struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject [4/6] struts-site git commit: cleaned up http-session page
Date Mon, 03 Apr 2017 10:50:43 GMT
cleaned up http-session page


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/dc2f4ccb
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/dc2f4ccb
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/dc2f4ccb

Branch: refs/heads/master
Commit: dc2f4ccb7a2f5a4de460785b96d5e7875ab9bcc9
Parents: c761447
Author: Stefaan Dutry <stefaan.dutry@gmail.com>
Authored: Sun Apr 2 16:00:37 2017 +0200
Committer: Stefaan Dutry <stefaan.dutry@gmail.com>
Committed: Sun Apr 2 16:00:37 2017 +0200

----------------------------------------------------------------------
 source/getting-started/http-session.md | 129 ++++++++++------------------
 1 file changed, 46 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/dc2f4ccb/source/getting-started/http-session.md
----------------------------------------------------------------------
diff --git a/source/getting-started/http-session.md b/source/getting-started/http-session.md
index fba68cf..ccd598f 100644
--- a/source/getting-started/http-session.md
+++ b/source/getting-started/http-session.md
@@ -6,113 +6,83 @@ title: Http Session
 
 The example code for this tutorial, http_session, is available at [https://github.com/apache/struts-examples](https://github.com/apache/struts-examples)
 
-> 
+__Introduction__
 
-#####Introduction#####
+Your Struts 2 application may need to access the HTTP session object. Struts 2 provides an
interface, [SessionAware](https://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/interceptor/SessionAware.html),
that your Action class should implement to obtain a reference to the HTTP session object.
 
-Your Struts 2 application may need to access the HTTP session object. Struts 2 provides an
interface, [SessionAware](http://struts.apache.org/2.3.1.2/struts2-core/apidocs/org/apache/struts2/interceptor/SessionAware.html)^[http://struts.apache.org/2.3.1.2/struts2-core/apidocs/org/apache/struts2/interceptor/SessionAware.html],
that your Action class should implement to obtain a reference to the HTTP session object.
+The [Struts 2 user mailing list](http://struts.apache.org/mail.html) is an excellent place
to get help. If you are having a problem getting the tutorial example applications to work
search the Struts 2 mailing list. If you don't find an answer to your problem, post a question
on the mailing list.
 
-
-
-| The [Struts 2 user mailing list](http://struts.apache.org/mail.html)^[http://struts.apache.org/mail.html]
is an excellent place to get help. If you are having a problem getting the tutorial example
applications to work search the Struts 2 mailing list. If you don't find an answer to your
problem, post a question on the mailing list.
-
-| 
-
-#####SessionAware Interface#####
+__SessionAware Interface__
 
 The SessionAware interface has one method, setSession, that your Action class will need to
override. In the example application (see above), the HelloWorldAction class implements the
SessionAware interface and includes this code:
 
 **HelloWorldAction.java setSession Method**
 
-
-~~~~~~~
+```java
 private Map<String, Object> userSession ;
 
 public void setSession(Map<String, Object) session) {
-
    userSession = session ;
-
 }
-
-
-~~~~~~~
+```
 
 The Struts 2 framework has an interceptor that will inject the HTTP session object into the
Action class by calling the setSession method.
 
-#####Using the HTTP Session Object In The Action Class#####
+__Using the HTTP Session Object In The Action Class__
 
 The example application keeps track of how many times the user clicks on a Hello link or
submits the hello form. It stores this count in the HTTP session object in the increaseHelloCount
method.
 
 **HelloWorldAction.java increaseHelloCount Method**
 
-
-~~~~~~~
+```java
 private void increaseHelloCount() {
-			
-   Integer helloCount = (Integer) userSession.get(HELLO_COUNT);
+    Integer helloCount = (Integer) userSession.get(HELLO_COUNT);
 		
-   if (helloCount == null ) {
-		
-     helloCount = 1;
-			
-   } else {
-			
-     helloCount++;
+    if (helloCount == null ) {
+        helloCount = 1;
+    } else {
+        helloCount++;
+    }
 
-   }
-		
-   userSession.put(HELLO_COUNT, helloCount);
-	
+    userSession.put(HELLO_COUNT, helloCount);
 }
-
-
-
-~~~~~~~
+```
 
 When the increaseHelloCount method is called from within the execute method, the userSession
object is a reference to the HTTP session object injected by the Struts 2 framework. So any
objects stored in the HTTP session can be retrieved using the userSession object and any objects
stored in the userSession object will be stored in the HTTP session object.
 
