> >> 1. OGNL security blocking (https://github.com/apache/struts/pull/11)
> >> I'm actually hit by this. So it means: it really works ;)
> >> I have JSPs that create a ViewModel Object with ognl which is blocked now.
> >> (new is used in ognl expression)
> >> The question here is how to enable the new whitelist?
> >> There should be a link on the Version Notes page.
> >
> > Did you get a WARN in the logs?

Yes, exactly the message as in the wiki:

WARN opensymphony.xwork2.ognl.SecurityMemberAccess - Target class [class my.package.MyClass] or declaring class of member type [public my.package.MyClass(my.package.MyClass)] are excluded!

>
> Added a note to docs (I thought there was one already) - in your case
> the problem is with a constructor, its target is evaluated to
> java.lang.Class which is on the excluded list of classes.
>
> https://cwiki.apache.org/confluence/display/WW/Security#Security-Internalsecuritymechanism
>

Allowing java.lang.Class by removing it from struts.excludedClasses solved it.
But I will rather follow the advice in wiki and redesign :)

regards,
Christoph
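
Added example, not part of the thread and not Struts code: a Python script that scans application logs for the SecurityMemberAccess warning quoted above and tallies which classes and members are being blocked, so that expressions using `new` can be located and redesigned instead of loosening struts.excludedClasses. The timestamp prefix, the `my.package.Helper` line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the thread; any prefix (timestamp, thread) is ignored.
BLOCKED = re.compile(
    r"SecurityMemberAccess - Target class \[class (?P<cls>.+?)\] or declaring "
    r"class of member type \[(?P<member>.+)\] are excluded!"
)
MODIFIERS = {"public", "protected", "private", "static", "final", "abstract",
             "synchronized", "native", "strictfp", "transient", "volatile"}


def member_kind(member):
    """Classify a java.lang.reflect member string as constructor, method or field."""
    if "(" not in member:
        return "field"
    head = [t for t in member.split("(", 1)[0].split() if t not in MODIFIERS]
    # A method prints "<return type> <name>(", a constructor only "<name>(".
    return "constructor" if len(head) == 1 else "method"


def blocked_members(lines):
    """Count blocked (target class, member kind, member) triples in log lines."""
    hits = Counter()
    for line in lines:
        m = BLOCKED.search(line)
        if m:
            hits[(m["cls"], member_kind(m["member"]), m["member"])] += 1
    return hits


# Constructed sample log; only the MyClass message text comes from the thread.
_PREFIX = "2014-01-01 10:15:01,000 WARN opensymphony.xwork2.ognl."
SAMPLE_LOG = [
    _PREFIX + "SecurityMemberAccess - Target class [class my.package.MyClass] or declaring class of member type [public my.package.MyClass(my.package.MyClass)] are excluded!",
    _PREFIX + "SecurityMemberAccess - Target class [class my.package.MyClass] or declaring class of member type [public my.package.MyClass(my.package.MyClass)] are excluded!",
    _PREFIX + "SecurityMemberAccess - Target class [class my.package.Helper] or declaring class of member type [public java.lang.String my.package.Helper.join(java.lang.String[])] are excluded!",
    "2014-01-01 10:15:02,000 INFO my.package.Startup - ready",
]

if __name__ == "__main__":
    # Constructors listed here correspond to `new` inside an OGNL expression,
    # the case the thread describes.
    for (cls, kind, member), n in blocked_members(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {kind:<11}  {cls}  {member}")
```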