struts2 2.3.20 ognl allowStaticMethodAccess

I updated my project to Struts2 version 2.3.20. Now all cases in my JSPs that use static method access do not work.

i.e.

<s:set var="linkEscaped"
 value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />

I have already set this in my struts.properties:

struts.ognl.allowStaticMethodAccess=true

and tried in struts.xml:

<constant name="struts.ognl.allowStaticMethodAccess" value="true"/>

with no success. Does anyone know what has changed and what I need to do to enable them again?

Panos asked Dec 16 '14 11:12


2 Answers

Update

Lukasz Lenart commented:

To be clear, in the context of 2.3.20 it's a bug and was temporarily fixed, see issues.apache.org/jira/browse/WW-4429, but as of 2.5 access to static methods will be dropped.

---

Allowing static method access was never a preferred way of doing things and in 2.3.20 it won't work even if struts.ognl.allowStaticMethodAccess is set to true.

From the wiki:

Accessing static methods

In case you still use static methods in expressions (setting struts.ognl.allowStaticMethodAccess to true), please be aware that this won't work anymore, as the internal security mechanism considers this as access to java.lang.Class, which is on the excluded list of classes (see above). A temporary solution is to copy the above into your struts.xml and remove java.lang.Class from the excluded classes.

Support for accessing static methods from expressions will be disabled soon, please consider re-factoring your application to avoid further problems! Please check WW-4348.

Also WW-4429.

Aleksandr M answered Oct 24 '22 01:10


I made it work. Copy the following from struts-default.xml into your application's struts.xml.

<constant name="struts.excludedClasses"
          value="
            java.lang.Object,
            java.lang.Runtime,
            java.lang.System,
            java.lang.Class,
            java.lang.ClassLoader,
            java.lang.Shutdown,
            ognl.OgnlContext,
            ognl.MemberAccess,
            ognl.ClassResolver,
            ognl.TypeConverter,
            com.opensymphony.xwork2.ActionContext" />

Remove only java.lang.Class from the above. Save, compile, build, and deploy. Happy days!

But we are working on an exit strategy for this. We are making all our developers aware that they should not use static access anymore and should start removing it (we don't have a lot of places where this is being used, though)!

Aneesh Vijendran answered Oct 24 '22 00:10
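
An audit sketch for the clean-up both answers recommend, added here as an example and not part of either answer or of Struts itself: it lists static OGNL method calls in JSP source and flags a struts.xml that enables struts.ognl.allowStaticMethodAccess or overrides struts.excludedClasses without java.lang.Class. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# OGNL static method call in the form used in the question: @pkg.Class@method(
STATIC_CALL = re.compile(r"@([A-Za-z_][\w.$]*)@([A-Za-z_]\w*)\s*\(")


def static_calls_in_jsp(jsp_text):
    """Return (line_no, class_name, method) for each static OGNL method call."""
    hits = []
    for no, line in enumerate(jsp_text.splitlines(), 1):
        for m in STATIC_CALL.finditer(line):
            hits.append((no, m.group(1), m.group(2)))
    return hits


def audit_struts_xml(xml_text):
    """Report the two settings discussed on this page as a list of findings."""
    findings = []
    for const in ET.fromstring(xml_text).iter("constant"):
        name, value = const.get("name"), const.get("value", "")
        if name == "struts.ognl.allowStaticMethodAccess" and value.strip().lower() == "true":
            findings.append("allowStaticMethodAccess is enabled")
        if name == "struts.excludedClasses":
            excluded = {c.strip() for c in value.split(",") if c.strip()}
            if "java.lang.Class" not in excluded:
                findings.append("excludedClasses override omits java.lang.Class")
    return findings


# Constructed sample inputs, modelled on the snippets in the question and answers.
SAMPLE_JSP = '''<s:set var="linkEscaped"
 value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />
<s:property value="#linkEscaped" />
<a href="mailto:me@example.com">mail</a>'''

SAMPLE_STRUTS_XML = '''<struts>
  <constant name="struts.ognl.allowStaticMethodAccess" value="true"/>
  <constant name="struts.excludedClasses"
            value="java.lang.Object, java.lang.Runtime, java.lang.System,
                   java.lang.ClassLoader, java.lang.Shutdown, ognl.OgnlContext" />
</struts>'''

if __name__ == "__main__":
    for no, cls, method in static_calls_in_jsp(SAMPLE_JSP):
        print(f"JSP line {no}: static call {cls}.{method}()")
    for finding in audit_struts_xml(SAMPLE_STRUTS_XML):
        print("struts.xml:", finding)
```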