struts-user mailing list archives

From Prasanth <dbad...@pangburngroup.com>
Subject Re: Struts2 login action class seems to be reused
Date Mon, 05 Mar 2018 16:18:10 GMT
Yes, the login page is accessible always. Direct jsp access is not allowed, it has to go through the actions. When a user requests /Login.action the login jsp page is displayed. When the user submits username and password (Post to Login.action) the user is authenticated and the home page is displayed by Login.action. Since the same action handles both displaying the login page and validating, if the values are already present (username, password, value of the button clicked) the action will authenticate the user and display the home page; as it does this it will make a database entry saying xyz user has logged in.

Actual Setup:
Application 1: /context1   --- User can login here and they will be forwarded to context2. This application uses struts 2.5.14
Application 2: /context2   --- User can login directly in /context2 (in which case no forwarding). This application uses struts 2.3.34 for login and other actions. There are a few actions in struts1 also.

For replicating the issue I was directly accessing /context2/Login.action. So /context1 was not used in testing. But the Login filter had the below lines to make sure forwarded requests from /context1 would work.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

The request object type is io.undertow.servlet.spec.HttpServletRequestImpl

Thanks,
Prasanth


On 03/03/2018 04:14 AM, Yasser Zamani wrote:
> On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access the login page, without putting any username or password. Out of the 100 attempts 2 attempts were successful in getting in without username/password. I am seeing database login entries for these two, which would happen only if a valid session is not present and the user has provided username/password.
> Shouldn't the login page be accessible always? How do you try to access
> the login page, calling directly to jsp? Or action? How do you authenticate
> that access try, via session values? Via request parameters and querying
> database?
>
>> Not sure if the behavior is a side effect of having the below lines.
>>
>>             request.setAttribute("struts.actionMapping", new ActionMapping());
>>             request.setAttribute("struts.valueStack", null);
> Not these lines but I guess you may also remove more things from
> the forwarded request (e.g. session). Could you please print
> request.toString before these lines to see what type it is? Could you
> serialize the request to an xml to see all values stored in that request?
> Anyway, like you, I also think this issue is because of forwarding the
> request from Struts1 to Struts2.
>
> Regards.


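As an added illustration (not code from this thread and not the poster's application), the plain-Java sketch below shows the symptom named in the subject line: when one action instance handles a credential POST and then a bare GET, the Struts2-style parameter population (only parameters present in the request are set) leaves the earlier credentials in the fields, so the bare request authenticates and writes an audit row, while a fresh instance per request (Struts2's default) only shows the form. The LoginAction class, credentialPost and the user store are constructed for the demo; that instance reuse is the actual cause in the poster's setup is an assumption, not something the thread establishes.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
public class LoginActionReuseDemo {
    /** Mimics a Struts2 action: the parameters interceptor sets only the fields whose request
     *  parameters are present, so fields left unset keep whatever value they already hold. */
    static class LoginAction {
        String username, password, loginButton;
        final List<String> auditLog; // stands in for the "xyz user has logged in" database entry
        LoginAction(List<String> auditLog) { this.auditLog = auditLog; }
        void populate(Map<String, String> params) {
            if (params.containsKey("username")) username = params.get("username");
            if (params.containsKey("password")) password = params.get("password");
            if (params.containsKey("loginButton")) loginButton = params.get("loginButton");
        }
        /** One action both renders the form (no credentials) and authenticates (credentials present). */
        String execute() {
            if (username == null || password == null || loginButton == null) return "login_form";
            if (!authenticate(username, password)) return "login_form";
            auditLog.add(username + " logged in");
            return "home";
        }
    }
    static final Map<String, String> USERS = Map.of("xyz", "s3cret"); // constructed demo user store
    static boolean authenticate(String u, String p) { return p.equals(USERS.get(u)); }
    static Map<String, String> credentialPost() { // constructed POST to Login.action
        Map<String, String> m = new HashMap<>();
        m.put("username", "xyz"); m.put("password", "s3cret"); m.put("loginButton", "Login");
        return m;
    }
    /** Shared instance: a later parameter-less GET inherits the earlier POST's field values. */
    static String sharedInstance(List<String> audit) {
        LoginAction shared = new LoginAction(audit);
        shared.populate(credentialPost()); shared.execute();
        shared.populate(Map.of());  // bare /Login.action from a different client, no parameters
        return shared.execute();    // "home": a second audit row although no credentials were sent
    }
    /** Fresh instance per request (Struts2's default): the bare request only sees the form. */
    static String perRequestInstance(List<String> audit) {
        LoginAction first = new LoginAction(audit); first.populate(credentialPost()); first.execute();
        LoginAction fresh = new LoginAction(audit);
        fresh.populate(Map.of());
        return fresh.execute();     // "login_form": only the first client's audit row exists
    }
    public static void main(String[] args) {
        List<String> audit = new ArrayList<>();
        System.out.println(sharedInstance(audit) + " " + audit + " / " + perRequestInstance(new ArrayList<>()));
    }
}
```

The check a defender would run against a real deployment is the same as in the thread: count audit rows for requests that carried no credentials, and confirm the action is not configured with a shared (singleton) scope.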