https://wiki.owasp.org/api.php?action=feedcontributions&user=Jeffcityjon&feedformat=atomOWASP - User contributions [en]2024-03-28T14:46:11ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Struts&diff=26671Struts2008-03-13T19:09:45Z<p>Jeffcityjon: /* Output Sanitation */</p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
<ul><br />
<li>A validator-rules.xml file in the WEB-INF folder.</li><br />
<li>A validator.xml in the WEB-INF folder.</li><br />
<li>All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.</li><br />
<li>The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].</li><br />
<li>The Validator plug-in should be enabled in struts-config.xml<br />
<p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p></li><br />
</ul><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
[[Output sanitation]] is the process of ensuring that your output does not contain HTML or XML specific characters. So, for example a '<' becomes '&amp;lt;'. This should be used as a secondary [[XSS]] prevention method. Primary method of prevention should be validation. Luckily some Struts tags include output sanitation by default. If you're tag is not here, then you should implement sanitation manually.<br />
<br />
====Sanitized tags====<br />
*bean:Write (may be overwritten by setting filter to false)<br />
*html:Hidden<br />
*html:Messages (if the value is of type String)<br />
*html:Multibox<br />
*html:OptionsCollection (may be overwritten by setting filter to false)<br />
*html:Options (may be overwritten by setting filter to false)<br />
*html:Option '''(you must set filter to true)'''<br />
*html:Radio<br />
*html:TextArea<br />
*html:File<br />
*html:Hidden<br />
*html:Password<br />
*html:Text<br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=26670Struts2008-03-13T18:57:09Z<p>Jeffcityjon: /* Output Sanitation */</p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
<ul><br />
<li>A validator-rules.xml file in the WEB-INF folder.</li><br />
<li>A validator.xml in the WEB-INF folder.</li><br />
<li>All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.</li><br />
<li>The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].</li><br />
<li>The Validator plug-in should be enabled in struts-config.xml<br />
<p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p></li><br />
</ul><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
[[Output sanitation]] is the process of ensuring that your output does not contain HTML or XML specific characters. So, for example a '<' becomes '&amp;lt;'. This should be used as a secondary [[XSS]] prevention method. Primary method of prevention should be validation. Luckily some Struts tags include output sanitation by default. <br />
<br />
====Sanitized tags====<br />
*bean:Write (may be overwritten by setting filter to false)<br />
*html:Hidden<br />
*html:Messages (if the value is of type String)<br />
*html:Multibox<br />
*html:OptionsCollection (may be overwritten by setting filter to false)<br />
*html:Options (may be overwritten by setting filter to false)<br />
*html:Option '''(you must set filter to true)'''<br />
*html:Radio<br />
*html:TextArea<br />
*html:File<br />
*html:Hidden<br />
*html:Password<br />
*html:Text<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24641Struts2008-01-23T20:16:58Z<p>Jeffcityjon: /* Validation */</p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
<ul><br />
<li>A validator-rules.xml file in the WEB-INF folder.</li><br />
<li>A validator.xml in the WEB-INF folder.</li><br />
<li>All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.</li><br />
<li>The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].</li><br />
<li>The Validator plug-in should be enabled in struts-config.xml<br />
<p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p></li><br />
</ul><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24640Struts2008-01-23T20:16:22Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
<ul><br />
<li>A validator-rules.xml file in the WEB-INF folder.</li><br />
<li>A validator.xml in the WEB-INF folder.</li><br />
<li>All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.</li><br />
<li>The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].</li><br />
<li>The Validator plug-in should be enabled in struts-config.xml<br />
<p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p></li><br />
</ul><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24639Struts2008-01-23T20:16:01Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
<ul><br />
<li>A validator-rules.xml file in the WEB-INF folder.</li><br />
<li>A validator.xml in the WEB-INF folder.</li><br />
<li>All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.</li><br />
<li>The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].</li><br />
<li>The Validator plug-in should be enabled in struts-config.xml<br />
<p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p></li><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24638Struts2008-01-23T20:14:12Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
* The Validator plug-in should be enabled in struts-config.xml<br />
** <p><pre><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/><br />
</plug-in><br />
