Struts 2 security vulnerability issue - ajax

We have projects using Struts 2.0 and 2.1.
We're using web hosting with Tomcat and both projects are working fine on the remote servers. Recently, we got a warning message from the web-hosting provider, like:
This notice is to inform you that recently numerous vulnerabilities have been discovered related to the Struts and Struts2 frameworks and other frameworks which use OGNL classes.
Since your application is using the Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1
After research, we found there are consistent upgrades:
http://struts.apache.org/announce.html
Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (the latest version at present). However, we found it's not a trivial task to upgrade Struts2, since nothing works any more, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.
One example is that whenever we submit our AJAX form, the result ends up in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to rewrite all the code just because of the upgrade.
We want to know what kind of vulnerabilities our web application will face if we don't upgrade Struts2 to the latest version. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.

You are probably looking for the Security Bulletins. Each document describes the summary, the problem, and the solution to resolve the problem. At the end of each document you can find hotfixes, if they are available.

One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag.
It seems you are using Struts 2 and the Struts 2 jQuery plugin, so try to update to Struts 2 jQuery 3.7.0 too.
I recommend accepting some rework and upgrading, as some of the security issues are high.
There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and the list of excluded parameters.
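The two settings the answer above refers to (the accepted-parameter-name whitelist and the excluded-parameter blacklist of the params interceptor) are configured in struts.xml. The fragment below is an added example, not code from the question, the answer or the Struts project: it re-states the 2.3.16 defaults explicitly in a custom stack so that the values survive a framework upgrade and are visible in review. The package name, action name and class are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Hypothetical package; only the interceptor settings are the point of the example. -->
  <package name="example" extends="struts-default">
    <interceptors>
      <interceptor-stack name="hardenedStack">
        <!-- Reuse defaultStack but override the nested "params" interceptor's settings
             with the "params." prefix. -->
        <interceptor-ref name="defaultStack">
          <!-- Whitelist: a parameter name must be a plain property path
               (name, name.sub, name[0], name('key')); anything else is dropped
               before it can reach OGNL. -->
          <param name="params.acceptParamNames">\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*</param>
          <!-- Blacklist: framework and container objects must never be addressable
               from a request parameter. -->
          <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="hardenedStack"/>

    <!-- Hypothetical action using the hardened stack. -->
    <action name="updateProfile" class="com.example.ProfileAction">
      <result>/WEB-INF/jsp/profile.jsp</result>
    </action>
  </package>
</struts>
```

When reviewing an existing stack, compare its excludeParams value against the one shipped in struts-default.xml of the version you upgrade to; a stack copied from an older release keeps the older, shorter list, which is exactly the situation the upgrade is meant to close.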

Related

Spring 4 vs Grails - Open Source Plugins

I have used Spring 3 but am not sure what the equivalent of a Grails plugin is. I now need to suggest a stack for a new app. Looking at Grails, it seems to be great for making database models and has a lot of plugins, but it seems it's more expensive at runtime.
So my question is: is there an equal or better repo for Spring for every little thing you can need, like Facebook login or other social actions, AJAX upload, Joda, etc., or is this what we call a dependency plus some code from a blog/Stack Overflow?
Is there any repo of small reusable code, like we have with Grails plugins, for regular Spring MVC projects?
I know that your question is about pure spring alternatives, but I would honestly recommend just using Grails. I've done projects in both stacks. If you want to get rid of the configuration headaches and get started quickly on a new project while staying within the Spring stack, it is the way to go. It is a great framework and some of my employers have many production Grails applications supporting thousands of customers.
You can also upgrade to Grails 3 when it comes out next year and take advantage of the leaner code they provide in it due to Spring Boot!
You may need to check into Spring Boot. It does not provide a full-stack framework, but it hides much of the extra coding you may need to do for a Spring application. There are some new projects that enable you to get the benefits of Spring Boot. Check the projects below:
1- http://jhipster.github.io/ , use it if you need to make an SPA with AngularJS; it also has commands to generate entities for you using Yeoman
2- http://lightadmin.org/ , use it if you want to create CRUD pages based on Spring Data entities
For both, you may have to use Spring Data and maybe even Spring Data REST. These may be helpful too.

Migrate jsf application to Glassfish 4 and JSF 2.2

I moved a JSF application from Glassfish 3.1.2 to Glassfish 4.0 and I thought the new server release was completely backward compatible.
I found out it is not.
I used an outdated library, Primefaces 2.X, and some components stopped working properly, at least <p:tabview>. Common sense suggests moving to a newer library such as Primefaces 3.5, but that way I have to modify my xhtml pages. I cannot find a compatibility matrix anywhere, nor a migration tutorial. Can you help?
There is at least another weird problem outside those related to the Primefaces library.
I have a quite complex page and till now I couldn't isolate the problem to a simpler scenario.
In this page I have an <ui:repeat> tag and then a form with a button.
The button is configured to send Ajax request and update (render) only a single ui component.
At the 3rd Ajax request it stops working and I get an error saying there is a duplicate ID corresponding to the <ui:repeat> tag.
Any idea?
Is there a migration guide from Glassfish 3.1.2 to Glassfish 4.0 which gives hints on what has changed and how to modify existing applications?
Update
I found the following post which deals with the last problem I'm talking about:
Component ID xxx has already been found in the view.
Unfortunately I cannot understand how to solve it even though it has an accepted answer!
This is one of the many bugs that were released with GF4.
I would suggest either waiting for the next release of GF (if you need a released version) or updating GF to the latest JSF release (currently 2.2.8, I think).
JSF implementation jars
JEE7 APIs
JSF current and older bugs

Primefaces 3.5 versus 4.0

What are the major differences between PrimeFaces versions 3.5.x and 4.x, besides the obvious Java EE 7 compliance in the 4.x versions? Has version 4.x been rewritten internally? If so, what are the differences? I am currently using PrimeFaces 3.5.20, so many of the new or updated components are already available. Has there been any work to streamline AJAX throughput?
There are many improvements:
The main one is the integration with the JSF 2.2 specification. As JSF 2.2 is Servlet 3.x compatible, the file upload system has changed in order to take advantage of Servlet 3.x features and do it the HTML 5 way. It also includes support for HTML pass-through attributes, introduced in JSF 2.2, which make it possible to include non-JSF attributes in the rendered page.
Client Side Validation Framework: I still have to try that, but one of the shortcomings of vanilla JSF is the absence of client-side validation. JSF is known for being a server-side framework. However, sometimes client validation is also convenient in order to give the end user a better experience. PrimeFaces 4 is supposed to include that (in fact they've been working to adapt their approach to HTML5 standards).
Search expressions: Something in JSF that can puzzle you is searching for component ids on the client side. JSF uses its own prefixed identifiers, so sometimes it is difficult to search for what you want. JSF 2.2 provides a set of keywords: "#this", "#form", "#all", "#none", in order to simplify what you want to reference. In PrimeFaces 4, apart from that, you've got #composite, which resolves the closest CompositeComponent parent, #widgetVar(name), which resolves a component by its widgetVar, and #child(index), which resolves the nth child.
Lots of bug fixes and component improvements, some of which have been done in parallel with the 3.5.x series.
About AJAX performance, I know there have been some issues in specific cases, but apart from fixing them and adding new capabilities to their jQuery AJAX utilities, I'm not aware of more improvements.
See also:
Primefaces 4 improvements
Default text (placeholder) in InputText component
Search expressions in PrimeFaces 4
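To make the search-expression part of the answer above concrete, here is an added Facelets page that is not code from the answer or from the PrimeFaces project. It uses the keyword syntax as the JSF 2.2 specification spells it (an @ prefix: @this, @form) together with the PrimeFaces 4 @widgetVar(name) extension. The managed bean profileBean, its email and summary properties and its save method are hypothetical.

```xml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:p="http://primefaces.org/ui">
<h:head>
    <title>Search expression example (added example, hypothetical bean)</title>
</h:head>
<h:body>
    <h:form id="profileForm">
        <p:messages id="msgs"/>

        <p:inputText id="email" value="#{profileBean.email}" required="true"/>
        <!-- widgetVar gives the component a client-side handle that can be
             targeted without knowing its generated client id. -->
        <p:inputTextarea id="summary" value="#{profileBean.summary}"
                         widgetVar="summaryWidget"/>

        <!-- JSF 2.2 keywords: process="@form" submits every input in this form,
             update="@form" re-renders the whole form (messages included). -->
        <p:commandButton value="Save" action="#{profileBean.save}"
                         process="@form" update="@form"/>

        <!-- process="@this" submits only the button itself; the PrimeFaces 4
             @widgetVar(...) expression re-renders just the textarea by its widgetVar. -->
        <p:commandButton value="Refresh summary"
                         process="@this" update="@widgetVar(summaryWidget)"/>
    </h:form>
</h:body>
</html>
```

The practical difference is in what crosses the wire: the first button posts and validates every field in the form, the second posts nothing but the button and touches one component on the way back, which is the kind of partial exchange the question's "AJAX throughput" point is about.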

What does it mean that the partial response writer is not integrated with PPRResponseWriter?

I'm trying to develop an application using JSF, PrimeFaces and Tomcat 7.
When I execute an AJAX event, I get this warning:
17-ott-2012 9.26.04 org.apache.myfaces.trinidadinternal.context.PartialViewContextImpl getPartialResponseWriter
AVVERTENZA: getPartialResponseWriter() called during render_reponse. The returned writer is not integrated with PPRResponseWriter
What does it mean? What do I have to do to integrate it?
In my server log, on startup, I find some messages about some web context parameters not being found. Might that be related to the previous warning?
Thanks for your help!!
This class is specific to MyFaces Trinidad. Apparently you're mixing Trinidad with PrimeFaces and it's not working very well. Since you didn't mention anything about Trinidad in your question, it's perhaps a leftover of previous experiments to play around with several component libraries. You might want to remove it before using PrimeFaces.

Migrating from Struts2 to Spring MVC

Scenario: A fairly mature project uses Struts2, Spring and Hibernate. I say mature because it has been going on for a while and there are many Struts actions written already.
Suppose we wanted to remove Struts2 from the project and instead depend entirely on Spring MVC without rewriting the entire project.
Is this something that should even be considered?
Are there any migration guides out there?
Has anyone done this before and would like to warn me against it?
If it ain't broke, don't fix it. You have very likely better things to do than a migration that won't add any value to the product (and will certainly introduce some bugs). If I were the business, I would never buy such a migration (with close to zero benefits).
I have to ask: What advantages do you see with Spring MVC that aren't being fulfilled by Struts 2?
If there's not at least a handful of "smoking hot" features, or the amount of time saved is more than enough to overcome the time taken for the migration in the first place then it's probably best to stick with what you have.
You can do it slowly. Struts is an MVC framework. The rest of your application (business and data tiers) consists of classes which can be invoked by action classes. Struts has a plugin-based architecture and it is easy for you to define a plugin in the Struts configuration file.
Take a look at this link. This may help.
With Struts2 security vulnerabilities being exposed and reported often, this task takes on more importance.