[Esapi-user] Fwd: ESAPI.httpUtilities().sendForward() Help

augustd augustd at codemagi.com
Fri Aug 26 16:25:20 EDT 2011


I really hope that is not your real, production SA password...



On Thu, Aug 25, 2011 at 5:49 AM, John Melton <jtmelton at gmail.com> wrote:

> Sorry, but am I missing something? The stack trace shows the same exact
> issue that was answered yesterday. The jsp being forwarded to doesn't start
> w/ "WEB-INF/". That's why the AccessControlException is being thrown. Move
> the JSP to the WEB-INF directory and you should be good.
> Thanks,
> John
>
>
> On Thu, Aug 25, 2011 at 8:07 AM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>
>> What happens?  Do you get an error?  Sounds like a classpath or import
>> problem, but you can't debug problems without information.
>>
>> --Jeff
>>
>>
>>
>> On Aug 25, 2011, at 7:47 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
>>
>> > Anyone have any ideas?
>> > Asish, please post these to the ESAPI users list and do not send
>> > to individuals. Thanks.
>> >
>> > -kevin
>> >
>> > ---------- Forwarded message ----------
>> > From: ashish kumar gautam <gautamashishkumar at gmail.com>
>> > Date: Thu, Aug 25, 2011 at 3:36 AM
>> > Subject: Re: ESAPI.httpUtilities().sendForward() Help
>> > To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
>> >
>> >
>> > Dear Sir,
>> >
>> > I am able to call ESAPI.httpUtilities().sendForward(); from jsp file
>> > But sir
>> > I am not able to call ESAPI.httpUtilities().sendForward(); from Servlet file
>> >
>> > thanks for Reply
>> >
>> >
>> > On Wed, Aug 24, 2011 at 7:27 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> >>
>> >> I meant your log4j *output* file, not the config file. In your case, you are
>> >> using ConsoleAppender, so the output should be going to stdout or stderr
>> >> and will probably end up in catalina.out or wherever Tomcat dumps it.
>> >> Also, set the log level for all ESAPI classes to 'debug'.
>> >>
>> >> -kevin
>> >>
>> >> On Wed, Aug 24, 2011 at 8:54 AM, ashish kumar gautam
>> >> <gautamashishkumar at gmail.com> wrote:
>> >>>
>> >>> Hi.......
>> >>> I am using ESAPI.httpUtilities().sendForward();
>> >>> but I have got an exception:
>> >>> Exception message:
>> >>> org.owasp.esapi.errors.AccessControlException: Forward failed
>> >>> at org.owasp.esapi.reference.DefaultHTTPUtilities.sendForward(DefaultHTTPUtilities.java:791)
>> >>> at DataBaseConnection.doPost(DataBaseConnection.java:107)
>> >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>> >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>> >>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>> >>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> >>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>> >>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>> >>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>> >>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>> >>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>> >>> at java.lang.Thread.run(Unknown Source)
>> >>>
>> >>> My Code Like This:
>> >>> if(role==1)
>> >>> {
>> >>>     session.setAttribute("SERVERToken",str);
>> >>>     ESAPI.httpUtilities().sendForward(request,response,"useraccount.jsp");
>> >>> }
>> >>> else if(role==2)
>> >>> {
>> >>>     session.setAttribute("SERVERToken",str);
>> >>>     ESAPI.httpUtilities().sendForward(request,response,"adminaccount.jsp");
>> >>> }
>> >>> }
>> >>> else
>> >>> {
>> >>>     ESAPI.httpUtilities().sendForward(request,response,"loginfail.jsp");
>> >>> }
>> >>>
>> >>>
>> >>> web.xml file content:
>> >>> <?xml version="1.0" encoding="UTF-8"?>
>> >>> <web-app id="WebApp_ID" version="2.4"
>> >>> xmlns="http://java.sun.com/xml/ns/j2ee"
>> >>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >>> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>> >>> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>> >>> <display-name>
>> >>> infosystem</display-name>
>> >>> <welcome-file-list>
>> >>> <welcome-file>index.html</welcome-file>
>> >>> <welcome-file>index.htm</welcome-file>
>> >>> <welcome-file>index.jsp</welcome-file>
>> >>> <welcome-file>default.html</welcome-file>
>> >>> <welcome-file>default.htm</welcome-file>
>> >>> <welcome-file>default.jsp</welcome-file>
>> >>> </welcome-file-list>
>> >>> <!-- Database Configuration Setting -->
>> >>> <context-param>
>> >>>         <param-name>datasource</param-name>
>> >>>         <param-value>csgcirt</param-value>
>> >>>     </context-param>
>> >>>     <context-param>
>> >>>         <param-name>dbuser</param-name>
>> >>>         <param-value>sa</param-value>
>> >>>     </context-param>
>> >>>     <context-param>
>> >>>         <param-name>dbpassword</param-name>
>> >>>         <param-value>sa123</param-value>
>> >>> </context-param>
>> >>> <context-param>
>> >>>         <param-name>dbip</param-name>
>> >>>         <param-value>10.1.10.129:1433</param-value>
>> >>>     </context-param>
>> >>> <context-param>
>> >>>         <param-name>dbname</param-name>
>> >>>         <param-value>INFORMATIONSYSTEM</param-value>
>> >>>     </context-param>
>> >>>
>> >>>     <!-- Mapping for DataBaseConnection.java Servlet -->
>> >>> <servlet>
>> >>> <servlet-name>DataBaseConnection</servlet-name>
>> >>> <servlet-class>DataBaseConnection</servlet-class>
>> >>> </servlet>
>> >>> <servlet-mapping>
>> >>>     <servlet-name>DataBaseConnection</servlet-name>
>> >>>       <url-pattern>/servlet/DataBaseConnection</url-pattern>
>> >>> </servlet-mapping>
>> >>>
>> >>>
>> >>>     <!-- Mapping for DataBaseConnection.java Servlet -->
>> >>> <servlet>
>> >>> <servlet-name>DataBaseConnection2</servlet-name>
>> >>> <servlet-class>DataBaseConnection2</servlet-class>
>> >>> </servlet>
>> >>> <servlet-mapping>
>> >>>     <servlet-name>DataBaseConnection2</servlet-name>
>> >>>       <url-pattern>/servlet/DataBaseConnection2</url-pattern>
>> >>> </servlet-mapping>
>> >>> <!-- Mapping for DataBaseConnection.java Servlet -->
>> >>> <servlet>
>> >>> <servlet-name>Logout</servlet-name>
>> >>> <servlet-class>Logout</servlet-class>
>> >>> </servlet>
>> >>> <servlet-mapping>
>> >>>     <servlet-name>Logout</servlet-name>
>> >>>       <url-pattern>/servlet/Logout</url-pattern>
>> >>> </servlet-mapping>
>> >>>
>> >>>
>> >>>     <servlet>
>> >>> <servlet-name>ActiveDeactiveNews</servlet-name>
>> >>> <servlet-class>ActiveDeactiveNews</servlet-class>
>> >>> </servlet>
>> >>> <servlet-mapping>
>> >>>     <servlet-name>ActiveDeactiveNews</servlet-name>
>> >>>       <url-pattern>/servlet/ActiveDeactiveNews</url-pattern>
>> >>> </servlet-mapping>
>> >>> </web-app>
>> >>>
>> >>>
>> >>> log4j.xml
>> >>> <?xml version="1.0" encoding="UTF-8" ?>
>> >>> <!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
>> >>> <!-- main resources -->
>> >>> <log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
>> >>>   <appender name="console" class="org.apache.log4j.ConsoleAppender">
>> >>>     <param name="Target" value="System.out"/>
>> >>>     <layout class="org.apache.log4j.PatternLayout">
>> >>>       <param name="ConversionPattern" value="%-5p %m%n"/>
>> >>>     </layout>
>> >>>   </appender>
>> >>>     <appender name="file" class="org.apache.log4j.FileAppender">
>> >>>         <param name="File" value="target/unit-tests.log"/>
>> >>>         <layout class="org.apache.log4j.PatternLayout">
>> >>>           <param name="ConversionPattern" value="%-5p %m%n"/>
>> >>>         </layout>
>> >>>     </appender>
>> >>>   <logger name="org.owasp.esapi.reference.TestTrace">
>> >>>     <level value="trace"/>
>> >>>   </logger>
>> >>>   <logger name="org.owasp.esapi.reference.TestDebug">
>> >>>     <level value="debug"/>
>> >>>   </logger>
>> >>>   <logger name="org.owasp.esapi.reference.TestInfo">
>> >>>     <level value="info"/>
>> >>>  </logger>
>> >>>   <logger name="org.owasp.esapi.reference.TestWarning">
>> >>>     <level value="warn"/>
>> >>>   </logger>
>> >>>   <logger name="org.owasp.esapi.reference.TestError">
>> >>>     <level value="error"/>
>> >>>   </logger>
>> >>>   <logger name="org.owasp.esapi.reference.TestFatal">
>> >>>     <level value="fatal"/>
>> >>>   </logger>
>> >>>   <logger name="org.owasp.esapi.reference">
>> >>>     <level value="info"/>
>> >>>   </logger>
>> >>>   <root>
>> >>>     <priority value="debug" />
>> >>>     <appender-ref ref="file" />
>> >>>   </root>
>> >>>   <loggerFactory class="org.owasp.esapi.reference.Log4JLoggerFactory"/>
>> >>> </log4j:configuration>
>> >>>
>> >>> --
>> >>> Best regards,
>> >>> Ashish K. Gautam
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Blog: http://off-the-wall-security.blogspot.com/
>> >> "The most likely way for the world to be destroyed, most experts agree,
>> >> is by accident. That's where we come in; we're computer professionals.
>> >> We *cause* accidents."        -- Nathaniel Borenstein
>> >
>> >
>> >
>> > --
>> > Best regards,
>> > Ashish K. Gautam
>> >
>> >
>> >
>> > --
>> > Blog: http://off-the-wall-security.blogspot.com/
>> > "The most likely way for the world to be destroyed, most experts agree,
>> > is by accident. That's where we come in; we're computer professionals.
>> > We *cause* accidents."        -- Nathaniel Borenstein
>> > _______________________________________________
>> > Esapi-user mailing list
>> > Esapi-user at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/esapi-user
>>
>
>
>
>
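The rule John Melton describes above (the forward location must start with "WEB-INF/"), as an added stand-alone Java example that is not part of the original thread and is not ESAPI's source. The class and method names are hypothetical, the rejection of ".." segments is an extra assumption, and the JSPs are assumed to have been moved under WEB-INF/.

```java
// Added example: a stand-alone model of the forward-location rule from the thread.
// ForwardTargetCheck, isAllowedForward and viewForRole are hypothetical names.
public class ForwardTargetCheck {

    // Rule as stated in the thread: the location must start with "WEB-INF/".
    // Rejecting ".." path segments is an extra assumption of this example.
    static boolean isAllowedForward(String location) {
        if (location == null || !location.startsWith("WEB-INF/")) {
            return false;
        }
        for (String segment : location.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    // The view is chosen on the server from the role value used in the posted
    // servlet (1 = user, 2 = admin, anything else = login failure).
    // Assumption: the three JSPs now live under WEB-INF/.
    static String viewForRole(int role) {
        switch (role) {
            case 1:  return "WEB-INF/useraccount.jsp";
            case 2:  return "WEB-INF/adminaccount.jsp";
            default: return "WEB-INF/loginfail.jsp";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the three locations from the posted code, the
        // relocated views, and one location that climbs back out of WEB-INF.
        String[] samples = {
            "useraccount.jsp", "adminaccount.jsp", "loginfail.jsp",
            viewForRole(1), viewForRole(2), viewForRole(0),
            "WEB-INF/../useraccount.jsp"
        };
        for (String location : samples) {
            String verdict = isAllowedForward(location) ? "forward" : "rejected";
            System.out.printf("%-30s %s%n", location, verdict);
        }
    }
}
```

A servlet container does not serve files under WEB-INF in response to direct client requests, so pages placed there are reachable only through a server-side forward.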