Posted to user@struts.apache.org by Kelly Graus <ke...@toltech.net> on 2008/02/19 18:12:47 UTC

Struts 2 Container Security problem

Hi Everyone,

I'm attempting to secure my first Struts 2 web app using container 
security with a DataSourceRealm.  I'm using Tomcat 6 as my container. 
Here is how my project is setup:

LicensingAdministration/
    META-INF/
       context.xml
    WEB-INF/
       web.xml
       classes/
          struts.xml
    protected/
       *JSP pages*
    login.jsp
    error.jsp

Without using struts, this works perfectly.  Any attempt to access 
anything under the protected area results in a redirect to the login 
page, and from there all of the database stuff works fine.  However, 
when I added in struts, I am now able to bypass the security by 
specifying an action directly.

For example, navigating to 
http://localhost:8080/LicensingAdministration/CreateProduct.action will 
bypass the login page and go directly to the CreateProduct action.  
However, navigating to 
http://localhost:8080/LicensingAdministration/protected/CreateProduct.action 
will perform a redirect to the login (as expected).

Any suggestions on how to secure the actions so that the login cannot be 
bypassed would be greatly appreciated!  Below are the relevant parts of 
my web.xml and context.xml files (I can post the full files if 
necessary, but they contain a lot of resource definitions that aren't 
related to the problem).

Also, in a slightly unrelated question, is it possible to use struts 
tags in the login page?  I was trying to use an s:url tag to specify the 
location of the css.  When redirected to the login page, the server 
threw an exception and I got an error message stating that the Struts 
dispatcher cannot be found.

Thanks!

Kelly

[web.xml]
<filter>
      <filter-name>struts2</filter-name>
      
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
  </filter>
 
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

[snip]

<resource-env-ref>
    <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
    <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
  </resource-env-ref>
 
  <!-- Security Constraints -->
  <security-constraint>
    <display-name>name</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>licensing-admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Licensing Administration</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>licensing-admin</role-name>
  </security-role>
 
  <welcome-file-list>
      <welcome-file>protected/administer.jsp</welcome-file>
  </welcome-file-list>
[/web.xml]

[context.xml]
<Resource name="jdbc/UsersDS" auth="Container"
              type="javax.sql.DataSource"
              username="username"
              password="password"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/users"/>
             
    <!-- Security Realm -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/UsersDS" localDataSource="true"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"/>
[/context.xml]


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts 2 Container Security problem

Posted by Kelly Graus <ke...@toltech.net>.
Martin Gainty <mgainty <at> hotmail.com> writes:

> 
> start here
> http://www.acegisecurity.org/guide/springsecurity.html
> 
> M-

Thank you for the response. I looked at Acegi, but it seemed overly
complex for my requirements. This application is just a simple in
house administration tool (and learning exercise for me) that doesn't
need much in the way of authentication. Basically, once a user logs
in, they are authorized to access the entire app.


From my research, it seems like using container security should work,
however I have been unable to find any examples using Struts 2 as of
yet (I even bought Practical Apache Struts 2, but the author doesn't
use Tomcat so his container security example didn't help much with my
problem).


Thanks again for your response!

Kelly




Re: Struts 2 Container Security problem

Posted by Martin Gainty <mg...@hotmail.com>.
start here
http://www.acegisecurity.org/guide/springsecurity.html

M-
----- Original Message -----
From: "Kelly Graus" <ke...@toltech.net>
To: <us...@struts.apache.org>
Sent: Tuesday, February 19, 2008 12:12 PM
Subject: Struts 2 Container Security problem


> Hi Everyone,
>
> I'm attempting to secure my first Struts 2 web app using container
> security with a DataSourceRealm.  I'm using Tomcat 6 as my container.
> Here is how my project is setup:
>
> LicensingAdministration/
>     META-INF/
>        context.xml
>     WEB-INF/
>        web.xml
>        classes/
>           struts.xml
>     protected/
>        *JSP pages*
>     login.jsp
>     error.jsp
>
> Without using struts, this works perfectly.  Any attempt to access
> anything under the protected area results in a redirect to the login
> page, and from there all of the database stuff works fine.  However,
> when I added in struts, I am now able to bypass the security by
> specifying an action directly.
>
> For example, navigating to
> http://localhost:8080/LicensingAdministration/CreateProduct.action will
> bypass the login page and go directly to the CreateProduct action.
> However, navigating to
> http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
> will perform a redirect to the login (as expected).
>
> Any suggestions on how to secure the actions so that the login cannot be
> bypassed would be greatly appreciated!  Below are the relevant parts of
> my web.xml and context.xml files (I can post the full files if
> necessary, but they contain a lot of resource definitions that aren't
> related to the problem).
>
> Also, in a slightly unrelated question, is it possible to use struts
> tags in the login page?  I was trying to use an s:url tag to specify the
> location of the css.  When redirected to the login page, the server
> threw an exception and I got an error message stating that the Struts
> dispatcher cannot be found.
>
> Thanks!
>
> Kelly
>
> [web.xml]
> <filter>
>       <filter-name>struts2</filter-name>
>
> <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>struts2</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
> [snip]
>
> <resource-env-ref>
>     <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
>     <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
>   </resource-env-ref>
>
>   <!-- Security Constraints -->
>   <security-constraint>
>     <display-name>name</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <url-pattern>/protected/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>licensing-admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Licensing Administration</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>   <security-role>
>     <role-name>licensing-admin</role-name>
>   </security-role>
>
>   <welcome-file-list>
>       <welcome-file>protected/administer.jsp</welcome-file>
>   </welcome-file-list>
> [/web.xml]
>
> [context.xml]
> <Resource name="jdbc/UsersDS" auth="Container"
>               type="javax.sql.DataSource"
>               username="username"
>               password="password"
>               driverClassName="com.mysql.jdbc.Driver"
>               url="jdbc:mysql://localhost:3306/users"/>
>
>     <!-- Security Realm -->
>       <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/UsersDS" localDataSource="true"
>            userTable="users" userNameCol="user_name" userCredCol="user_pass"
>            userRoleTable="user_roles" roleNameCol="role_name"/>
> [/context.xml]
>
>
>
>




Re: Struts 2 Container Security problem

Posted by Wes Wannemacher <we...@wantii.com>.
On Wed, 2008-02-20 at 05:15 +0000, Kelly Graus wrote:
> Wes Wannemacher <wesw <at> wantii.com> writes:
> 
> > I'm jumping in late, so if I refer to something that came up in a
> > previous post, I apologize ahead of time. I'm guessing that you're using
> > tomcat. Tomcat is picky about certain things being actual filesystem
> > resources. There are two possible solutions (if I'm right about Tomcat),
> > the first being Jeromy's suggestion. The other thing I've done that
> > seems to work is to create a blank file that matches the request. In
> > this case a 0-byte file called login.action may do the trick. It's a bit
> > of a hack, and I think when this comes up with the Tomcat peeps, they
> > point to the spec. 
> > 
> > -Wes
> > 
> Hi Wes,
> 
> Thanks for the reply!  I tried your fix, now Tomcat returns a blank page.  Any 
> other configuration issues I need to be aware of?
> 
> Thanks!
> 
> Kelly
> 

hmm... It worked for the welcome-file pages for me :)

Do you have the struts filter mapped so that it would have picked up the
request? 

I'm thinking you have three choices depending on the amount of time you
have to finish your task. The first would be using a newer version of
Tomcat. As was mentioned earlier, this is basically a gotcha when
dealing with the previous spec (more specifically Tomcat 5.5.x) combined
with a framework that takes over request processing. If not Tomcat,
there are plenty of good alternatives. 

Another choice would be to roll your own authentication and
authorization. There is a great tutorial here
http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor
that gets linked to quite often on this list that will help. Rolling your
own is much easier than it sounds and the lack of portability when
configuring Tomcat's *Realms led me to start rolling my own whenever I
have needed.

The last choice is to forgo the framework for the login-form. IIRC, the
requirement is a j_username string and j_password string posted to
j_security_check. I'm a bit of a purist and I don't really like it, but
sometimes you have to do what works, rather than forcing a square peg in
a round hole.  






Re: Struts 2 Container Security problem

Posted by Kelly Graus <ke...@toltech.net>.
Wes Wannemacher <wesw <at> wantii.com> writes:

> I'm jumping in late, so if I refer to something that came up in a
> previous post, I apologize ahead of time. I'm guessing that you're using
> tomcat. Tomcat is picky about certain things being actual filesystem
> resources. There are two possible solutions (if I'm right about Tomcat),
> the first being Jeromy's suggestion. The other thing I've done that
> seems to work is to create a blank file that matches the request. In
> this case a 0-byte file called login.action may do the trick. It's a bit
> of a hack, and I think when this comes up with the Tomcat peeps, they
> point to the spec. 
> 
> -Wes
> 
Hi Wes,

Thanks for the reply!  I tried your fix, now Tomcat returns a blank page.  Any 
other configuration issues I need to be aware of?

Thanks!

Kelly





Re: Struts 2 Container Security problem

Posted by Laurie Harper <la...@holoweb.net>.
Wes Wannemacher wrote:
> On Wed, 2008-02-20 at 00:43 +0000, Kelly Graus wrote:
>> Jeromy Evans <jeromy.evans <at> blueskyminds.com.au> writes:
> [snip]
>>
>>> I would add a login action to the public namespace which prepares a 
>>> login page.  Unfortunately I don't think the container will allow you to 
>>> specify "/login.action" as the login page though, but you can make 
>>> login.jsp redirect to it.
>> According to Practical Apache Struts 2, this should be able to be an action.  
>> However, I'm having difficulty getting this to work.  I keep getting a 404 
>> requested resource not found for the logon action.  I'll keep working on it, 
>> if any one has any ideas it would be great.
> 
> I'm jumping in late, so if I refer to something that came up in a
> previous post, I apologize ahead of time. I'm guessing that you're using
> tomcat. Tomcat is picky about certain things being actual filesystem
> resources. There are two possible solutions (if I'm right about Tomcat),
> the first being Jeromy's suggestion. The other thing I've done that
> seems to work is to create a blank file that matches the request. In
> this case a 0-byte file called login.action may do the trick. It's a bit
> of a hack, and I think when this comes up with the Tomcat peeps, they
> point to the spec. 

I thought the Servlet 2.5 spec clarified this, and specified that any 
resource should be allowable -- or was that just for welcome files?

L.




Re: Struts 2 Container Security problem

Posted by Wes Wannemacher <we...@wantii.com>.
On Tue, 2008-02-19 at 17:56 -0800, Dave Newton wrote:
> --- Jeromy Evans <je...@blueskyminds.com.au> wrote:
> > Wes Wannemacher wrote:
> > > In this case a 0-byte file called login.action may do the trick. It's a bit
> > > of a hack, and I think when this comes up with the Tomcat peeps, they
> > > point to the spec. 
> > Excellent!  I loathe using a redirect.  This probably belongs in a FAQ 
> > somewhere as it comes up a lot with respect to using an action as the 
> > welcome file.
> 
> Meh. I'd rather see a known, cross-browser technique like a redirect than
> potentially non-portable treachery. What, specifically, does the spec say
> regarding this?
> 
> (I'm quickly looking in 2.4, which isn't the latest; it seems to state only
> that it must check that a static resource or servlet is mapped to the file
> named in the welcome-file-list, so I guess the zero-byte trick is
> spec-friendly. Still makes me grumpy, but I'm old and easily irritated :)
> 

The only problem with a redirect in this case is that some context may
be lost :(. Generally, with container managed security, after logging
in, the server manages to send you happily on your way back to the
resource that required authorization. I haven't tried it, but assuming
that Tomcat "keeps it simple," I'd bet that redirecting might lose some
of the magic required to make it all work. 

I think that the last post was right though (by Laurie?) that the new
spec fixes this. So, don't be down Dave, there is hope yet! 




Re: Struts 2 Container Security problem

Posted by Dave Newton <ne...@yahoo.com>.
--- Jeromy Evans <je...@blueskyminds.com.au> wrote:
> Wes Wannemacher wrote:
> > In this case a 0-byte file called login.action may do the trick. It's a bit
> > of a hack, and I think when this comes up with the Tomcat peeps, they
> > point to the spec. 
> Excellent!  I loathe using a redirect.  This probably belongs in a FAQ 
> somewhere as it comes up a lot with respect to using an action as the 
> welcome file.

Meh. I'd rather see a known, cross-browser technique like a redirect than
potentially non-portable treachery. What, specifically, does the spec say
regarding this?

(I'm quickly looking in 2.4, which isn't the latest; it seems to state only
that it must check that a static resource or servlet is mapped to the file
named in the welcome-file-list, so I guess the zero-byte trick is
spec-friendly. Still makes me grumpy, but I'm old and easily irritated :)

Dave




Re: Struts 2 Container Security problem

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
Wes Wannemacher wrote:
>
> I'm jumping in late, so if I refer to something that came up in a
> previous post, I apologize ahead of time. I'm guessing that you're using
> tomcat. Tomcat is picky about certain things being actual filesystem
> resources. There are two possible solutions (if I'm right about Tomcat),
> the first being Jeromy's suggestion. The other thing I've done that
> seems to work is to create a blank file that matches the request. In
> this case a 0-byte file called login.action may do the trick. It's a bit
> of a hack, and I think when this comes up with the Tomcat peeps, they
> point to the spec. 
>
> -Wes
>
>   
Excellent!  I loathe using a redirect.  This probably belongs in a FAQ 
somewhere as it comes up a lot with respect to using an action as the 
welcome file.



Re: Struts 2 Container Security problem

Posted by Wes Wannemacher <we...@wantii.com>.
On Wed, 2008-02-20 at 00:43 +0000, Kelly Graus wrote:
> Jeromy Evans <jeromy.evans <at> blueskyminds.com.au> writes:
[snip]
> 
> 
> > I would add a login action to the public namespace which prepares a 
> > login page.  Unfortunately I don't think the container will allow you to 
> > specify "/login.action" as the login page though, but you can make 
> > login.jsp redirect to it.
> 
> According to Practical Apache Struts 2, this should be able to be an action.  
> However, I'm having difficulty getting this to work.  I keep getting a 404 
> requested resource not found for the logon action.  I'll keep working on it, 
> if any one has any ideas it would be great.

I'm jumping in late, so if I refer to something that came up in a
previous post, I apologize ahead of time. I'm guessing that you're using
tomcat. Tomcat is picky about certain things being actual filesystem
resources. There are two possible solutions (if I'm right about Tomcat),
the first being Jeromy's suggestion. The other thing I've done that
seems to work is to create a blank file that matches the request. In
this case a 0-byte file called login.action may do the trick. It's a bit
of a hack, and I think when this comes up with the Tomcat peeps, they
point to the spec. 

-Wes




Re: Struts 2 Container Security problem

Posted by Kelly Graus <ke...@toltech.net>.
Jeromy Evans <jeromy.evans <at> blueskyminds.com.au> writes:

> 
> 
> >> I would add a login action to the public namespace which prepares a 
> >> login page.  Unfortunately I don't think the container will allow you to 
> >> specify "/login.action" as the login page though, but you can make 
> >> login.jsp redirect to it.
> >>     
> >
> > According to Practical Apache Struts 2, this should be able to be an action.
> > However, I'm having difficulty getting this to work.  I keep getting a 404 
> > requested resource not found for the logon action.  I'll keep working on it,
> > if any one has any ideas it would be great.
> >
> >   
> I'm fairly sure it depends on which container implementation you're using 
> and (possibly) whether you're using the 2.4 or 2.5 servlet specification 
> (specified in web.xml)
> I think it's not supported in Tomcat 5.5.
> 
You're correct, I didn't even think about that.  I'm using version 2.5 of the 
servlet specification, and Tomcat 6.0.  I will try with the redirect.

Thanks again!

Kelly




Re: Struts 2 Container Security problem

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
>> I would add a login action to the public namespace which prepares a 
>> login page.  Unfortunately I don't think the container will allow you to 
>> specify "/login.action" as the login page though, but you can make 
>> login.jsp redirect to it.
>>     
>
> According to Practical Apache Struts 2, this should be able to be an action.  
> However, I'm having difficulty getting this to work.  I keep getting a 404 
> requested resource not found for the logon action.  I'll keep working on it, 
> if any one has any ideas it would be great.
>
>   
I'm fairly sure it depends on which container implementation you're using 
and (possibly) whether you're using the 2.4 or 2.5 servlet specification 
(specified in web.xml)
I think it's not supported in Tomcat 5.5.



Re: Struts 2 Container Security problem

Posted by Dave Newton <ne...@yahoo.com>.
--- Kelly Graus <ke...@toltech.net> wrote:
> > I would add a login action to the public namespace which prepares a 
> > login page.  Unfortunately I don't think the container will allow you to 
> > specify "/login.action" as the login page though, but you can make 
> > login.jsp redirect to it.
> 
> According to Practical Apache Struts 2, this should be able to be an
> action.  

What should be, the container login page? I thought you said you and the book
were using different containers--AFAIK that's probably container-specific.
Did you try the redirect?

Dave




Re: Struts 2 Container Security problem

Posted by Kelly Graus <ke...@toltech.net>.
Jeromy Evans <jeromy.evans <at> blueskyminds.com.au> writes:

> 
> Hi Kelly,
> 
> In struts.xml, the namespace given to your package needs to be in 
> /protected as well.
> eg. <package name="myPackage" namespace="/protected">
> Otherwise, as you've seen, it's available in the root of the 
> application's context path.
> 
> I usually split my struts2 application into at least two packages:
> <package name="public" namespace="/"> ...
> <package name="secure" namespace="/protected">
> 
> Which then allows you to apply your container-managed security where 
> necessary.

Thank you very much.  This worked perfectly!


> I would add a login action to the public namespace which prepares a 
> login page.  Unfortunately I don't think the container will allow you to 
> specify "/login.action" as the login page though, but you can make 
> login.jsp redirect to it.

According to Practical Apache Struts 2, this should be able to be an action.  
However, I'm having difficulty getting this to work.  I keep getting a 404 
requested resource not found for the logon action.  I'll keep working on it, 
if any one has any ideas it would be great.

> Hope that helps,
> regards,
>  Jeromy Evans

Thanks again!

Kelly






Re: Struts 2 Container Security problem

Posted by pblatner <pb...@gmail.com>.
I have tried to do the exact thing that Jeromy suggests below with 2
packages.  And then in the web.xml specify a security constraint with the
URL pattern "/protected/*".  After doing so, I am not getting the result
that I think I should be.

When issuing a request for my action at
"http://localhost/MyApp/protected/HomeAction", the container is not
intercepting and challenging me with my logon.html page.

Anyone know why this isn't working?  

The struts 2 servlet-filter pattern is "/*".  It seems pretty obvious that
the struts 2 servlet filter is responding to the first part of the URL:
"http://localhost/MyApp/*" and the container isn't seeing that as a secured
resource.

Am I missing a configuration pattern somewhere that tells the container to
inspect the full URL before allowing the servlet filter to process it?

My deployment environment is WebSphere 6.1.  Are there any incompatibilities
between WebSphere 6.1 and struts 2 that could be causing this?

Thanks,
Pete.


Jeromy Evans - Blue Sky Minds wrote:
> 
> In struts.xml, the namespace given to your package needs to be in 
> /protected as well.
> eg. <package name="myPackage" namespace="/protected">
> Otherwise, as you've seen, it's available in the root of the 
> application's context path.
> 
> I usually split my struts2 application into at least two packages:
> <package name="public" namespace="/"> ...
> <package name="secure" namespace="/protected">
> 

-- 
View this message in context: http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22547426.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Struts 2 Container Security problem

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
Hi Kelly,

In struts.xml, the namespace given to your package needs to be in 
/protected as well.
eg. <package name="myPackage" namespace="/protected">
Otherwise, as you've seen, it's available in the root of the 
application's context path.

I usually split my struts2 application into at least two packages:
<package name="public" namespace="/"> ...
<package name="secure" namespace="/protected">

Which then allows you to apply your container-managed security where 
necessary.

I would add a login action to the public namespace which prepares a 
login page.  Unfortunately I don't think the container will allow you to 
specify "/login.action" as the login page though, but you can make 
login.jsp redirect to it.

Hope that helps,
regards,
 Jeromy Evans

Kelly Graus wrote:
> Hi Everyone,
>
> I'm attempting to secure my first Struts 2 web app using container 
> security with a DataSourceRealm.  I'm using Tomcat 6 as my container. 
> Here is how my project is setup:
>
> LicensingAdministration/
>    META-INF/
>       context.xml
>    WEB-INF/
>       web.xml
>       classes/
>          struts.xml
>    protected/
>       *JSP pages*
>    login.jsp
>    error.jsp
>
> Without using struts, this works perfectly.  Any attempt to access 
> anything under the protected area results in a redirect to the login 
> page, and from there all of the database stuff works fine.  However, 
> when I added in struts, I am now able to bypass the security by 
> specifying an action directly.
>
> For example, navigating to 
> http://localhost:8080/LicensingAdministration/CreateProduct.action 
> will bypass the login page and go directly to the CreateProduct 
> action.  However, navigating to 
> http://localhost:8080/LicensingAdministration/protected/CreateProduct.action 
> will perform a redirect to the login (as expected).
>
> Any suggestions on how to secure the actions so that the login cannot 
> be bypassed would be greatly appreciated!  Below are the relevant 
> parts of my web.xml and context.xml files (I can post the full files 
> if necessary, but they contain a lot of resource definitions that 
> aren't related to the problem).
>
> Also, in a slightly unrelated question, is it possible to use struts 
> tags in the login page?  I was trying to use an s:url tag to specify 
> the location of the css.  When redirected to the login page, the 
> server threw an exception and I got an error message stating that the 
> Struts dispatcher cannot be found.
>
> Thanks!
>
> Kelly
>
> [web.xml]
> <filter>
>      <filter-name>struts2</filter-name>
>      
> <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class> 
>
>  </filter>
>
>  <filter-mapping>
>    <filter-name>struts2</filter-name>
>    <url-pattern>/*</url-pattern>
>  </filter-mapping>
>
> [snip]
>
> <resource-env-ref>
>    <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
>    <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
>  </resource-env-ref>
>
>  <!-- Security Constraints -->
>  <security-constraint>
>    <display-name>name</display-name>
>    <web-resource-collection>
>      <web-resource-name>Protected Area</web-resource-name>
>      <url-pattern>/protected/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>licensing-admin</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <realm-name>Licensing Administration</realm-name>
>    <form-login-config>
>      <form-login-page>/login.jsp</form-login-page>
>      <form-error-page>/error.jsp</form-error-page>
>    </form-login-config>
>  </login-config>
>  <security-role>
>    <role-name>licensing-admin</role-name>
>  </security-role>
>
>  <welcome-file-list>
>      <welcome-file>protected/administer.jsp</welcome-file>
>  </welcome-file-list>
> [/web.xml]
>
> [context.xml]
> <Resource name="jdbc/UsersDS" auth="Container"
>              type="javax.sql.DataSource"
>              username="username"
>              password="password"
>              driverClassName="com.mysql.jdbc.Driver"
>              url="jdbc:mysql://localhost:3306/users"/>
>                <!-- Security Realm -->
>      <Realm className="org.apache.catalina.realm.DataSourceRealm"
>           dataSourceName="jdbc/UsersDS" localDataSource="true"
>           userTable="users" userNameCol="user_name" 
> userCredCol="user_pass"
>           userRoleTable="user_roles" roleNameCol="role_name"/>
> [/context.xml]
>
>
>
>
>
>

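A complete struts.xml showing the two-package split Jeromy describes above, added here as an illustration and not taken from the thread or from any poster's project. It assumes the web.xml security constraint on /protected/* that Kelly posted at the top of the thread; the action class name com.example.licensing.CreateProductAction and the result JSP paths are invented placeholders. The point it makes explicit is the one Kelly hit: the container only applies FORM login to URLs that match the constraint's url-pattern, so an action is protected exactly when its package namespace puts it under /protected/.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>

    <!-- Public package (assumed layout, not from the thread).
         Its actions are served at /<name>.action directly under the context
         path, which the web.xml constraint on /protected/* does NOT cover.
         Only put things here that are meant to be reachable before login. -->
    <package name="public" namespace="/" extends="struts-default">

        <!-- Hypothetical login action: it only renders the form. The actual
             credential check is still done by the container; web.xml keeps
             /login.jsp as the form-login-page, which this action forwards to. -->
        <action name="Login">
            <result>/login.jsp</result>
        </action>

    </package>

    <!-- Secure package: every action here is addressed as
         /protected/<name>.action, so the request matches the
         <url-pattern>/protected/*</url-pattern> constraint and the container
         redirects to the login page before the Struts filter dispatches. -->
    <package name="secure" namespace="/protected" extends="struts-default">

        <!-- Hypothetical class and result path. Because the package namespace
             is /protected, /CreateProduct.action at the context root no longer
             resolves to this action, which closes the bypass Kelly observed. -->
        <action name="CreateProduct"
                class="com.example.licensing.CreateProductAction">
            <result>/protected/createProduct.jsp</result>
        </action>

    </package>

</struts>
```

A quick check after deploying: a request to /LicensingAdministration/protected/CreateProduct.action while logged out should now return the container's redirect to /login.jsp, and /LicensingAdministration/CreateProduct.action should return a 404 from Struts rather than executing the action. Keep the JSPs the secure actions forward to under /protected/ as well, since the constraint is evaluated on the original request URL and a JSP left at the context root would still be directly requestable.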


Re: Struts 2 Container Security problem

Posted by pblatner <pb...@gmail.com>.
I installed the latest fix pack for WebSphere, bringing my version up to
6.1.0.21 and it did the trick.  The Web container authentication now works
as I expected it to.  

Thanks for the feedback.
Pete.


pblatner wrote:
> 
> I don't see how this fix applies to the problem I mentioned below: 
> http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK31377
> 
> The text there doesn't say anything about resolving an issue where
> WebSphere doesn't seem to be recognizing servlet filters as resources to
> secure using web container authentication.
> 
> 
> Musachy Barroso wrote:
>> 
>> Just as a reference, there is a ticket open for this:
>> 
>> https://issues.apache.org/struts/browse/WW-2642
>> 
>> musachy
>> 
>> On Mon, Mar 16, 2009 at 5:37 PM, Struts Two <st...@yahoo.ca> wrote:
>>>
>>> There is a problem running Struts 2.1.6 on Websphere when security is
>>> enabled. The case happens when the URL is an action, not a resource like a
>>> jsp or html. Refer to JIRA WW-2642 that I opened almost a year ago.
>>>
>>> I was hoping that the Apache group could get their hands on Websphere to
>>> verify the issue, but it seems like a distant probability as I have not
>>> heard any news on that for some time.
>>>
>>> But on the bright side, there may be some good news on this soon, as I
>>> had to locate WAS L3 support in person and I am working with them on
>>> this issue [though the pace is slow].
>>>
>>> Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight
>>> variation. If this is determined to be a Websphere problem with WAS 6.1,
>>> then I have a stronger case to press the issue for WAS 7.0.
>>>
>>> --- On Mon, 3/16/09, pblatner <pb...@gmail.com> wrote:
>>>
>>>> From: pblatner <pb...@gmail.com>
>>>> Subject: Re: Struts 2 Container Security problem
>>>> To: user@struts.apache.org
>>>> Received: Monday, March 16, 2009, 9:05 PM
>>>>
>>>> I have tried to do the exact thing that Jeromy suggests below with 2
>>>> packages.  And then in the web.xml specify a security constraint with the
>>>> URL pattern "/protected/*".  After doing so, I am not getting the result
>>>> that I think I should be.
>>>>
>>>> When issuing a request for my action at
>>>> "http://localhost/MyApp/protected/HomeAction", the container is not
>>>> intercepting and challenging me with my logon.html page.
>>>>
>>>> Anyone know why this isn't working?
>>>>
>>>> The struts 2 servlet-filter pattern is "/*".  It seems pretty obvious that
>>>> the struts 2 servlet filter is responding to the first part of the URL:
>>>> "http://localhost/MyApp/*" and the container isn't seeing that as a secured
>>>> resource.
>>>>
>>>> Am I missing a configuration pattern somewhere that tells the container to
>>>> inspect the full URL before allowing the servlet filter to process it?
>>>>
>>>> My deployment environment is WebSphere 6.1.  Are there any incompatibilities
>>>> between WebSphere 6.1 and struts 2 that could be causing this?
>>>>
>>>> Thanks,
>>>> Pete.
>>>>
>>>>
>>>> Jeromy Evans - Blue Sky Minds wrote:
>>>> >
>>>> > In struts.xml, the namespace given to your package needs to be in
>>>> > /protected as well.
>>>> > eg. <package name="myPackage" namespace="/protected">
>>>> > Otherwise, as you've seen, it's available in the root of the
>>>> > application's context path.
>>>> >
>>>> > I usually split my struts2 application into at least two packages:
>>>> > <package name="public" namespace="/"> ...
>>>> > <package name="secure" namespace="/protected">
>>>> >
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22547426.html
>>>> Sent from the Struts - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>> 
>> 
>> 
>> -- 
>> "Hey you! Would you help me to carry the stone?" Pink Floyd
>> 
>> 
>> 
>> 
> 
> 





Re: Struts 2 Container Security problem

Posted by pblatner <pb...@gmail.com>.
I don't see how this fix applies to the problem I mentioned below: 
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK31377

The text there doesn't say anything about resolving an issue where WebSphere
doesn't seem to be recognizing servlet filters as resources to secure using
web container authentication.


Musachy Barroso wrote:
> 
> Just as a reference, there is a ticket open for this:
> 
> https://issues.apache.org/struts/browse/WW-2642
> 
> musachy
> 
> On Mon, Mar 16, 2009 at 5:37 PM, Struts Two <st...@yahoo.ca> wrote:
>>
>> There is a problem running Struts 2.1.6 on Websphere when security is
>> enabled. The case happens when the URL is an action, not a resource like a
>> jsp or html. Refer to JIRA WW-2642 that I opened almost a year ago.
>>
>> I was hoping that the Apache group could get their hands on Websphere to
>> verify the issue, but it seems like a distant probability as I have not
>> heard any news on that for some time.
>>
>> But on the bright side, there may be some good news on this soon, as I
>> had to locate WAS L3 support in person and I am working with them on this
>> issue [though the pace is slow].
>>
>> Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight
>> variation. If this is determined to be a Websphere problem with WAS 6.1,
>> then I have a stronger case to press the issue for WAS 7.0.
>>
>> --- On Mon, 3/16/09, pblatner <pb...@gmail.com> wrote:
>>
>>> From: pblatner <pb...@gmail.com>
>>> Subject: Re: Struts 2 Container Security problem
>>> To: user@struts.apache.org
>>> Received: Monday, March 16, 2009, 9:05 PM
>>>
>>> I have tried to do the exact thing that Jeromy suggests below with 2
>>> packages.  And then in the web.xml specify a security constraint with the
>>> URL pattern "/protected/*".  After doing so, I am not getting the result
>>> that I think I should be.
>>>
>>> When issuing a request for my action at
>>> "http://localhost/MyApp/protected/HomeAction", the container is not
>>> intercepting and challenging me with my logon.html page.
>>>
>>> Anyone know why this isn't working?
>>>
>>> The struts 2 servlet-filter pattern is "/*".  It seems pretty obvious that
>>> the struts 2 servlet filter is responding to the first part of the URL:
>>> "http://localhost/MyApp/*" and the container isn't seeing that as a secured
>>> resource.
>>>
>>> Am I missing a configuration pattern somewhere that tells the container to
>>> inspect the full URL before allowing the servlet filter to process it?
>>>
>>> My deployment environment is WebSphere 6.1.  Are there any incompatibilities
>>> between WebSphere 6.1 and struts 2 that could be causing this?
>>>
>>> Thanks,
>>> Pete.
>>>
>>>
>>> Jeromy Evans - Blue Sky Minds wrote:
>>> >
>>> > In struts.xml, the namespace given to your package needs to be in
>>> > /protected as well.
>>> > eg. <package name="myPackage" namespace="/protected">
>>> > Otherwise, as you've seen, it's available in the root of the
>>> > application's context path.
>>> >
>>> > I usually split my struts2 application into at least two packages:
>>> > <package name="public" namespace="/"> ...
>>> > <package name="secure" namespace="/protected">
>>> >
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
> 
> 
> 
> -- 
> "Hey you! Would you help me to carry the stone?" Pink Floyd
> 
> 
> 
> 



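The two-package split that Jeromy Evans recommends in the replies quoted above, written out as a complete struts.xml, is an added example for this thread and is not configuration posted by any participant or shipped by the Struts project. It assumes the web.xml security constraint on the URL pattern "/protected/*" shown at the top of the thread is in place, and the action class names in the com.example.licensing package are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- struts.xml: added example, not from the thread. Class names are hypothetical. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>

    <!-- Actions in this package answer at the context root, for example
         /LicensingAdministration/Home.action. The container applies no
         security constraint to that path, so only actions that are meant to
         be reachable without a login belong here. -->
    <package name="public" namespace="/" extends="struts-default">
        <action name="Home" class="com.example.licensing.HomeAction">
            <result>/index.jsp</result>
        </action>
    </package>

    <!-- Actions in this package answer only under /protected/, for example
         /LicensingAdministration/protected/CreateProduct.action. That URL
         matches <url-pattern>/protected/*</url-pattern> in web.xml, so the
         container enforces the licensing-admin role (FORM login) before the
         request ever reaches the struts2 filter. Nothing in this package is
         mapped at the root, so /CreateProduct.action no longer resolves. -->
    <package name="secure" namespace="/protected" extends="struts-default">
        <action name="CreateProduct" class="com.example.licensing.CreateProductAction">
            <result>/protected/createProduct.jsp</result>
            <result name="input">/protected/createProduct.jsp</result>
        </action>
        <action name="Administer" class="com.example.licensing.AdministerAction">
            <result>/protected/administer.jsp</result>
        </action>
    </package>

</struts>
```

The reason this works, and the reason the struts2 filter's "/*" mapping is irrelevant to it, is that the servlet container checks security constraints against the request URI before it dispatches to any filter or servlet; a constraint cannot be bypassed by the filter chain, only by reaching an action through a URI the constraint does not cover. After deploying, confirm the split from an unauthenticated browser session: the root URL /LicensingAdministration/CreateProduct.action should now fail to map to an action (Struts reports no action found), while /LicensingAdministration/protected/CreateProduct.action should redirect to login.jsp. Any action that must stay private has to be declared in the "/protected" namespace (or another namespace covered by a constraint); a package left at the root is reachable without a login regardless of what the JSPs it forwards to are named.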