-#####Accessing HTTP Session Objects In The View#####
+__Accessing HTTP Session Objects In The View__
 
 Struts 2 provides an easy way to get an object stored in the HTTP session from within the
view page. In the example application is HelloWorld.jsp with this markup:
 
 **HelloWorld.jsp Get helloCount Value From HTTP Session**
 
-
-~~~~~~~
-   <p>I've said hello to you <s:property value="#session.helloCount" /> times!</p>
-
-
-~~~~~~~
+```html
+    <p>I've said hello to you <s:property value="#session.helloCount" /> times!</p>
+```
 
 The s:property tag's value attribute has a value of \#session.helloCount. The "\#" before
the word session tells the Struts framework to look in the session scope for a key of "helloCount"
(which is the value of the String constant HELLO_COUNT referenced in method increaseHelloCount).
Struts will get the object mapped to helloCount key and then call that object's toString method
to determine what to display in the view page.
 
-#####Best Practices When Using SessionAware#####
+__Best Practices When Using SessionAware__
 
 Using SessionAware does introduce a potential security vulnerability that you should mitigate
by also following these practices in the Action class that implements the SessionAware interface.
 
 1. Do not have a public Map<String, Object) getSession method in the Action class. You
only need a public void setSession method to implement the SessionAware interface.
 
-2. Also have the Action class implement the [ParameterNameAware interface](http://struts.apache.org/2.3.1.2/xwork-core/apidocs/com/opensymphony/xwork2/interceptor/ParameterNameAware.html)^[http://struts.apache.org/2.3.1.2/xwork-core/apidocs/com/opensymphony/xwork2/interceptor/ParameterNameAware.html]
and override its acceptableParameterName method:
+2. Also have the Action class implement the [ParameterNameAware interface](https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParameterNameAware.html)
and override its acceptableParameterName method:
 
 **HelloWorldAction.java acceptableParameterName Method**
 
+```java
+    public boolean acceptableParameterName(String parameterName) {
+        boolean allowedParameterName = true ;
 
-~~~~~~~
-	public boolean acceptableParameterName(String parameterName) {
-		
-		boolean allowedParameterName = true ;
+        if ( parameterName.contains("session")  || parameterName.contains("request") ) {
+            allowedParameterName = false ;
+        } 
 		
-		if ( parameterName.contains("session")  || parameterName.contains("request") ) {
-		
-			allowedParameterName = false ;
-			
-		} 
-		
-		return allowedParameterName;
-	}
-
-
-~~~~~~~
+        return allowedParameterName;
+    }
+```
 
 This method will be called by the Struts 2 framework for each parameter in the request scope.
By returning false if the parameter name contains "session" we are telling the Struts 2 framework
to ignore that parameter. This will prevent a malicious user from trying to hack the HTTP
session object.
 
@@ -120,35 +90,28 @@ Instead of having each action that implements SessionAware also implement
the Pa
 
 **struts.xml configure params interceptor**
 
-
-~~~~~~~
-	<package name="basicstruts2" extends="struts-default">
-
- 		<interceptors>
-	 		<interceptor-stack name="appDefault">
-	        	 <interceptor-ref name="defaultStack">
-	      			<param name="exception.logEnabled">true</param>
-	      			<param name="exception.logLevel">ERROR</param>
-	      			<param name="params.excludeParams">dojo..*,^struts..*,^session..*,^request..*,^application..*,^servlet(Request|Response)..*,parameters...*</param>
-	   			</interceptor-ref>
-	 	    </interceptor-stack>
-		</interceptors>
+```xml
+    <package name="basicstruts2" extends="struts-default">
+        <interceptors>
+            <interceptor-stack name="appDefault">
+                <interceptor-ref name="defaultStack">
+                    <param name="exception.logEnabled">true</param>
+                    <param name="exception.logLevel">ERROR</param>
+                    <param name="params.excludeParams">dojo..*,^struts..*,^session..*,^request..*,^application..*,^servlet(Request|Response)..*,parameters...*</param>
+                </interceptor-ref>
+            </interceptor-stack>
+        </interceptors>
 		
-		<default-interceptor-ref name="appDefault" />
-
-
-~~~~~~~
+        <default-interceptor-ref name="appDefault" />
+...
+```
 
 The above code will ensure that every action in the "basicstruts2" package that implements
the SessionAware interface will exclude from processing parameters that starts with the strings
provided in the params.excludeParams noded.
 
 The example project includes both methods for mitigating the SessionAware security vulnerability.
 
-
-
 | Note the same issue exists if you implement the ServletRequestAware interface, which is
why the above method returns false if the parameter name contains "request".
 
-| 
-
-#####Summary#####
+__Summary__
 
 When your Action class needs to access the HTTP session object implement the SessionAware
interface and override the setSession method. Be sure to also implement the ParameterNameAware
interface and override the acceptableParameterName method to mitigate a potential security
vulnerability. If you have multiple actions that implement SessionAware then consider modifying
the params interceptor's excludeParams value as part of your Struts 2 package setup.


Mime
View raw message