Posted to user@struts.apache.org by "Rustad, Aaron" <AR...@Online-can.com> on 2003/10/18 17:39:58 UTC
Strange Security Problem
I am encountering a strange security problem when trying to submit a form to
an action. This JSP is as follows:
<%= request.getUserPrincipal().getName() %>
<form action="/edm/ebb/upload.do" method="POST">
<table width="75%" border="1">
<tr>
<td><bean:message key="upload.from"/></td>
<td><input type="text" name="from"/></td>
</tr>
<tr>
<td><bean:message key="upload.to"/></td>
<td><input type="text" name="to"/></td>
</tr>
<tr>
<td><bean:message key="upload.version"/></td>
<td><input type="text" name="version"/></td>
</tr>
<tr>
<td><bean:message key="upload.file"/></td>
<td><input type="file" name="input-data"></td>
</tr>
</table>
<input type="submit" value="Submit"/>
</form>
<html:link forward="ups">upload</html:link>
The strange thing is this:
When this page is loaded, and I am legitimately logged in, the name of the
UserPrincipal is displayed as it should be. However, if I submit the form,
the appropriate action class is called, but when I invoke
request.getUserPrincipal()...it returns null. Notice the last line of the
HTML, it has a link that points to the same action class...when it is
clicked, the principal is propagated to action and it is NOT null.
Can anyone help me out with this? I would like the post to work correctly.
Thanks!
Aaron.
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
RE: Strange Security Problem
Posted by Carlos Sánchez <ap...@cousas.net>.
If you want the user name stored in the request (bad idea) it must be sent
in the form using a hidden field.
You should store it in the session. Only submitted form fields will be in
the request.
> -----Original Message-----
> From: Rustad, Aaron [mailto:ARustad@Online-can.com]
> Sent: Saturday, October 18, 2003 17:40
> To: 'struts-user@jakarta.apache.org'
> Subject: Strange Security Problem
>
>
> I am encountering a strange security problem when trying to
> submit a form to an action. This JSP is as follows:
>
> <%= request.getUserPrincipal().getName() %>
> <form action="/edm/ebb/upload.do" method="POST">
> <table width="75%" border="1">
> <tr>
> <td><bean:message key="upload.from"/></td>
> <td><input type="text" name="from"/></td>
> </tr>
> <tr>
> <td><bean:message key="upload.to"/></td>
> <td><input type="text" name="to"/></td>
> </tr>
> <tr>
> <td><bean:message key="upload.version"/></td>
> <td><input type="text" name="version"/></td>
> </tr>
> <tr>
> <td><bean:message key="upload.file"/></td>
> <td><input type="file" name="input-data"></td>
> </tr>
> </table>
> <input type="submit" value="Submit"/>
> </form>
> <html:link forward="ups">upload</html:link>
>
> The strange thing is this:
>
> When this page is loaded, and I am legitimately logged in, the
> name of the UserPrincipal is displayed as it should be.
> However, if I submit the form, the appropriate action class
> is called, but when I invoke request.getUserPrincipal()...it
> returns null. Notice the last line of the HTML, it has a link
> that points to the same action class...when it is clicked,
> the principal is propagated to action and it is NOT null.
>
> Can anyone help me out with this? I would like the post to
> work correctly.
>
> Thanks!
> Aaron.