</pre></p><br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24636Struts2008-01-23T20:04:27Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
===Output Sanitation===<br />
<br />
<pre>TODO: More data here.</pre><br />
<br />
==Security in the Controller==<br />
<br />
===Roles===<br />
<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Custom Action Mappings===<br />
<br />
It is possible to implement far more complex security models if you extend the action mappings.<br />
<br />
<pre>TODO: Lots more detail here.</pre><br />
<br />
===Error Handling===<br />
<br />
<pre>TODO: Put some info here</pre><br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts_Validation_in_validator.xml_using_an_ActionForm&diff=24635Struts Validation in validator.xml using an ActionForm2008-01-23T19:57:54Z<p>Jeffcityjon: New page: * Integration with commons validator * A bit awkward, but it gets the job done. * struts-config.xml <pre> <struts-config> <form-beans> <form-bean name="logonForm" typ...</p>
<hr />
<div>* Integration with commons validator<br />
* A bit awkward, but it gets the job done.<br />
<br />
<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/technology/WEB-INF/validator-rules.xml, /WEB-INF/validation.xml"/><br />
</plug-in><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
return new ActionErrors();<br />
}<br />
<br />
}<br />
</pre><br />
<br />
* validation.xml <br />
<br />
<pre><br />
<form-validation><br />
<formset><br />
<form name="logonForm"><br />
<field property="userId" depends="required"><br />
<arg0 key="prompt.userId"/><br />
</field><br />
<field property="password" depends="required"><br />
<arg0 key="prompt.password"/><br />
</field><br />
</form><br />
</formset><br />
</form-validation><br />
</pre><br />
<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts_Validation_in_an_ActionForm&diff=24634Struts Validation in an ActionForm2008-01-23T19:56:26Z<p>Jeffcityjon: New page: * struts-config.xml <pre> <struts-config> <form-beans> <form-bean name="logonForm" type="net.jcj.LogonForm"/> </form-beans> <action-mappings> ...</p>
<hr />
<div>* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getUserId() == null || getUserId().length() < 1 ) {<br />
errors.add("userId",new ActionMessage("error.userid.required"));<br />
}<br />
if( getPassword() == null || getPassword().length() < 1 ) {<br />
errors.add("password",new ActionMessage("error.password.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24633Struts2008-01-23T19:54:42Z<p>Jeffcityjon: /* Examples */</p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
====Examples====<br />
<br />
[[Struts Validation in an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24632Struts2008-01-23T19:54:26Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
====Examples====<br />
[[Struts Validation in an ActionForm]]<br />
[[Struts Validation in validator.xml using an ActionForm]]<br />
[[Struts Validation in validator.xml using a DynaValidatorForm]]<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24631Struts2008-01-23T19:35:18Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
==Common errors and vulnerabilities==<br />
<br />
[[Struts: Form Field Without Validator|Form Field Without Validator]]<br />
<br />
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]<br />
<br />
[[Struts: Unused Validation Form|Unused Validation Form]]<br />
<br />
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]<br />
<br />
[[Struts: Validator Turned Off|Validator Turned Off]]<br />
<br />
[[Struts: Validator Without Form Field|Validator Without Form Field]]<br />
<br />
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]<br />
<br />
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]<br />
<br />
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]<br />
<br />
==Auditing Tools==<br />
<br />
[[Struts XSLT Viewer]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24630Struts2008-01-23T19:25:23Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
[[Struts: Form Field Without Validator]]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24629Struts2008-01-23T19:23:59Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
[Form Field Without Validator]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24628Struts2008-01-23T19:23:43Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
[Struts: Form Field Without Validator]<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24627Struts2008-01-23T19:23:25Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
==Known Vulnerabilities==<br />
<br />
[Struts: Form Field Without Validator]<br />
<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24626Struts2008-01-23T15:50:54Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
===Validation===<br />
<br />
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...<br />
<br />
* A validator-rules.xml file in the WEB-INF folder.<br />
* A validator.xml in the WEB-INF folder.<br />
* All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.<br />
* The commons-validator.jar in WEB-INF. This can be obtained [http://commons.apache.org/validator/ here].<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
<br />
