struts-user mailing list archives

From "Nathan Hook" <hoo...@hotmail.com>
Subject Struts File Not Found (404) Behavior or Lack of...
Date Wed, 06 Jun 2007 16:15:54 GMT
I've run into a problem.

If a user either accidentally or maliciously enters an incorrect path that
has a Struts extension, the user will receive an Exception and a Stack Trace.

For example if we have the path www.xxx.com/login.do mapped like so...

<action path="/login"
        type="com.xxx.actions.LoginAction" >
   <forward name="success" path="/message.do" redirect="true" />
   <forward name="failure" path="/login_error.jsp" redirect="true" />
   <forward name="new_user" path="/new_user.do" redirect="true" />
   <forward name="user_not_active" path="/user_not_active.jsp" redirect="true" />
</action>

and the user types in www.xxx.com/login2.do they will receive an Exception 
with the following Stack Trace...

javax.servlet.ServletException: No action config found for the specified url.
	org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:286)
	org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
	org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	com.kf.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
	com.kf.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
	com.kf.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)

Root Cause

org.apache.struts.chain.commands.InvalidPathException: No action config found for the specified url.
	org.apache.struts.chain.commands.AbstractSelectAction.execute(AbstractSelectAction.java:71)
	org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
	org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
	org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:304)
	org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
	org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
	org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
	org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	com.xxx.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:44)
	com.xxx.servlet.TrackingFilter.doFilter(TrackingFilter.java:36)
	com.xxx.servlet.HibernateSessionFilter.doFilter(HibernateSessionFilter.java:34)


Instead of receiving a nice 404 File Not Found message, the user is shown an
Exception, in my mind making the company look bad.  Also, a
malicious user now knows our underlying technology, the flow of our
application, and specific class names.

Are there any configuration settings that we can set to make these exceptions
return a 404 page instead of an Exception?  Notice that this error fails WAY
before any of the <global-exceptions> are used.

As of right now I'm planning on extending the
org.apache.struts.action.ActionServlet class to check to see if we receive
an org.apache.struts.chain.commands.InvalidPathException and if so then show
a 404 page, but I'm not excited about extending super basic Struts behavior.

Does anyone have any thoughts on this subject and what do you think the
behavior of Struts should be in this case?  I do like the fail fast aspect
of what is happening, but there should be a more elegant way of handling the
Exception.

Looking forward to any and all responses.

Thank you for your time.
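
The check described in the message, written as a servlet filter rather than an ActionServlet subclass. This is an added example, not part of the original message and not Struts code; the class name UnknownActionFilter is hypothetical, and it assumes the exception reaches the filter chain wrapped in a ServletException, as in the stack trace above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not part of Struts): turns "no action config" failures into a 404. */
public class UnknownActionFilter implements Filter {

    // Class name copied from the "Root Cause" section of the stack trace in the message.
    private static final String INVALID_PATH =
            "org.apache.struts.chain.commands.InvalidPathException";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (ServletException e) {
            if (!isInvalidPath(e) || res.isCommitted()) {
                throw e; // unrelated failure, or too late to change the status line
            }
            res.reset(); // discard any partial output and headers
            // Assumes an HTTP request; no exception message or class name is sent.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /** Walks the cause chain looking for the Struts InvalidPathException by class name. */
    static boolean isInvalidPath(Throwable t) {
        for (int depth = 0; t != null && depth < 10; depth++) { // bounded against cycles
            if (INVALID_PATH.equals(t.getClass().getName())) {
                return true;
            }
            Throwable next = null;
            if (t instanceof ServletException) {
                next = ((ServletException) t).getRootCause(); // servlet-specific cause slot
            }
            t = (next != null) ? next : t.getCause();
        }
        return false;
    }
}
```

The filter would be declared in web.xml and mapped to the Struts extension (*.do in the message's example); the page returned for the 404 is then whatever the container or an error-page entry for error code 404 provides.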
