Kevin P Smith

Arh yes it works with the struts2-spring.2.3.8.jar I had the 'reverse' jar spring-struts2.jar

Cheers!

Interesting.

I have the spring-struts-plugin.jar but guess I'm not using it properly.

Another interesting read I just found is this, not tried any of it yet though.

http://www.ibm.com/developerworks/library/j-sr2/index.html

Cheers for the input.

Hi guys,

Spent the past day or so trying to set up a little Struts2, Spring3 (eventually Hibernate4) app with Annotations eg @autowired
but am having a little trouble.

For some reason my Action is always dropping to teh error.jsp, because my TestService is NULL.
Just wondering if anyone can see an obvioius reason why this is the case. I think I have included everything I need to below...

import org.apache.struts2.convention.annotation.Action; import org.apache.struts2.convention.annotation.Result; import org.springframework.beans.factory.annotation.Autowired; import com.opensymphony.xwork2.ActionSupport; import com.test.services.TestService; public class TestAction extends ActionSupport { @Autowired private TestService testService; @Action(value = "/welcome", results = { @Result(name = "success", location = "/successPage.jsp"), @Result(name = "error", location = "/error.jsp") }) public String execute() { if (testService != null) { System.out.println("Injection worked!"); return SUCCESS; } else { System.out.println("Injection failed!"); return ERROR; } } public void setTestService(TestService testService) { this.testService = testService; } }
@Service public interface TestService { ... }
public class TestServiceImpl implements TestService { ... }
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> <!-- tx:annotation-driven transaction-manager="txManager"/ --> <!-- context:component-scan base-package="com.test" / --> <context:annotation-config /> <bean class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor"/> <bean id="testService" class="com.test.services.impl.TestServiceImpl" /> </beans>
<?xml version="1.0" encoding="UTF-8"?> <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <display-name>Struts2 First Example </display-name> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/application-context.xml </param-value> </context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <filter> <filter-name>struts2</filter-name> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class> </filter> <filter-mapping> <filter-name>struts2</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app>
commons-fileupload-1.2.1.jar commons-io-1.3.2.jar commons-logging-1.1.1.jar freemarker-2.3.15.jar ognl-2.7.3.jar spring-aspects-3.2.1.RELEASE.jar spring-beans-3.2.1.RELEASE.jar spring-context-3.2.1.RELEASE.jar spring-core-3.2.1.RELEASE.jar spring-expression-3.2.1.RELEASE.jar spring-struts-3.2.1.RELEASE.jar spring-web-3.2.1.RELEASE.jar struts2-convention-plugin-2.1.8.1.jar struts2-core-2.1.8.1.jar struts2tutorial.jar xwork-core-2.1.6.jar

I'm sure it's going to turn out to be something stupid...

Thanks in advance

KS

Hi guys,

Using Struts2 with annotations, I have set up a very simplistic webapp which starts up and I can manually go directly to a JSP (so I know it's working in a basic form)

But when I create a simple Struts2 Action using annotations like the one below
@Namespace("/User") @ResultPath(value="/") public class WelcomeUserAction extends ActionSupport{ @Action(value="Welcome", results={ @Result(name="success",location="pages/welcome_user.jsp") }) public String execute() { return SUCCESS; } }
And go to the URLs:
http://localhost/myApp/User/Welcome http://localhost/myApp/User/Welcome.action

I get the following error:

HTTP Status 404 – There is no Action mapped for namespace /User and action name Welcome.

But if I just go to a URL like
http://localhost/myApp/pages/welcome_user.jsp

It works (finds the page).

Could anyone explain this?

