Struts 1.2 ActionForms & isTokenValid CSRF - java

I have an issue currently that the validate method of the actionform happens before the execute method of the action.
The reason this is an issue is that a user can submit their own request and should they have all required fields completed the validate passes and using the isTokenValid(request) method I can see that the request is invalid. and forward them to an "access denied" page. However if they do not complete all required fields in their forged request the validate method returns errors and they are forwarded to the actual page(.jsp) with error messages displayed.
Any idea how to prevent this?

To implement CSRF prevention in Struts1 using using tokens you should not allow direct access to your JSP pages.
A user should get to your forms through Struts Actions and the action will call saveToken(request) before they are forwarded to the form in the JSP page.
Where you usually forward directly to a JSP you can change to forward to an action that inherits from ActionForward. Within the execute it can then forward by calling parent ActionForward execute method. You could also implement additional logic restrictions in your new action class.
This answer to Struts CSRF question on separate thread may also be useful:
https://stackoverflow.com/a/5339391/6136697

Related

Displaying Error Messages from a Web Service Call to JSP

I am calling a web service to validate an email address. In case of an invalid email address this service returns messages and I need to display them in a JSP. I am using Jersey with Struts2 and I have a form which submits to an action which takes care of this logic at the back end. I am not using a servlet to get the messages from the HttpServletRequest object.
I get a list of messages and I need to display the error message text on the screen but I am not sure how to do it. On click I get the form id which goes to the back end using struts2 action.
Thanks...
I'd strongly recommend using the Struts2 validation interceptor. The documentation is very straight forward and it's very robust.
https://struts.apache.org/docs/basic-validation.html
https://struts.apache.org/docs/email-validator.html
You simply need to call the interceptor stack in your action in struts.xml, then specify what validations you want. You can then display your error on the JSP should the validation fail.
You can either use the default validators provided by the XML validation or set your own by creating a validate method in the action class that is called by the stack, or both.
http://www.simplecodestuffs.com/struts-2-fielderror-example/
Here is an example for you to work with.

How to redirect all new user requests to front page in Spring MVC?

I want to secure (temporarily) my application by create front page with captcha and simple form. I suppose Spring Security is too complicated for this task. How can I catch all requests and check if some attribute in session is set? If it is set then all these #RequestMapping methods should be executed, otherwise redirect to one front page.
Have a handler interceptor defined and applied to all the handlers. The example in that link shows you also how to perform the redirect. Also check the mvc:interceptors for the Spring 3 - like configuration.
You can simply configure a Filter for this

Spring-MVC: How can I display errors while using an AbstractCommandController?

I have ajax requests that come into my controller and my validation is working great. In the controller I call a failure jsp page if there is a failure. The only problem is that I have no idea how I can output the errors to the user on the failure.jsp page. I don't have access to the form tags of spring obviously. What should you do in this scenario?
Edit: All I really want to know is how I can access the binding errors on a JSP page when I'm using an AbstractCommandController.
What I've done in the past is use HTTP headers to send back messages to the AJAX requester (the XMLHTTPRequest object). You will not get a full binding and validation support this way, but it's a simple way to pass messages.
Another option that will give you the full power of Spring binding and validation is as follows. I'm assuming you're submitting a form via AJAX. You could do the standard spring binding and validation, and in the case of an error, send back and replace the form with the exception messages next to the problem input. This way you can leverage the full power of Spring binding and validation while getting the AJAX goodness that you want. This would require you to separate your form into a separate JSP page, so you could just return that form on AJAX submission and error.
In response the comment
My issue is just how to access the
BindingErrors from a JSP if I'm using
an AbstractCommandController. Ajax
isn't really that important in the
equation. I just didn't want to use a
formController because it didn't make
sense.
I think you can simply set a variable in your model like this:
ModelAndView.addObject(this.getCommandName(), errors)
This would be done in AbstractCommandController's
protected abstract ModelAndView handle(
HttpServletRequest request,
HttpServletResponse response,
Object command,
BindException errors)
throws Exception
method. Be sure the name of the model attribute is the name of your command (set in the setCommandName method).
This is untested and from memory.
You can check the BindException object for errors (and also catch and handle exceptions), and return information about them in your Ajax response. If you're using JSON, you could pair a list of error information with an "errors" key. The front-end would then need to check for and display these errors.

JSF Servlet Arch Help needed

i want a mechanism in my web app as described below:
user will enter mydomain.com/CompanyName , depending upon the CompanyNameit will show its logo and its customized page, and i will take that parsed parameter in session again upon each request i will compare the parsed CompanyName and one stored in session , and if they matched then application will show the requested page with user's data.else it will be redirected to login page.
and the main thing is i want this thing in JSF arch.
i tried taking a servlet that will resolve all request and it will parse and then will dispatch the request to prefered servlet,but problem is it goes in loop as again it resolves to the same controller servlet,
You can do this via a phase listener. You can define a global one in faces-config.xml (or using annotations, if JSF 2.0 is used)
<lifecycle>
<phase-listener>com.yourcompany.CompanyPhaseListener</phase-listener>
</lifecycle>
There you have access to the FacesContext, from which you can obtain the current request URI. Parse it and store the appropriate attributes in the request, which you can later read on your pages.
The phase listener is executed on the specified phase(s), and perhaps you should choose RENDER_RESPONSE
For affecting the way your URLs appear in the browser, check PrettyFaces.
i tried taking a servlet that will resolve all request and it will parse and then will dispatch the request to prefered servlet,but problem is it goes in loop as again it resolves to the same controller servlet,
Use a Filter instead. It by default doesn't listen on forwarded requests, so you won't get an infinite loop on forwarding.

How to get a Struts form bean in an Action class using AJAX

I'm currently developing with Struts 1 a web application. I've recently started to use AJAX technology and I'm stuck with something.
I call an action method (via AJAX) to validate my form but no values are changed in the form bean when it gets to the action method. I suppose this is because calling the action via AJAX doesn't submit the form to the action method. Am I right? I've tried to send form values as a JSON object, but I can't parse it in the action class because; as far as I know, I need an external library to do so and, unfortunately, company policies doesn't allow me to use external libraries. Is there any other way to send the form?
Thanks in advance,
Carlos
Yes, you are correct. All that's happening with AJAX is a request is being sent to a particular URL, not a form submission.
The easiest way to deal with this is to add the fields you want validated as parameters in the URL then simply pull them off the HTTP request in the server (can't remember how easy that is with Struts).
I think this will do for you.
request = $.ajax({
url :'/your_action.do',
type :'post',
cache:false,
data :$("#formId").serialize()
});
the data field will send the required actionForm attributes.

Categories