Posted to user@struts.apache.org by DevaGerald <de...@gmail.com> on 2018/04/07 14:18:45 UTC

Help : Disable Strict Method Invocation for struts 2 rest plugin

I am using Struts 2 with rest plugin and I need to migrate from struts 2.3 to
struts 2.5. My application also has struts 1 with the older apis unmigrated
to struts2.

I have some custom methods in my application other than the default CRUD
operations. As the strict method invocation is enabled now by default, I
cannot use those custom methods now. I am using only the "rest-default"
package and want to disable the *strict method invocation* as I have a
larger number of methods (Adding those many entries might make the code
clumsy).

Thanks in advance.



--
Sent from: http://struts.1045723.n5.nabble.com/Struts-User-f3426046.html

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Yasser Zamani <ya...@apache.org>.

On 4/11/2018 11:11 AM, Lukasz Lenart wrote:
> 2018-04-09 16:59 GMT+02:00 DevaGerald <de...@gmail.com>:
>> Thanks a lot Lukasz.
>>
>> I have resolved it by adding
>> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
>> struts.xml
>>
>> Do I have any alternative for this?
> 
> No but I didn't want to suggest this as this basically opens a
> potential security hole in your app. In this case any public method
> can be called especially when using DMI.
> I wonder if we can introduce another pattern here like "allow methods
> for this class hierarchy":
> <allowed-methods>class:BaseAction</allowed-methods> - wdyt?
> 

As Lukasz correctly mentioned, if you would like to keep better
security, then you have to separate or define action methods from other
ones. If defining them in xml might make the code clumsy, then couldn't
you refactor their names to have a common regex e.g. user*? then e.g.
you can define
<global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>
which separates them from other methods to satisfy security.

Regards.
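
Added example (not from the thread or the Struts project): a small Java check that lists which public no-argument methods of a controller each allowed-methods pattern discussed here would admit, inherited java.lang.Object methods included. Assumptions: the ResourceController class, its method names and the exposed() helper are hypothetical, and the regex is taken to match the whole method name.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

public class AllowedMethodsAudit {

    // Hypothetical controller, constructed for this example: two intended
    // custom REST methods plus a public helper that is not meant to be an action.
    public static class ResourceController {
        public String userHello()  { return "success"; }
        public String userExport() { return "success"; }
        public void purgeCache()   { /* internal maintenance helper */ }
    }

    // Returns the names of public zero-argument methods (inherited ones
    // included) whose full name matches the regex.
    // Assumptions: whole-name matching, and action methods take no arguments.
    static Set<String> exposed(Class<?> type, String regex) {
        Pattern pattern = Pattern.compile(regex);
        Set<String> names = new TreeSet<>();
        for (Method m : type.getMethods()) {   // getMethods() yields public methods only
            if (m.getParameterCount() == 0 && pattern.matcher(m.getName()).matches()) {
                names.add(m.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String broad  = "[a-zA-Z]*";      // pattern from the struts.xml posted in this thread
        String scoped = "user[a-zA-Z]*";  // prefix pattern suggested in the reply above

        Set<String> broadHits  = exposed(ResourceController.class, broad);
        Set<String> scopedHits = exposed(ResourceController.class, scoped);

        System.out.println("broad  admits: " + broadHits);
        System.out.println("scoped admits: " + scopedHits);

        // Methods that only the broad pattern lets through.
        Set<String> extra = new TreeSet<>(broadHits);
        extra.removeAll(scopedHits);
        System.out.println("only via broad pattern: " + extra);
    }
}
```

Pointing exposed() at real controller classes shows what a candidate pattern admits before it goes into struts.xml.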


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
Here https://issues.apache.org/jira/projects/WW/issues

2018-04-18 15:04 GMT+02:00 DevaGerald <de...@gmail.com>:
> Sorry if I am so dumb. Where should I file the ticket?


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Sorry if I am so dumb. Where should I file the ticket?





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Hi Yasser,

We already have a layer of security (a filter which runs first in our
web-app) which handles allowed url patterns. So in this we have to again add
code for allowed methods. So we are trying to get an option to disable it. 

Thanks,
Deva.





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Thanks for the reply. We will use the existing (regex in
global-allowed-methods) solution till that.





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Yasser Zamani <ya...@apache.org>.

On 4/30/2018 11:27 AM, Lukasz Lenart wrote:
> The problem is that we should support existing configurations (like
> automatically define allowed methods for those used in struts.xml).

Sorry, I didn't get again :( AFAIK defined actions with any defined
method in struts.xml are callable. However, in this issue, convention is
used and struts.xml doesn't have any defined action. Did you mean
convention's @action annotation doesn't work with rest i.e. does not
automatically define allowed methods with that annotation?

> The same should happen with the REST plugin but the problem is that it
> tries to guess the method name based on url. I do not see a good
> solution for now.

AFAIK it doesn't guess. It sees if url has a defined method
(action/param/method) elsewhere use defined method according to GET,
PUT, DELETE, POST or etc. right? Did you mean rest+convention plugin
isn't able to call method1 when url is action1/param1/method1?

Elsewhere of above, then I think this issue/thread can be concluded as
"bug: SMI cannot be disabled by user when rest+convention used" i.e.
like https://issues.apache.org/jira/browse/WW-4930.

Regards.


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-29 11:24 GMT+02:00 Yasser Zamani <ya...@apache.org>:
> I couldn't understand what's the user expected behavior and what we
> should try to fix. Because of security, SMI is enabled by default and
> user has to annotate or define allowed methods. right? I think there is
> no other solution to keep both security and all methods allowed.

The problem is that we should support existing configurations (like
automatically define allowed methods for those used in struts.xml).
The same should happen with the REST plugin but the problem is that it
tries to guess the method name based on url. I do not see a good
solution for now.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Yasser Zamani <ya...@apache.org>.

On 4/26/2018 4:03 PM, Lukasz Lenart wrote:
> Thinking on solution ... not so easy :(

I couldn't understand what's the user expected behavior and what we
should try to fix. Because of security, SMI is enabled by default and
user has to annotate or define allowed methods. right? I think there is
no other solution to keep both security and all methods allowed.

Regards.

Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
Thinking on solution ... not so easy :(

2018-04-26 13:24 GMT+02:00 DevaGerald <de...@gmail.com>:
> Any update on this?


Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Any update on this?





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
	"http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>

	<constant name="struts.convention.action.suffix" value="Controller"/>
	<constant name="struts.convention.action.mapAllMatches" value="true"/>
	<constant name="struts.convention.default.parent.package" value="my-default"/>
	<constant name="struts.convention.package.locators" value="client"/>
	<constant name="struts.convention.action.includeJars" value=".*?/AZC.*?jar(!/)?"/>
	<constant name="struts.rest.defaultExtension" value="json"/>
	<constant name="struts.rest.content.restrictToGET" value="false"/>
	<constant name="struts.multipart.maxSize" value="153600000" />

	<bean name="strutsjsonhandler"
		type="org.apache.struts2.rest.handler.ContentTypeHandler"
		class="com.struts2.StrutsJSONHandler"/>
	<constant name="struts.rest.handlerOverride.json" value="strutsjsonhandler"/>
	<constant name="struts.rest.handlerOverride.xml" value="strutsjsonhandler"/>
	<constant name="struts.rest.handlerOverride.xhtml" value="strutsjsonhandler"/>

	<package name="my-default" extends="rest-default">
		<global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods>
	</package>

</struts>





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-19 8:58 GMT+02:00 DevaGerald <de...@gmail.com>:
> Just a clarification. Maybe my point was misunderstood.
>
> Ex : /resource/resource_id/hello
> This will call the hello method of my controller.
> REST plugin directly maps to my custom method. In this case, it calls the
> hello method of my ResourceController.
>
> What will be the best solution for this case?
>
> P.S. I am not using struts 2 DMI.

Can you share your struts.xml config?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Just a clarification. Maybe my point was misunderstood.

Ex : /resource/resource_id/hello
This will call the hello method of my controller.
REST plugin directly maps to my custom method. In this case, it calls the
hello method of my ResourceController.

What will be the best solution for this case?

P.S. I am not using struts 2 DMI.





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-18 9:15 GMT+02:00 DevaGerald <de...@gmail.com>:
> Yes, I have configured rest plugin for that

Ach... so we must fix allowed-methods to include those REST methods,
could you file a ticket?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Yes, I have configured rest plugin for that





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-14 11:58 GMT+02:00 DevaGerald <de...@gmail.com>:
> I don't use DMI. I have the following configured in struts.xml.
> <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
>
> So is there any other way for me to disable strict method invocation? I am
> just using struts 2 rest plugin.

Hm... so how do you call those custom methods? Did you configure them
as REST methods?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
I don't use DMI. I have the following configured in struts.xml.
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

So is there any other way for me to disable strict method invocation? I am
just using struts 2 rest plugin.

Thanks & Regards
Deva.





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-09 16:59 GMT+02:00 DevaGerald <de...@gmail.com>:
> Thanks a lot Lukasz.
>
> I have resolved it by adding
> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
> struts.xml
>
> Do I have any alternative for this?

No but I didn't want to suggest this as this basically opens a
potential security hole in your app. In this case any public method
can be called especially when using DMI.
I wonder if we can introduce another pattern here like "allow methods
for this class hierarchy":
<allowed-methods>class:BaseAction</allowed-methods> - wdyt?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by DevaGerald <de...@gmail.com>.
Thanks a lot Lukasz.

I have resolved it by adding
<global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
struts.xml

Do I have any alternative for this?

Thanks & Regards,
Deva Gerald.





Re: Help : Disable Strict Method Invocation for struts 2 rest plugin

Posted by Lukasz Lenart <lu...@apache.org>.
2018-04-07 16:18 GMT+02:00 DevaGerald <de...@gmail.com>:
> I am using Struts 2 with rest plugin and I need to migrate from struts 2.3 to
> struts 2.5. My application also has struts 1 with the older apis unmigrated
> to struts2.
>
> I have some custom methods in my application other than the default CRUD
> operations. As the strict method invocation is enabled now by default, I
> cannot use those custom methods now. I am using only the "rest-default"
> package and want to disable the *strict method invocation* as I have a
> larger number of methods (Adding those many entries might make the code
> clumsy).

This looks similar to https://issues.apache.org/jira/browse/WW-4930


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