Ref: http://www.mkyong.com/struts2/struts-2-hello-world-annotation-example/

Hi guys,

I'm trying to loop through a simple List<String> imagesList
imageList.add("http:www.awebsite.com/images.firstimage.jpg")
imageList.add("http:www.awebsite.com/images.secondimage.jpg")
imageList.add("http:www.awebsite.com/images.thirdimage.jpg")

I have tried both JSTL & JSF and can't get this to work, on both occasions I get the same issue. Only the final image is displayed.
If I output just the URL (no IMG tag) I get all 3 results, so it's the IMG tag that's breaking it (I guess)


As I say, don;t care if it's JSF (repeat, datagrid) or JSTL (forEach)
My loop (JSTL):
<j:forEach items="${indexView.bannerList}" var="banner"> <img /> </j:forEach>

Any help on how to get this working would be great!

Thanks

You've touched on point 2 with this person too.

https://coderanch.com/t/441617/Servlets/java/security-check-login

I think if you go directly to the login page and login, you get redirected to.... the login page! :-)

So I thought maybe my login link could actually try to take the user to their ./secure/homepage page, that would sort of work around it.

Hi Ulf,

Yes I noticed you replied to my post a few weeks back about JAAS and if it was worth the effort.

I think j_security_check would be the closest fi to what I'm looking for (basically a simple login, but with some 'roles' witin the the admin side of things).

There are although, a couple of issues I have with j_security_check.

1:
Plain text! Now maybe this isn't an issue at all, but I have always encrypted (MessageDigest) passwords. I can't see a way to do this with j_security_check, in fact it seems to work with clear text passwords.

2:
Going straight to a login page. j_security_checker is great for attempting to access a secure page, but if the user goes to a login form?


NOTE:
Actually on point 2, I suppose my 'login' link could try to take the user to their 'homepage', then it would goto the login screen first and then redirect to the 'homepage'.

OK, this is more an general enquiry than anything...

This isn't fully working code; in fact it was written quickly so is more pseudo code than real code.

I'm just wondering, from a 'stupidly simple' user login point-of-view; what do JAAS, j_security_checker, Shiro etc do
which this doesn't (excluding Realms for now, will look at that later.)?
Why would (if at all) this be an unsecure (ineffective) method of simply checking a user's username/password and allowing them
to a secure page if authenticated, else redirecting them to the login screen. By that I mean is there a way you could do XYZ and always be authenticated.


The URL
http://localhost/myApp/secure/mySecurePage.jsp
web.xml
<filter> <filter-name>stupidlySimpleLoginFilter</filter-name> <filter-class>.../StupidlySimpleLoginFilter</filter-class> </filter> <filter-mapping> <filter-name>stupidlySimpleLoginFilter</filter-name> <url-pattern>/secure/*</url-pattern> </filter-mapping>
Example Filter
public class StupidlySimpleLoginFilter { private FilterConfig filterConfig; public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { boolean isAuthenticated = false; HttpServletRequest request = (HttpServletRequest) req; String username = request.getParameter("usr_username"); if (username != null) { User user = new User(); user.setUserName(username); username = null; // trashed! StupidlySimpleLoginJdbcLookUp loginJdbcLookUp = new StupidlySimpleLoginJdbcLookUp(); User user2 = loginJdbcLookUp.findUser(user); user = null; // trashed! if (user2 != null) { String password = request.getParameter("usr_password"); if (password != null) { StupidlySimpleMessageDigester msgDigst = new StupidlySimpleMessageDigester(); String encryptedPassword = msgDigest.digestSHA512(user2.getSalt(),password); password = null; // trashed! if (user2.getPassword().equals(encryptedPassword)) { isAuthenticated = true; HttpSession session = request.getSession(); session.setAttribute("isAuthenticated", isAuthenticated ); encryptedPassword = null; // trashed! user2 = null; // trashed! } } } } if (isAuthenticated) { chain.doFilter(req, res); } else { filterConfig.getServletContext().getRequestDispatcher("./stupidlySimpleLogin.jsp"); } } public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } //... }

Cheers in advance

Fantastic, cool & cheers all rolled into one!

Hi guys,

I have the following code for generating and reading a secretKey file which I use for encode/decode.

