This is my first project with Struts2. I'm using the convention plugin and running the whole thing on Wildfly. I've created a few actions, like a user-registration.action, and they work fine. However, once I added security, I started getting the error in the title of this. It happens when I try to log in. The login page never appears and instead I get the error.

Here's the relevant part of my web.xml

```xml
<welcome-file-list>
  <welcome-file>/index.action</welcome-file>
</welcome-file-list>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>All secure pages</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Security Admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>No direct JSP access</display-name>
  <web-resource-collection>
    <web-resource-name>No-JSP</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>no-users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.action</form-login-page>
    <form-error-page>/login-failed.action</form-error-page>
  </form-login-config>
</login-config>
```

Here's the Struts2 action to display the home page. It works. It's mapped to /context/index.action, which is in my welcome file list in the web.xml

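```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.convention.annotation.Result;

// Home page action; renders the "index" Tiles definition.
@Result(name = "success", type = "tiles", location = "index")
public class IndexAction extends ActionSupport
{
  @Override
  public String execute() throws Exception
  {
    return SUCCESS;
  }
}
```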

Here's the code for displaying the login page. If I access it directly, like /context/login.action, it successfully displays the login page. However, it does not get displayed if I'm actually trying to log in.

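```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.convention.annotation.Result;

// Login page action; renders the "login" Tiles definition.
@Result(name = "success", type = "tiles", location = "login")
public class LoginAction extends ActionSupport
{
  @Override
  public String execute()
  {
    return SUCCESS;
  }
}
```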

Here's the Struts2 action to be executed after login. This is mapped to /context/secure/secure-index.action. This is the href of the "Login" menu item on the home page's menu bar.

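```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.convention.annotation.Result;

// Post-login landing page under /secure/; renders "secure_index".
@Result(name = "success", type = "tiles", location = "secure_index")
public class SecureIndexAction extends ActionSupport
{
  @Override
  public String execute() throws Exception
  {
    return SUCCESS;
  }
}
```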

Here's the stack trace:

```
ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /campaigner-security/login.action: java.lang.IllegalStateException: UT010019: Response already commited
at io.undertow.servlet.spec.HttpServletResponseImpl.sendError(HttpServletResponseImpl.java:124) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.spec.HttpServletResponseImpl.sendError(HttpServletResponseImpl.java:167) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_71]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_71]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_71]
```

If used directly, the login.action and login-failed.action work fine.

What do I need to do to fix this?

Roman C
Gary Kephart
  • Possible duplicate of [java.lang.IllegalStateException: Cannot forward / sendRedirect after response has been committed](http://stackoverflow.com/questions/2123514/java-lang-illegalstateexception-cannot-forward-sendredirect-after-response-ha) – Roman C Apr 09 '16 at 07:27
  • Edited to show that it's not. I'm not using any forwards or redirects. – Gary Kephart Apr 09 '16 at 16:11
  • It is not actually true especially using Tiles with Struts2. – Roman C Apr 09 '16 at 16:21
  • It's definitely related to the "" element in the web.xml file because when I commented it out, I was able to get to the secured pages. Could it be the security domain that I defined in Wildfly? It seems to look good, but there's no way to test it except deploy an app that uses it. – Gary Kephart Apr 10 '16 at 06:38
  • When you did it the pages that you got were no longer secured. You should use better security in your app whatever your app server is regardless of if it's testing or deploying. – Roman C Apr 10 '16 at 07:05
  • I know that I saw them because I removed the security. I was just double-checking that it was indeed related to the problem. I still want to use the declarative security that's available via the web.xml. But now I need to find out why adding security causes this issue. Not sure how to do that. I've downloaded the Wildfly source code and am running it in debug mode, so while painful, it might be the way to determine the source of the problem. – Gary Kephart Apr 10 '16 at 18:16
  • Not sure if you find something there, because you are doing principally wrong. – Roman C Apr 10 '16 at 18:37
  • I'm not saying that there's something wrong in Wildfly. I'm hoping to find the problem in my code by understanding what's happening in Wildfly. – Gary Kephart Apr 10 '16 at 20:29
  • https://issues.apache.org/jira/browse/WW-2025 seems to suggest that because Struts2 uses filters to do its work, you can't use it for any of the web.xml elements. Maybe. – Gary Kephart Apr 11 '16 at 06:59
  • To exclude Struts from being the cause, try a plain vanilla JSP page. If that works, move your focus to Struts. Perhaps it threw an exception while initializing the page/bean which unintentionally got swallowed somewhere in server's internals. – BalusC Apr 11 '16 at 07:26
  • @GaryKephart While debugging you can check what the original request was and when it committed the response. From the stacktrace that you have posted, Struts2 is not even involved. – Roman C Apr 11 '16 at 08:06
  • Here's what I've learned. I went back to using plain JSPs with no tiles for the main pages and that worked. Then I started adding code back in. The results are that 1) you can use a Struts2 action for the welcome-file and for the target page that you're going to after login, complete with Tiles. 2) You cannot use a Struts2 action for either form-login-page or form-error-page. They must be JSPs. 3) Those JSPs cannot contain Tiles, since that uses Struts2. 4) Those JSPs cannot be in WEB-INF/content because that again uses Struts2. – Gary Kephart Apr 13 '16 at 06:29

1 Answer

  1. You can use a Struts2 action for the welcome-file and for the target page that you're going to after login (e.g. secure/index.action), complete with Tiles.
  2. You cannot use a Struts2 action for either form-login-page or form-error-page. They must be JSPs.
  3. Those JSPs cannot contain Tiles, since that uses Struts2.
  4. Those JSPs cannot be in WEB-INF/content because that again uses Struts2.
Gary Kephart
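
The change this answer describes, shown against the `login-config` from the question. This is an added example, not the poster's file; `/login.jsp` and `/login-failed.jsp` are assumed file names at the web application root.

```xml
<!-- Before (from the question): both pages are Struts2 actions.
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.action</form-login-page>
    <form-error-page>/login-failed.action</form-error-page>
  </form-login-config>
</login-config>
-->

<!-- After: both pages are plain JSPs, outside WEB-INF/content, with no
     Tiles. File names are assumed. Test the login flow with the
     question's *.jsp constraint still in place. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Body of the assumed /login.jsp: plain HTML, no Struts2 or Tiles tags.
     The form action and the two field names are the ones the Servlet
     specification fixes for FORM authentication.
<form method="post" action="j_security_check">
  <label>User <input type="text" name="j_username"/></label>
  <label>Password <input type="password" name="j_password"/></label>
  <input type="submit" value="Log in"/>
</form>
-->
```

The question's constraint sets `<transport-guarantee>NONE</transport-guarantee>`, so nothing in this descriptor requires TLS for the login exchange. `CONFIDENTIAL` is the descriptor value that makes the container require an encrypted transport for the URLs a constraint covers.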