struts-user mailing list archives

From Yasser Zamani <yasserzam...@apache.org>
Subject Re: Struts2 login action class seems to be reused
Date Sat, 03 Mar 2018 10:14:19 GMT


On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
> I was able to replicate the issue today. Asked a few users to keep logging in and ran JMeter
> to access the login page, without putting in any username or password. Out of the 100 attempts, 2
> attempts were successful in getting in without a username/password. I am seeing database login entries
> for these two. Which would happen only if a valid session is not present and the user has provided
> a username/password.

Shouldn't the login page always be accessible? How do you try to access
the login page, calling the JSP directly? Or the action? How do you authenticate
that access attempt, via session values? Via request parameters and querying
the database?

> Not sure if the behavior is a side effect of having the below lines.
> 
>             request.setAttribute("struts.actionMapping", new ActionMapping());
>             request.setAttribute("struts.valueStack", null);

Not these lines, but I guess you may also be removing more things from the
forwarded request (e.g. the session). Could you please print
request.toString before these lines to see what type it is? Could you
serialize the request to XML to see all the values stored in that request?
Anyway, like you, I also think this issue is caused by forwarding the
request from Struts1 to Struts2.

Regards.
