Comment: Migrated to Confluence 5.3

The example code for this tutorial, http_session, is available at https://github.com/apache/struts-examples

Introduction

Your Struts 2 application may need to access the HTTP session object. Struts 2 provides an interface, SessionAware, that your Action class should implement to obtain a reference to the HTTP session object.

...

HelloWorldAction.java setSession Method

// Session attributes supplied by Struts 2 through the SessionAware interface
private Map<String, Object> userSession;

public void setSession(Map<String, Object> session) {
   userSession = session;
}

...

HelloWorldAction.java increaseHelloCount Method

private void increaseHelloCount() {
   // Read the current count from the session map; null on the first request
   Integer helloCount = (Integer) userSession.get(HELLO_COUNT);

   if (helloCount == null) {
     helloCount = 1;
   } else {
     helloCount++;
   }

   // Store the updated count back in the HTTP session
   userSession.put(HELLO_COUNT, helloCount);
}


...

Struts 2 provides an easy way to get an object stored in the HTTP session from within the view page. The example application's HelloWorld.jsp contains this markup:

HelloWorld.jsp Get helloCount Value From HTTP Session

   <p>I've said hello to you <s:property value="#session.helloCount" /> times!</p>

...

HelloWorldAction.java acceptableParameterName Method

public boolean acceptableParameterName(String parameterName) {
   boolean allowedParameterName = true;

   // Reject any parameter whose name refers to the session or request objects
   if (parameterName.contains("session") || parameterName.contains("request")) {
     allowedParameterName = false;
   }

   return allowedParameterName;
}

The Struts 2 framework calls this method for each parameter in the request scope. By returning false when the parameter name contains "session", we tell the Struts 2 framework to ignore that parameter. This prevents a malicious user from tampering with the HTTP session object.

Instead of having each action that implements SessionAware also implement the ParameterNameAware interface, you can tell the params interceptor to exclude specific request attributes for all actions in a package. In struts.xml, configure the struts-default set of interceptors as follows:

struts.xml configure params interceptor

<package name="basicstruts2" extends="struts-default">

   <interceptors>
      <interceptor-stack name="appDefault">
         <interceptor-ref name="defaultStack">
            <param name="exception.logEnabled">true</param>
            <param name="exception.logLevel">ERROR</param>
            <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
         </interceptor-ref>
      </interceptor-stack>
   </interceptors>

   <default-interceptor-ref name="appDefault" />

...

When your Action class needs to access the HTTP session object, implement the SessionAware interface and override the setSession method. Be sure to also implement the ParameterNameAware interface and override the acceptableParameterName method to mitigate a potential security vulnerability. If you have multiple actions that implement SessionAware, consider modifying the params interceptor's excludeParams value as part of your Struts 2 package setup.
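The following is an added example, not code from the tutorial or the Struts project. It runs the same parameter names through both filters shown above: the action's acceptableParameterName check and the excludeParams patterns from struts.xml. It assumes each comma-separated excludeParams entry is a regular expression that must match the whole parameter name; the class name ParamNameCheck and the sample parameter names are constructed.

```java
import java.util.regex.Pattern;

public class ParamNameCheck {

    // excludeParams value copied from the struts.xml shown on this page
    static final String EXCLUDE_PARAMS =
        "dojo\\..*,^struts\\..*,^session\\..*,^request\\..*,^application\\..*,"
        + "^servlet(Request|Response)\\..*,parameters\\...*";

    // Same logic as acceptableParameterName in HelloWorldAction.java
    static boolean acceptedByAction(String name) {
        return !(name.contains("session") || name.contains("request"));
    }

    // Assumption: a name is excluded when any pattern matches the whole name
    static boolean acceptedByExcludeParams(String name) {
        for (String regex : EXCLUDE_PARAMS.split(",")) {
            if (Pattern.compile(regex.trim()).matcher(name).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names: ordinary form fields mixed with
        // names that address the session, request and application scopes
        String[] names = {
            "userName", "session.helloCount", "request.locale",
            "sessionTimeoutMinutes", "requestedDate", "application.mode"
        };
        System.out.printf("%-24s %-8s %s%n", "parameter", "action", "excludeParams");
        for (String n : names) {
            System.out.printf("%-24s %-8s %s%n", n,
                acceptedByAction(n) ? "accept" : "ignore",
                acceptedByExcludeParams(n) ? "accept" : "ignore");
        }
    }
}
```

The substring check in the action also drops ordinary field names such as requestedDate and does not cover application.*, while the anchored interceptor patterns only exclude names that start with the scope name followed by a dot.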