Posted to user@struts.apache.org by Arun M <ma...@gmail.com> on 2008/07/26 19:48:47 UTC

Data Leakage in Struts 2

We are using struts 2.0.11

We have lots of action classes. Say one of them is CustomerRegisterAction
(which extends ActionSupport). When, say, a user X registers himself on
the website, this CustomerRegisterAction is populated (using OGNL) and the
customer data is saved to the DB. But after some time some other user Y from
some other PC comes and clicks the Register link, and then the data entered
by X is prefilled.
   I think the CustomerRegisterAction is reused, instead of creating a new
instance every request. We want to set it up such that a new
CustomerRegisterAction is created every HTTP request, so that data is not
leaking between users.

Please help us.
-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18669314.html
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Data Leakage in Struts 2

Posted by Arun M <ma...@gmail.com>.
Thanks a lot...

We included singleton="false" in the applicationContext.xml
Now it works perfectly ... 

Thanks Once Again


Piero Sartini-3 wrote:
> 
> On Sunday, 27 July 2008 06:04:46, Arun M wrote:
>> Yes, we are using spring and hibernate also along with struts.
>> Could you suggest where to configure to reuse the beans?
> 
> The spring plugin is described in detail at 
> http://struts.apache.org/2.x/docs/spring-plugin.html
> I am not using spring and do not know it very well.
> 
> If you do not create your action with struts2 but with Spring, try something
> like
> <bean id="bar" class="com.my.BarAction" singleton="false"/>
> in your applicationContext.xml
> 
> 	Piero
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18674358.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by Arun M <ma...@gmail.com>.
Thanks a lot...

We included singleton="false" in the applicationContext.xml
Now it works perfectly ... 



dusty wrote:
> 
> I think you need to post the relevant section from struts.xml so we can
> see how you declare the action as well as your spring configuration files.
> 
> -D
> 
> 
> Miguel-55 wrote:
>> 
>> Well, the question is if you are using Spring 1.x or 2.x and creating
>> spring beans (using the spring plugin and in your struts.xml using the
>> spring bean name instead of the full class name):
>> If you are using the 1.x version, do as said by Piero Sartini
>> (singleton="false") in your application-context.xml
>> If you are using the 2.x version use scope="prototype" in your
>> application-context.xml
>> 
>> If you are not using the spring plugin or using the spring object
>> factory to autowire the beans (via the autowire by name or type of the
>> spring plugin configured in struts.xml), you can always create a
>> preparable bean (implements Preparable) and in the prepare() method,
>> clear what you need; or you can additionally use the
>> ParamsPrepareParams stack to do more complicated stuff.
>> 
>> If you want to be more positive, lose an electron
>> Miguel Ruiz Velasco S.
>> 
>> On Sat, Jul 26, 2008 at 23:21, Piero Sartini <li...@pierosartini.de>
>> wrote:
>>> On Sunday, 27 July 2008 06:04:46, Arun M wrote:
>>>> Yes, we are using spring and hibernate also along with struts.
>>>> Could you suggest where to configure to reuse the beans?
>>>
>>> The spring plugin is described in detail at
>>> http://struts.apache.org/2.x/docs/spring-plugin.html
>>> I am not using spring and do not know it very well.
>>>
>>> If you do not create your action with struts2 but with Spring, try
>>> something like
>>> <bean id="bar" class="com.my.BarAction" singleton="false"/>
>>> in your applicationContext.xml
>>>
>>>        Piero
>>>
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18674405.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by dusty <du...@yahoo.com>.
I think you need to post the relevant section from struts.xml so we can see
how you declare the action as well as your spring configuration files.

-D


Miguel-55 wrote:
> 
> Well, the question is if you are using Spring 1.x or 2.x and creating
> spring beans (using the spring plugin and in your struts.xml using the
> spring bean name instead of the full class name):
> If you are using the 1.x version, do as said by Piero Sartini
> (singleton="false") in your application-context.xml
> If you are using the 2.x version use scope="prototype" in your
> application-context.xml
> 
> If you are not using the spring plugin or using the spring object
> factory to autowire the beans (via the autowire by name or type of the
> spring plugin configured in struts.xml), you can always create a
> preparable bean (implements Preparable) and in the prepare() method,
> clear what you need; or you can additionally use the
> ParamsPrepareParams stack to do more complicated stuff.
> 
> If you want to be more positive, lose an electron
> Miguel Ruiz Velasco S.
> 
> On Sat, Jul 26, 2008 at 23:21, Piero Sartini <li...@pierosartini.de>
> wrote:
>> On Sunday, 27 July 2008 06:04:46, Arun M wrote:
>>> Yes, we are using spring and hibernate also along with struts.
>>> Could you suggest where to configure to reuse the beans?
>>
>> The spring plugin is described in detail at
>> http://struts.apache.org/2.x/docs/spring-plugin.html
>> I am not using spring and do not know it very well.
>>
>> If you do not create your action with struts2 but with Spring, try
>> something like
>> <bean id="bar" class="com.my.BarAction" singleton="false"/>
>> in your applicationContext.xml
>>
>>        Piero
>>
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18673505.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by Miguel <mi...@gmail.com>.
Well, the question is if you are using Spring 1.x or 2.x and creating
spring beans (using the spring plugin and in your struts.xml using the
spring bean name instead of the full class name):
If you are using the 1.x version, do as said by Piero Sartini
(singleton="false") in your application-context.xml
If you are using the 2.x version use scope="prototype" in your
application-context.xml

If you are not using the spring plugin or using the spring object
factory to autowire the beans (via the autowire by name or type of the
spring plugin configured in struts.xml), you can always create a
preparable bean (implements Preparable) and in the prepare() method,
clear what you need; or you can additionally use the
ParamsPrepareParams stack to do more complicated stuff.

If you want to be more positive, lose an electron
Miguel Ruiz Velasco S.



On Sat, Jul 26, 2008 at 23:21, Piero Sartini <li...@pierosartini.de> wrote:
> On Sunday, 27 July 2008 06:04:46, Arun M wrote:
>> Yes, we are using spring and hibernate also along with struts.
>> Could you suggest where to configure to reuse the beans?
>
> The spring plugin is described in detail at
> http://struts.apache.org/2.x/docs/spring-plugin.html
> I am not using spring and do not know it very well.
>
> If you do not create your action with struts2 but with Spring, try something like
> <bean id="bar" class="com.my.BarAction" singleton="false"/>
> in your applicationContext.xml
>
>        Piero
>

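The scope rule described in the message above can be checked before deployment. This is an added example, not code from the thread or from the Struts or Spring projects: it loads bean definitions without instantiating them and lists every Struts 2 Action bean left at Spring's default singleton scope. The class names, bean ids and inline sample configuration are constructed for illustration, and spring-beans, spring-core and xwork are assumed to be on the classpath.

```java
import com.opensymphony.xwork2.Action;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.xml.XmlBeanDefinitionReader;
import org.springframework.core.io.ByteArrayResource;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ActionScopeCheck {

    // Hypothetical stand-ins for the application's action classes.
    public static class SharedAction implements Action {
        public String execute() { return SUCCESS; }
    }

    public static class PerRequestAction implements Action {
        public String execute() { return SUCCESS; }
    }

    // Constructed sample applicationContext.xml: the first bean has no scope
    // attribute (Spring's default, singleton); the second is scope="prototype".
    static final String SAMPLE_CONTEXT =
          "<beans xmlns=\"http://www.springframework.org/schema/beans\"\n"
        + "       xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
        + "       xsi:schemaLocation=\"http://www.springframework.org/schema/beans\n"
        + "           http://www.springframework.org/schema/beans/spring-beans.xsd\">\n"
        + "  <bean id=\"sharedAction\" class=\"ActionScopeCheck$SharedAction\"/>\n"
        + "  <bean id=\"perRequestAction\" class=\"ActionScopeCheck$PerRequestAction\"\n"
        + "        scope=\"prototype\"/>\n"
        + "</beans>\n";

    /** Names of Action beans that Spring would hand out as one shared instance. */
    static List<String> singletonActionBeans(DefaultListableBeanFactory factory) {
        List<String> shared = new ArrayList<>();
        // includeNonSingletons=true lists prototype beans too;
        // allowEagerInit=false keeps the lookup from instantiating beans.
        for (String name : factory.getBeanNamesForType(Action.class, true, false)) {
            // The merged definition also reflects a scope inherited from a parent bean.
            if (factory.getMergedBeanDefinition(name).isSingleton()) {
                shared.add(name);
            }
        }
        return shared;
    }

    public static void main(String[] args) {
        // Parse definitions only; no bean (DAO, session factory, ...) is created.
        DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
        new XmlBeanDefinitionReader(factory).loadBeanDefinitions(
            new ByteArrayResource(SAMPLE_CONTEXT.getBytes(StandardCharsets.UTF_8)));

        List<String> shared = singletonActionBeans(factory);
        for (String name : shared) {
            System.err.println("Action bean '" + name
                + "' is a singleton: its fields are shared by all requests");
        }
        if (!shared.isEmpty()) {
            System.exit(1); // fail the build or test run
        }
    }
}
```

To check a real application, load its applicationContext.xml through a ClassPathResource in place of the inline string.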


Re: Data Leakage in Struts 2

Posted by Piero Sartini <li...@pierosartini.de>.
On Sunday, 27 July 2008 06:04:46, Arun M wrote:
> Yes, we are using spring and hibernate also along with struts.
> Could you suggest where to configure to reuse the beans?

The spring plugin is described in detail at 
http://struts.apache.org/2.x/docs/spring-plugin.html
I am not using spring and do not know it very well.

If you do not create your action with struts2 but with Spring, try something like
<bean id="bar" class="com.my.BarAction" singleton="false"/>
in your applicationContext.xml

	Piero



Re: Data Leakage in Struts 2

Posted by Miguel <mi...@gmail.com>.
Be sure that your web beans are marked scope="prototype" in the
spring configuration files; that makes spring create a new bean each
time you need one instead of providing a pointer to the existing
instance.
Spring defaults to singletons so don't mark prototype things like DAOs
or service classes that don't have persistence state between methods.


If you want to be more positive, lose an electron
Miguel Ruiz Velasco S.



On Sat, Jul 26, 2008 at 23:04, Arun M <ma...@gmail.com> wrote:
>
> Yes, we are using spring and hibernate also along with struts.
> Could you suggest where to configure to reuse the beans?
>
>
> Piero Sartini-3 wrote:
>>
>> Struts2 does create a new Action for every request.
>> Do you use Spring? I think you can configure it to reuse the beans...
>>
>>       Piero
>>
>> On Saturday, 26 July 2008 19:48:47, Arun M wrote:
>>> We are using struts 2.0.11
>>>
>>> We have lots of action classes. Say one of them is CustomerRegisterAction
>>> (which extends ActionSupport). When, say, a user X registers himself on
>>> the website, this CustomerRegisterAction is populated (using OGNL) and
>>> the customer data is saved to the DB. But after some time some other user
>>> Y from some other PC comes and clicks the Register link, and then the
>>> data entered by X is prefilled.
>>>    I think the CustomerRegisterAction is reused, instead of creating a new
>>> instance every request. We want to set it up such that a new
>>> CustomerRegisterAction is created every HTTP request, so that data is not
>>> leaking between users.
>>>
>>> Please help us.
>>
>
> --
> View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18673188.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>



Re: Data Leakage in Struts 2

Posted by Arun M <ma...@gmail.com>.
Yes, we are using spring and hibernate also along with struts.
Could you suggest where to configure to reuse the beans?


Piero Sartini-3 wrote:
> 
> Struts2 does create a new Action for every request.
> Do you use Spring? I think you can configure it to reuse the beans...
> 
> 	Piero
> 
> On Saturday, 26 July 2008 19:48:47, Arun M wrote:
>> We are using struts 2.0.11
>>
>> We have lots of action classes. Say one of them is CustomerRegisterAction
>> (which extends ActionSupport). When, say, a user X registers himself on
>> the website, this CustomerRegisterAction is populated (using OGNL) and
>> the customer data is saved to the DB. But after some time some other user
>> Y from some other PC comes and clicks the Register link, and then the
>> data entered by X is prefilled.
>>    I think the CustomerRegisterAction is reused, instead of creating a new
>> instance every request. We want to set it up such that a new
>> CustomerRegisterAction is created every HTTP request, so that data is not
>> leaking between users.
>>
>> Please help us.
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18673188.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by Piero Sartini <li...@pierosartini.de>.
Struts2 does create a new Action for every request.
Do you use Spring? I think you can configure it to reuse the beans...

	Piero

On Saturday, 26 July 2008 19:48:47, Arun M wrote:
> We are using struts 2.0.11
>
> We have lots of action classes. Say one of them is CustomerRegisterAction
> (which extends ActionSupport). When, say, a user X registers himself on
> the website, this CustomerRegisterAction is populated (using OGNL) and the
> customer data is saved to the DB. But after some time some other user Y from
> some other PC comes and clicks the Register link, and then the data entered
> by X is prefilled.
>    I think the CustomerRegisterAction is reused, instead of creating a new
> instance every request. We want to set it up such that a new
> CustomerRegisterAction is created every HTTP request, so that data is not
> leaking between users.
>
> Please help us.



Re: Data Leakage in Struts 2

Posted by Arun M <ma...@gmail.com>.
Thanks a lot...

We included singleton="false" in the applicationContext.xml
Now it works perfectly ... 


Arun M wrote:
> 
> 
> we use STRUTS2 - SPRING - HIBERNATE in our project
> here is a sample piece of code...
> as mentioned earlier... SCRAPTEXT variable once set by a request is being
> reused (that is) gets prefilled in the 
> textarea of some other user on some other PC.
> 
> ............. Action Class ----------------------------
> public class SocialDetailAction extends com.opensymphony.xwork2.ActionSupport {
> 
>     private com.jujubi.services.ProductService productService;
> 
>     // Instance fields holding per-request form data
>     // (scrapText and secure are bound from the JSP form below)
>     private String scrapText;
>     private int toId;
>     private String scrapFromName;
>     private boolean secure;
> 
>     public String postCustomerScrap() throws Exception {
>         // ....
>         // HERE WE HAVE THE CODE THAT USES THE GETTERS AND SETTERS OF THE MEMBERS
>         // ...
>         return SUCCESS;
>     }
> 
>     // GETTERS AND SETTERS FOR THE MEMBERS
> 
> }
> 
> 
> 
> ------------ JSP ----------------------------
> ....... 
> ....
> ..
> <s:form namespace="/jap" action="scrappost">
>     <s:textarea name="scrapText" cols="60" rows="3"/>
>     <s:checkbox name="secure" label="secure" value="false"></s:checkbox>
>     <s:submit value="post scrap" theme="ajax" targets="addScrap" />
> </s:form>
> .........
> .....
> ...
> 
> -----------------------  Struts.xml for the action -----------------------
> 
> ..
> .
> 
> <action name="scrappost" class="socialDetailAction" method="postCustomerScrap">
>     <result name="success">/views/social/ReturnMsg.jsp</result>
>     <result name="input">/views/social/PeopsScrapbook.jsp</result>
> </action>
> 
> ...
> ..
> 
> 
> Richard Yee wrote:
>> 
>> Why don't you post your code. It seems that it might have a threading
>> issue.
>> 
>> -R
>> 
>> Arun M wrote:
>>> We are using struts 2.0.11
>>>
>>> We have lots of action classes. Say one of them is CustomerRegisterAction
>>> (which extends ActionSupport). When, say, a user X registers himself on
>>> the website, this CustomerRegisterAction is populated (using OGNL) and
>>> the customer data is saved to the DB. But after some time some other user
>>> Y from some other PC comes and clicks the Register link, and then the
>>> data entered by X is prefilled.
>>>    I think the CustomerRegisterAction is reused, instead of creating a new
>>> instance every request. We want to set it up such that a new
>>> CustomerRegisterAction is created every HTTP request, so that data is not
>>> leaking between users.
>>>
>>> Please help us.
>>>   
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18674388.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by Arun M <ma...@gmail.com>.

we use STRUTS2 - SPRING - HIBERNATE in our project
here is a sample piece of code...
as mentioned earlier... SCRAPTEXT variable once set by a request is being
reused (that is) gets prefilled in the 
textarea of some other user on some other PC.

............. Action Class ----------------------------
public class SocialDetailAction extends com.opensymphony.xwork2.ActionSupport {

    private com.jujubi.services.ProductService productService;

    // Instance fields holding per-request form data
    // (scrapText and secure are bound from the JSP form below)
    private String scrapText;
    private int toId;
    private String scrapFromName;
    private boolean secure;

    public String postCustomerScrap() throws Exception {
        // ....
        // HERE WE HAVE THE CODE THAT USES THE GETTERS AND SETTERS OF THE MEMBERS
        // ...
        return SUCCESS;
    }

    // GETTERS AND SETTERS FOR THE MEMBERS

}



------------ JSP ----------------------------
....... 
....
..
<s:form namespace="/jap" action="scrappost">
    <s:textarea name="scrapText" cols="60" rows="3"/>
    <s:checkbox name="secure" label="secure" value="false"></s:checkbox>
    <s:submit value="post scrap" theme="ajax" targets="addScrap" />
</s:form>
.........
.....
...

-----------------------  Struts.xml for the action -----------------------

..
.

<action name="scrappost" class="socialDetailAction" method="postCustomerScrap">
    <result name="success">/views/social/ReturnMsg.jsp</result>
    <result name="input">/views/social/PeopsScrapbook.jsp</result>
</action>

...
..





Richard Yee wrote:
> 
> Why don't you post your code. It seems that it might have a threading
> issue.
> 
> -R
> 
> Arun M wrote:
>> We are using struts 2.0.11
>>
>> We have lots of action classes. Say one of them is CustomerRegisterAction
>> (which extends ActionSupport). When, say, a user X registers himself on
>> the website, this CustomerRegisterAction is populated (using OGNL) and
>> the customer data is saved to the DB. But after some time some other user
>> Y from some other PC comes and clicks the Register link, and then the
>> data entered by X is prefilled.
>>    I think the CustomerRegisterAction is reused, instead of creating a new
>> instance every request. We want to set it up such that a new
>> CustomerRegisterAction is created every HTTP request, so that data is not
>> leaking between users.
>>
>> Please help us.
>>   
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18674276.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: Data Leakage in Struts 2

Posted by Richard Yee <ry...@cruzio.com>.
Why don't you post your code. It seems that it might have a threading issue.

-R

Arun M wrote:
> We are using struts 2.0.11
>
> We have lots of action classes. Say one of them is CustomerRegisterAction
> (which extends ActionSupport). When, say, a user X registers himself on
> the website, this CustomerRegisterAction is populated (using OGNL) and the
> customer data is saved to the DB. But after some time some other user Y from
> some other PC comes and clicks the Register link, and then the data entered
> by X is prefilled.
>    I think the CustomerRegisterAction is reused, instead of creating a new
> instance every request. We want to set it up such that a new
> CustomerRegisterAction is created every HTTP request, so that data is not
> leaking between users.
>
> Please help us.
>   

