2014-09-30 8:36 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>: > 2014-09-29 17:38 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>: >> 1. OGNL security blocking (https://github.com/apache/struts/pull/11) >> I'm actually hit by this. So it means: it really works ;) >> I have JSPs that create a ViewModel Object with ognl which is blocked now. >> (new is used in ognl expression) >> The question here is how to enable the new whitelist? >> There should be a link on the Version Notes page. > > Did you get a WARN in the logs?
Added a note to docs (I thought there was one already) - in your case the problem is with a constructor, its target is evaluated to java.lang.Class which is on the excluded list of classes. https://cwiki.apache.org/confluence/display/WW/Security#Security-Internalsecuritymechanism Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
