


Re: Struts2 login action class seems to be reused

Yasser Zamani-2



I'm almost sure Struts always asks the object factory to create the action
on each request. It is up to the object factory whether it creates a new
object of that action or reuses a previous object of the action.
So have you set any specific object factory via struts.xml?


Re: Struts2 login action class seems to be reused

Prasanth Pasala
We have a pretty standard struts.xml, just the declaration of the action and the class along with the results (tiles results). Nothing other than that.



Re: Struts2 login action class seems to be reused

Yasser Zamani-2
And you confirm that those log record insertions are only possible via the LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?


Re: Struts2 login action class seems to be reused

Prasanth Pasala
There is only one reference to Util.authenticate in the project and that is in LoginAction.



Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 3/16/2018 11:00 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is in LoginAction.
>

If (those log record insertions are only possible via the
LoginAction.execute method && their IP field values are different and
are consistent with the access log of that POST and GET request) then it
seems you're right! i.e. one specific object of LoginAction has executed
both requests, POST from User2 then GET from User1!!

To confirm these, could you please change your code as below:

    if (censusID == -1) {
        message = "Invalid username/password specified";
        result = "failed";
    }
    else {
        // also record which LoginAction instance performed this login
        new com.xxxxx.xxxxx.model.Logger().loggedIn(censusID, remoteHost,
                System.identityHashCode(this));
    }

i.e. also log the identity hash code of the LoginAction object to see if
both records are inserted via a same action object.

Thanks in advance for your support!



Re: Struts2 login action class seems to be reused

Prasanth Pasala
Finally we redeployed the code with an added check to make sure the instance variables populated by Struts match the request parameters. Within a few hours of deployment we got emails indicating that
the values populated into the instance variables don't match those in the request parameters. Below you can see the difference between the instance variables and the values in the request object. The code
is also updated to store the hash code of the Login action for each login, so that we can see if the object is reused. Surprisingly the hash code doesn't match any of the hash codes stored for
successful logins. When the emails are triggered there is only a GET request for the Login action (which should display the login page; once the user enters the username & password it is submitted via
POST). So I am wondering where these values in the instance variables came from?

-----------------------------------------------------------------
Struts data doesn't match that in request object.
Struts Data:
    Username: jsmith
    Action: Login
Request Data:
    Username: null
    Action: null

Object Hash: 1573857416
-----------------------------------------------------------------

Thanks,
Prasanth



Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 4/16/2018 7:19 PM, Prasanth Pasala wrote:
> So I am wondering where these values in the instance variables came from?

Great! Please also get the current stack trace inside your action's
setUsername method and save it in a private String field inside your
action. Then when the action and request data mismatch, also print this
string, which answers where these values came from.

Thanks in advance!


Re: Struts2 login action class seems to be reused

Prasanth Pasala
Below is the stack trace for the setting of username. So Struts2 has set the username, but that name doesn't exist in the request object.

Struts Data: Username: jsmith Action: Login
Request Data: Username: null Action: null

java.lang.Thread.getStackTrace(Thread.java:1559)
 com.xxxxx.webaccess.LoginAction.setUsername(LoginAction.java:273)
 sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 java.lang.reflect.Method.invoke(Method.java:498)
 ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
 ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
 ognl.OgnlRuntime.setMethodValue(OgnlRuntime.java:1508)
 ognl.ObjectPropertyAccessor.setPossibleProperty(ObjectPropertyAccessor.java:85)
 ognl.ObjectPropertyAccessor.setProperty(ObjectPropertyAccessor.java:162)
 com.opensymphony.xwork2.ognl.accessor.ObjectAccessor.setProperty(ObjectAccessor.java:27)
 ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2437)
 ognl.ASTProperty.setValueBody(ASTProperty.java:127)
 ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
 ognl.SimpleNode.setValue(SimpleNode.java:301)
 ognl.Ognl.setValue(Ognl.java:713)
 com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:504)
 com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:501)
 com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:393)
 com.opensymphony.xwork2.ognl.OgnlUtil.copy(OgnlUtil.java:501)
 com.opensymphony.xwork2.ognl.OgnlReflectionProvider.copy(OgnlReflectionProvider.java:73)
 com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
 com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
 com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:140)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
 org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:575)
 org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
 org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
 io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 com.xxxxx.webaccess.LoginFilter.doFilter(LoginFilter.java:52)
 io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
 io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
 io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
 io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
 io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
 io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
 io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
 org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:722)
 org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:695)
 org.apache.jsp.index_jsp._jspService(index_jsp.java:107)
 org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
 org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:403)
 org.apache.jasper.servlet.JspServlet.service(JspServlet.java:347)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
 io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
 io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32)
 io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
 org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
 io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
 io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
 io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
 io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
 io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
 io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
 io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
 io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
 io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
 io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
 io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
 io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
 io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
 org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
 org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
 io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
 io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
 io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
 io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 java.lang.Thread.run(Thread.java:748)
 

Thanks,
Prasanth



Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 4/19/2018 7:21 AM, Prasanth Pasala wrote:
>  com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
>  com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)

Thanks! These lines show Struts doesn't set username from a request
parameter, but it seems that you have a chain result to the login action
which sets username from its previous action's getUsername! Could you
verify this by reviewing your struts.xml and finding an action that has a
chain result to the login action?

Thanks in advance!


Re: Struts2 login action class seems to be reused

Prasanth Pasala
There is an index.jsp which is defined as the default page in web.xml; it just forwards the request to Login.action. There is no chaining of actions in Struts itself. We do have a LoginFilter which verifies
if a user is logged in.

Thanks,
Prasanth



Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
> There is an index.jsp which is defined as the default page in web.xml; it just forwards the request to Login.action. There is no chaining of actions in Struts itself. We do have a LoginFilter which verifies
> if a user is logged in.
>

So maybe there is a bug with the chain interceptor! Could you please use the
following code in your action's setUsername method (save its log in a
private String field in your action). Then print it when your action
data are not consistent with the request params.

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.util.CompoundRoot;
import com.opensymphony.xwork2.util.ValueStack;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// inside setUsername(String username):
String log = "";
ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
ValueStack stack = invocation.getStack();
CompoundRoot root = stack.getRoot(); // index 0 is the top of the stack, i.e. this action
log += "Root Size: " + root.size();
try {
    Result result = invocation.getResult(); // declared to throw Exception
    log += "\r\nResult: " + result;
} catch (Exception e) {
    log += "\r\nResult: <unavailable: " + e + ">";
}
List<Object> list = new ArrayList<>(root);
list.remove(0); // drop this action itself, keep whatever sits below it
Collections.reverse(list); // bottom of the stack first
for (Object object : list) {
    log += "\r\nObject: " + object;
}
this.log = log; // saves for possible future use

Thanks!


Re: Struts2 login action class seems to be reused

Prasanth Pasala
Below is the result of the new logging.

Root Size: 3
Result: null
Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
Object: com.xxxxxx.webaccess.LoginAction@40c80ce8

Thanks,
Prasanth



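Two diagnostics proposed in this thread, the check in Prasanth's 04/16 post that the fields Struts populated agree with the raw request parameters, and the identity hash code plus value-stack walk Yasser asked for, fit naturally in one action class that also refuses to authenticate when they disagree. The class below is an added example written for this page, not code from the thread or from the project discussed; GuardedLoginAction, the Log4j 2 logger, the INPUT/SUCCESS result names and the assumed boolean Util.authenticate(String, String) signature are assumptions (the thread only says Util.authenticate is called from LoginAction).

```java
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.util.CompoundRoot;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

/**
 * Hypothetical login action (not the project's LoginAction). It records the
 * value stack and the call stack at the moment Struts injects the username,
 * and it refuses to authenticate when the injected field disagrees with the
 * parameter that actually arrived on the wire.
 */
public class GuardedLoginAction extends ActionSupport {
    private static final Logger LOG = LogManager.getLogger(GuardedLoginAction.class);

    private String username;
    private String password;
    private String contextAtInjection = "";  // captured in the setter, printed on mismatch

    public void setUsername(String username) {
        this.username = username;
        // Who was on the value stack, and which frames ran this setter.
        this.contextAtInjection = describeValueStack() + "\n"
                + stackTraceAsString(Thread.currentThread().getStackTrace());
    }

    public void setPassword(String password) { this.password = password; }

    public String getUsername() { return username; }

    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        String paramUser = request.getParameter("username");
        if (!Objects.equals(username, paramUser)) {
            // Populated field and wire value disagree: log everything, authenticate nobody.
            LOG.error("action/request mismatch: field={} param={} action@{} {}",
                    username, paramUser, System.identityHashCode(this), contextAtInjection);
            addActionError("Login could not be processed.");
            return INPUT;
        }
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return INPUT;  // a GET only renders the form; never authenticate on it
        }
        // Util.authenticate is the project's method as named in the thread; the
        // boolean return type is an assumption made for this example.
        if (!Util.authenticate(username, password)) {
            addActionError("Invalid username/password specified");
            return INPUT;
        }
        // Same identity hash that is stored per login, so reuse can be spotted later.
        LOG.info("login user={} action@{}", username, System.identityHashCode(this));
        return SUCCESS;
    }

    /** Lists the value stack bottom to top, excluding this action (the same walk as the thread's snippet). */
    static String describeValueStack() {
        ActionInvocation inv = ActionContext.getContext().getActionInvocation();
        if (inv == null) {
            return "no action invocation";
        }
        CompoundRoot root = inv.getStack().getRoot();
        List<Object> below = new ArrayList<>(root);
        if (!below.isEmpty()) {
            below.remove(0);  // index 0 is the top of the stack: this action
        }
        Collections.reverse(below);
        StringBuilder sb = new StringBuilder("root size=").append(root.size());
        for (Object o : below) {
            sb.append("; ").append(o.getClass().getName())
              .append('@').append(Integer.toHexString(System.identityHashCode(o)));
        }
        return sb.toString();
    }

    private static String stackTraceAsString(StackTraceElement[] frames) {
        StringBuilder sb = new StringBuilder();
        for (StackTraceElement f : frames) {
            sb.append("  at ").append(f).append('\n');
        }
        return sb.toString();
    }
}
```

The mismatch check runs before the method check on purpose: the thread's own report shows the field populated on a GET with a null parameter, and that is the case worth logging rather than silently rendering the form. Printing the identity hash of every object below the action makes a second action instance on the stack visible by class and address, which is what the thread's "Root Size: 3" output hints at.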
