I have one login page, with a sign-in pop-up, which has username, password and a captcha. Each time when I try to post the form using ajax ( return value is json ), I will get an error like this:
com.opensymphony.xwork2.ognl.OgnlValueStack - Error setting expression 'struts.token.name' with value '[Ljava.lang.String;#53401791' ognl.OgnlException: source is null for getProperty(null, "token")
and
Form token B4KX7L4ER1FXK5BRJZJ19QTGG4EGRGME does not match the session token null
Login.jsp
<script>
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";
</script>
and inside body tag
<s:token/>
Signin.jsp (Popup for login)
<script>
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";
</script>
<script>
$(document).ready(function () {
// For making new captcha image
var df = "Captcha?token=" + strutsToken + "&struts.token.name=token";
$("#IMA").attr("src", df); // IMA is id of captcha image
$('#mini').click(function () { // mini is id of submit button
$.post('Auth', {
username: document.getElementById('username').value,
pass: document.getElementById('pass').value,
Captcha: document.getElementById('Captcha').value,
token: strutsToken,
'struts.token.name': "token"
}, function (jsonResponse) {
if (jsonResponse.res == "1") {
console.log('valid');
window.location = "campaign/campaign_dashboard.jsp";
}
else if (jsonResponse.res == "2") {
console.log('valid');
window.location = "Main.jsp";
} else {
$('#result').text(jsonResponse.res);
}
}, 'json');
});
});
</script>
Struts.xml
<interceptor-stack name="myStack">
<interceptor-ref name="authenticationInterceptor" > </interceptor-ref>
<interceptor-ref name="cachingHeadersInterceptor" />
<interceptor-ref name="fileUpload" >
</interceptor-ref>
<interceptor-ref name="token"></interceptor-ref>
<interceptor-ref name="params">
<param name="params.excludeParams">
token,dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*
</param>
</interceptor-ref>
<interceptor-ref name="defaultStack"/>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="myStack"/>
What is preventing the token to be correctly passed to the action ?
You need to exclude the token parameters from the ones intercepted by the Parameters Interceptor.
By default, the Parameters Interceptor already excludes them:
This interceptor can be forced to ignore parameters, by setting its excludeParams attribute. This attribute accepts a comma separated list of regular expressions. When any of these expressions match the name of a parameter, such parameter will be ignored by the interceptor. Interceptor stacks defined by Struts already exclude some parameters:
Default List of Parameters Excluded
dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,
^servlet(Request|Response)\..*,parameters\...*
By default, the ^struts\..* part of the regex will excldue struts.token and struts.token.name.
You have most likely overriden the default excluded parameters in your Parameters Interceptor, without extending the original excluded ones.
Then:
Manually add the exclusion for the token parameters:
<interceptor-ref name="params">
<param name="excludeParams">
myStuff\..*,struts.token,struts.token.name
</param>
</interceptor-ref>
or, much better, add your custom exclusion to the original list instead of replacing it:
<interceptor-ref name="params">
<param name="excludeParams">
myStuff\..*,dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,
^servlet(Request|Response)\..*,parameters\...*
</param>
</interceptor-ref>
EDIT
After you added the code, I can see some error:
remove myStuff\..*, I put it as a placeholder to your real customization, it's not needed;
put the whole regex in one line, I've splitted it only to improve readability of the answer;
You are setting the param exclusion on a Parameters Interceptor, then importing the whole defaultStack that itself contains another Parameters Interceptor. You should open the defaultStack tag and set the exclusion there (this however doesn't explain the problem because it means you are not overriding the default exclusion...).
Also the FileUpload Interceptor is already in the defaultStack, so you're running it twice.
Then try with:
<interceptor-stack name="myStack">
<interceptor-ref name="authenticationInterceptor" />
<interceptor-ref name="cachingHeadersInterceptor" />
<interceptor-ref name="token" />
<interceptor-ref name="defaultStack" />
</interceptor-stack>
If it doesn't work, try with:
<interceptor-stack name="myStack">
<interceptor-ref name="authenticationInterceptor" />
<interceptor-ref name="cachingHeadersInterceptor" />
<interceptor-ref name="token" />
<interceptor-ref name="defaultStack">
<param name="params.excludeParams">
token,dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*
</param>
</interceptor-ref>
</interceptor-stack>
Related
I have created an interceptor which I want to map to some particular methods in some action and I don't want to disturb the existing code:
struts.xml:
<package name="francis" namespace="/francis" extends="struts-default,json-default">
<interceptors>
<interceptor name="authentication" class="main.java.com.commdel.commons.struts2.interceptors.AuthenticationInterceptor"/>
<interceptor name="authorization" class="main.java.com.commdel.commons.struts2.interceptors.SecurityInterceptor"/>
The custom interceptor csrf:
<interceptor name="csrf" class="main.java.com.commdel.commons.struts2.interceptors.CsrfTokenInterceptor"/>
<interceptor-stack name="commonStack">
<interceptor-ref name="authentication"/>
<interceptor-ref name="authorization"/>
<interceptor-ref name="defaultStack"/>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="commonStack"/>
<global-results>
<result name="error" type="velocity">/results/velocity/common/globalerror.vm</result>
<result name="AUTHORIZATIONERROR" type="velocity">/results/velocity/common/sessionError.vm</result>
</global-results>
Mapping csrf to some action:
<action name="addUpdateClaimHeadMetronic" class="main.java.com.commdel.francis.struts2.actions.ClaimHeadAction" method="addUpdateClaimHead">
<interceptor-ref name="csrf"/>
</action>
</package>
You seem to think that the default Interceptor Stack applies to all actions, and that the eventual interceptor you're specifying for to the single actions are added to the default stack. They're not.
