Struts2: Is it safe to re-enable DMI?

+1 vote
793 views

Just after updating Struts to 2.3.15.2, all of our applications stopped working. Some of our applications use struts-convention-plugin, so only the URL can be used to access an action's methods.

We are using a lot of URLs with "!input" methods, especially to manage form input and form validation.

"S2-019 - Dynamic Method Invocation disabled by default" seems to be a big security issue. So, is it safe to re-enable DMI by setting it back to true? If not, how is it possible to not use DMI?

posted Sep 25, 2013 by Salil Agrawal


2 Answers

+1 vote

It isn't if you know what you're doing - a small example: login!getPassword ;-) You can also switch to Strict DMI, but only via XML - I'm working on a solution to have it also for annotations.

And in the future I'm planning to have only Strict DMI, which means white-listing which actions/methods can be accessed via DMI.

answer Sep 25, 2013 by Garima Jain
+1 vote

See - http://struts.apache.org/release/2.3.x/docs/getting-started.html - the tutorial on using Wildcard Method Selection may be helpful.

Using the ! (bang) operator and dynamic method invocation is a security problem. See:
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation

answer Sep 25, 2013 by Jagan Mishra
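The two answers point at the same configuration choices: leave DMI off, map the methods you need explicitly, and if DMI is needed, restrict it with Strict DMI. The struts.xml below is an added illustration, not code from the question or from either answer; the package, action and class names (`forms`, `userInput`, `example.UserAction`, the JSP paths) are hypothetical, and the `<allowed-methods>` element is the Strict DMI whitelist Garima's answer refers to, so confirm it against the struts-2.3.dtd shipped with your release.

```xml
<!-- struts.xml (added example; names are hypothetical) -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Weak setting: re-enables DMI globally, so any public method of any
       action is reachable from the URL (the login!getPassword case from the
       first answer). Shown commented out; do not ship this. -->
  <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

  <!-- Corrected setting: keep the 2.3.15.2 default. -->
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />

  <package name="forms" extends="struts-default" namespace="/">

    <!-- Replacement for user!input / user!save: one explicit action mapping per
         method. Only input() and save() are exposed; getPassword() is not. -->
    <action name="userInput" method="input" class="example.UserAction">
      <result name="input">/WEB-INF/jsp/userForm.jsp</result>
    </action>
    <action name="userSave" method="save" class="example.UserAction">
      <result name="input">/WEB-INF/jsp/userForm.jsp</result>
      <result name="success">/WEB-INF/jsp/userSaved.jsp</result>
    </action>

    <!-- Wildcard method selection from the Struts tutorial. Note that
         method="{1}" lets the URL choose the method again (user_getPassword),
         so on its own it reintroduces the DMI exposure; pair it with
         <allowed-methods> or prefer the explicit mappings above. -->
    <action name="user_*" method="{1}" class="example.UserAction">
      <allowed-methods>input,save</allowed-methods>
      <result name="input">/WEB-INF/jsp/userForm.jsp</result>
      <result name="success">/WEB-INF/jsp/userSaved.jsp</result>
    </action>

  </package>
</struts>
```

With the convention plugin the same split applies: annotate each method you want reachable with its own `@Action` name rather than relying on `!method` in the URL, and check that nothing else on the action class is a public no-argument method that a URL could select if DMI were ever turned back on.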