Actions not called from their expected forms

[wwwclaes <ti...@hotmail.com>]

Hi, we have an S2 application with a lot of actions that are supposed to be
called from html forms. Since a few weeks ago something or someone has
started calling these actions directly, hence the required input values are
missing (which generate a lot of error mails to us administrators).

What might be causing this? Of course, we may have gotten some new, very
stubborn, users but due to the sudden frequency and pattern of the calls my
first bet would be some kind of automatic crawler. Some of the actions
require authentication, so it is not Google & Co. Could some kind of "web
page prefetching" cause this? Or any other ideas?

Anyway, I guess one solution would be to mark all expected input values as
required using S2 validation. However, it would be a bit cumbersome and
repetitive. To keep the application clean, I don't think it would be bad to
keep its current design with relying on form input values to be there (if
it's a combo box for instance, of course not for user entered text fields).
Can you think of some simpler means to stop these errors from occurring and
still keep it simple and Struts-wise?

Thanks,
Claes
-- 
View this message in context: http://www.nabble.com/Actions-not-called-from-their-expected-forms-tp16263668p16263668.html
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Actions not called from their expected forms

[Laurie Harper <la...@holoweb.net>]

wwwclaes wrote:
> Hi, we have an S2 application with a lot of actions that are supposed to be
> called from html forms. Since a few weeks ago something or someone has
> started calling these actions directly, hence the required input values are
> missing (which generate a lot of error mails to us administrators).
> 
> What might be causing this? Of course, we may have gotten some new, very
> stubborn, users but due to the sudden frequency and pattern of the calls my
> first bet would be some kind of automatic crawler. Some of the actions
> require authentication, so it is not Google & Co. Could some kind of "web
> page prefetching" cause this? Or any other ideas?
> 
> Anyway, I guess one solution would be to mark all expected input values as
> required using S2 validation. However, it would be a bit cumbersome and
> repetitive. To keep the application clean, I don't think it would be bad to
> keep its current design with relying on form input values to be there (if
> it's a combo box for instance, of course not for user entered text fields).
> Can you think of some simpler means to stop these errors from occurring and
> still keep it simple and Struts-wise?

If inputs are required they absolutely should be marked as such in the 
validation rules. Leaving out such checks leaves you wide open to data 
integrity issues at the very least.

As far as figuring out where these 'bogus' requests originate, look at 
the referer logs or add some network-level monitoring.

Fixing you validation so error messages go to the users rather than the 
administrators is probably the sane solution, though :-)

L.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org