[[Category:OWASP Java Project]]<br />
[[Category:Struts]]<br />
[[Category:Java]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24625Struts2008-01-23T15:37:52Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project Struts] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==<br />
<br />
<br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24624Struts2008-01-23T15:36:05Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[https://www.owasp.org/index.php/Category:OWASP_Java_Project [Struts]] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24623Struts2008-01-23T15:30:38Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalized. First draft'''<br />
<br />
==Overview==<br />
[[Struts]] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].<br />
<br />
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.<br />
<br />
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].<br />
<br />
==Security in the Model==<br />
<br />
==Security in the View==<br />
<br />
==Security in the Controller==</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24492Struts2008-01-15T05:36:28Z<p>Jeffcityjon: /* Validation framework */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getUserId() == null || getUserId().length() < 1 ) {<br />
errors.add("userId",new ActionMessage("error.userid.required"));<br />
}<br />
if( getPassword() == null || getPassword().length() < 1 ) {<br />
errors.add("password",new ActionMessage("error.password.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
===Validation framework===<br />
* Integration with commons validator<br />
* A bit awkward, but it gets the job done.<br />
<br />
<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/technology/WEB-INF/validator-rules.xml, /WEB-INF/validation.xml"/><br />
</plug-in><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
return new ActionErrors();<br />
}<br />
<br />
}<br />
</pre><br />
<br />
* validation.xml <br />
<br />
<pre><br />
<form-validation><br />
<formset><br />
<form name="logonForm"><br />
<field property="userId" depends="required"><br />
<arg0 key="prompt.userId"/><br />
</field><br />
<field property="password" depends="required"><br />
<arg0 key="prompt.password"/><br />
</field><br />
</form><br />
</formset><br />
</form-validation><br />
</pre><br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24491Struts2008-01-15T05:33:43Z<p>Jeffcityjon: /* Validation framework */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getUserId() == null || getUserId().length() < 1 ) {<br />
errors.add("userId",new ActionMessage("error.userid.required"));<br />
}<br />
if( getPassword() == null || getPassword().length() < 1 ) {<br />
errors.add("password",new ActionMessage("error.password.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
===Validation framework===<br />
* Integration with commons validator<br />
* A bit awkward, but it gets the job done.<br />
<br />
<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
<plug-in className="org.apache.struts.validator.ValidatorPlugIn"><br />
<set-property property="pathnames" value="/technology/WEB-INF/validator-rules.xml, /WEB-INF/validation.xml"/><br />
</plug-in><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
return new ActionErrors();<br />
}<br />
<br />
}<br />
</pre><br />
<br />
*<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24490Struts2008-01-15T05:30:32Z<p>Jeffcityjon: /* Validation */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getUserId() == null || getUserId().length() < 1 ) {<br />
errors.add("userId",new ActionMessage("error.userid.required"));<br />
}<br />
if( getPassword() == null || getPassword().length() < 1 ) {<br />
errors.add("password",new ActionMessage("error.password.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
===Validation framework===<br />
* Integration with commons validator<br />
* A bit awkward, but it gets the job done.<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24489Struts2008-01-15T05:24:12Z<p>Jeffcityjon: /* Validation in the ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package net.jcj;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
import org.apache.struts.action.*;<br />
<br />
public class LogonForm extends ActionForm<br />
{<br />
private String userId = null;<br />
private String password = null;<br />
<br />
public void setUserId (String userId){<br />
this.userId = userId ;<br />
}<br />
<br />
public String getUserId(){<br />
return this.userId ;<br />
}<br />
<br />
public void setPassword (String password){<br />
this.password = password;<br />
}<br />
<br />
public String getPassword(){<br />
return this.password;<br />
}<br />
<br />
/**<br />
* Resets all properties to their default values.<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.userId = null;<br />
this.password = null;<br />
}<br />
<br />
/**<br />
* Validates the form. Returns a list of action<br />
* Of course in a production environment, your rules would be far more strict than this.<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getUserId() == null || getUserId().length() < 1 ) {<br />
errors.add("userId",new ActionMessage("error.userid.required"));<br />
}<br />
if( getPassword() == null || getPassword().length() < 1 ) {<br />
