struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Struts Two <struts...@yahoo.ca>
Subject Re: Struts 2 Container Security problem
Date Tue, 17 Mar 2009 16:54:54 GMT

To be able to run Struts 2 on Websphere 6.1, you definitely need to set com..ibm.ws.webcontainer.invokeFiltersCompatibility
for the custom properties of your server.

However, once the flag is set, you will not be able to access any action directly once container
security is turned on. That is only for Struts 2.1.x. Struts 2.0.11 or 2.0.12 should be okay.

--- On Tue, 3/17/09, pblatner <pblatner@gmail.com> wrote:

> From: pblatner <pblatner@gmail.com>
> Subject: Re: Struts 2 Container Security problem
> To: user@struts.apache.org
> Received: Tuesday, March 17, 2009, 4:15 PM
> 
> I don't see how this fix applies to the problem I mentioned
> below: 
> http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK31377
> 
> The text there doesn't say anything about resolving an
> issue where WebSphere
> doesn't seem to be recognizing servlet filters as resources
> to secure using
> web container authentication.
> 
> 
> Musachy Barroso wrote:
> > 
> > Just as a reference, there is a ticket open for this:
> > 
> > https://issues.apache.org/struts/browse/WW-2642
> > 
> > musachy
> > 
> > On Mon, Mar 16, 2009 at 5:37 PM, Struts Two <strutstwo@yahoo.ca>
> wrote:
> >>
> >> There is a problem running Struts 2.1.6 on
> Websphere when security is
> >> enabled. The case happens when url is an action
> not a resource like jsp
> >> or html. Refer to JIRA WW-2642 that I opened
> almost a year ago.
> >>
> >> I was hoping that Apache group can get their hands
> on Websphere to verify
> >> the issue but it seems like a distant probability
> as I have not heard any
> >> news on that for sometime.
> >>
> >> But on the bright site, there may be some good
> news on this soon. As I
> >> had to locate WAS L3 support in person and I am
> working with them on this
> >> issue [though the pace is slow].
> >>
> >> Also keep in mind, the same issue exists on WAS
> 7.0.0.1 with a slight
> >> variation. If this is determined to be a Websphere
> problem with WAS 6.1.
> >> Then I have a stronger case to press issue for WAS
> 7.0.
> >>
> >> --- On Mon, 3/16/09, pblatner <pblatner@gmail.com>
> wrote:
> >>
> >>> From: pblatner <pblatner@gmail.com>
> >>> Subject: Re: Struts 2 Container Security
> problem
> >>> To: user@struts.apache.org
> >>> Received: Monday, March 16, 2009, 9:05 PM
> >>>
> >>> I have tried to do the exact thing that Jeromy
> suggests
> >>> below with 2
> >>> packages.  And then in the web.xml specify a
> security
> >>> constraint with the
> >>> URL pattern "/protected/*".  After doing so,
> I am not
> >>> getting the result
> >>> that I think I should be.
> >>>
> >>> When issuing a request for my action at
> >>> "http://localhost/MyApp/protected/HomeAction", the
> >>> container is not
> >>> intercepting and challenging me with my
> logon.html page.
> >>>
> >>> Anyone know why this isn't working?
> >>>
> >>> The struts 2 servlet-filter pattern is
> "/*"..  It seems
> >>> pretty obvious that
> >>> the struts 2 servlet filter is responding to
> the first part
> >>> of the URL:
> >>> "http://localhost/MyApp/*" and the
> container isn't
> >>> seeing that as a secured
> >>> resource.
> >>>
> >>> Am I missing a configuration pattern somewhere
> that tells
> >>> the container to
> >>> inspect the full URL before allowing the
> servlet filter to
> >>> process it?
> >>>
> >>> My deployment environment is WebSphere 6.1. 
> Are there
> >>> any incompatibilities
> >>> between WebSphere 6.1 and struts 2 that could
> be causing
> >>> this?
> >>>
> >>> Thanks,
> >>> Pete.
> >>>
> >>>
> >>> Jeromy Evans - Blue Sky Minds wrote:
> >>> >
> >>> > In struts.xml, the namespace given to
> your package
> >>> needs be in
> >>> > /protected as well.
> >>> > eg. <package name="myPackage"
> >>> namespace="/protected">
> >>> > Otherwise, as you've seen, it's available
> in the root
> >>> of the
> >>> > application's context path.
> >>> >
> >>> > I usually split my struts2 application
> into at least
> >>> two packages:
> >>> > <package name="public"
> namespace="/"> ...
> >>> > <package name="secure"
> namespace="/protected">
> >>> >
> >>>
> >>> --
> >>> View this message in context:
> >>> http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22547426.html
> >>> Sent from the Struts - User mailing list
> archive at
> >>> Nabble.com.
> >>>
> >>>
> >>>
> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> >>> For additional commands, e-mail: user-help@struts.apache.org
> >>>
> >>>
> >>
> >>
> >>    
>  __________________________________________________________________
> >> Instant Messaging, free SMS, sharing photos and
> more... Try the new
> >> Yahoo! Canada Messenger at http://ca.beta.messenger.yahoo.com/
> >>
> >>
> >>
> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: user-unsubscribe@struts..apache.org
> >> For additional commands, e-mail: user-help@struts.apache..org
> >>
> >>
> > 
> > 
> > 
> > -- 
> > "Hey you! Would you help me to carry the stone?" Pink
> Floyd
> > 
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> > 
> > 
> > 
> 
> -- 
> View this message in context: http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22562774.html
> Sent from the Struts - User mailing list archive at
> Nabble.com.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 


      __________________________________________________________________
Looking for the perfect gift? Give the gift of Flickr! 

http://www.flickr.com/gift/


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message