Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/29 11:49:09 UTC

svn commit: r1009301 - in /websites/production/struts/content/docs: localization.html security.html struts-23-to-25-migration.html

Author: lukaszlenart
Date: Wed Mar 29 11:49:09 2017
New Revision: 1009301

Log:
Updates production

Added:
    websites/production/struts/content/docs/security.html
Modified:
    websites/production/struts/content/docs/localization.html
    websites/production/struts/content/docs/struts-23-to-25-migration.html

Modified: websites/production/struts/content/docs/localization.html
==============================================================================
--- websites/production/struts/content/docs/localization.html (original)
+++ websites/production/struts/content/docs/localization.html Wed Mar 29 11:49:09 2017
@@ -140,29 +140,23 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1488973645845 {padding: 0px;}
-div.rbtoc1488973645845 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1488973645845 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1490686613414 {padding: 0px;}
+div.rbtoc1490686613414 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490686613414 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1488973645845">
+/*]]>*/</style></p><div class="toc-macro rbtoc1490686613414">
 <ul class="toc-indentation"><li><a shape="rect" href="#Localization-Overview">Overview</a></li><li><a shape="rect" href="#Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#Localization-Defaultaction'sclass">Default action's class</a></li><li><a shape="rect" href="#Localization-UsinggetTextfromaTag">Using getText from a Tag</a></li><li><a shape="rect" href="#Localization-Usingthetexttag">Using the text tag</a></li><li><a shape="rect" href="#Localization-UsingtheI18ntag">Using the I18n tag</a></li><li><a shape="rect" href="#Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI Tags</a></li></ul>
-</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n Interceptor</a></li><li><a shape="rect" href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</a></li><li><a shape="rect" href="#Localization-ComparisonwithStruts1">Comparison with Struts 1</a></li><li><a shape="rect" href="#Localization-Next:">Next: Type Conversion</a></li></ul>
-</div><h2 id="Localization-Overview">Overview</h2><p>The framework supports internationalization (i18n) in the following places:</p><ol><li>the <a shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and Errors from the <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a> interface (implemented by <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a> and <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within action classes that extend <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</
 a> through the getText() method</li></ol><h2 id="Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</h2><p></p><p></p><p>Resource bundles are searched in the following order:</p>
-
-<p></p><ol><li>ActionClass.properties</li><li>Interface.properties (every interface and sub-interface)</li><li>BaseClass.properties (all the way to Object.properties)</li><li>ModelDriven's model (if implements ModelDriven), for the model object repeat from 1</li><li>package.properties (of the directory where class is located and every parent directory all the way to the root directory)</li><li>search up the i18n message key hierarchy itself</li><li>global resource properties</li></ol>
-For more, see the LocalizedTextUtil class.<div class="confluence-information-macro confluence-information-macro-tip"><p class="title">Package hierarchy</p><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p></p><p></p><p>To clarify #5, while traversing the package hierarchy, Struts 2 will look for a file package.properties:</p>
-com/<br clear="none">
-&#160; acme/<br clear="none">
-&#160; &#160; package.properties<br clear="none">
-&#160; &#160; actions/<br clear="none">
-&#160; &#160; &#160; package.properties<br clear="none">
-&#160; &#160; &#160; FooAction.java<br clear="none">
-&#160; &#160; &#160; FooAction.properties<br clear="none">
-<p>
-If FooAction.properties does not exist, com/acme/action/package.properties will be searched for, if
-not found com/acme/package.properties, if not found com/package.properties, etc.
-</p></div></div><h3 id="Localization-Defaultaction'sclass">Default action's class</h3><p>If you configure action as follow</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n Interceptor</a></li><li><a shape="rect" href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</a></li><li><a shape="rect" href="#Localization-ComparisonwithStruts1">Comparison with Struts 1</a></li><li><a shape="rect" href="#Localization-CustomTextProviderandTextProviderFactory">Custom TextProvider and TextProviderFactory</a></li><li><a shape="rect" href="#Localization-Next:">Next: Type Conversion</a></li></ul>
+</div><h2 id="Localization-Overview">Overview</h2><p>The framework supports internationalization (i18n) in the following places:</p><ol><li>the <a shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and Errors from the <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a> interface (implemented by <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a> and <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within action classes that extend <a shape="rect" class="external-link" href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</
 a> through the getText() method</li></ol><h2 id="Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</h2><p>Resource bundles are searched in the following order:</p><ol><li><code>ActionClass</code>.properties</li><li><code>Interface</code>.properties (every interface and sub-interface)</li><li><code>BaseClass</code>.properties (all the way to Object.properties)</li><li>ModelDriven's model (if implements ModelDriven), for the model object repeat from 1</li><li>package.properties (of the directory where class is located and every parent directory all the way to the root directory)</li><li>search up the i18n message key hierarchy itself</li><li>global resource properties</li></ol><p>This is how it is implemented in a default implementation of the&#160;<code>LocalizedTextProvider</code>&#160;interface. You can provide your own implementation using <code>TextProvider</code>&#160;and <code>TextProviderFactory</code>&#160;interfaces.</p><div class="confluence-information-m
 acro confluence-information-macro-tip"><p class="title">Package hierarchy</p><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>To clarify #5, while traversing the package hierarchy, Struts 2 will look for a file package.properties:</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>com/
+    acme/
+        package.properties
+        actions/
+                package.properties
+                FooAction.java
+                FooAction.properties</pre>
+</div></div><p>If <code>FooAction</code>.properties does not exist, <code>com/acme/action/package.properties</code> will be searched for, if not found <code>com/acme/package.properties</code>, if not found <code>com/package.properties</code>, etc.</p></div></div><h3 id="Localization-Defaultaction'sclass">Default action's class</h3><p>If you configure action as follow</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;action name="index"&gt;
    &lt;result&gt;/index.jsp&lt;/result&gt;
 &lt;/action&gt;</pre>
@@ -194,9 +188,7 @@ not found com/acme/package.properties, i
 ]]></script>
 </div></div><div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Internationalizing SiteMesh decorators is possible, but there are quirks. See <a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33343">SiteMesh Plugin</a> for more.</p></div></div><h3 id="Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI Tags</h3><p>The key attribute of most UI tags can be used to retrieve a message from a resource bundle:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;s:textfield key="some.key" name="textfieldName"/&gt;</pre>
-</div></div><h2 id="Localization-I18nInterceptor">I18n Interceptor</h2><p>Essentially, the i18n Interceptor pushes a locale into the ActionContext map upon every request. The framework components that support localization all utilize the ActionContext locale. See <a shape="rect" href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2 id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global Resources (struts.custom.i18n.resources) in <code>struts.properties</code></h2><p></p><p></p><p>
-A global resource bundle could be specified programmatically, as well as the locale.
-</p><h2 id="Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</h2><p>See <a shape="rect" href="formatting-dates-and-numbers.html">Formatting Dates and Numbers</a> for more details and examples.</p><h2 id="Localization-ComparisonwithStruts1">Comparison with Struts 1</h2><p>Struts 1 users should be familiar with the application.properties resource bundle, where you can put all the messages in the application that are going to be translated. Struts 2, though, splits the resource bundles per action or model class, and you may end up with duplicated messages in those resource bundles. A quick fix for that is to create a file called ActionSupport.properties in com/opensymphony/xwork2 and put it on your classpath. This will only work well if all your actions subclass XWork2's ActionSupport.</p><h2 id="Localization-Next:">Next: <a shape="rect" href="type-conversion.html">Type Conversion</a></h2></div>
+</div></div><h2 id="Localization-I18nInterceptor">I18n Interceptor</h2><p>Essentially, the i18n Interceptor pushes a locale into the ActionContext map upon every request. The framework components that support localization all utilize the ActionContext locale. See <a shape="rect" href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2 id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global Resources (struts.custom.i18n.resources) in <code>struts.properties</code></h2><p>A global resource bundle could be specified programmatically, as well as the locale.</p><h2 id="Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</h2><p>See <a shape="rect" href="formatting-dates-and-numbers.html">Formatting Dates and Numbers</a> for more details and examples.</p><h2 id="Localization-ComparisonwithStruts1">Comparison with Struts 1</h2><p>Struts 1 users should be familiar with the application.properties resource bundle, where you can pu
 t all the messages in the application that are going to be translated. Struts 2, though, splits the resource bundles per action or model class, and you may end up with duplicated messages in those resource bundles. A quick fix for that is to create a file called ActionSupport.properties in com/opensymphony/xwork2 and put it on your classpath. This will only work well if all your actions subclass XWork2's ActionSupport.</p><h2 id="Localization-CustomTextProviderandTextProviderFactory">Custom TextProvider and TextProviderFactory</h2><p>If you want use a different logic to search for localized messages, or you want to use a database or just want to search default bundles, you must implement both those interfaces (or subclass the existing implementations). You can check a small <a shape="rect" class="external-link" href="https://github.com/apache/struts-examples/tree/master/text-provider" rel="nofollow">example app</a> how to use both. Please remember that the&#160;<code>TextProvider</c
 ode> interface is implemented by the&#160;<code>ActioSupport</code> class, that's why an extra layer -&#160;<code>TextProviderFactory</code> - is needed.</p><h2 id="Localization-Next:">Next: <a shape="rect" href="type-conversion.html">Type Conversion</a></h2></div>
         </div>
 
         
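Review bot: `ActioSupport` in the new "Custom TextProvider and TextProviderFactory" section is a typo for `ActionSupport`; since the sentence explains why the extra `TextProviderFactory` layer exists, the class name should be exact. Two grammar fixes in the same paragraph: "If you want use a different logic to search for localized messages" should read "If you want to use different logic to search for localized messages", and "You can check a small example app how to use both" should read "See the small example app for how to use both".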

Added: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (added)
+++ websites/production/struts/content/docs/security.html Wed Mar 29 11:49:09 2017
@@ -0,0 +1,247 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Security</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="core-developers-guide.html">Core Developers Guide</a>&nbsp;&gt;&nbsp;<a href="security.html">Security</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Security</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34024409">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=34024409">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=34024409">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=34024409">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490788003243 {padding: 0px;}
+div.rbtoc1490788003243 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490788003243 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1490788003243">
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-Securitytips">Security tips</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</a></li><li><a shape="rect" href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a shape="rect" href="#Security-Reducelogginglevel">Reduce logging level</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li><li><a shape="rect" href="#Security-Donotdefinesetterswhennotneeded">Do not define setters when not needed</a></li><li><a shape="rect" href="#Security-Donotuseincomingvaluesasaninputforlocalisationlogic">Do not use incoming values as an input for localisation logic</a></li></ul>
+</li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal security mechanism</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-Accessingstaticmethods">Accessing static methods</a></li><li><a shape="rect" href="#Security-OGNLisusedtocallaction'smethods">OGNL is used to call action's methods</a></li><li><a shape="rect" href="#Security-Accepted/Excludedpatterns">Accepted / Excluded patterns</a></li><li><a shape="rect" href="#Security-StrictMethodInvocation">Strict Method Invocation</a></li></ul>
+</li></ul>
+</div><h3 id="Security-Securitytips">Security tips</h3><p>The Apache Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p><h4 id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4><p><a shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;exposes internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use &#160;Basic Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link" href="http://shiro.apache.org/">Apache Shiro</a>)</p><h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</h4><p>Very often access to different resources is controlled based on URL patterns, see snippet below. Becaus
 e of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;security-constraint&gt;
+        &lt;web-resource-collection&gt;
+            &lt;web-resource-name&gt;admin&lt;/web-resource-name&gt;
+            &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
+        &lt;/web-resource-collection&gt;
+        &lt;auth-constraint&gt;
+            &lt;role-name&gt;admin&lt;/role-name&gt;
+        &lt;/auth-constraint&gt;
+    &lt;/security-constraint&gt;
+</pre>
+</div></div><h4 id="Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</h4><p>You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the&#160;<code>WEB-INF</code> folder - most of the JEE containers restrict access to files placed under the&#160;<code>WEB-INF</code> folder. Second option is to add security constraint to the <code>web.xml</code>&#160;file:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;!-- Restricts access to pure JSP files - access available only via Struts action --&gt;
+&lt;security-constraint&gt;
+    &lt;display-name&gt;No direct JSP access&lt;/display-name&gt;
+    &lt;web-resource-collection&gt;
+        &lt;web-resource-name&gt;No-JSP&lt;/web-resource-name&gt;
+        &lt;url-pattern&gt;*.jsp&lt;/url-pattern&gt;
+    &lt;/web-resource-collection&gt;
+    &lt;auth-constraint&gt;
+        &lt;role-name&gt;no-users&lt;/role-name&gt;
+    &lt;/auth-constraint&gt;
+&lt;/security-constraint&gt;
+
+&lt;security-role&gt;
+    &lt;description&gt;Don't assign users to this role&lt;/description&gt;
+    &lt;role-name&gt;no-users&lt;/role-name&gt;
+&lt;/security-role&gt;</pre>
+</div></div><p>The best approach is to used the both solutions.</p><h4 id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code style="line-height: 1.4285715;">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p><p>However, in production it exposes your application to be presenting too many informations on application's internals or to evaluating risky parameter expressions.&#160;Please&#160;<strong>always disable&#160;<code>devMode</code></strong>&#160;before deploying your application to a production environment. While it is disabled by default, your <code>struts.xml</code>&#160;might include a line setting it to <code>true</code>. The best way is to ensure the following setting is applied to our <code>struts.xml</code>&#160;for production deployment:</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">How to disable devMode in production</p><span class=
 "aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><span>&lt;</span><span style="color: rgb(0,0,128);">constant </span><span style="color: rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" </span><span style="color: rgb(0,0,255);">value</span><span style="color: rgb(0,128,0);">="false"</span><span>/&gt;</span></p></div></div><h4 id="Security-Reducelogginglevel">Reduce logging level</h4><p>It's a good practice to reduce logging level from <strong>DEBUG</strong> to <strong>INFO</strong> or less. Framework's classes can produce a lot of logging entries which will pollute the log file. You can even set logging level to <strong>WARN</strong> for classes that belongs to the framework, see example Log4j2 configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;Configuration&gt;
+    &lt;Appenders&gt;
+        &lt;Console name="STDOUT" target="SYSTEM_OUT"&gt;
+            &lt;PatternLayout pattern="%d %-5p [%t] %C{2} (%F:%L) - %m%n"/&gt;
+        &lt;/Console&gt;
+    &lt;/Appenders&gt;
+    &lt;Loggers&gt;
+        &lt;Logger name="com.opensymphony.xwork2" level="warn"/&gt;
+        &lt;Logger name="org.apache.struts2" level="warn"/&gt;
+        &lt;Root level="info"&gt;
+            &lt;AppenderRef ref="STDOUT"/&gt;
+        &lt;/Root&gt;
+    &lt;/Loggers&gt;
+&lt;/Configuration&gt;</pre>
+</div></div><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always use&#160;<code>UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;%@ page contentType="text/html; charset=UTF-8" %&gt;</pre>
+</div></div><h4 id="Security-Donotdefinesetterswhennotneeded">Do not define setters when not needed</h4><p>You should carefully design your actions without exposing anything via setters and getters, thus can leads to potential security vulnerabilities. Any action's setter can be used to set incoming untrusted user's value which can contain suspicious expression. Some Struts&#160;<code>Result</code>s automatically populate params based on values in&#160;<code>ValueStack</code> (action in most cases is the root) which means incoming value will be evaluated as an expression during this process.</p><h4 id="Security-Donotuseincomingvaluesasaninputforlocalisationlogic">Do not use incoming values as an input for localisation logic</h4><p>All&#160;<code>TextProvider</code>'s <code>getText(...)&#160;</code>methods (e.g in&#160;<code>ActionSupport</code>) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with&#16
 0;<code>getText(...)</code> methods is potentially dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property&#160;<code>message</code>, the below code allows inject an OGNL expression:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public String execute() throws Exception {
+    setMessage(getText(getMessage()));
+    return SUCCESS;
+}</pre>
+</div></div><p>Never use value of incoming request parameter as part of your localisation logic.</p><h3 id="Security-Internalsecuritymechanism">Internal security mechanism</h3><p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it's a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions used in JSPs, etc.</p><p>There are three options that can be used to configure excluded packages and classes:</p><ul style="list-style-type: square;"><li><code>struts.excludedClasses</code> - comma-separated list of excluded classes</li><li><code>struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than simple string comparison but it's more flexible</li><li><code>struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison via&#160;<code>startWith</code> an
 d&#160;<code>equals</code></li></ul><p>The defaults are as follow:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;constant name="struts.excludedClasses"
+          value="com.opensymphony.xwork2.ActionContext" /&gt;
+
+&lt;!-- this must be valid regex, each '.' in package name must be escaped! --&gt;
+&lt;!-- it's more flexible but slower than simple string comparison --&gt;
+&lt;!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / --&gt;
+
+&lt;!-- this is simpler version of the above used with string comparison --&gt;
+&lt;constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" /&gt;</pre>
+</div></div><p>Any expression or target which evaluates to one of these will be blocked and you see a WARN in logs:</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>[WARNING] Target class [class example.MyBean] or declaring class of member type [public example.MyBean()] are excluded!</pre>
+</div></div><p>In that case&#160;<code>new MyBean()</code> was used to create a new instance of class (inside JSP) - it's blocked because&#160;<code>target</code> of such expression is evaluated to&#160;<code>java.lang.Class</code></p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is possible to redefine the above constants in <code>struts.xml</code> but try to avoid this and rather change design of your application!</p></div></div><h4 id="Security-Accessingstaticmethods">Accessing static methods</h4><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Support for accessing static methods from expression will be disabled soon, please
  consider re-factoring your application to avoid further problems! Please check <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p></div></div><h4 id="Security-OGNLisusedtocallaction'smethods">OGNL is used to call action's methods</h4><p>This can impact actions which have large inheritance hierarchy and use the same method's name throughout the hierarchy, this was reported as an issue <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. See the example below:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public class RealAction extends BaseAction {  
+    @Action("save")
+    public String save() throws Exception {
+        super.save();
+        return SUCCESS;
+    }
+}    
+&#160;
+public class BaseAction extends AbstractAction {
+    public String save() throws Exception {
+        save(Double.MAX_VALUE);
+        return SUCCESS;
+    }
+}
+&#160;
+public abstract class AbstractAction extends ActionSupport {
+    protected void save(Double val) {
+        // some logic
+    }
+}</pre>
+</div></div><p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. To solve the problem don't use the same method's names through the hierarchy, you can simply change the action's method from&#160;<code>save()</code> to&#160;<code>saveAction()</code>&#160;and leaving annotation as is to allow&#160;<span style="line-height: 1.4285715;">call this action via&#160;</span><code style="line-height: 1.4285715;">/save.action</code><span style="line-height: 1.4285715;"> request.</span></p><h4 id="Security-Accepted/Excludedpatterns"><span style="line-height: 1.4285715;">Accepted / Excluded patterns</span></h4><p><span style="line-height: 1.4285715;">As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names and values -&#160;<a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.htm
 l">AcceptedPatternsChecker</a> and&#160;<a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a> with default implementations. These two interfaces are used by&#160;<a shape="rect" href="parameters-interceptor.html">Parameters Interceptor</a> and&#160;<a shape="rect" href="cookie-interceptor.html">Cookie Interceptor</a> to check if param can be accepted or must be excluded. If you were using&#160;<code>excludeParams</code> previously please compare patterns used by you with these provided by the framework in default implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. It allows control what methods can be accessed with the bang "!" operator via <a shape="rect" href="action-configurat
 ion.html">Dynamic Method Invocation</a>. Please read more&#160;in Strict Method Invocation section of&#160;<a shape="rect" href="action-configuration.html">Action Configuration</a>.</span></p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
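Review bot: the two `struts.excludedPackageName*` defaults shown in the security.html sample are not equivalent, although the comment calls the string version "simpler version of the above": the regex `^(?!javax\.servlet\..+)(javax\..+)` deliberately leaves `javax.servlet.*` reachable, while `value="java.lang,ognl,javax"` matched by prefix blocks everything under `javax`, including `javax.servlet`. Either state that difference next to the sample or align the two so readers do not assume switching between them is behaviour-preserving. Smaller documentation fixes in the same hunk: `startWith` should read `startsWith` (the `String` method name); "thus can leads to potential security vulnerabilities" should read "which can lead to security vulnerabilities"; "the below code allows inject an OGNL expression" should read "allows injecting an OGNL expression"; "This is do the OGNL limitation" should read "This is due to an OGNL limitation"; and the log sample prints `[WARNING]` while the sentence before it promises "a WARN in logs", so one of the two should be changed to match the other.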

Modified: websites/production/struts/content/docs/struts-23-to-25-migration.html
==============================================================================
--- websites/production/struts/content/docs/struts-23-to-25-migration.html (original)
+++ websites/production/struts/content/docs/struts-23-to-25-migration.html Wed Mar 29 11:49:09 2017
@@ -139,13 +139,13 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h3 id="Struts2.3to2.5migration-/*&lt;![CDATA[*/div.rbtoc1490016579651{padding:0px;}div.rbtoc1490016579651ul{list-style:disc;margin-left:0px;}div.rbtoc1490016579651li{margin-left:0px;padding-left:0px;}/*]]&gt;*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style type="text/css">/*<![CDATA[*/
-div.rbtoc1490016579651 {padding: 0px;}
-div.rbtoc1490016579651 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1490016579651 li {margin-left: 0px;padding-left: 0px;}
+            <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490686616575 {padding: 0px;}
+div.rbtoc1490686616575 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490686616575 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></h3><div class="toc-macro rbtoc1490016579651">
-<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-"></a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work directory of ApplicationServer/ServletContainer</a></li></ul>
+/*]]>*/</style></p><div class="toc-macro rbtoc1490686616575">
+<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work directory of ApplicationServer/ServletContainer</a></li></ul>
 </div><h3 id="Struts2.3to2.5migration-Dependencies">Dependencies</h3><p>Update Struts dependencies to 2.5.<br clear="none"><br clear="none">Remove the following plugin dependencies because they were dropped and aren't supported anymore.</p><ul><li>Dojo Plugin</li><li>Codebehind Plugin</li><li>JSF Plugin</li><li>Struts1 Plugin</li></ul><h3 id="Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</h3><p>The&#160;<code>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</code> was moved to <code>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</code>.<br clear="none"><br clear="none">In web.xml replace this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;filter&gt;
     &lt;filter-name&gt;struts2&lt;/filter-name&gt;
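Review bot: the removed lines show that the TOC's `<style>` block had been emitted inside an `<h3>` whose `id` attribute contained the whole CSS text (`div.rbtoc1490016579651{padding:0px;}...`) and that the list began with an empty `<li><a href="#Struts2.3to2.5migration-"></a></li>`; the new lines wrap the `<style>` in a `<p>` and drop the empty entry, which is the right fix. Two things worth checking before the next export: `<style>` is still not valid content inside a `<p>` (it is metadata content, not phrasing content), so the page renders because browsers tolerate it rather than because the markup is correct, and the `rbtoc…` class name changes with every export (`1490016579651` to `1490686616575` here), which will keep producing noisy diffs each time the page is regenerated.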