I am a beginner to Struts2. I am using the Struts2 token interceptor to prevent CSRF. The token interceptor is working for the login page, but it is not working for the second page. The second page is just a JSP with hyperlinks, and when I change the token value it says "Could not find token name in params". This is my code:
Jsp
<div style="margin: 0 auto; font-size: 16px;">
<s:token />
<a href="<s:url value="view" />" >Click Here to View and Search Data</a>
<br/><br/>
<a href="<s:url value="Upload.jsp" />" >Click here to Upload Data (CSV format)</a>
<br/><br/>
<a href="<s:url value="Register.jsp" />" >Click here to Upload Data (FORM)</a>
</div>
Struts.xml
<package name="default" extends="struts-default, json-default">
<!-- CREATING INTERCEPTOR -->
<interceptors>
<interceptor-stack name="myStack">
<interceptor-ref name="defaultStack" />
<interceptor-ref name="tokenSession" />
<interceptor-ref name="timer"/>
<interceptor-ref name="logger"/>
<interceptor-ref name="fileUpload" />
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="myStack"/>
<global-results>
<result name="invalid.token">/error.jsp</result>
</global-results>
<action name="login" class="action.loginAction">
<result name="input">/Login.jsp</result>
<result name="success">/Main.jsp</result>
<result name="error">/error.jsp</result>
</action>
How do I implement the token interceptor for this JSP?
Please suggest.
Try changing the order of the interceptors; keep defaultStack last.
<interceptors>
<interceptor-stack name="myStack">
<interceptor-ref name="tokenSession" />
<interceptor-ref name="timer"/>
<interceptor-ref name="logger"/>
<interceptor-ref name="fileUpload" />
<interceptor-ref name="defaultStack" />
</interceptor-stack>
</interceptors>
Try using token instead of tokenSession.
<interceptor-ref name="token" />
Also post the Struts mapping for the second page submit.
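An added example, not from the original posts: `<s:token />` renders hidden form fields, so a plain `<a href>` link never submits them, and a token-checked action reached by a link fails with the missing token name error quoted in the question. One way to lay this out is to keep the token check on actions that receive form posts and leave link-reachable views on the default stack. The `register` action, the two action classes and `View.jsp` are hypothetical names.

```xml
<package name="default" extends="struts-default, json-default">
    <interceptors>
        <!-- Stack for state-changing submits: token check runs first,
             before parameters are bound or validation executes -->
        <interceptor-stack name="writeStack">
            <interceptor-ref name="token" />
            <interceptor-ref name="defaultStack" />
        </interceptor-stack>
    </interceptors>

    <!-- Read-only navigation uses the stock stack: no token is required,
         so the hyperlinks on Main.jsp keep working -->
    <default-interceptor-ref name="defaultStack" />

    <global-results>
        <result name="invalid.token">/error.jsp</result>
    </global-results>

    <!-- Reached by <a href="<s:url value="view" />">; only renders data.
         action.ViewAction and View.jsp are hypothetical. -->
    <action name="view" class="action.ViewAction">
        <result name="success">/View.jsp</result>
    </action>

    <!-- Reached only by a POST from a form that carries the token:
           <s:form action="register" method="post">
               <s:token />
               ...
               <s:submit />
           </s:form>
         action.RegisterAction is hypothetical. -->
    <action name="register" class="action.RegisterAction">
        <interceptor-ref name="writeStack" />
        <result name="input">/Register.jsp</result>
        <result name="success">/Main.jsp</result>
    </action>
</package>
```

Any action that changes state should sit behind `writeStack` and be invoked through a form, not a link.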
Related
Is it possible to map multiple action URLs in a single action configuration with a wildcard? I am able to do it like */* */*/* in action names, but I don't know exactly how many nested paths will come.
Since all my URLs load and render CommonLayout, I don't want to add multiple entries.
What I am doing now:
<package name="myapp" extends="default" namespace="/">
<global-results>
<result type="tiles">CommonLayout</result>
</global-results>
<action name="a" />
<action name="a/create" />
<action name="b" />
<action name="b/customize" />
<action name="b/customize/app" />
<action name="d/create" />
<action name="d/view" />
<action name="d/view/list" />
</package>
Below is the configuration which I want to have, but it is not working for all nested actions.
<package name="myapp" extends="default" namespace="/">
<global-results>
<result type="tiles">CommonLayout</result>
</global-results>
<action name="*" />
</package>
I have an action which I should protect from CSRF attacks. I have used Struts's tokenSession interceptor to achieve this.
<action name="showBranchSelection" class="action.Request.BranchSelectionAction"
method="showBranchSelection">
<interceptor-ref name="tokenSession" />
<interceptor-ref name="basicStack" />
<result name="success">
/jsp/customer/request/branchSelection.jsp
</result>
</action>
and it works great when this action is called directly from a JSP.
<s:form id="frmRequestShowBranchSelection" action="../../showBranchSelection" method="post" theme="simple" onsubmit="return false;">
<s:token name="tknRequestShowBranchSelection" />
<s:submit />
</s:form>
But I also have other actions (protected and not protected) which will be chained to this action in some situations.
<!-- not protected action chains to protected one -->
<action name="entranceCustomerLoginAction" class="action.Request.CustomerLoginAction"
method="entrance">
<result name="success">/jsp/login/success.jsp</result>
<result name="showBranchSelection" type="chain"> showBranchSelection
</result>
</action>
<!-- protected action chains to another protected one -->
<action name="continueReimTable" class="action.Request.ReimburseTableControllerAction"
method="continueReimTable">
<interceptor-ref name="tokenSession" />
<interceptor-ref name="basicStack" />
<result name="showBranchSelection" type="chain">
showBranchSelection
</result>
<result name="success" type="chain">
showBranchPage
</result>
</action>
What's the proper way to use the token in such chains, i.e. both when a not protected action chains to a protected action and when a protected action chains to another protected action?
I am trying to change the default URL in my application using the code below.
struts.xml:
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
"http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
<constant name="struts.action.extension" value="htm"/>
<package name="default" namespace="/" extends="struts-default" >
<action name="LoginClass" class="com.struts2.LoginCheckingClass" method="execute">
<result name="input">/Home.jsp</result>
<result name="success" type="dispatcher">/LoginSuccessPage.jsp</result>
<result name="error">/Home.jsp</result>
</action>
</package>
</struts>
Home.jsp :
<s:actionerror/><s:fielderror />
<br>
<s:form action="LoginClass" method="post" validate="true">
<s:textfield name="Uname" label="User Name" />
<s:textfield name="Pwd" label="Password" />
<s:submit validate="true" type="image" src="button-login2.png"/>
</s:form>
But when I submit in Home.jsp, the page always goes to a 404 error page. I looked at all the tutorials and am doing it the same way, but I am still getting the same error.
If I remove the <constant name="struts.action.extension" value="htm"/> from struts.xml, then the page redirects to the represented page correctly.
Can someone help me find out what I am doing wrong?
I am using Liferay6 with Struts2.
This is the Login.jsp
<%@ taglib prefix="s" uri="/struts-tags" %>
<html>
<head>
<title>Struts 2 Login Application!</title>
</head>
<body>
<s:form action="login" method="POST" validate="true">
<tr>
<td colspan="2">
Login
</td>
</tr>
<s:actionerror />
<s:fielderror />
<s:textfield name="username" label="Login name"/>
<s:password name="password" label="Password"/>
<s:submit value="Login" align="center"/>
</s:form>
</body>
</html>
This is the struts.xml file
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<constant name="struts.devMode" value="true" />
<package name="default" extends="struts-default" namespace="/view">
<action name="login"
class="net.LoginAction">
<result name="success">/Welcome.jsp</result>
<result name="error">/view.jsp</result>
</action>
</package>
</struts>
This is the exception stack trace
9:51:52,109 ERROR [Jsr168Dispatcher:27] Could not find action
There is no Action mapped for action name default. - [unknown location]
at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:177)
at org.apache.struts2.impl.StrutsActionProxy.prepare(StrutsActionProxy.java:61)
at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:39)
at com.opensymphony.xwork2.DefaultActionProxyFactory.createActionProxy(DefaultActionProxyFactory.java:47)
at com.opensymphony.xwork2.DefaultActionProxyFactory.createActionProxy(DefaultActionProxyFactory.java:36)
at org.apache.struts2.portlet.dispatcher.Jsr168Dispatcher.serviceAction(Jsr168Dispatcher.java:446)
at org.apache.struts2.portlet.dispatcher.Jsr168Dispatcher.render(Jsr168Dispatcher.java:323)
at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:100)
at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:64)
at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:93)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:639)
There is no Action mapped for action name default.
But your action name is login:
<action name="login" class="net.LoginAction">
Your action's URL must be sitename/youapp/view/login.action
In addition, for logging in you have two actions.
<action name="prepareLogin" class="net.LoginAction" method="input">
<result name="success">/login.jsp</result>
</action>
prepareLogin - this action only shows the login page
<action name="login" class="net.LoginAction" method="execute">
<result name="success">/Welcome.jsp</result>
<result name="error">/login.jsp</result>
</action>
login - this action performs the login
I have the following interceptor stack defined:
<interceptor-stack name="applicationStack">
<interceptor-ref name="exception"/>
<interceptor-ref name="alias"/>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="i18n"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="chain"/>
<interceptor-ref name="debugging"/>
<interceptor-ref name="scopedModelDriven"/>
<interceptor-ref name="modelDriven"/>
<interceptor-ref name="fileUpload"/>
<interceptor-ref name="checkbox"/>
<interceptor-ref name="multiselect"/>
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="params">
<param name="excludeParams">dojo\..*,^struts\..*</param>
</interceptor-ref>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
<param name="excludeMethods">input,back,cancel,browse</param>
</interceptor-ref>
<interceptor-ref name="workflow">
<param name="excludeMethods">input,back,cancel,browse</param>
</interceptor-ref>
<interceptor-ref name="contextSecurityInterceptor" />
</interceptor-stack>
With this, values from the UI are not getting submitted to the action, because of which the "required" validation always fails.
If I change the order of the interceptors to "workflow" first and then "validation", the values do get submitted and the action gets executed without validating the values.
What should the order of the interceptors be to keep the validation and data submission in order?
struts.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<constant name="struts.objectFactory" value="spring" />
<constant name="struts.devMode" value="false" />
<constant name="struts.action.extension" value="action" />
<constant name="struts.custom.i18n.resources" value="global" />
<package name="org" namespace="/"
extends="struts-default,json-default">
<result-types>
<result-type name="tiles"
class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<global-results>
<result name="welcome" type="tiles">welcome</result>
</global-results>
</package>
<package name="org.unsecureActions" extends="org">
<!--
This package contains actions which don't need the user to be logged
in.
-->
<action name="welcome" method="forwardAction" class="baseAction">
<result name="success" type="tiles">welcome</result>
</action>
<action name="logoutCandidate" method="logoutCandidate" class="logoutAction">
<result name="success" type="tiles">welcome</result>
</action>
<action name="loadAdvanceSearchForm" method="loadAdvanceSearch"
class="advanceSearchAction">
<result name="success" type="tiles">advanceSearch</result>
</action>
<!--Candidate workflow actions -->
<action name="registerCandidateStep1" class="candidateAction"
method="registerCandidateStep1">
<result name="input" type="tiles">registerCandidate</result>
<result name="success" type="tiles">registerCandidate</result>
</action>
<action name="registerCandidateStep2" class="candidateAction"
method="registerCandidateStep2">
<result name="input" type="tiles">registerCandidate</result>
<result name="success" type="tiles">registerCandidate</result>
</action>
<action name="registerCandidateStep3" class="candidateAction"
method="registerCandidateStep3">
<result name="input" type="tiles">registerCandidate</result>
<result name="success" type="chain">
<param name="actionName">loginCandidate</param>
<param name="namespace">/org.unsecureActions</param>
</result>
</action>
<action name="loadCandidateRegistrationForm" class="loadCandidateFromAction"
method="loadCandidateRegistrationForm">
<result name="success" type="tiles">registerCandidate</result>
</action>
<!--Candidate workflow actions -->
<action name="loginCandidate" class="loginAction" method="loginCandidate">
<result name="success" type="tiles">home</result>
<result name="input" type="tiles">welcome</result>
</action>
</package>
<package name="org.secureActions" extends="org">
<!--
This package contains actions which need the user to be logged in
before executing them.
-->
<action name="home" method="forwardAction" class="baseAction">
<result name="success" type="tiles">home</result>
</action>
<action name="loadAdvanceSearchForm" method="loadAdvanceSearch"
class="advanceSearchAction">
<result name="success" type="tiles">advanceSearch</result>
</action>
<action name="simpleSearch" method="simpleSearch" class="simpleSearchAction">
<result name="success" type="tiles">search</result>
<result name="input" type="tiles">home</result>
</action>
<action name="advanceSearch" method="advanceSearch" class="advanceSearchAction">
<result name="success" type="tiles">search</result>
</action>
<action name="loadImage" method="loadImage" class="imageAction">
<result name="imageData" type="stream">
<param name="contentType">${imageContentType}</param>
<param name="inputName">imageStream</param>
<param name="contentDisposition">filename="candidate.jpeg"</param>
<param name="bufferSize">${myBufferSize}</param>
</result>
</action>
</package>
</struts>
Neither the "validation" nor "workflow" interceptors are responsible for setting parameters on the action, that's done by the "params" interceptor.
"Workflow" only makes sense after "validation" because it checks to see if any errors are present on the action, and if there are, goes to the input result (by default).
The configuration you show is the default configuration plus your interceptor (which is suspiciously towards the end for something called "security").
If you're not seeing values being set on the action then something else is wrong, because the default configuration works as-is--so it's either something with your interceptor, the existing application flow, etc.
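An added example, not part of the original answer: the same stack with the custom interceptor moved ahead of parameter binding, assuming `contextSecurityInterceptor` is an access check that does not read values set by `params`. With it last, request parameters are bound to the action before the check, and `workflow` returns the input result on a validation error without the check ever running.

```xml
<interceptor-stack name="applicationStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <!-- Assumption: this is an authorization check that needs no bound
         parameters, so it runs before anything can populate the action
         or short-circuit the chain -->
    <interceptor-ref name="contextSecurityInterceptor"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <!-- params binds request values onto the action -->
    <interceptor-ref name="params">
        <param name="excludeParams">dojo\..*,^struts\..*</param>
    </interceptor-ref>
    <interceptor-ref name="conversionError"/>
    <!-- validation records errors; workflow then returns "input" if any exist -->
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
</interceptor-stack>
```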