struts-user mailing list archives

From Bobby Mitch <>
Subject Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
Date Wed, 10 Sep 2008 21:01:14 GMT
Applying the workaround with Struts and XWork 2.0.4, and modifying struts.xml by
adding the interceptor-ref tag, does not work:

22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
java.lang.IllegalArgumentException: URI scheme is not "file"
    at<init>(Unknown Source)
    at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(
    at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(

I guess it is game over until a new working release comes out ...

--- On Wed, 9/10/08, Struts Two <> wrote:
From: Struts Two <>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <>
Date: Wednesday, September 10, 2008, 9:09 AM

I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
still remains an issue for Struts (for Websphere users). See the email

----- Original Message ----
From: Rene Gielen <>
To: Struts Users Mailing List <>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts General Availability Release with Important
Security Fix
Apache Struts 2.0.11.2 is now available from

This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at

There are two known issues with this release:

1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.

Possible Workarounds:
- use annotation based validation definition instead of XML based
- stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  <interceptor-ref name="params">

2. the filtering mechanism implemented in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.

Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  <interceptor-ref name="params">

Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.

* All developers are advised to either update Struts 2 applications to
Struts or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.

For the complete release notes for Struts, see

- The Apache Struts Team.
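
The workaround in the quoted announcement depends on every params interceptor ref in struts.xml carrying an exclude rule. As an added example (not part of this thread and not Struts project code), the Python check below flags params refs whose excludeParams rule is missing or does not reject parameter names containing a backslash. The sample struts.xml, its patterns and the probe names are constructed, and Python's re module is assumed to approximate the Java regex matching XWork applies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample struts.xml; patterns are illustrative, not the announcement's rule.
SAMPLE_STRUTS_XML = r"""
<struts>
  <package name="demo" extends="struts-default">
    <action name="guarded" class="example.GuardedAction">
      <interceptor-ref name="params">
        <param name="excludeParams">dojo\..*,.*\\.*</param>
      </interceptor-ref>
    </action>
    <action name="partial" class="example.PartialAction">
      <interceptor-ref name="params">
        <param name="excludeParams">dojo\..*</param>
      </interceptor-ref>
    </action>
    <action name="open" class="example.OpenAction">
      <interceptor-ref name="params"/>
    </action>
  </package>
</struts>
"""

# Constructed parameter names that contain a backslash.
PROBES = ["user\\name", "a\\u0041b", "\\"]

def excludes_backslash(exclude_params):
    """True if every probe fully matches one of the comma-separated patterns
    (assumption: re.fullmatch approximates the Java full match per pattern)."""
    patterns = [re.compile(p.strip()) for p in exclude_params.split(",") if p.strip()]
    return all(any(p.fullmatch(name) for p in patterns) for name in PROBES)

def audit(struts_xml):
    """Return {action name: verdict} for each action with a direct params ref."""
    findings = {}
    for action in ET.fromstring(struts_xml).iter("action"):
        for ref in action.findall("interceptor-ref[@name='params']"):
            node = ref.find("param[@name='excludeParams']")
            if node is None:
                verdict = "no excludeParams rule"
            elif excludes_backslash(node.text or ""):
                verdict = "ok"
            else:
                verdict = "rule misses backslash"
            findings[action.get("name")] = verdict
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_STRUTS_XML))
```

Actions that pick up params only through an interceptor stack are not inspected by this check and need a separate review.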