Just wondering if anyone could shed any light onto why I get the

java.security.NoSuchAlgorithmException: AES SecretKeyFactory not available at javax.crypto.SecretKeyFactory.<init>(DashoA13*..) at javax.crypto.SecretKeyFactory.getInstance(DashoA13*..)

Error when running my encryption/decryption code.

below is the code for generating the key and reading the key and encryption/decryption...

public final class SecretKeyUtil { public static String SECRET_KEY_DAT = "C:/development/secretkey_aes256.dat"; public static String SECRET_KEY_TYPE = "AES"; public static int KEYSIZE = 256; public static String UTF_8 = "UTF8"; public static void main(String args[]) { try { SecretKeyUtil.generateSecretKey(); System.out.println("Key file created!"); } catch (Exception ex) { ex.printStackTrace(); } } public static void generateSecretKey() throws NoSuchAlgorithmException, InvalidKeySpecException, IOException { KeyGenerator keyGen = KeyGenerator.getInstance(SECRET_KEY_TYPE); keyGen.init(KEYSIZE); SecretKey secretKey = keyGen.generateKey(); byte[] secretKeyBytes = secretKey.getEncoded(); //SecretKeyFactory keyfactory = SecretKeyFactory.getInstance(SECRET_KEY_TYPE); //DESedeKeySpec keyspec = (DESedeKeySpec) keyfactory.getKeySpec(key, DESedeKeySpec.class); SecretKeySpec key = new SecretKeySpec(secretKeyBytes, SECRET_KEY_TYPE); //byte[] rawkey = key.getKey(); byte[] encoded = key.getEncoded(); // Write the raw key to the file File keyfile = new File(SECRET_KEY_DAT); FileOutputStream fos = new FileOutputStream(keyfile); fos.write(encoded); fos.close(); } public static SecretKey getSecretkey() throws NoSuchAlgorithmException, InvalidKeySpecException, IOException, InvalidKeyException { boolean exists = new File(SECRET_KEY_DAT).exists(); if (!exists) { SecretKeyUtil.generateSecretKey(); } return SecretKeyUtil.readSecretKey(); } public static SecretKey readSecretKey() throws IOException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException { // Read the raw bytes from the keyfile File keyfile = new File(SECRET_KEY_DAT); DataInputStream input = new DataInputStream(new FileInputStream(keyfile)); byte[] rawkey = new byte[(int) keyfile.length()]; input.readFully(rawkey); input.close(); // Convert the raw bytes to a secret key like this SecretKeySpec keyspec = new SecretKeySpec(rawkey,SECRET_KEY_TYPE); SecretKeyFactory keyfactory = SecretKeyFactory.getInstance(SECRET_KEY_TYPE); SecretKey key = keyfactory.generateSecret(keyspec); return key; } }

Encryption
public static String encrypter(String value) { try { SecretKey secretKey = SecretKeyUtil.getSecretkey(); Cipher cipher = Cipher.getInstance(SecretKeyUtil.SECRET_KEY_TYPE); cipher.init(Cipher.ENCRYPT_MODE, secretKey); byte[] bytes = value.getBytes(); byte[] bytesEncrypted = cipher.doFinal(bytes); return new String(bytesEncrypted); } catch (Exception ex) { ex.printStackTrace(); return value; } }

Decryption
public static String decrypter(String value) { try { SecretKey secretKey = SecretKeyUtil.getSecretkey(); Cipher cipher = Cipher.getInstance(SecretKeyUtil.SECRET_KEY_TYPE); cipher.init(Cipher.DECRYPT_MODE, secretKey); byte[] bytes = value.getBytes(); byte[] bytesDecrypted = cipher.doFinal(bytes); return new String(bytesDecrypted); } catch (Exception ex) { ex.printStackTrace(); return value; } }

Cheers in advance

KS

Hi Ulf

Thanks for the response, I thought maybe I was missing something obvious with JAAS when I read it.

I have had a little look at Shiro (although haven't got it working yet); just wondering where does Shiro compare to j_security_check? More-or-less the same, an extension or totally independent new framework?
Can you use j_security_check with digest (something like SHA512)?

