This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Struts"

From OWASP
Jump to: navigation, search
(Validation in the ActionForm)
m (Validation in the ActionForm)
Line 40: Line 40:
 
* net.jcj.LogonForm
 
* net.jcj.LogonForm
 
<pre>
 
<pre>
package roseindia.net;
+
package net.jcj;
  
 
import javax.servlet.http.HttpServletRequest;
 
import javax.servlet.http.HttpServletRequest;
 
 
import org.apache.struts.action.*;
 
import org.apache.struts.action.*;
  
 
+
public class LogonForm extends ActionForm
/**
 
* @author Deepak Kumar
 
* @Web http://www.roseindia.net
 
 
*/
 
 
 
/**
 
* Form bean for the Address Entry Screen.
 
*
 
*/
 
public class AddressForm extends ActionForm
 
 
{
 
{
   private String name=null;
+
   private String userId = null;
   private String address=null;
+
   private String password = null;
  private String emailAddress=null;
 
 
 
  public void setName(String name){
 
    this.name=name;
 
  }
 
  
   public String getName(){
+
   public void setUserId (String userId){
     return this.name;
+
     this.userId = userId ;
 
   }
 
   }
  
   public void setAddress(String address){
+
   public String getUserId(){
     this.address=address;
+
     return this.userId ;
 
   }
 
   }
  
   public String getAddress(){
+
   public void setPassword (String password){
     return this.address;
+
     this.password = password;
 
   }
 
   }
  
 
+
   public String getPassword(){
   public void setEmailAddress(String emailAddress){
+
     return this.password;
     this.emailAddress=emailAddress;
 
 
   }
 
   }
 
  public String getEmailAddress(){
 
    return this.emailAddress;
 
  }
 
 
  
 
     /**
 
     /**
     * Reset all properties to their default values.
+
     * Resets all properties to their default values.
    *
 
    * @param mapping The mapping used to select this instance
 
    * @param request The servlet request we are processing
 
 
     */
 
     */
 
     public void reset(ActionMapping mapping, HttpServletRequest request) {
 
     public void reset(ActionMapping mapping, HttpServletRequest request) {
    this.name=null;
+
      this.userId = null;
    this.address=null;
+
      this.password = null;
    this.emailAddress=null;
 
 
     }
 
     }
  
 
     /**
 
     /**
     * Reset all properties to their default values.
+
     * Validates the form. Returns a list of action
     *
+
     * Of course in a production environment, your rules would be far more strict than this.
    * @param mapping The mapping used to select this instance
 
    * @param request The servlet request we are processing
 
  * @return errors
 
 
     */
 
     */
 
   public ActionErrors validate(  
 
   public ActionErrors validate(  
Line 112: Line 82:
 
       ActionErrors errors = new ActionErrors();
 
       ActionErrors errors = new ActionErrors();
 
        
 
        
       if( getName() == null || getName().length() < 1 ) {
+
       if( getUserId() == null || getUserId().length() < 1 ) {
         errors.add("name",new ActionMessage("error.name.required"));
+
         errors.add("userId",new ActionMessage("error.userid.required"));
      }
 
      if( getAddress() == null || getAddress().length() < 1 ) {
 
        errors.add("address",new ActionMessage("error.address.required"));
 
 
       }
 
       }
       if( getEmailAddress() == null || getEmailAddress().length() < 1 ) {
+
       if( getPassword() == null || getPassword().length() < 1 ) {
         errors.add("emailaddress",new ActionMessage("error.emailaddress.required"));
+
         errors.add("password",new ActionMessage("error.password.required"));
 
       }
 
       }
  

Revision as of 05:24, 15 January 2008

Status

Content to be finalised. First draft


Introduction

This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.

Architecture

The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.

Components

Action

  • No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.

ActionForm

  • The ActionForm is much like a java bean.
  • There is at least one action for each action that contains post data.
  • It defines the fields that are passed to the action.
  • It has pointers to or contains the validation that occurs before control makes it to the action.
  • It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.

Validation in the ActionForm

  • struts-config.xml
    <struts-config>
        <form-beans>
            <form-bean name="logonForm" type="net.jcj.LogonForm"/>
        </form-beans>
        <action-mappings>
            <action path="/Logon" forward="/pages/Logon.jsp"/>
            <action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm" 
               scope="request" validate="true" input="/pages/Logon.jsp">
                <forward name="success" path="/pages/Welcome.jsp"/>
                <forward name="failure" path="/pages/Logon.jsp"/>
            </action>
        </action-mappings>
        <message-resources parameter="resources.application"/>
    </struts-config>
  • net.jcj.LogonForm
package net.jcj;

import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.*;

public class LogonForm extends ActionForm
{
  private String userId = null;
  private String password = null;

  public void setUserId (String userId){
    this.userId = userId ;
  }

  public String getUserId(){
    return this.userId ;
  }

  public void setPassword (String password){
    this.password = password;
  }

  public String getPassword(){
    return this.password;
  }

    /**
     * Resets all properties to their default values.
     */
    public void reset(ActionMapping mapping, HttpServletRequest request) {
      this.userId = null;
      this.password = null;
    }

    /**
     * Validates the form.  Returns a list of action
     * Of course in a production environment, your rules would be far more strict than this.
     */
  public ActionErrors validate( 
      ActionMapping mapping, HttpServletRequest request ) {
      ActionErrors errors = new ActionErrors();
      
      if( getUserId() == null || getUserId().length() < 1 ) {
        errors.add("userId",new ActionMessage("error.userid.required"));
      }
      if( getPassword() == null || getPassword().length() < 1 ) {
        errors.add("password",new ActionMessage("error.password.required"));
      }

      return errors;
  }

}

Validation

  • Integration with commons validator

Configuration

Security

Roles

In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box.

<action
     roles="administrator,contributor"
     path="/article/Edit"
     parameter="org.article.FindByArticle"
     name="articleForm"  
     scope="request">
       <forward
             name="success"
             path="article.jsp"/>
</action>

Extending action mappings

If you extend the action mappings, you will be able to satisfy much more complicated security schemes.