This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Struts"
Jeffcityjon (talk | contribs) (→ActionForm) |
Jeffcityjon (talk | contribs) (→Validation in the ActionForm) |
||
| Line 29: | Line 29: | ||
<action-mappings> | <action-mappings> | ||
<action path="/Logon" forward="/pages/Logon.jsp"/> | <action path="/Logon" forward="/pages/Logon.jsp"/> | ||
| − | <action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" scope="request" validate="true" input="/pages/Logon.jsp"> | + | <action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" |
| + | scope="request" validate="true" input="/pages/Logon.jsp"> | ||
<forward name="success" path="/pages/Welcome.jsp"/> | <forward name="success" path="/pages/Welcome.jsp"/> | ||
<forward name="failure" path="/pages/Logon.jsp"/> | <forward name="failure" path="/pages/Logon.jsp"/> | ||
Revision as of 05:17, 15 January 2008
Status
Content to be finalised. First draft
Introduction
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.
Architecture
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.
Components
Action
- No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.
ActionForm
- The ActionForm is much like a java bean.
- There is at least one action for each action that contains post data.
- It defines the fields that are passed to the action.
- It has pointers to or contains the validation that occurs before control makes it to the action.
- It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.
Validation in the ActionForm
- struts-config.xml
<struts-config>
<form-beans>
<form-bean name="logonForm" type="net.jcj.LogonForm"/>
</form-beans>
<action-mappings>
<action path="/Logon" forward="/pages/Logon.jsp"/>
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm"
scope="request" validate="true" input="/pages/Logon.jsp">
<forward name="success" path="/pages/Welcome.jsp"/>
<forward name="failure" path="/pages/Logon.jsp"/>
</action>
</action-mappings>
<message-resources parameter="resources.application"/>
</struts-config>
Validation
- Integration with commons validator
Configuration
Security
Roles
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box.
<action
roles="administrator,contributor"
path="/article/Edit"
parameter="org.article.FindByArticle"
name="articleForm"
scope="request">
<forward
name="success"
path="article.jsp"/>
</action>
Extending action mappings
If you extend the action mappings, you will be able to satisfy much more complicated security schemes.
