Posted to dev@struts.apache.org by Obinna <ob...@gmail.com> on 2010/12/08 10:05:43 UTC

Potential Forms Security Issue

Hi,
Using Struts 2.1.8, I just ran into a security issue in my application
configuration which was a bit difficult to diagnose and turned out to be due
to a struts feature which unexpectedly bypassed my security configuration.

As with many systems, I am using a web filter security mechanism (Spring
security) to filter all requests and forwards. On one of my struts pages I
have a form with a submit button whose action differs from that on the form.
Such as:

<s:form theme="simple" action="unsecured">
          <s:submit key="button.exit" action="secured"/>
</s:form>

The default form action is unsecured. The button's action is secured.
When the form is submitted, the request url is the one provided by the form
of course (/unsecured.action). This is permitted access by the security
framework. However, in order to allow multiple submit urls for a single
action, struts submits the following request parameter (action:secured=Exit)
which results in an internal mapping to the secured struts mapping (the
one for the secured action) which struts executes by proxy, bypassing any
REQUEST/FORWARD security configurations.

If forms are developed this way, the result is that a user who had
permissions for the unsecured form action but not the secured submit action
now gains access to the secured action.

Though not a bug, I can imagine that this unexpected behavior can catch many
developers out and can be difficult to diagnose. It also requires that
security considerations be handled (or at least considered) in the jsp,
which seems to break proper separation of concerns (especially for security
configuration).

- Eric

Re: Potential Forms Security Issue

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Please, do not waste reviewers' time directing public discussion to
security@ lists at the ASF. The developers who would resolve any such
issue reside at their respective dev@ lists.

If you want to point out an undisclosed, undiscussed issue, then the
appropriate security@ list would be the place to do so.

And in general, DO NOT crosspost between public and private lists. It
is one, or the other.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Potential Forms Security Issue

Posted by Lukasz Lenart <lu...@googlemail.com>.
2010/12/8 Obinna <ob...@gmail.com>:
> Though not a bug, I can imagine that this unexpected behavior can catch many
> developers out and can be difficult to diagnose.  It also requires that
> security considerations be handled (or at least considered) in the jsp,
> which seems to break proper separation of concerns (especially for security
> configuration).

You can always create an interceptor to check the user's privileges. My
thought is that it will be very hard to implement such logic in
Struts2 as you're using an external filter that has nothing to do with
Struts2 itself. That said, the best option is a dedicated interceptor
that can cooperate with the implemented security mechanism - in this case
Spring Security. Maybe we should provide some example or so, but if
you can help, I appreciate that!


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Kapituła Javarsovia 2010 http://javarsovia.pl
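
An added example (not from this thread or the Struts project) of the dedicated interceptor Łukasz suggests: it authorizes the action name Struts actually resolved, taken from the ActionProxy, so the action:secured submit-button parameter Obinna describes is checked against the same role as a direct request to /secured.action. It assumes Struts 2.1.x (xwork2) and Spring Security 3.x; the package, the action-to-role map, the role names and the "unauthorized" result name are placeholders.

```java
// Added example, not the project's own code. Assumes Struts 2.1.x (xwork2)
// and Spring Security 3.x; package, map contents and result name are placeholders.
package example.security;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionProxy;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class ActionRoleInterceptor extends AbstractInterceptor {

    /** Placeholder map of "namespace/actionName" to the role required to run it. */
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("/secured", "ROLE_ADMIN");   // placeholder action and role
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionProxy proxy = invocation.getProxy();
        // The proxy carries the mapping Struts will really execute. After an
        // "action:secured" submit parameter this is "secured", even though the
        // URL the servlet filter authorized was /unsecured.action.
        String ns = proxy.getNamespace();
        String key = (ns == null || "/".equals(ns) ? "" : ns) + "/" + proxy.getActionName();
        String required = REQUIRED_ROLE.get(key);
        if (required == null || hasRole(required)) {
            return invocation.invoke();
        }
        // Deny: "unauthorized" is a placeholder global result declared in struts.xml.
        return "unauthorized";
    }

    /** True if the current Spring Security principal holds the given authority. */
    static boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}
```

The interceptor only takes effect once it is declared in struts.xml and placed in the interceptor stack of every package whose actions it should guard; actions missing from the map are allowed through, so the map must list every action the filter would otherwise protect by URL.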