The default stack is the stack used for all the actions that does not specify any stack (or single interceptor, like in your case).
If you want to add an interceptor, then specify also the stack it should add to,
<action name="addUpdateClaimHeadMetronic"
class="main.java.com.commdel.francis.struts2.actions.ClaimHeadAction"
method="addUpdateClaimHead">
<interceptor-ref name="commonStack"/>
<interceptor-ref name="csrf"/>
</action>
or define a new stack and use it:
<interceptor-stack name="commonStack">
<interceptor-ref name="authentication"/>
<interceptor-ref name="authorization"/>
<interceptor-ref name="defaultStack"/>
</interceptor-stack>
<interceptor-stack name="csrfStack">
<interceptor-ref name="authentication"/>
<interceptor-ref name="authorization"/>
<interceptor-ref name="defaultStack"/>
<interceptor-ref name="csrf"/>
</interceptor-stack>
....
<default-interceptor-ref name="commonStack"/>
....
<action name="addUpdateClaimHeadMetronic"
class="main.java.com.commdel.francis.struts2.actions.ClaimHeadAction"
method="addUpdateClaimHead">
<interceptor-ref name="csrfStack"/>
</action>
Note that the first approach violates DRY if you have a lot of actions sharing the secondary interceptor stack configuration, and it can be used only if your Interceptor is good to be placed as first or as last. If you need it in the middle (eg. after param, but before workflow) you have to define a stack by exploding the defaultStack, copying it from struts-default.xml.
If you add a custom interceptor to the action configuration like
<action name="addUpdateClaimHeadMetronic" class="main.java.com.commdel.francis.struts2.actions.ClaimHeadAction" method="addUpdateClaimHead">
<interceptor-ref name="csrf"/>
</action>
then only csrf interceptor will be configured to this action mapping. Other interceptor's included in the commonStack will be omitted even if you use
<default-interceptor-ref name="commonStack"/>
Struts allows to override the action configuration which will not use the default-interceptor-ref, it you add a custom interceptor to the action mapping. By overriding the action configuration you can use a custom set of interceptors.
You might be missing some important interceptors from the defaultStack that drive the Struts2 framework if you forget to include all references of interceptors in the custom action mapping.
Note: interceptors in Struts2 add additional functionality to the action before or after the action is executed. But missing some important interceptors might break the action execution.
If you want to add a custom interceptor reference to the existed action, then you should add, along with your custom interceptor, a reference to the default stack in your action mapping before or after depends on your code.
<action name="addUpdateClaimHeadMetronic" class="main.java.com.commdel.francis.struts2.actions.ClaimHeadAction" method="addUpdateClaimHead">
<interceptor-ref name="csrf"/>
<interceptor-ref name="commonStack"/>
</action>
Note: interceptors are invoked by the order they are used in the xml configuration.
I need to do very basic file upload operation, but in my case setter methods are not called by file upload interceptor.
I have checked the solution of similar questions like this on stackoverflow but they didnot resolve my issue.
Please let me know what mistake i am doing in code.
