Question

Recently, I needed to upgrade the Struts2 libraries from 2.3.15.1 to 2.3.16.2.

First of all, I upgraded these libraries:

  • commons-fileupload-1.3.1.jar
  • commons-io-2.2.jar
  • struts2-core-2.3.16.2.jar
  • struts2-junit-plugin-2.3.16.2.jar
  • struts2-tiles-plugin-2.3.16.2.jar
  • xwork-core-2.3.16.2.jar

After that I tried to log in to the website, but it didn't work. And I can't get any error messages or logs from the Tomcat console.

Here are some parts of my configuration files:

web.xml

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--Tiles-->
<listener>
    <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
</listener>
<servlet>
    <servlet-name>tiles</servlet-name>
    <servlet-class>org.apache.tiles.web.startup.TilesServlet</servlet-class>
    <init-param>
        <param-name>definitions-config</param-name>
        <param-value>/WEB-INF/tiles.xml</param-value>
    </init-param>
</servlet>

struts.xml

<struts>
  <constant name="struts.custom.i18n.resources" value="ApplicationResources,errors"/>
  <constant name="struts.devMode" value="true" />
  <constant name="struts.configuration.xml.reload" value="true" />
  <constant name="struts.action.extension" value="do" />
  <package name="tiles" extends="tiles-default" namespace="/test">
    <result-types>
        <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult"/>
    </result-types>
    <default-interceptor-ref name="myStack"/>
    <global-results>
        <result name="input">/error.jsp</result>
        <result name="success" type="tiles">global.setting.successMessage</result>
        <result name="error" type="tiles">global.setting.errorMessage</result>
        <result name="index" type="tiles">global.home.index</result>
    </global-results>
    <action name="Login" class="test.action.LoginAction">
        <result name="index">/index.jsp</result>
    </action>
  </package>
</struts>

login.jsp

<s:form action="Login.do">
    <s:textfield required="true" key="user.account"  />
    <s:password required="true" key="user.password" />
    <s:submit key="normal.login" align="right" method="login"/>
</s:form>

I closed other filters in web.xml, and interceptors in struts.xml.

Finally, I can't log in to the website and didn't get any error messages or logs from the Tomcat console.

Solution

If you didn't get any error messages or logs from the Tomcat console, then you should try debugging the application to find the problem. The first thing that you should do is to turn on developer mode: struts.devMode=true, then you will see more messages on the console.

Closer to your question: because of the security issues published on the site, DMI (Dynamic Method Invocation) has been turned off in the default configuration settings. However, you can change this setting to allow the method: parameter to be accepted by the params interceptor. Or you should refactor your application to use only mapped methods. For example:

<action name="Login" class="test.action.LoginAction" method="login">
    <result name="index">/index.jsp</result>
</action>
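
An added example (not part of the original answer or of Struts itself): a small Python check that finds where an application like the one in the question depends on DMI, by reading the struts.enable.DynamicMethodInvocation constant, listing actions with no mapped method, and finding <s:submit> tags that carry a method attribute. The sample files are constructed from the question's snippets, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed sample input, cut down from the question's struts.xml and login.jsp.
STRUTS_XML = """<struts>
  <constant name="struts.action.extension" value="do"/>
  <package name="tiles" extends="tiles-default" namespace="/test">
    <action name="Login" class="test.action.LoginAction">
      <result name="index">/index.jsp</result>
    </action>
  </package>
</struts>"""
LOGIN_JSP = """<s:form action="Login.do">
    <s:submit key="normal.login" align="right" method="login"/>
</s:form>"""

def dmi_enabled(struts_xml):
    """True only when struts.xml explicitly switches DMI on."""
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False  # assumption: off by default, as the answer says of this release

def unmapped_actions(struts_xml):
    """Names of <action> elements that have no method attribute."""
    return [a.get("name") for a in ET.fromstring(struts_xml).iter("action")
            if not a.get("method")]

def dmi_submits(jsp):
    """Methods named by <s:submit method="...">, which travel as a method: parameter."""
    return re.findall(r'<s:submit\b[^>]*\bmethod="([^"]+)"', jsp)

def audit(struts_xml, jsp):
    """List the places where the application depends on DMI."""
    enabled = dmi_enabled(struts_xml)
    findings = []
    if enabled:
        findings.append(f"{DMI_CONSTANT}=true: the request chooses the action method")
    for method in dmi_submits(jsp):
        state = "honoured" if enabled else "ignored while DMI is off"
        findings.append(f"<s:submit> asks for '{method}' via method: ({state}); "
                        f"actions without a mapped method: {unmapped_actions(struts_xml)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(STRUTS_XML, LOGIN_JSP)))
```

An empty result from audit() means the forms no longer rely on the method: prefix, which is the state the mapped-method refactoring above aims for.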
Licensed under: CC-BY-SA with attribution