Posted to user@struts.apache.org by Darrell <sk...@rogers.com> on 2003/06/10 08:12:55 UTC

Call action from link

I have read a lot of the previous posts in the archives, but still can't 
get the link to call an action.
<a href="inventory.do" onmouseover="P7_trigMM2('p7TBim40')"><img 
src="images/hbnb4.gif" alt="menu 4" name="p7TBim40" id="p7TBim40" 
width="96" height="26" border="0"></a>

I get this error:
ERROR action.RequestProcessor  - Invalid path /CSSMasters/inventory was 
requested

Is there something wrong with the way I am calling the action?

This is my action mapping:
<action-mappings>
     <action name="emerReqForm" type="metokoteca.action.RequestAction" 
validate="true" input="/CSSMasters/emergReq.htm" scope="request" 
path="/request">
       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
     </action>
     <action type="metokoteca.action.InventoryAction" validate="false" 
scope="request" path="/inventory">
       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
     </action>
   </action-mappings>


-- 
Darrell Bechtel,  B.G.S., MCSE



---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


RE: Call action from link

Posted by Andrew Hill <an...@gridnode.com>.
Hmm. I can never remember how all this relative path stuff works.

What happens if you make it 
<a href="/inventory.do" ...etc...

?

-----Original Message-----
From: Darrell [mailto:skipp@rogers.com]
Sent: Tuesday, 10 June 2003 14:13
To: Struts
Subject: Call action from link



I have read a lot of the previous posts in the archives, but still can't 
get the link to call an action.
<a href="inventory.do" onmouseover="P7_trigMM2('p7TBim40')"><img 
src="images/hbnb4.gif" alt="menu 4" name="p7TBim40" id="p7TBim40" 
width="96" height="26" border="0"></a>

I get this error:
ERROR action.RequestProcessor  - Invalid path /CSSMasters/inventory was 
requested

Is there something wrong with the way I am calling the action?

This is my action mapping:
<action-mappings>
     <action name="emerReqForm" type="metokoteca.action.RequestAction" 
validate="true" input="/CSSMasters/emergReq.htm" scope="request" 
path="/request">
       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
     </action>
     <action type="metokoteca.action.InventoryAction" validate="false" 
scope="request" path="/inventory">
       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
     </action>
   </action-mappings>


-- 
Darrell Bechtel,  B.G.S., MCSE





Re: Call action from link

Posted by Darrell <sk...@rogers.com>.
Problem Solved...still had the <html> tags in my jsp page and it was 
causing a problem? doh!

Darrell wrote:
> I am not sure the syntax of this html:link is correct, because it does 
> not allow me to click the image as though it's a hyperlink?  What am I 
> missing??
> 
> 
> 
> <html:link page="/inventory.do"><img src="images/hbnb4.gif" alt="menu 4" 
> name="p7TBim40" id="p7TBim40" width="96" height="26" 
> border="0"></html:link>
> 
> Steve Raeburn wrote:
> 
>> You have defined your action as /inventory. This path is a context 
>> relative
>> path so you should be linking to it with something like <a
>> href="/mycontext/inventory.do">...
>>
>> What you have done is link to /mycontext/CSSMasters/inventory.do because
>> you've used a link relative to your page. That's why it can't be found.
>>
>> To avoid having to explicitly define the context name I would suggest you
>> look at the <html:link> tag which can use a context relative path or, if you
>> have a recent struts build, an action. In your case this would be:
>>
>> <html:link page="/inventory.do"> or <html:link action="/inventory">.
>>
>> Note that you don't include the .do extension when you specify an action.
>> Use the path value exactly as defined in your struts-config file.
>>
>> Steve
>>
>>
>>
>>> -----Original Message-----
>>> From: Darrell [mailto:skipp@rogers.com]
>>> Sent: June 9, 2003 11:13 PM
>>> To: Struts
>>> Subject: Call action from link
>>>
>>>
>>>
>>> I have read a lot of the previous posts in the archives, but still can't
>>> get the link to call an action.
>>> <a href="inventory.do" onmouseover="P7_trigMM2('p7TBim40')"><img
>>> src="images/hbnb4.gif" alt="menu 4" name="p7TBim40" id="p7TBim40"
>>> width="96" height="26" border="0"></a>
>>>
>>> I get this error:
>>> ERROR action.RequestProcessor  - Invalid path /CSSMasters/inventory was
>>> requested
>>>
>>> Is there something wrong with the way I am calling the action?
>>>
>>> This is my action mapping:
>>> <action-mappings>
>>>     <action name="emerReqForm" type="metokoteca.action.RequestAction"
>>> validate="true" input="/CSSMasters/emergReq.htm" scope="request"
>>> path="/request">
>>>       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>>>     </action>
>>>     <action type="metokoteca.action.InventoryAction" validate="false"
>>> scope="request" path="/inventory">
>>>       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>>>     </action>
>>>   </action-mappings>
>>>
>>>
>>> -- 
>>> Darrell Bechtel,  B.G.S., MCSE
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
> 
> 


-- 
Darrell Bechtel,  B.G.S., MCSE





Re: [OT] Application Security

Posted by Paul Thomas <pa...@tmsl.demon.co.uk>.
On 11/06/2003 14:15 Denis Avdic wrote:
> What our site is basically about is that people can access some 
> information retrieved from a database.   This person registered and 
> basically went and accessed all of the profiles stored on our server, 
> sequentially, using an automated process (2 per second).  This was in 
> violation of our acceptable use policy.  My question is what do people 
> use if something like this happens, or how do they handle any other 
> intrusions on all other levels.
> 


Maybe you could limit the number of times per minute the user can execute 
actions. Store some kind of "time of last request" object in the user's 
session and if the last action was less than x seconds ago then just sleep 
for a while. 
-- 
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+



Re: [OT] Application Security

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Your problem is that you are seeking to clamp down on a user's 
behaviour, rather than implement any particular kind of security roles 
or authorization scheme, is that correct? Rather similar to monitoring 
posts on a message board to make sure posts are on topic, not obscene, 
non-abusive etc etc.

Sounds like you just have to define exactly what you want to ban (e.g. 
automated access to your profiles at a rate of 2 per second) and then 
code something to prevent it or alert you to it.

I can't imagine that there is any widely-used solution to something like 
this. Perhaps you should start logging your users' actions with triggers 
that send emails to the administrators when limits are exceeded.

Denis Avdic wrote:
> What our site is basically about is that people can access some 
> information retrieved from a database.   This person registered and 
> basically went and accessed all of the profiles stored on our server, 
> sequentially, using an automated process (2 per second).  This was in 
> violation of our acceptable use policy.  My question is what do people 
> use if something like this happens, or how do they handle any other 
> intrusions on all other levels.




Re: [OT] Application Security

Posted by Max Cooper <ma...@maxcooper.com>.
If the information was not supposed to be available to that user, that is
the first thing to fix, and it sounds like you did that already. It may be
worth doing an audit on the app to find what other holes might be there.

Programming with security in mind is not something that comes naturally to
many programmers. Presenting the manner in which your site was hacked, and
perhaps some other holes that were found in the audit might be a good way to
familiarize the team with the topic. It is important for developers to
understand that users can make any HTTP request they want, including
fiddling with parameters in ways that the HTML pages it produces would never
do. This seems to be a common point of confusion -- users don't have to use
your UI to make requests, and the UI in fact gives many clues as to how they
might be able to mis-use the app. Typing things into the browser's address
bar, or using the curl and wget command line tools are easy ways to make
"bad" requests. The only thing you can control as a developer is how your
app responds to such requests -- you can't prevent people from making them.

I post on a web forum site that limits the rate at which you can do some
things. For instance, you can only post once every 30 seconds. They have the
same rate restriction for searches, though I suspect that is mostly to keep
the server load in check more than anything else. If you try to post or
search too quickly, you just get a page that informs you of the rate limit
and encourages you to use the Back button and try again after a short wait.

You could also keep a count of the number of items accessed in some period
of time and lock an offending account if it exceeds the limit. For instance,
if a user accesses more than 100 profiles in a day, you could lock the
account. Or you could just limit them to X number of profile views in a 24
hour period without locking the account, etc. Or you could raise an alert
for human review if the number of views exceeds some limit in some period of
time.

-Max

----- Original Message ----- 
From: "Denis Avdic" <de...@betterway.net>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Wednesday, June 11, 2003 6:15 AM
Subject: Re: [OT] Application Security


> Paul Thomas wrote:
>
> >
> > On 10/06/2003 17:47 Denis Avdic wrote:
> >
> >> Hello,
> >>
> >> This is really off topic, but since everyone is working in similar
> >> conditions I thought I'd ask you all a question.
> >>
> >> How is everyone handling security in your applications?
> >>
> >> More specifically, we have a site where someone violated our
> >> acceptable use policy and basically tried to retrieve all our data
> >> through a previously unseen hole.  Now, we patched it and we can
> >> definitely go on and keep patching holes when we find them, but I
> >> would like to set up something to prevent that from happening in the
> >> first place.  I am talking about setting up an Intrusion detection
> >> system or something similar, where I could be at least alerted in
> >> real time that something funky is happening, and that I don't have to
> >> accidentally stumble across the action in the log file.  How are you
> >> (if you are) handling this?  Are there open source tools to set this
> >> up?  Commercial?
> >
> >
> >
> > Sounds like you're following the M$ security model - throw any old
> > crap out of the door then patch, patch, patch ... Still, Bill Gates
> > has done very nicely out of it so maybe this method has commercial
> > benefits.
> >
> > Seriously though, how do you expect anyone to be able to give an
> > answer to this? At what level did the intrusion take place? OS?
> > Service? Application server? Application?
> >
> I'll ignore the thinly veiled insult there.
>
> What our site is basically about is that people can access some
> information retrieved from a database.   This person registered and
> basically went and accessed all of the profiles stored on our server,
> sequentially, using an automated process (2 per second).  This was in
> violation of our acceptable use policy.  My question is what do people
> use if something like this happens, or how do they handle any other
> intrusions on all other levels.
>
> Denis
>
>
>
>
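
Added example, not part of any post in this thread: one way to combine the "time of last request" check Paul Thomas suggests with the per-day view count, alert and account lock Max Cooper describes. The class name, thresholds and replayed request streams are assumptions, and state is keyed on the account name rather than the session so that a client which drops its session cookie keeps the same counters.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.EnumMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical guard, called from an Action or servlet filter before a profile is served. */
public class ProfileAccessGuard {
    enum Decision { ALLOW, THROTTLE, ALERT, LOCKED }

    /** Per-account state: timestamps (ms) of the views allowed inside the current window. */
    private static final class UserState {
        final Deque<Long> views = new ArrayDeque<>();
        boolean locked;
    }

    private final long minIntervalMs; // shortest gap allowed between two views
    private final long windowMs;      // length of the counting period
    private final int alertAt;        // views per window above which a human is alerted
    private final int lockAt;         // views per window after which the account is locked
    private final Map<String, UserState> users = new ConcurrentHashMap<>();

    ProfileAccessGuard(long minIntervalMs, long windowMs, int alertAt, int lockAt) {
        this.minIntervalMs = minIntervalMs;
        this.windowMs = windowMs;
        this.alertAt = alertAt;
        this.lockAt = lockAt;
    }

    /** Decide what to do with one profile request made by {@code user} at {@code nowMs}. */
    Decision check(String user, long nowMs) {
        UserState s = users.computeIfAbsent(user, u -> new UserState());
        synchronized (s) {
            if (s.locked) {
                return Decision.LOCKED;
            }
            // Too soon after the previous view: reject instead of sleeping, so an
            // automated client cannot tie up request threads.
            Long last = s.views.peekLast();
            if (last != null && nowMs - last < minIntervalMs) {
                return Decision.THROTTLE;
            }
            // Forget views that have aged out of the window.
            while (!s.views.isEmpty() && nowMs - s.views.peekFirst() >= windowMs) {
                s.views.pollFirst();
            }
            if (s.views.size() >= lockAt) {
                s.locked = true; // unlocking is left to an administrator
                return Decision.LOCKED;
            }
            s.views.addLast(nowMs);
            return s.views.size() > alertAt ? Decision.ALERT : Decision.ALLOW;
        }
    }

    /** Replay {@code requests} requests spaced {@code gapMs} apart and count the decisions. */
    static Map<Decision, Integer> replay(ProfileAccessGuard g, String user, int requests, long gapMs) {
        Map<Decision, Integer> tally = new EnumMap<>(Decision.class);
        for (int i = 0; i < requests; i++) {
            tally.merge(g.check(user, i * gapMs), 1, Integer::sum);
        }
        return tally;
    }

    public static void main(String[] args) {
        // Constructed thresholds: 1 s between views, alert above 50 and lock at 100 views per day.
        ProfileAccessGuard guard = new ProfileAccessGuard(1_000, 24L * 60 * 60 * 1_000, 50, 100);
        // Constructed traffic: a person reading 20 profiles three minutes apart, and
        // the automated client from the thread requesting 2 profiles per second.
        System.out.println("reader:  " + replay(guard, "reader", 20, 180_000));
        System.out.println("scraper: " + replay(guard, "scraper", 600, 500));
    }
}
```

The minimum interval on its own only halves the scraper's rate; it is the per-window count that stops the sequential walk, and the ALERT decision is the point at which to notify an administrator.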





Re: [OT] Application Security

Posted by Denis Avdic <de...@betterway.net>.
Paul Thomas wrote:

>
> On 10/06/2003 17:47 Denis Avdic wrote:
>
>> Hello,
>>
>> This is really off topic, but since everyone is working in similar 
>> conditions I thought I'd ask you all a question.
>>
>> How is everyone handling security in your applications?
>>
>> More specifically, we have a site where someone violated our 
>> acceptable use policy and basically tried to retrieve all our data 
>> through a previously unseen hole.  Now, we patched it and we can 
>> definitely go on and keep patching holes when we find them, but I 
>> would like to set up something to prevent that from happening in the 
>> first place.  I am talking about setting up an Intrusion detection 
>> system or something similar, where I could be at least alerted in 
>> real time that something funky is happening, and that I don't have to 
>> accidentally stumble across the action in the log file.  How are you 
>> (if you are) handling this?  Are there open source tools to set this 
>> up?  Commercial?
>
>
>
> Sounds like you're following the M$ security model - throw any old 
> crap out of the door then patch, patch, patch ... Still, Bill Gates 
> has done very nicely out of it so maybe this method has commercial 
> benefits.
>
> Seriously though, how do you expect anyone to be able to give an 
> answer to this? At what level did the intrusion take place? OS? 
> Service? Application server? Application?
>
I'll ignore the thinly veiled insult there.

What our site is basically about is that people can access some 
information retrieved from a database.   This person registered and 
basically went and accessed all of the profiles stored on our server, 
sequentially, using an automated process (2 per second).  This was in 
violation of our acceptable use policy.  My question is what do people 
use if something like this happens, or how do they handle any other 
intrusions on all other levels.

Denis




Re: [OT] Application Security

Posted by Paul Thomas <pa...@tmsl.demon.co.uk>.
On 10/06/2003 17:47 Denis Avdic wrote:
> Hello,
> 
> This is really off topic, but since everyone is working in similar 
> conditions I thought I'd ask you all a question.
> 
> How is everyone handling security in your applications?
> 
> More specifically, we have a site where someone violated our acceptable 
> use policy and basically tried to retrieve all our data through a 
> previously unseen hole.  Now, we patched it and we can definitely go on 
> and keep patching holes when we find them, but I would like to set up 
> something to prevent that from happening in the first place.  I am 
> talking about setting up an Intrusion detection system or something 
> similar, where I could be at least alerted in real time that something 
> funky is happening, and that I don't have to accidentally stumble across 
> the action in the log file.  How are you (if you are) handling this?  
> Are there open source tools to set this up?  Commercial?


Sounds like you're following the M$ security model - throw any old crap 
out of the door then patch, patch, patch ... Still, Bill Gates has done 
very nicely out of it so maybe this method has commercial benefits.

Seriously though, how do you expect anyone to be able to give an answer to 
this? At what level did the intrusion take place? OS? Service? Application 
server? Application?

-- 
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+



RE: [OT] Application Security

Posted by Chip Paul <ch...@ethreat.com>.
On the free end you could install Snort on the server and add a rule for
detecting improper use of your app, but this is the same problem you had
before.  In order to write the rule you have to know at least at a general
level how the app could be misused, and if you knew that you would fix the
holes.  Snort has general rules that can detect attempted webserver exploits
but I imagine app specific stuff might be tricky to generalize.  You might
also set up alerts on bandwidth/db usage to detect when someone is mining
you.

As far as SQL Injection style attacks go, you can handle this by wrapping
your data access in a layer that detects improper parameters.  I haven't yet
examined how the Jakarta OJB handles attempted SQL Injection that gets
passed through the Query mechanism, but in general systems that rewrite the
SQL from a template (such as the normal JDBC mechanism) stop at least some
injection attacks by forcing a typecast - then you only have to worry about
string parameters.

Another approach I've seen used is to mask what server you are running to
send exploiters on a wild goose chase.  i.e. make Tomcat report that it's
IIS or something similar, and try to not make your struts actions look like
actions (*.do).  That at least makes more work for them.

The best approach to App security is of course to build it in from the
beginning, and not by patching it in later.

-Chip

-----Original Message-----
From: Denis Avdic [mailto:denis@betterway.net]
Sent: Tuesday, June 10, 2003 11:48 AM
To: Struts Users Mailing List
Subject: [OT] Application Security


Hello,

This is really off topic, but since everyone is working in similar
conditions I thought I'd ask you all a question.

How is everyone handling security in your applications?

More specifically, we have a site where someone violated our acceptable
use policy and basically tried to retrieve all our data through a
previously unseen hole.  Now, we patched it and we can definitely go on
and keep patching holes when we find them, but I would like to set up
something to prevent that from happening in the first place.  I am
talking about setting up an Intrusion detection system or something
similar, where I could be at least alerted in real time that something
funky is happening, and that I don't have to accidentally stumble across
the action in the log file.  How are you (if you are) handling this?
Are there open source tools to set this up?  Commercial?

TIA,

Denis




[OT] Application Security

Posted by Denis Avdic <de...@betterway.net>.
Hello,

This is really off topic, but since everyone is working in similar 
conditions I thought I'd ask you all a question.

How is everyone handling security in your applications?

More specifically, we have a site where someone violated our acceptable 
use policy and basically tried to retrieve all our data through a 
previously unseen hole.  Now, we patched it and we can definitely go on 
and keep patching holes when we find them, but I would like to set up 
something to prevent that from happening in the first place.  I am 
talking about setting up an Intrusion detection system or something 
similar, where I could be at least alerted in real time that something 
funky is happening, and that I don't have to accidentally stumble across 
the action in the log file.  How are you (if you are) handling this?  
Are there open source tools to set this up?  Commercial?

TIA,

Denis




Re: Call action from link

Posted by Darrell <sk...@rogers.com>.
I am not sure the syntax of this html:link is correct, because it does 
not allow me to click the image as though it's a hyperlink?  What am I 
missing??



<html:link page="/inventory.do"><img src="images/hbnb4.gif" alt="menu 4" 
name="p7TBim40" id="p7TBim40" width="96" height="26" border="0"></html:link>

Steve Raeburn wrote:
> You have defined your action as /inventory. This path is a context relative
> path so you should be linking to it with something like <a
> href="/mycontext/inventory.do">...
> 
> What you have done is link to /mycontext/CSSMasters/inventory.do because
> you've used a link relative to your page. That's why it can't be found.
> 
> To avoid having to explicitly define the context name I would suggest you
> look at the <html:link> tag which can use a context relative path or, if you
> have a recent struts build, an action. In your case this would be:
> 
> <html:link page="/inventory.do"> or <html:link action="/inventory">.
> 
> Note that you don't include the .do extension when you specify an action.
> Use the path value exactly as defined in your struts-config file.
> 
> Steve
> 
> 
> 
>>-----Original Message-----
>>From: Darrell [mailto:skipp@rogers.com]
>>Sent: June 9, 2003 11:13 PM
>>To: Struts
>>Subject: Call action from link
>>
>>
>>
>>I have read a lot of the previous posts in the archives, but still can't
>>get the link to call an action.
>><a href="inventory.do" onmouseover="P7_trigMM2('p7TBim40')"><img
>>src="images/hbnb4.gif" alt="menu 4" name="p7TBim40" id="p7TBim40"
>>width="96" height="26" border="0"></a>
>>
>>I get this error:
>>ERROR action.RequestProcessor  - Invalid path /CSSMasters/inventory was
>>requested
>>
>>Is there something wrong with the way I am calling the action?
>>
>>This is my action mapping:
>><action-mappings>
>>     <action name="emerReqForm" type="metokoteca.action.RequestAction"
>>validate="true" input="/CSSMasters/emergReq.htm" scope="request"
>>path="/request">
>>       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>>     </action>
>>     <action type="metokoteca.action.InventoryAction" validate="false"
>>scope="request" path="/inventory">
>>       <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>>     </action>
>>   </action-mappings>
>>
>>
>>--
>>Darrell Bechtel,  B.G.S., MCSE
>>
>>
>>
>>
>>
> 
> 
> 
> 
> 


-- 
Darrell Bechtel,  B.G.S., MCSE





RE: Call action from link

Posted by Steve Raeburn <st...@ninsky.com>.
You have defined your action as /inventory. This path is a context relative
path so you should be linking to it with something like <a
href="/mycontext/inventory.do">...

What you have done is link to /mycontext/CSSMasters/inventory.do because
you've used a link relative to your page. That's why it can't be found.

To avoid having to explicitly define the context name I would suggest you
look at the <html:link> tag which can use a context relative path or, if you
have a recent struts build, an action. In your case this would be:

<html:link page="/inventory.do"> or <html:link action="/inventory">.

Note that you don't include the .do extension when you specify an action.
Use the path value exactly as defined in your struts-config file.

Steve


> -----Original Message-----
> From: Darrell [mailto:skipp@rogers.com]
> Sent: June 9, 2003 11:13 PM
> To: Struts
> Subject: Call action from link
>
>
>
> I have read a lot of the previous posts in the archives, but still can't
> get the link to call an action.
> <a href="inventory.do" onmouseover="P7_trigMM2('p7TBim40')"><img
> src="images/hbnb4.gif" alt="menu 4" name="p7TBim40" id="p7TBim40"
> width="96" height="26" border="0"></a>
>
> I get this error:
> ERROR action.RequestProcessor  - Invalid path /CSSMasters/inventory was
> requested
>
> Is there something wrong with the way I am calling the action?
>
> This is my action mapping:
> <action-mappings>
>      <action name="emerReqForm" type="metokoteca.action.RequestAction"
> validate="true" input="/CSSMasters/emergReq.htm" scope="request"
> path="/request">
>        <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>      </action>
>      <action type="metokoteca.action.InventoryAction" validate="false"
> scope="request" path="/inventory">
>        <forward name="forward" path="/CSSMasters/formSubmit.htm" />
>      </action>
>    </action-mappings>
>
>
> --
> Darrell Bechtel,  B.G.S., MCSE
>
>
>
>
>
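
Added example, not code from any poster: a simplified model of the resolution Steve Raeburn describes, showing which path each href from the thread ends up requesting and whether it matches an action mapping. The host, page name and class name are hypothetical, and the lookup is reduced to stripping the context path and the .do extension.

```java
import java.net.URI;
import java.util.Set;

public class LinkResolutionDemo {
    // "/mycontext" and the two mapping paths come from the thread; the host and
    // page name used in main() are hypothetical.
    static final String CONTEXT = "/mycontext";
    static final Set<String> MAPPINGS = Set.of("/request", "/inventory");

    /** Path the browser requests when it follows href from the given page. */
    static String requestedPath(String pageUrl, String href) {
        return URI.create(pageUrl).resolve(href).getPath();
    }

    /**
     * Simplified model of the lookup: drop the context path and the .do
     * extension. Returns null when the request never reaches this web app.
     */
    static String mappingPath(String requestPath) {
        if (!requestPath.startsWith(CONTEXT + "/")) {
            return null;
        }
        String path = requestPath.substring(CONTEXT.length());
        return path.endsWith(".do") ? path.substring(0, path.length() - 3) : path;
    }

    /** One report line: href, the path it resolves to, and the lookup result. */
    static String describe(String pageUrl, String href) {
        String requested = requestedPath(pageUrl, href);
        String mapping = mappingPath(requested);
        String verdict;
        if (mapping == null) {
            verdict = "outside the context, not handled by this application";
        } else if (MAPPINGS.contains(mapping)) {
            verdict = "matches action " + mapping;
        } else {
            verdict = "Invalid path " + mapping;
        }
        return String.format("%-26s -> %-38s %s", href, requested, verdict);
    }

    public static void main(String[] args) {
        String page = "http://example.com/mycontext/CSSMasters/index.jsp";
        System.out.println(describe(page, "inventory.do"));            // relative to the page
        System.out.println(describe(page, "/inventory.do"));           // relative to the server root
        System.out.println(describe(page, "/mycontext/inventory.do")); // includes the context path
    }
}
```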