Action class
public class ResultFileUploadAction extends ActionSupport {
private File upload;
private String uploadFileName;
private String uploadContentType;
private Logger logger = Logger.getRootLogger();
#Override
public String execute() throws Exception {
logger.info("ResultFileUploadAction->execute");
String destPath = "C:/work/";
try {
System.out.println("Src File name: " + upload);
System.out.println("Dst File name: " + uploadFileName);
File destFile = new File(destPath, uploadFileName);
FileUtils.copyFile(upload, destFile);
} catch (IOException e) {
e.printStackTrace();
return ERROR;
}
return super.execute();
}
public void setUpload(File upload) {
this.upload = upload;
}
public void setUploadContentType(String uploadContentType) {
this.uploadContentType = uploadContentType;
}
public void setUploadFileName(String uploadFileName) {
this.uploadFileName = uploadFileName;
}
}
Jsp file
<body>
<s:form action="upload" method="post" enctype="multipart/form-data">
<input type="file" name="upload" id="uploadfile" />
<input type="submit" id="submit" />
</s:form>
</body>
Struts.xml
<interceptors>
<interceptor name="fileupload"
class="org.apache.struts2.interceptor.FileUploadInterceptor"></interceptor>
<interceptor name="servletConfig"
class="org.apache.struts2.interceptor.ServletConfigInterceptor" />
<interceptor name="authenticationinterceptor"
class="interceptors.common.AuthenticationInterceptor"></interceptor>
<interceptor-stack name="securestack">
<interceptor-ref name="authenticationinterceptor"></interceptor-ref>
<interceptor-ref name="servletConfig"></interceptor-ref>
</interceptor-stack>
</interceptors>
<action name="upload" class="actions.result.ResultFileUploadAction"
method="execute">
<interceptor-ref name="securestack"></interceptor-ref>
<interceptor-ref name="fileupload"></interceptor-ref>
<result name="success" type="dispatcher">/AddResultBullk.jsp</result>
</action>
Since, setters are not called therefore i am getting NPE in execute().
As stated in the fileUpload interceptor docs:
It adds the following parameters, where [File Name] is the name given to the file uploaded by the HTML form. [fileName, contentType]
When mucking with interceptor stacks there are always two plans of attack:
Try a non-custom stack
Don't mess with the stack unless you know precisely why you're doing it, and what you're doing.
Also, actions that are configured to use almost no interceptors, as yours is, are almost always suspect, because they eliminate the bulk of framework functionality. Params in particular is key to essentially every form-based action.
When you want to implements a new interceptors, it is a good idea to add them to the default stack in front or back of the chain, i faced the same problem before when I am trying to add an interceptor for authentication and ended with the following practice, I will update your
code to mention my idea:
...
<interceptors>
<interceptor name="authenticationinterceptor" class="your.class.name" />
<interceptor-stack name="securestack">
<interceptor-ref name="authenticationinterceptor" />
<interceptor-ref name="defaultStack" />
</interceptor-stack>
</interceptors>
<!--
Implicitly use securestack for all actions.
-->
<default-interceptor-ref name="securestack" />
....
<!--
and if you want some actions to pass from secureStack and use defaultStack
(ex login page), you can state that explicitly, See:
-->
<action name="GetLoginPageAction" class="your.class.name">
<interceptor-ref name="defaultStack" />
...
</action>
<!--
for upload action you can use interceptor without define
it in the interceptors tag only in the action,
Note that you should explicitly use securestack below
-->
<action name="upload" class="actions.result.ResultFileUploadAction">
<!-- You can remove the below refs because fileUpload is already
included in defaultStack that is included in the securestack
and securestack is default interceptor for all actions.
<interceptor-ref name="securestack"/>
<interceptor-ref name="fileUpload"/>
-->
...
</action>
I hope these notes help you.
I am having an issue with the Message Store Interceptor in Struts 2. I have the following action in my struts.xml file:
<action name="rfi" method="add" class="org.test.action.RfiAction">
<interceptor-ref name="store">
<param name="operationMode">AUTOMATIC</param>
</interceptor-ref>
<interceptor-ref name="defaultStack" />
<result name="error">../display/irrt/rfi.jsp</result>
<result name="input">../display/irrt/rfi.jsp</result>
<result name="success" type="redirectAction">
<param name="actionName">rfis</param>
<param name="namespace">/irrt</param>
</result>
</action>
When the action returns successfully, it redirects to the action listed and the success message is properly saved and retrieved by the interceptor.
However, when an error occurs, there is no redirect and it goes to the listed JSP page but the error doesn't show up (all other data does). It's like the MessageStoreInterceptor wipes out the contents of the error variables when it runs so that if no redirect occurs, the current action no longer has the error message.
This happens when the interceptor is set to either STORE or AUTOMATIC mode (even though the interceptor shouldn't even run if it's in AUTOMATIC mode and the result doesn't include a redirect).
My code only ever adds errors or messages. It never deletes them. The action code is below:
private String add()
{
try
{
// add the rfi entry
this.rfiService.addRfi(this.rfiEntry, this.getLoggedInUser());
}
catch(ConnectionException e)
{
this.addActionError("Could not add RFI entry.");
e.printStackTrace();
return ERROR;
}
// set success message
this.addActionMessage("RFI entry added.");
return SUCCESS;
}
This is the code in the JSP being used to display the messages:
<s:if test="hasActionErrors() == true">
<s:iterator value="actionErrors">
<p class="text"><b><font color="red"><s:property /></font></b></p>
</s:iterator>
</s:if>
<s:elseif test="hasActionMessages() == true">
<s:iterator value="actionMessages">
<p class="text"><b><font color="green"><s:property /></font></b></p>
</s:iterator>
</s:elseif>
Any help with this issue would be greatly appreciated.
