This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Struts"

From OWASP
Jump to: navigation, search
(Validation framework)
Line 1: Line 1:
 
==Status==
 
==Status==
'''Content to be finalised.  First draft'''
+
'''Content to be finalized.  First draft'''
  
 +
==Overview==
 +
[[Struts]] is an [[Apache]] framework aimed at simplifying the creation of dynamic web applications in [[Java]].
  
==Introduction ==
+
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code.  These are know as a Model, View and Controller. The Model defines the structure of your data being processed.  The View defines everything that a end user can see.  The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.
 
  
==Architecture==
+
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the [http://struts.apache.org/ official website].
The framework provides its own web Controller  component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.
 
  
==Components==
+
==Security in the Model==
===Action===
 
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.
 
  
=== ActionForm ===
+
==Security in the View==
* The ActionForm is much like a java bean. 
 
* There is at least one action for each action that contains post data.
 
* It defines the fields that are passed to the action. 
 
* It has pointers to or contains the validation that occurs before control makes it to the action. 
 
* It is very important that you validate every field no matter how certain you may be about it's inability to cause problems.
 
  
==== Validation in the ActionForm ====
+
==Security in the Controller==
* struts-config.xml
 
<pre>
 
    <struts-config>
 
        <form-beans>
 
            <form-bean name="logonForm" type="net.jcj.LogonForm"/>
 
        </form-beans>
 
        <action-mappings>
 
            <action path="/Logon" forward="/pages/Logon.jsp"/>
 
            <action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm"
 
              scope="request" validate="true" input="/pages/Logon.jsp">
 
                <forward name="success" path="/pages/Welcome.jsp"/>
 
                <forward name="failure" path="/pages/Logon.jsp"/>
 
            </action>
 
        </action-mappings>
 
        <message-resources parameter="resources.application"/>
 
    </struts-config>
 
</pre>
 
* net.jcj.LogonForm
 
<pre>
 
package net.jcj;
 
 
 
import javax.servlet.http.HttpServletRequest;
 
import org.apache.struts.action.*;
 
 
 
public class LogonForm extends ActionForm
 
{
 
  private String userId = null;
 
  private String password = null;
 
 
 
  public void setUserId (String userId){
 
    this.userId = userId ;
 
  }
 
 
 
  public String getUserId(){
 
    return this.userId ;
 
  }
 
 
 
  public void setPassword (String password){
 
    this.password = password;
 
  }
 
 
 
  public String getPassword(){
 
    return this.password;
 
  }
 
 
 
    /**
 
    * Resets all properties to their default values.
 
    */
 
    public void reset(ActionMapping mapping, HttpServletRequest request) {
 
      this.userId = null;
 
      this.password = null;
 
    }
 
 
 
    /**
 
    * Validates the form.  Returns a list of action
 
    * Of course in a production environment, your rules would be far more strict than this.
 
    */
 
  public ActionErrors validate(
 
      ActionMapping mapping, HttpServletRequest request ) {
 
      ActionErrors errors = new ActionErrors();
 
     
 
      if( getUserId() == null || getUserId().length() < 1 ) {
 
        errors.add("userId",new ActionMessage("error.userid.required"));
 
      }
 
      if( getPassword() == null || getPassword().length() < 1 ) {
 
        errors.add("password",new ActionMessage("error.password.required"));
 
      }
 
 
 
      return errors;
 
  }
 
 
 
}
 
</pre>
 
 
 
===Validation framework===
 
* Integration with commons validator
 
* A bit awkward, but it gets the job done.
 
 
 
 
 
* struts-config.xml
 
<pre>
 
    <struts-config>
 
      <form-beans>
 
          <form-bean name="logonForm" type="net.jcj.LogonForm"/>
 
      </form-beans>
 
      <action-mappings>
 
          <action path="/Logon" forward="/pages/Logon.jsp"/>
 
          <action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm"
 
            scope="request" validate="true" input="/pages/Logon.jsp">
 
              <forward name="success" path="/pages/Welcome.jsp"/>
 
              <forward name="failure" path="/pages/Logon.jsp"/>
 
          </action>
 
      </action-mappings>
 
      <message-resources parameter="resources.application"/>
 
        <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
 
        <set-property property="pathnames" value="/technology/WEB-INF/validator-rules.xml, /WEB-INF/validation.xml"/>
 
      </plug-in>
 
    </struts-config>
 
</pre>
 
* net.jcj.LogonForm
 
<pre>
 
package net.jcj;
 
 
 
import javax.servlet.http.HttpServletRequest;
 
import org.apache.struts.action.*;
 
 
 
public class LogonForm extends ActionForm
 
{
 
  private String userId = null;
 
  private String password = null;
 
 
 
  public void setUserId (String userId){
 
    this.userId = userId ;
 
  }
 
 
 
  public String getUserId(){
 
    return this.userId ;
 
  }
 
 
 
  public void setPassword (String password){
 
    this.password = password;
 
  }
 
 
 
  public String getPassword(){
 
    return this.password;
 
  }
 
 
 
    /**
 
    * Resets all properties to their default values.
 
    */
 
    public void reset(ActionMapping mapping, HttpServletRequest request) {
 
      this.userId = null;
 
      this.password = null;
 
    }
 
 
 
    /**
 
    * Validates the form.  Returns a list of action
 
    * Of course in a production environment, your rules would be far more strict than this.
 
    */
 
  public ActionErrors validate(
 
      ActionMapping mapping, HttpServletRequest request ) {
 
      return new ActionErrors();
 
  }
 
 
 
}
 
</pre>
 
 
 
* validation.xml
 
 
 
<pre>
 
<form-validation>
 
  <formset>
 
    <form name="logonForm">
 
      <field property="userId" depends="required">
 
        <arg0 key="prompt.userId"/>
 
      </field>
 
      <field property="password" depends="required">
 
        <arg0 key="prompt.password"/>
 
      </field>
 
    </form>
 
  </formset>
 
</form-validation>
 
</pre>
 
 
 
==Configuration==
 
 
 
==Security==
 
===Roles===
 
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object.  This is pretty much all that you get out of the box. 
 
 
 
<pre>
 
<action
 
    roles="administrator,contributor"
 
    path="/article/Edit"
 
    parameter="org.article.FindByArticle"
 
    name="articleForm" 
 
    scope="request">
 
      <forward
 
            name="success"
 
            path="article.jsp"/>
 
</action>
 
</pre>
 
 
 
===Extending action mappings===
 
If you extend the action mappings, you will be able to satisfy much more complicated security schemes.
 
 
 
<pre>
 
 
 
</pre>
 
[[Category:OWASP Java Project]]
 

Revision as of 15:30, 23 January 2008

Status

Content to be finalized. First draft

Overview

Struts is an Apache framework aimed at simplifying the creation of dynamic web applications in Java.

Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.

I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the official website.

Security in the Model

Security in the View

Security in the Controller