errors.add("password",new ActionMessage("error.password.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24488Struts2008-01-15T05:18:49Z<p>Jeffcityjon: /* Validation in the ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
* net.jcj.LogonForm<br />
<pre><br />
package roseindia.net;<br />
<br />
import javax.servlet.http.HttpServletRequest;<br />
<br />
import org.apache.struts.action.*;<br />
<br />
<br />
/**<br />
* @author Deepak Kumar<br />
* @Web http://www.roseindia.net<br />
* @Email roseindia_net@yahoo.com<br />
*/<br />
<br />
/**<br />
* Form bean for the Address Entry Screen.<br />
*<br />
*/<br />
public class AddressForm extends ActionForm<br />
{<br />
private String name=null;<br />
private String address=null;<br />
private String emailAddress=null;<br />
<br />
public void setName(String name){<br />
this.name=name;<br />
}<br />
<br />
public String getName(){<br />
return this.name;<br />
}<br />
<br />
public void setAddress(String address){<br />
this.address=address;<br />
}<br />
<br />
public String getAddress(){<br />
return this.address;<br />
}<br />
<br />
<br />
public void setEmailAddress(String emailAddress){<br />
this.emailAddress=emailAddress;<br />
}<br />
<br />
public String getEmailAddress(){<br />
return this.emailAddress;<br />
}<br />
<br />
<br />
/**<br />
* Reset all properties to their default values.<br />
*<br />
* @param mapping The mapping used to select this instance<br />
* @param request The servlet request we are processing<br />
*/<br />
public void reset(ActionMapping mapping, HttpServletRequest request) {<br />
this.name=null;<br />
this.address=null;<br />
this.emailAddress=null;<br />
}<br />
<br />
/**<br />
* Reset all properties to their default values.<br />
*<br />
* @param mapping The mapping used to select this instance<br />
* @param request The servlet request we are processing<br />
* @return errors<br />
*/<br />
public ActionErrors validate( <br />
ActionMapping mapping, HttpServletRequest request ) {<br />
ActionErrors errors = new ActionErrors();<br />
<br />
if( getName() == null || getName().length() < 1 ) {<br />
errors.add("name",new ActionMessage("error.name.required"));<br />
}<br />
if( getAddress() == null || getAddress().length() < 1 ) {<br />
errors.add("address",new ActionMessage("error.address.required"));<br />
}<br />
if( getEmailAddress() == null || getEmailAddress().length() < 1 ) {<br />
errors.add("emailaddress",new ActionMessage("error.emailaddress.required"));<br />
}<br />
<br />
return errors;<br />
}<br />
<br />
}<br />
</pre><br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24487Struts2008-01-15T05:17:17Z<p>Jeffcityjon: /* Validation in the ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" <br />
scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24486Struts2008-01-15T05:16:43Z<p>Jeffcityjon: /* ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
=== ActionForm ===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
==== Validation in the ActionForm ====<br />
* struts-config.xml<br />
<pre><br />
<struts-config><br />
<form-beans><br />
<form-bean name="logonForm" type="net.jcj.LogonForm"/><br />
</form-beans><br />
<action-mappings><br />
<action path="/Logon" forward="/pages/Logon.jsp"/><br />
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" scope="request" validate="true" input="/pages/Logon.jsp"><br />
<forward name="success" path="/pages/Welcome.jsp"/><br />
<forward name="failure" path="/pages/Logon.jsp"/><br />
</action><br />
</action-mappings><br />
<message-resources parameter="resources.application"/><br />
</struts-config><br />
</pre><br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24485Struts2008-01-15T04:59:48Z<p>Jeffcityjon: /* ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
* The ActionForm is much like a java bean. <br />
* There is at least one action for each action that contains post data.<br />
* It defines the fields that are passed to the action. <br />
* It has pointers to or contains the validation that occurs before control makes it to the action. <br />
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24484Struts2008-01-15T04:56:11Z<p>Jeffcityjon: /* ActionForm */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
The ActionForm is much like a java bean. This bean defines the fields that are passed to the action. It also has pointers to or contains the validation that occurs before control makes it to the action. It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24483Struts2008-01-15T04:52:22Z<p>Jeffcityjon: </p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
<br />
===Extending action mappings===<br />
If you extend the action mappings, you will be able to satisfy much more complicated security schemes. <br />
<br />
<pre><br />
<br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjonhttps://wiki.owasp.org/index.php?title=Struts&diff=24482Struts2008-01-15T04:50:52Z<p>Jeffcityjon: /* Roles */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
<br />
<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. <br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
[[Category:OWASP Java Project]]</div>Jeffcityjon