struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r1009301 - in /websites/production/struts/content/docs: localization.html security.html struts-23-to-25-migration.html
Date Wed, 29 Mar 2017 11:49:09 GMT
Author: lukaszlenart
Date: Wed Mar 29 11:49:09 2017
New Revision: 1009301

Log:
Updates production

Added:
    websites/production/struts/content/docs/security.html
Modified:
    websites/production/struts/content/docs/localization.html
    websites/production/struts/content/docs/struts-23-to-25-migration.html

Modified: websites/production/struts/content/docs/localization.html
==============================================================================
--- websites/production/struts/content/docs/localization.html (original)
+++ websites/production/struts/content/docs/localization.html Wed Mar 29 11:49:09 2017
@@ -140,29 +140,23 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1488973645845 {padding: 0px;}
-div.rbtoc1488973645845 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1488973645845 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1490686613414 {padding: 0px;}
+div.rbtoc1490686613414 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490686613414 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1488973645845">
+/*]]>*/</style></p><div class="toc-macro rbtoc1490686613414">
 <ul class="toc-indentation"><li><a shape="rect" href="#Localization-Overview">Overview</a></li><li><a
shape="rect" href="#Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#Localization-Defaultaction'sclass">Default
action's class</a></li><li><a shape="rect" href="#Localization-UsinggetTextfromaTag">Using
getText from a Tag</a></li><li><a shape="rect" href="#Localization-Usingthetexttag">Using
the text tag</a></li><li><a shape="rect" href="#Localization-UsingtheI18ntag">Using
the I18n tag</a></li><li><a shape="rect" href="#Localization-UsingtheKeyattributeofUITags">Using
the Key attribute of UI Tags</a></li></ul>
-</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n Interceptor</a></li><li><a
shape="rect" href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a
shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</a></li><li><a
shape="rect" href="#Localization-ComparisonwithStruts1">Comparison with Struts 1</a></li><li><a
shape="rect" href="#Localization-Next:">Next: Type Conversion</a></li></ul>
-</div><h2 id="Localization-Overview">Overview</h2><p>The framework
supports internationalization (i18n) in the following places:</p><ol><li>the
<a shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and
Errors from the <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a>
interface (implemented by <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a>
and <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within
action classes that extend <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</
 a> through the getText() method</li></ol><h2 id="Localization-ResourceBundleSearchOrder">Resource
Bundle Search Order</h2><p></p><p></p><p>Resource bundles
are searched in the following order:</p>
-
-<p></p><ol><li>ActionClass.properties</li><li>Interface.properties
(every interface and sub-interface)</li><li>BaseClass.properties (all the way
to Object.properties)</li><li>ModelDriven's model (if implements ModelDriven),
for the model object repeat from 1</li><li>package.properties (of the directory
where class is located and every parent directory all the way to the root directory)</li><li>search
up the i18n message key hierarchy itself</li><li>global resource properties</li></ol>
-For more, see the LocalizedTextUtil class.<div class="confluence-information-macro confluence-information-macro-tip"><p
class="title">Package hierarchy</p><span class="aui-icon aui-icon-small aui-iconfont-approve
confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p></p><p></p><p>To
clarify #5, while traversing the package hierarchy, Struts 2 will look for a file package.properties:</p>
-com/<br clear="none">
-&#160; acme/<br clear="none">
-&#160; &#160; package.properties<br clear="none">
-&#160; &#160; actions/<br clear="none">
-&#160; &#160; &#160; package.properties<br clear="none">
-&#160; &#160; &#160; FooAction.java<br clear="none">
-&#160; &#160; &#160; FooAction.properties<br clear="none">
-<p>
-If FooAction.properties does not exist, com/acme/action/package.properties will be searched
for, if
-not found com/acme/package.properties, if not found com/package.properties, etc.
-</p></div></div><h3 id="Localization-Defaultaction'sclass">Default
action's class</h3><p>If you configure action as follow</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n Interceptor</a></li><li><a
shape="rect" href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a
shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</a></li><li><a
shape="rect" href="#Localization-ComparisonwithStruts1">Comparison with Struts 1</a></li><li><a
shape="rect" href="#Localization-CustomTextProviderandTextProviderFactory">Custom TextProvider
and TextProviderFactory</a></li><li><a shape="rect" href="#Localization-Next:">Next:
Type Conversion</a></li></ul>
+</div><h2 id="Localization-Overview">Overview</h2><p>The framework
supports internationalization (i18n) in the following places:</p><ol><li>the
<a shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and
Errors from the <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a>
interface (implemented by <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a>
and <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within
action classes that extend <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</
 a> through the getText() method</li></ol><h2 id="Localization-ResourceBundleSearchOrder">Resource
Bundle Search Order</h2><p>Resource bundles are searched in the following order:</p><ol><li><code>ActionClass</code>.properties</li><li><code>Interface</code>.properties
(every interface and sub-interface)</li><li><code>BaseClass</code>.properties
(all the way to Object.properties)</li><li>ModelDriven's model (if implements
ModelDriven), for the model object repeat from 1</li><li>package.properties (of
the directory where class is located and every parent directory all the way to the root directory)</li><li>search
up the i18n message key hierarchy itself</li><li>global resource properties</li></ol><p>This
is how it is implemented in a default implementation of the&#160;<code>LocalizedTextProvider</code>&#160;interface.
You can provide your own implementation using <code>TextProvider</code>&#160;and
<code>TextProviderFactory</code>&#160;interfaces.</p><div class="confluence-information-m
 acro confluence-information-macro-tip"><p class="title">Package hierarchy</p><span
class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>To clarify #5, while traversing the
package hierarchy, Struts 2 will look for a file package.properties:</p><div class="preformatted
panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>com/
+    acme/
+        package.properties
+        actions/
+                package.properties
+                FooAction.java
+                FooAction.properties</pre>
+</div></div><p>If <code>FooAction</code>.properties does not
exist, <code>com/acme/action/package.properties</code> will be searched for, if
not found <code>com/acme/package.properties</code>, if not found <code>com/package.properties</code>,
etc.</p></div></div><h3 id="Localization-Defaultaction'sclass">Default
action's class</h3><p>If you configure action as follow</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;action
name="index"&gt;
    &lt;result&gt;/index.jsp&lt;/result&gt;
 &lt;/action&gt;</pre>
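Review bot: The sentence closing the "Package hierarchy" tip still refers to "com/acme/action/package.properties", while the new <pre> tree it explains shows an "actions/" directory; the mismatch was carried over from the old <br>-separated version and this rewrite is the place to fix it, e.g. "If FooAction.properties does not exist, com/acme/actions/package.properties will be searched for". Also, the new <pre> tree indents "acme/" by 4 and "package.properties"/"actions/" by 8, then jumps to 16 for the entries under "actions/"; a uniform step of 4 would make the hierarchy easier to read. Minor, in the unchanged context: "If you configure action as follow" reads better as "If you configure an action as follows".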
@@ -194,9 +188,7 @@ not found com/acme/package.properties, i
 ]]></script>
 </div></div><div class="confluence-information-macro confluence-information-macro-tip"><span
class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Internationalizing SiteMesh decorators
is possible, but there are quirks. See <a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33343">SiteMesh
Plugin</a> for more.</p></div></div><h3 id="Localization-UsingtheKeyattributeofUITags">Using
the Key attribute of UI Tags</h3><p>The key attribute of most UI tags can be used
to retrieve a message from a resource bundle:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;s:textfield
key="some.key" name="textfieldName"/&gt;</pre>
-</div></div><h2 id="Localization-I18nInterceptor">I18n Interceptor</h2><p>Essentially,
the i18n Interceptor pushes a locale into the ActionContext map upon every request. The framework
components that support localization all utilize the ActionContext locale. See <a shape="rect"
href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2 id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in <code>struts.properties</code></h2><p></p><p></p><p>
-A global resource bundle could be specified programmatically, as well as the locale.
-</p><h2 id="Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</h2><p>See
<a shape="rect" href="formatting-dates-and-numbers.html">Formatting Dates and Numbers</a>
for more details and examples.</p><h2 id="Localization-ComparisonwithStruts1">Comparison
with Struts 1</h2><p>Struts 1 users should be familiar with the application.properties
resource bundle, where you can put all the messages in the application that are going to be
translated. Struts 2, though, splits the resource bundles per action or model class, and you
may end up with duplicated messages in those resource bundles. A quick fix for that is to
create a file called ActionSupport.properties in com/opensymphony/xwork2 and put it on your
classpath. This will only work well if all your actions subclass XWork2's ActionSupport.</p><h2
id="Localization-Next:">Next: <a shape="rect" href="type-conversion.html">Type Conversion</a></h2></div>
+</div></div><h2 id="Localization-I18nInterceptor">I18n Interceptor</h2><p>Essentially,
the i18n Interceptor pushes a locale into the ActionContext map upon every request. The framework
components that support localization all utilize the ActionContext locale. See <a shape="rect"
href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2 id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in <code>struts.properties</code></h2><p>A
global resource bundle could be specified programmatically, as well as the locale.</p><h2
id="Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</h2><p>See
<a shape="rect" href="formatting-dates-and-numbers.html">Formatting Dates and Numbers</a>
for more details and examples.</p><h2 id="Localization-ComparisonwithStruts1">Comparison
with Struts 1</h2><p>Struts 1 users should be familiar with the application.properties
resource bundle, where you can pu
 t all the messages in the application that are going to be translated. Struts 2, though,
splits the resource bundles per action or model class, and you may end up with duplicated
messages in those resource bundles. A quick fix for that is to create a file called ActionSupport.properties
in com/opensymphony/xwork2 and put it on your classpath. This will only work well if all your
actions subclass XWork2's ActionSupport.</p><h2 id="Localization-CustomTextProviderandTextProviderFactory">Custom
TextProvider and TextProviderFactory</h2><p>If you want use a different logic
to search for localized messages, or you want to use a database or just want to search default
bundles, you must implement both those interfaces (or subclass the existing implementations).
You can check a small <a shape="rect" class="external-link" href="https://github.com/apache/struts-examples/tree/master/text-provider"
rel="nofollow">example app</a> how to use both. Please remember that the&#160;<code>TextProvider</c
 ode> interface is implemented by the&#160;<code>ActioSupport</code> class,
that's why an extra layer -&#160;<code>TextProviderFactory</code> - is needed.</p><h2
id="Localization-Next:">Next: <a shape="rect" href="type-conversion.html">Type Conversion</a></h2></div>
         </div>
 
         
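Review bot: "ActioSupport" in the new "Custom TextProvider and TextProviderFactory" paragraph is a typo for "ActionSupport", and since that sentence is the one explaining why the extra TextProviderFactory layer exists, the wrong class name is confusing; suggest "the TextProvider interface is implemented by the ActionSupport class, that's why an extra layer - TextProviderFactory - is needed". The same paragraph has a few grammar slips: "If you want use a different logic" should be "If you want to use different logic", and "You can check a small example app how to use both" should be "You can check a small example app to see how to use both".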

Added: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (added)
+++ websites/production/struts/content/docs/security.html Wed Mar 29 11:49:09 2017
@@ -0,0 +1,247 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet'
type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet'
type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Security</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a
href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="core-developers-guide.html">Core
Developers Guide</a>&nbsp;&gt;&nbsp;<a href="security.html">Security</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource
-->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px
4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Security</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34024409">Edit
Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse
Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=34024409">Add
Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=34024409">Add
News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490788003243 {padding: 0px;}
+div.rbtoc1490788003243 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490788003243 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1490788003243">
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-Securitytips">Security
tips</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict
access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't
mix different access levels in the same namespace</a></li><li><a shape="rect"
href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a
shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a
shape="rect" href="#Security-Reducelogginglevel">Reduce logging level</a></li><li><a
shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li><li><a
shape="rect" href="#Security-Donotdefinesetterswhennotneeded">Do not define setters when
not needed</a></li><li><a shape="rect" href="#Security-Donotuseincomingvaluesasaninputforlocalisationlogic">Do
not use incoming values as an input for localisation logic</a></li></ul>
+</li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal
security mechanism</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-Accessingstaticmethods">Accessing
static methods</a></li><li><a shape="rect" href="#Security-OGNLisusedtocallaction'smethods">OGNL
is used to call action's methods</a></li><li><a shape="rect" href="#Security-Accepted/Excludedpatterns">Accepted
/ Excluded patterns</a></li><li><a shape="rect" href="#Security-StrictMethodInvocation">Strict
Method Invocation</a></li></ul>
+</li></ul>
+</div><h3 id="Security-Securitytips">Security tips</h3><p>The Apache
Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are
few tips you should consider during application development with the Apache Struts 2.</p><h4
id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4><p><a
shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;exposes
internal configuration and should be used only during development phase. If you must use it
on production site, we strictly recommend restricting access to it - you can use &#160;Basic
Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link"
href="http://shiro.apache.org/">Apache Shiro</a>)</p><h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't
mix different access levels in the same namespace</h4><p>Very often access to
different resources is controlled based on URL patterns, see snippet below. Becaus
 e of that you cannot mix actions with different security levels in the same namespace. Always
group actions in one namespace by security level.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">   
&lt;security-constraint&gt;
+        &lt;web-resource-collection&gt;
+            &lt;web-resource-name&gt;admin&lt;/web-resource-name&gt;
+            &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
+        &lt;/web-resource-collection&gt;
+        &lt;auth-constraint&gt;
+            &lt;role-name&gt;admin&lt;/role-name&gt;
+        &lt;/auth-constraint&gt;
+    &lt;/security-constraint&gt;
+</pre>
+</div></div><h4 id="Security-NeverexposeJSPfilesdirectly">Never expose
JSP files directly</h4><p>You must always hide JSP file behind an action, you
cannot allow for direct access to the JSP files as this can leads to unpredictable security
vulnerabilities. You can achieve this by putting all your JSP files under the&#160;<code>WEB-INF</code>
folder - most of the JEE containers restrict access to files placed under the&#160;<code>WEB-INF</code>
folder. Second option is to add security constraint to the <code>web.xml</code>&#160;file:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;!--
Restricts access to pure JSP files - access available only via Struts action --&gt;
+&lt;security-constraint&gt;
+    &lt;display-name&gt;No direct JSP access&lt;/display-name&gt;
+    &lt;web-resource-collection&gt;
+        &lt;web-resource-name&gt;No-JSP&lt;/web-resource-name&gt;
+        &lt;url-pattern&gt;*.jsp&lt;/url-pattern&gt;
+    &lt;/web-resource-collection&gt;
+    &lt;auth-constraint&gt;
+        &lt;role-name&gt;no-users&lt;/role-name&gt;
+    &lt;/auth-constraint&gt;
+&lt;/security-constraint&gt;
+
+&lt;security-role&gt;
+    &lt;description&gt;Don't assign users to this role&lt;/description&gt;
+    &lt;role-name&gt;no-users&lt;/role-name&gt;
+&lt;/security-role&gt;</pre>
+</div></div><p>The best approach is to used the both solutions.</p><h4
id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code style="line-height:
1.4285715;">devMode</code> is a very useful option during development time, allowing
for deep introspection and debugging into you app.</p><p>However, in production
it exposes your application to be presenting too many informations on application's internals
or to evaluating risky parameter expressions.&#160;Please&#160;<strong>always
disable&#160;<code>devMode</code></strong>&#160;before deploying
your application to a production environment. While it is disabled by default, your <code>struts.xml</code>&#160;might
include a line setting it to <code>true</code>. The best way is to ensure the
following setting is applied to our <code>struts.xml</code>&#160;for production
deployment:</p><div class="confluence-information-macro confluence-information-macro-note"><p
class="title">How to disable devMode in production</p><span class=
 "aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p><span>&lt;</span><span
style="color: rgb(0,0,128);">constant </span><span style="color: rgb(0,0,255);">name</span><span
style="color: rgb(0,128,0);">="struts.devMode" </span><span style="color: rgb(0,0,255);">value</span><span
style="color: rgb(0,128,0);">="false"</span><span>/&gt;</span></p></div></div><h4
id="Security-Reducelogginglevel">Reduce logging level</h4><p>It's a good practice
to reduce logging level from <strong>DEBUG</strong> to <strong>INFO</strong>
or less. Framework's classes can produce a lot of logging entries which will pollute the log
file. You can even set logging level to <strong>WARN</strong> for classes that
belongs to the framework, see example Log4j2 configuration:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml
version="1.0" encoding="UTF-8"?&gt;
+&lt;Configuration&gt;
+    &lt;Appenders&gt;
+        &lt;Console name="STDOUT" target="SYSTEM_OUT"&gt;
+            &lt;PatternLayout pattern="%d %-5p [%t] %C{2} (%F:%L) - %m%n"/&gt;
+        &lt;/Console&gt;
+    &lt;/Appenders&gt;
+    &lt;Loggers&gt;
+        &lt;Logger name="com.opensymphony.xwork2" level="warn"/&gt;
+        &lt;Logger name="org.apache.struts2" level="warn"/&gt;
+        &lt;Root level="info"&gt;
+            &lt;AppenderRef ref="STDOUT"/&gt;
+        &lt;/Root&gt;
+    &lt;/Loggers&gt;
+&lt;/Configuration&gt;</pre>
+</div></div><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always
use&#160;<code>UTF-8</code> encoding when building an application with the
Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;%@
page contentType="text/html; charset=UTF-8" %&gt;</pre>
+</div></div><h4 id="Security-Donotdefinesetterswhennotneeded">Do not define
setters when not needed</h4><p>You should carefully design your actions without
exposing anything via setters and getters, thus can leads to potential security vulnerabilities.
Any action's setter can be used to set incoming untrusted user's value which can contain suspicious
expression. Some Struts&#160;<code>Result</code>s automatically populate params
based on values in&#160;<code>ValueStack</code> (action in most cases is the
root) which means incoming value will be evaluated as an expression during this process.</p><h4
id="Security-Donotuseincomingvaluesasaninputforlocalisationlogic">Do not use incoming values
as an input for localisation logic</h4><p>All&#160;<code>TextProvider</code>'s
<code>getText(...)&#160;</code>methods (e.g in&#160;<code>ActionSupport</code>)
perform evaluation of parameters included in a message to properly localize the text. This
means using incoming request parameters with&#16
 0;<code>getText(...)</code> methods is potentially dangerous and should be avoided.
See example below, assuming that an action implements getter and setter for property&#160;<code>message</code>,
the below code allows inject an OGNL expression:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public
String execute() throws Exception {
+    setMessage(getText(getMessage()));
+    return SUCCESS;
+}</pre>
+</div></div><p>Never use value of incoming request parameter as part of
your localisation logic.</p><h3 id="Security-Internalsecuritymechanism">Internal
security mechanism</h3><p>The Apache Struts 2 contains internal security manager
which blocks access to particular classes and Java packages - it's a OGNL-wide mechanism which
means it affects any aspect of the framework ie. incoming parameters, expressions used in
JSPs, etc.</p><p>There are three options that can be used to configure excluded
packages and classes:</p><ul style="list-style-type: square;"><li><code>struts.excludedClasses</code>
- comma-separated list of excluded classes</li><li><code>struts.excludedPackageNamePatterns</code>
- patterns used to exclude packages based on RegEx - this option is slower than simple string
comparison but it's more flexible</li><li><code>struts.excludedPackageNames</code>
- comma-separated list of excluded packages, it is used with simple string comparison via&#160;<code>startWith</code>
an
 d&#160;<code>equals</code></li></ul><p>The defaults are
as follow:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;constant
name="struts.excludedClasses"
+          value="com.opensymphony.xwork2.ActionContext" /&gt;
+
+&lt;!-- this must be valid regex, each '.' in package name must be escaped! --&gt;
+&lt;!-- it's more flexible but slower than simple string comparison --&gt;
+&lt;!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)"
/ --&gt;
+
+&lt;!-- this is simpler version of the above used with string comparison --&gt;
+&lt;constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" /&gt;</pre>
+</div></div><p>Any expression or target which evaluates to one of these
will be blocked and you see a WARN in logs:</p><div class="preformatted panel" style="border-width:
1px;"><div class="preformattedContent panelContent">
+<pre>[WARNING] Target class [class example.MyBean] or declaring class of member type
[public example.MyBean()] are excluded!</pre>
+</div></div><p>In that case&#160;<code>new MyBean()</code>
was used to create a new instance of class (inside JSP) - it's blocked because&#160;<code>target</code>
of such expression is evaluated to&#160;<code>java.lang.Class</code></p><div
class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon
aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>It is possible to redefine the above
constants in <code>struts.xml</code> but try to avoid this and rather change design
of your application!</p></div></div><h4 id="Security-Accessingstaticmethods">Accessing
static methods</h4><div class="confluence-information-macro confluence-information-macro-warning"><span
class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Support for accessing static methods
from expression will be disabled soon, please
  consider re-factoring your application to avoid further problems! Please check <a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p></div></div><h4
id="Security-OGNLisusedtocallaction'smethods">OGNL is used to call action's methods</h4><p>This
can impact actions which have large inheritance hierarchy and use the same method's name throughout
the hierarchy, this was reported as an issue <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>.
See the example below:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public
class RealAction extends BaseAction {  
+    @Action("save")
+    public String save() throws Exception {
+        super.save();
+        return SUCCESS;
+    }
+}    
+&#160;
+public class BaseAction extends AbstractAction {
+    public String save() throws Exception {
+        save(Double.MAX_VALUE);
+        return SUCCESS;
+    }
+}
+&#160;
+public abstract class AbstractAction extends ActionSupport {
+    protected void save(Double val) {
+        // some logic
+    }
+}</pre>
+</div></div><p>In such case OGNL cannot properly map which method to call
when request is coming. This is do the OGNL limitation. To solve the problem don't use the
same method's names through the hierarchy, you can simply change the action's method from&#160;<code>save()</code>
to&#160;<code>saveAction()</code>&#160;and leaving annotation as is to
allow&#160;<span style="line-height: 1.4285715;">call this action via&#160;</span><code
style="line-height: 1.4285715;">/save.action</code><span style="line-height: 1.4285715;">
request.</span></p><h4 id="Security-Accepted/Excludedpatterns"><span
style="line-height: 1.4285715;">Accepted / Excluded patterns</span></h4><p><span
style="line-height: 1.4285715;">As from version 2.3.20 the framework provides two new interfaces
which are used to accept / exclude param names and values -&#160;<a shape="rect" class="external-link"
href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.htm
 l">AcceptedPatternsChecker</a> and&#160;<a shape="rect" class="external-link"
href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>
with default implementations. These two interfaces are used by&#160;<a shape="rect"
href="parameters-interceptor.html">Parameters Interceptor</a> and&#160;<a
shape="rect" href="cookie-interceptor.html">Cookie Interceptor</a> to check if param
can be accepted or must be excluded. If you were using&#160;<code>excludeParams</code>
previously please compare patterns used by you with these provided by the framework in default
implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span
style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span
style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. It allows
control what methods can be accessed with the bang "!" operator via <a shape="rect" href="action-configurat
 ion.html">Dynamic Method Invocation</a>. Please read more&#160;in Strict Method
Invocation section of&#160;<a shape="rect" href="action-configuration.html">Action
Configuration</a>.</span></p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
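Review bot: in the "Internal security mechanism" section the text lists three exclusion options and then announces "The defaults are as follow", but the sample config only sets `struts.excludedClasses` and `struts.excludedPackageNames` while the `struts.excludedPackageNamePatterns` constant is shown commented out, so a reader cannot tell whether the regex option is active out of the box or whether the regex and plain-string package lists are applied together or are alternatives; state that explicitly next to the example. Two smaller points in the same hunk: the localisation section shows only the unsafe `setMessage(getText(getMessage()));` and the rule "Never use value of incoming request parameter as part of your localisation logic", so a safe form (a fixed message key, with any incoming value validated against a known set of keys before lookup) would make the guidance actionable, and the "Do not define setters when not needed" paragraph could point readers to the "Accepted / Excluded patterns" section later on the page as the mechanism for limiting which parameters reach an action's setters. Grammar nits for the next export: "thus can leads to potential security vulnerabilities" and "This is do the OGNL limitation".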

Modified: websites/production/struts/content/docs/struts-23-to-25-migration.html
==============================================================================
--- websites/production/struts/content/docs/struts-23-to-25-migration.html (original)
+++ websites/production/struts/content/docs/struts-23-to-25-migration.html Wed Mar 29 11:49:09
2017
@@ -139,13 +139,13 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h3 id="Struts2.3to2.5migration-/*&lt;![CDATA[*/div.rbtoc1490016579651{padding:0px;}div.rbtoc1490016579651ul{list-style:disc;margin-left:0px;}div.rbtoc1490016579651li{margin-left:0px;padding-left:0px;}/*]]&gt;*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1490016579651 {padding: 0px;}
-div.rbtoc1490016579651 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1490016579651 li {margin-left: 0px;padding-left: 0px;}
+            <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490686616575 {padding: 0px;}
+div.rbtoc1490686616575 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490686616575 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></h3><div class="toc-macro rbtoc1490016579651">
-<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-"></a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work
directory of ApplicationServer/ServletContainer</a></li></ul>
+/*]]>*/</style></p><div class="toc-macro rbtoc1490686616575">
+<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work
directory of ApplicationServer/ServletContainer</a></li></ul>
 </div><h3 id="Struts2.3to2.5migration-Dependencies">Dependencies</h3><p>Update
Struts dependencies to 2.5.<br clear="none"><br clear="none">Remove the following
plugin dependencies because they were dropped and aren't supported anymore.</p><ul><li>Dojo
Plugin</li><li>Codebehind Plugin</li><li>JSF Plugin</li><li>Struts1
Plugin</li></ul><h3 id="Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</h3><p>The&#160;<code>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</code>
was moved to <code>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</code>.<br
clear="none"><br clear="none">In web.xml replace this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;filter&gt;
     &lt;filter-name&gt;struts2&lt;/filter-name&gt;
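Review bot: most of this hunk is churn from the timestamp-based TOC class (`rbtoc1490016579651` to `rbtoc1490686616575`), which hides the actual fix, namely that the stylesheet is no longer wrapped in an `<h3 id="Struts2.3to2.5migration-/*&lt;![CDATA[*/...">` heading and the empty first TOC entry `<a shape="rect" href="#Struts2.3to2.5migration-"></a>` is gone; having the exporter emit a stable class name would make future diffs show only content changes. The replacement still places the `<style>` element inside a `<p>`, which is not valid phrasing content even though browsers tolerate it; emitting the style block before the paragraph would be cleaner.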


