Struts2 folks,
The Intrinsic Security Working Group (ISWG) at OWASP (http://www.owasp.org) has
been researching what security countermeasures an application architect or
technical lead must plan for when creating a Struts2 application. The result of
this research is a document that we are look
ent: Tuesday, September 19, 2006 9:37 AM
Subject: Web Application Security -- Help needed
HI All..,
I am developing the Application in Struts+Hibernate, it is a Web
Application. I need to apply the security for this application like
--> If Session Timeout over that should redirect to Login pa
lease respond to "Struts Users Mailing List"
To: "Struts Users Mailing List"
cc:
Subject:Web Application Security -- Help needed
HI All..,
I am developing the Application in Struts+Hibernate, it is a Web
Application. I need to apply th
HI All..,
I am developing the Application in Struts+Hibernate, it is a Web Application. I
need to apply the security for this application like
--> If Session Timeout over that should redirect to Login page
--> After login if we copy the url and open it in new browser, that should
redirect to log
> >}
> >catch (Exception e) {
> > System.out.println("Error\n" + e);
> >}
> >
> >%>
> >
> >
> >On Tue, 8 Feb 2005 20:17:49 -0500, David G. Friedman
> ><[EMAIL PROTECTED]> wrote:
> >
> >
> >>Tim,
ion host/port/URL.
Regards,
David
-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 5:45 PM
To: Struts Users Mailing List
Subject: Re: Application Security
I managed to solve the first error by reordering the elements within
the server.xm
Original Message-
> From: Tim Christopher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 5:45 PM
> To: Struts Users Mailing List
> Subject: Re: Application Security
>
> I managed to solve the first error by reordering the elements within
> the s
, February 08, 2005 5:45 PM
To: Struts Users Mailing List
Subject: Re: Application Security
I managed to solve the first error by reordering the elements within
the server.xml file, however I'm now stuck with the following error
(which occurs when the server is started):
JDBCRealm[Catalina]: Exce
5 12:07:16 -0500, David G. Friedman
<[EMAIL PROTECTED]> wrote:
> Tim,
>
> Have you also updated your web.xml and Tomcat configurations?
>
> -Original Message-
> From: Tim Christopher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 12:05 PM
> T
Tim,
Have you also updated your web.xml and Tomcat configurations?
-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 12:05 PM
To: Struts Users Mailing List
Subject: Re: Application Security
Cheers for all your advice.
I've just
Cheers for all your advice.
I've just tried implementing the JDBCRealm, though unfortunately it
does not work. The Log4j error file contains the following:
http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
JAASRealm.java:269 Unexpected error
java.lang.SecurityException: Unable to loc
hould be pretty simple...
> -Original Message-
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Siggelkow
> Sent: Monday, February 07, 2005 10:02 PM
> To: user@struts.apache.org
> Subject: Re: Application Security
>
> Tim,
>
> The first problem of popul
The forms for container managed security don't have to be plain html - you
can configure in the web.xml custom "Logon" and "Logon Error" pages which
can be jsps, not just plain html. I have a custom tag on each of these pages
which writes the fact that a user has arrived at that page to log4j alon
Tim,
The first problem of populating a form bean with user data can be
handled by populating/creating a UserBean using techniques such as a
servlet filter. Alternatively, you can extend the RequestProcessor.
Other techniques that work, but are not as global in nature, are using a
base action. T
Hi,
I've recently discovered that it is not possible to map an action to
j_security_check. Given this situation how is it possible to populate
a form bean with user data, or create a log of any failed login
attempts (bad username / password) if the container takes control of
the entire login proc
What error... that looks like the normal startup messages of tomcat to
me.
Nathan
On Apr 18, 2004, at 6:15 AM, [EMAIL PROTECTED] wrote:
Hi All,
I have installed Tomcat server on my machine and tried to start it
using startup.bat I'm getting following error
C:\Tomcat\catalina\src\bin>st
Hi All,
I have installed Tomcat server on my machine and tried to start it using
startup.bat I'm getting following error
C:\Tomcat\catalina\src\bin>startup
Using CATALINA_BASE: C:\Tomcat\catalina\src
Using CATALINA_HOME: C:\Tomcat\catalina\src
Using CATALINA_TMPDIR: C:\Tomcat\catalin
tes may be added to the Action element in the StrutsConfig file, but
I'm not sure.
Please let me know your thoughts. Everyone else is also free to comment.
Regards,
Josh
-Original Message-
From: Joe Germuska [mailto:[EMAIL PROTECTED]
Sent: Friday, April 16, 2004 9:07 AM
To: Struts
t
> I'm not sure.
>
> Please let me know your thoughts. Everyone else is also free to comment.
>
> Regards,
>
> Josh
>
> -Original Message-
> From: Joe Germuska [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 16, 2004 9:07 AM
> To: Struts Users Maili
The way to configure this flexibly for each action would be to define
an extension of ActionMapping that was a bean with whatever config
properties you need (for instance, a role or list of roles permitted
to access the action.) Of course, since each path gets only one
ActionMapping, you may n
If your container supports servlet 2.3, use a filter. That's really the
best place for a check like that.
Jason
Josh Holtzman wrote:
Hello all,
I'm working on a Struts application that contains 2 modules.
Module 1 (default): a public website.
Module 2: a user and administrative logi
Josh Holtzman wrote:
Module 2 obviously needs to be secure. To secure Module 2 I intend to build
2 measures into take the following steps: a) Before any action is executed
check that the user is logged in by looking for a "User" object in the
session. b) check that all connections are via the htt
15, 2004 11:31 AM
To: Struts Users Mailing List
Subject: Re: Struts Application Security within the Controller Layer
>As a novice, but rapidly learning, Struts developer, I believe the logical
>place to put these checks is to subclass the RequestProcessor and override
>the processPreprocess() met
As a novice, but rapidly learning, Struts developer, I believe the logical
place to put these checks is to subclass the RequestProcessor and override
the processPreprocess() method with this logic?
I think your analysis is right on; it's not *wrong* to implement the
security with a base abstract a
Hello all,
I'm working on a Struts application that contains 2 modules.
Module 1 (default): a public website.
Module 2: a user and administrative login.
Module 2 obviously needs to be secure. To secure Module 2 I intend to build
2 measures into take the following steps: a) Before an
26 matches