Been looking into security in regards to webapps; which until now I have just used handwritten classes for simple
username/password lookups.

I have had a play around with j_security_check/Realms with Tomcat and this all seems pretty straight forward (but nbot sure what it gives you, that doing this yourself doesn't).

But recently started looking into J2EE JAAS and got to thinking... WHat is actually that good about JAAS?


Looking at a simple example I see that it (for this example) reads in your username/password
Passes them into a LoginContext (what?) which uses a hand written CallbackHandler class which in turn calls a
LoginModule (a lot of classes going on here)

The CallbackHandler then just seems to take the username/password and set something called NameCallback & PasswordCallback
which then get passed into the LoginModule.login method which (again) sets a NameCallback & PasswordCallback
but ultimately all it then does is a simplest of simple 'isEquals' checks:

if (dbName.equals(name) && dbPwd.equals(password)) { System.out.println("Success! You get to log in!"); succeeded = true; return succeeded; } else { System.out.println("Failure! You don't get to log in"); succeeded = false; throw new FailedLoginException("Sorry! No login for you."); }
So what has JAAS actually done that a simple handwritten class which passes in a username/password encrypts the password to something like SHA-512 and then does a simple lookup of the username, gets the User object, gets the salt (however you fancy doing that) for that User and encrypts the passed in password and compares to the password related to the found username, doesn't?

Whenever I try to find an answer into why you should use JAAS, I usually just find some copy-n-pasted reference that's clearly come from the Java offical description of what JAAS is, but not actual hand-on experience of it benefits.
What makes JAAS more secure, easier, benefitial in the real World, is it more secure than a DIY authentication, or is it just a way of saying "Our website used J2EE JAAS security".

I have Dynamic Web Project (web-app) and standard java Project (common-app)

What I was hoping to do, I get web project to use the standard project as a location for all common classes, so if I have multiple web-apps they can all access classes from this common location

I have set-up a the Projects link in ‘Configure Build Path > Projects’ in my web-app to use the common-app, and this works as development; but as soon as I deploy I get a ‘Class not found’ on any class from the common-app which is used in the web-app.

The problems are thrown on sever start-up in my application-context.xml where I have things like:

<bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean"> <property name="dataSource" ref="dataSource" /> <property name="annotatedClasses"> <list> <value>com.myapp.common.model.User</value> </list> ... Or<bean id="User" class="com. myapp.common.model.User"/>

How can I set up my web-app so it uses the common-app, as I don’t particularly want to replicate things like my ‘model’ package if I can avoid it

Cheers in advance

So I guess in the above senario a @ViewScoped would be suited?


This is the example I built this on (but I use Spring/Hib instead of EJB/JPA)

http://code.google.com/p/javaee6-crud-example/source/browse

I goto index.jsf

In doing so, my app passed through a @PostConstruct method in Index class and 'gets' my List and displays it to my view (index.xhtml)

Here I can edit/delete/add rows (user_edit.xhtml). When happy with my changes I click 'save' call the save method which
sends updated List to DB then returns to a confirm screen (which I guess would then re-get the new List from the DB)

And a similar method could be used to display a confirmation view, as with calling the user_edit.xhtml view, I guess.

Will take some getting used to but think I'll get it. I'll expand my testApp and see how it goes.

Cheers

Hmmm, OK. Just wondering though, why I can pass an Object like String, Integer or custom Object back, but not a collection.

But in regards to how JSF 'should' work. What would be the best way of handling the senario.

- testMethod1() sets a List of values
- List is displayed in my xhtml page
- I edit one value from the list and click 'save'
- testMethod2() does stuff.

By the time I get to testMethod2() List is null again. So I'll end up re-init it from something like @PostConstrut and have to do a load of
logic to find the updated entry etc... Would be a lot easier to just pass the updated List back to the Bean like you can with other objects.

Doesn't seem to be doing much more than a bulk standard Servlet httpRequest to me.