struts-user mailing list archives

From Struts Two <struts...@yahoo.ca>
Subject Re: Struts 2 Container Security problem
Date Mon, 16 Mar 2009 21:37:21 GMT

There is a problem running Struts 2.1.6 on WebSphere when security is enabled. The case happens
when the URL is an action, not a resource like JSP or HTML. Refer to JIRA WW-2642, which I opened
almost a year ago.

I was hoping that the Apache group could get their hands on WebSphere to verify the issue, but it
seems like a distant probability as I have not heard any news on that for some time.

But on the bright side, there may be some good news on this soon, as I had to locate WAS L3
support in person and I am working with them on this issue [though the pace is slow].

Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight variation. If this is
determined to be a WebSphere problem with WAS 6.1, then I have a stronger case to press the issue
for WAS 7.0.

--- On Mon, 3/16/09, pblatner <pblatner@gmail.com> wrote:

> From: pblatner <pblatner@gmail.com>
> Subject: Re: Struts 2 Container Security problem
> To: user@struts.apache.org
> Received: Monday, March 16, 2009, 9:05 PM
> 
> I have tried to do the exact thing that Jeromy suggests below with 2 packages. And then in the
> web.xml specify a security constraint with the URL pattern "/protected/*". After doing so, I am
> not getting the result that I think I should be.
> 
> When issuing a request for my action at "http://localhost/MyApp/protected/HomeAction", the
> container is not intercepting and challenging me with my logon.html page.
> 
> Anyone know why this isn't working?
> 
> The struts 2 servlet-filter pattern is "/*". It seems pretty obvious that the struts 2 servlet
> filter is responding to the first part of the URL: "http://localhost/MyApp/*" and the container
> isn't seeing that as a secured resource.
> 
> Am I missing a configuration pattern somewhere that tells the container to inspect the full URL
> before allowing the servlet filter to process it?
> 
> My deployment environment is WebSphere 6.1. Are there any incompatibilities between WebSphere 6.1
> and struts 2 that could be causing this?
> 
> Thanks,
> Pete.
> 
> 
> Jeromy Evans - Blue Sky Minds wrote:
> > 
> > In struts.xml, the namespace given to your package needs to be in /protected as well.
> > eg. <package name="myPackage" namespace="/protected">
> > Otherwise, as you've seen, it's available in the root of the application's context path.
> > 
> > I usually split my struts2 application into at least two packages:
> > <package name="public" namespace="/"> ...
> > <package name="secure" namespace="/protected">
> > 
> 
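An added example (not part of the thread and not Struts project code) that automates the check behind Jeromy's advice: it lists every Struts 2 action whose URL path falls outside all `security-constraint` URL patterns in web.xml, so a package left in the root or default namespace stands out. The descriptors, class names, the `admin` package and the role name are constructed samples, and only exact and `/prefix/*` patterns are matched.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the thread).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STRUTS_XML = """<struts>
  <package name="public" namespace="/" extends="struts-default">
    <action name="Welcome" class="example.WelcomeAction"/>
  </package>
  <package name="secure" namespace="/protected" extends="struts-default">
    <action name="HomeAction" class="example.HomeAction"/>
  </package>
  <package name="admin" extends="struts-default">
    <action name="Reports" class="example.ReportsAction"/>
  </package>
</struts>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix such as '{http://...}'

def constrained_patterns(web_xml):
    """All url-pattern values that sit inside a security-constraint."""
    return [el.text.strip()
            for sc in ET.fromstring(web_xml).iter() if local(sc.tag) == "security-constraint"
            for el in sc.iter() if local(el.tag) == "url-pattern" and el.text]

def covers(pattern, path):
    """Exact and '/prefix/*' matching only; '*.ext' patterns are not handled."""
    if pattern.endswith("/*"):
        return (path + "/").startswith(pattern[:-1])
    return pattern == path

def actions_outside_constraints(web_xml, struts_xml):
    """(package, URL path) for each action that no security-constraint covers."""
    patterns = constrained_patterns(web_xml)
    found = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        ns = pkg.get("namespace", "").rstrip("/")  # "/" or no namespace -> context root
        for act in pkg.iter("action"):
            path = ns + "/" + act.get("name")  # action extension omitted
            if not any(covers(p, path) for p in patterns):
                found.append((pkg.get("name"), path))
    return found
```

Actions in the `public` package are expected in the output; the entry to look for is a package meant to be secured that appears there because its namespace was omitted or left as `/`.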