struts-user mailing list archives

From Yasser Zamani
Subject Re: Struts2 login action class seems to be reused
Date Sat, 17 Mar 2018 13:00:07 GMT

On 3/16/2018 11:00 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is in LoginAction.

If (those log record insertions are only possible via the
LoginAction.execute method && their IP field values are different and
are consistent with the access log of that POST and GET request) then it
seems you're right! i.e. one specific object of LoginAction has executed
both requests, POST from User2 then GET from User1!!

To confirm this, could you please change your code as below:

                if(censusID == -1) {
                    message = "Invalid username/password specified";
                    result = "failed";
                } else {
                    com.xxxxx.xxxxx.model.Logger().loggedIn(censusID, remoteHost,

i.e. also log the identity hash code of the LoginAction object to see if
both records are inserted via the same action object.

Thanks in advance for your support!

> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala
>> We have a pretty standard struts.xml, just declaration of action and the class along with the results (tiles results). Nothing other than that.
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>  We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in access log, so those would be our problem occurrences.
>>  They actually correspond to a GET entry from a user.
>>  IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs
>>  around the same time, which shouldn't be the case.
>>  I'm almost sure Struts always asks the object factory to create the action
>>  on each request. It belongs to the object factory whether it creates a new
>>  object of that action or reuses a previous object of the action.
>>  So have you set any specific object factory via struts.xml?
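The diagnostic suggested in the message above, shown as an added stand-alone example (not code from the thread or from Struts): a plain-Java simulation comparing a new action per request with one shared action, logging the identity hash code on each call. `DemoLoginAction`, the `instanceId` counter, the user name and the IP addresses are hypothetical, constructed for illustration.

```java
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Supplier;

public class ActionReuseDemo {
    /** Hypothetical stand-in for an action that keeps per-request state in instance fields. */
    static class DemoLoginAction {
        private static final AtomicLong CREATED = new AtomicLong();
        // Assigned once per object; unlike identityHashCode it can never collide.
        private final long instanceId = CREATED.incrementAndGet();
        private String username;
        private String remoteHost;

        void setUsername(String u) { username = u; }
        void setRemoteHost(String h) { remoteHost = h; }

        String execute() {
            // The same object reports the same identity hash on every call.
            // Different hashes prove different objects; equal hashes are strong
            // (not absolute) evidence of reuse, so the counter is logged as well.
            return String.format("login user=%s ip=%s action@%08x instance#%d",
                    username, remoteHost, System.identityHashCode(this), instanceId);
        }
    }

    /** Simulates a POST carrying credentials, then a GET from another client carrying none. */
    static void run(String label, Supplier<DemoLoginAction> factory) {
        System.out.println(label);
        DemoLoginAction post = factory.get();
        post.setUsername("user2");              // constructed sample values
        post.setRemoteHost("198.51.100.20");
        System.out.println("  POST " + post.execute());

        DemoLoginAction get = factory.get();
        get.setRemoteHost("203.0.113.10");      // no username parameter on the GET
        System.out.println("  GET  " + get.execute());
    }

    public static void main(String[] args) {
        run("new action per request:", DemoLoginAction::new);
        DemoLoginAction shared = new DemoLoginAction();
        run("one shared action:", () -> shared);
    }
}
```

With one shared action the GET line shows user2 together with the second client's IP and the same identity hash as the POST, which is the pattern described in the quoted login records.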