java.lang.IllegalArgumentException: No bean specified

Srinivasa Rao Ammina
Greenhorn

Joined: Jan 24, 2012
Posts: 20
Hi

We have a web application developed using Spring and deployed on the JBoss application server. Everything was working fine, but recently the security team did an audit and found some issues.

The issue is this: they formed the URL as below and tested it, and it works fine.

http://localhost:9001/PPMWeb/doLoginAction.to?username=appscanPC&password=PPMUSER&button=LOGIN&operation=Login&logoutFlg=

But they manipulated the URL as

http://localhost:9001/PPMWeb/doLoginAction.to?username=appscanPC&password=PPMUSER&button=LOGIN&operation=Login&logoutFlg.=

Here, instead of the parameter name logoutFlg (which is a hidden variable in the JSP and defined in the form bean), they changed it to logoutFlg. (with one dot at the end) and tried accessing the URL; it then gives the exception

javax.servlet.ServletException: BeanUtils.populate
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:495)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
com.tcs.telecom.ppm.filter.SessionIdFilter.doFilter(SessionIdFilter.java:73)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)


root cause

java.lang.IllegalArgumentException: No bean specified
org.apache.commons.beanutils.PropertyUtilsBean.getPropertyDescriptor(PropertyUtilsBean.java:751)
org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:937)
org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:811)
org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:298)
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:493)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
com.tcs.telecom.ppm.filter.SessionIdFilter.doFilter(SessionIdFilter.java:73)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)


So I would like to know how to handle such manipulation issues and redirect to a user-defined page. Where exactly do I need to handle this? We somehow handled this error in one of our customized filters, but the issue is that if we put that code in, the images in the pages do not load properly.

Could you please help us in handling such issues?


Vicky Vijay
Ranch Hand

Joined: Apr 23, 2008
Posts: 125
Hi Srinivasa ,

Do the necessary validation for the parameters available in the URL...

Based on the validation, you can do the necessary processing.
Srinivasa Rao Ammina
Greenhorn

Joined: Jan 24, 2012
Posts: 20
The parameter names are not fixed, so how do we validate them? They can manipulate the parameter name to any name, so how do we proceed?

Do you have any code snippet to validate the same?
Vicky Vijay
Ranch Hand

Joined: Apr 23, 2008
Posts: 125
Srinivasa Rao Ammina wrote: The parameter names are not fixed, so how do we validate them? They can manipulate the parameter name to any name, so how do we proceed?

Do you have any code snippet to validate the same?



"they can manipulate the parameter name to any name so how to proceed"........

Can you post the code .... which you are using for processing this ?
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

Hi Srinivasa,
What we need to consider is 1. security 2. functionality
Since the initial problem is security, you would have probably considered OWASP guidelines to manage/validate all the parameters using some frameworks or custom filters complying with the application. However, I do not see any concern in this scenario, since the user doesn't manipulate the parameter values; instead he manipulates the parameter (or key) itself.
To my understanding, it is a threat when
1. User bypasses the validation process to submit an unusual request to be processed and the application code is capable of finding it out
2. User changes the parameter values to make the system behave in a way that is not intended (say, for example, if you have a role id of the person as hidden and the user/attacker changes it to be a system admin role id or so)
3. User adds "new" parameters to the request which change the behavior of the request
4. User manually creates his own request

All the above attacks can be taken care of by application code and configuration, but not changing a parameter which the application itself cannot understand. Say, for example, in your case, if I add "loggedInFlag" instead of "logoutFlg", the request should definitely fail, and this is what is called an exception; this is because my application does not understand it. If security raised a concern, it should never denote that "exception is the problem" - it is nowhere a concern. However, it would be a concern if an exception from the application like the above is directly displayed to the end user in the UI - this is a threat. In this case we should have no loopholes in the exception handling. So please verify what you are defending your application from in terms of security.

When 1. Security is solved efficiently and appropriately, 2. Functionality would be automatically addressed.

To the current scenario: let us know what the logic is in the filter that you have mentioned. A code snippet would be quite helpful.

Additionally, since you have posted this in the Struts forum, I expect this Spring application uses Struts for the view part. If it is Struts, then it has a global exception configuration wherein we can handle each exception type specifically.

The Security forum is the best place for this topic. You would get more help there.



Have Fun with Java
little,little.. little by little makes a lot..
Srinivasa Rao Ammina
Greenhorn

Joined: Jan 24, 2012
Posts: 20
Dear Shankar Tanikella,

Thank you for the brief email and explanation of the issue.

Here the security concern is that we should not display the odd UI messages and we need to redirect to the respective error page.

I tried with the global exception but was unable to forward to the custom exception JSP page.

We are using Struts 1.2.

Thanks
Srinivasa
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

What is the point of exception? I mean, when is it happening? After reaching the Struts action servlet or before that (maybe a servlet filter)?
Srinivasa Rao Ammina
Greenhorn

Joined: Jan 24, 2012
Posts: 20
This is the error generated. As per the logs, the error generation started at ReplyHeaderFilter.

HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: BeanUtils.populate
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:495)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)


root cause

java.lang.IllegalArgumentException: No bean specified
org.apache.commons.beanutils.PropertyUtilsBean.getPropertyDescriptor(PropertyUtilsBean.java:751)
org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:937)
org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:811)
org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:298)
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:493)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

What I can see from the stack trace is that control reaches the Action Servlet, so the Struts exception configuration should have taken care of this; we are missing something. Anyways, to be on the safer side, are the error pages defined in the deployment descriptor? If not, do it; we can do it based on HTTP status code and exception type (e.g. Throwable) as well. If Struts can't catch it, this would. For example,
This can never miss
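
An added example, not posted by anyone in this thread: a servlet filter that rejects malformed parameter names such as "logoutFlg." with a plain 400 before Struts hands them to BeanUtils.populate, so no stack trace reaches the browser. The class name ParamNameFilter, the accepted name pattern and the 128-character limit are assumptions; map the filter only to *.to so that images and other static resources never pass through it.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; name, pattern and length limit are assumptions. */
public class ParamNameFilter implements Filter {

    // Identifier segments joined by single dots, each with an optional [index].
    // Accepts "logoutFlg", "user.name", "items[0].id"; rejects "logoutFlg.",
    // ".x", "a..b". Extend the pattern if your forms use mapped properties.
    private static final Pattern VALID_NAME = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?)*");

    private ServletContext context;

    static boolean isValidName(String name) {
        return name != null && name.length() <= 128
            && VALID_NAME.matcher(name).matches();
    }

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        for (Enumeration<?> names = request.getParameterNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            if (!isValidName(name)) {
                // Log server-side without echoing the attacker-chosen name;
                // the client only sees the 400, which the container routes
                // to the matching <error-page> if web.xml defines one.
                context.log("Rejected " + request.getRequestURI()
                    + ": malformed parameter name, length " + name.length());
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```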