<result name="success" type="redirectAction">
<param name="actionName">rfis</param>
<param name="namespace">/irrt</param>
</result>
The redirectAction rfis should also go through the store interceptor.
<action name="rfis" class="..." method="...">
<interceptor-ref name="store">
<param name="operationMode">AUTOMATIC</param>
</interceptor-ref>
<interceptor-ref name="defaultStack" />
<result ..../>
</action>
I was missing the include on this particular page that included the errors.
Moral of the story: don't assume code that's on every single other page is on the one that's not working.
I've used the Struts 2 framework and I have created a web application which has a Login Page. I have three different Action classes named Action1, Action2, Action3, and different views for JSP pages which are rendered by running some business logic in the Action classes.
Now, I want to check whether a user has logged in before the Action class carries out processing. So,
I created an interceptor below that works fine:
public String intercept(ActionInvocation invocation) throws Exception
{
HttpServletRequest request = ServletActionContext.getRequest();
HttpServletResponse response = ServletActionContext.getResponse();
HttpSession session = request.getSession();
if(session.isNew())
{
response.sendRedirect("Login.action");
}
System.out.println("Interceptor Fired");
String result = invocation.invoke();
return result;
}
What I want to be in struts.xml is instead of adding an interceptor for all the actions like the one below
<interceptor-ref name="newStack"/>
My struts.xml file has:
<package name="default" extends="struts-default">
<interceptors>
<interceptor name="printMsgInterceptor" class="LoginInterceptor"></interceptor>
<interceptor-stack name="newStack">
<interceptor-ref name="printMsgInterceptor"/>
<interceptor-ref name="defaultStack" />
</interceptor-stack>
</interceptors>
<action name="actone" class="Action1">
<result name="success">/success.jsp</result>
<interceptor-ref name="newStack"/>
</action>
<action name="acttwo" class="Action2">
<result name="success">/success.jsp</result>
<interceptor-ref name="newStack"/>
</action>
<action name="actthree" class="Action3">
<result name="success">/success.jsp</result>
<interceptor-ref name="newStack"/>
</action>
</package>
For every action I want to have some definition written in struts.xml which runs the interceptor rather than manually adding
<interceptor-ref name="newStack"/>
<interceptor name="test" class="Full path for LoginInterceptor" />
<interceptor-stack name="testStack">
<interceptor-ref name="test"/>
<interceptor-ref name="defaultStack"/> //here you are including default stack
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="testStack"></default-interceptor-ref>
Now testStack will execute for every request
Use
<default-interceptor-ref name="newStack"/>
If you not putting interceptor-ref manually for each action you could use the default-interceptor-ref to intercept all actions that has not explicitly defined interceptors configuration. See How do we configure an Interceptor to be used with every Action.
We can create our own named stacks and even declare a new default interceptor stack for a package
<package name="default" extends="struts-default" >
<interceptors>
<interceptor-stack name="myStack">
<interceptor-ref name="timer"/>
<interceptor-ref name="logger"/>
<interceptor-ref name="defaultStack"/>
</interceptor-stack>
</interceptors>
However, if you say that the interceptor above works fine I will encourage you to be cautious about a business logic that the login action will not be executed if it fails on the first execution. Instead of checking for the new session you should check for results of the authenticated user and save these results in the session that you could check in the interceptor. See this question for example.
The example of writing the interceptor that use the authenticated user information with the session you could find here.
In Struts 2,
I am trying to skip validation on method base on XML configuration.
As per my application I can not use annotation. So I cannot use #SkipValidation annotation. Is there any alternative for this?
I have one action class which has five methods create, update, delete, search, and view. I want to validate only two methods create and update.
You should configure in the struts.xml package with interceptors
<interceptors>
<interceptor-stack name="validateWorkflowStack">
<interceptor-ref name="basicStack"/>
<!-- ... whatever interceptors -->
<interceptor-ref name="validation">
<param name="excludeMethods">delete, search, view</param>
</interceptor-ref>
<interceptor-ref name="workflow"/>
</interceptor-stack>
</interceptors>
then use action configuration
<action name="create" class="your.package.CreateAction" method="create">
<result name="input">/path/to/form.jsp</result>
<interceptor-ref name="validateWorkflowStack"/>
</action>
apply interceptor to each action that has a validation interceptor referenced explicitly on action or implicitly via <default-interceptor-ref on the package.
You must configure validation interceptor for your action to exclude methods names that you do not want to be validated.
<action name="..." class="...">
<interceptor-ref name="defaultStack">
<param name="validation.excludeMethods">input,back,cancel,browse,delete,search,view</param>
</interceptor-ref>
<result>...</result>
</action>