Hi there, welcome to the dev list :)

Do you need access to excluded packages in your JSPs? I had a similar issue and you can see my solution at [1]. I did not need to rewrite anything and a find/replace did all the needed changes. Please review my solution to see if it also resolves yours. If not, please feel free to continue here for a solution :)

[1] https://github.com/apache/struts/pull/125#issuecomment-293608411

On 7/21/2017 2:38 AM, Deborah White wrote:
> Please see the content below. Fairly new to Struts and I'm guessing someone
> out there has been through this. Any help would be appreciated.
>
> -----Original Message-----
> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
> Sent: Thursday, July 13, 2017 9:32 PM
> To: Deborah White <deborah.wh...@doj.ca.gov>
> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32
>
>
> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>
> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
> ------------------------------------------------------------
>
> The best place to ask such question is to subscribe to the User Mailing list
> as there are more eyes to help you http://struts.apache.org/mail.html
>
> And to answer your question: there is no safe way to modify the exclusion, I
> would rather figure out in which expression you use this class and move the
> logic to an action.
>
>
> was (Author: lukaszlenart):
> The best place to ask such question is to subscribe to the User Mailing list
> as there are more eyes to help you http://struts.apache.org/mail.html
>
> And to answer your question: there is no safe way to modify the exclusion, I
> would rather figure in which expression you use this class and move the logic
> to an action.
>
>> Migrating Struts 2.3.16.3 to 2.3.32
>> -----------------------------------
>>
>> Key: WW-4815
>> URL: https://issues.apache.org/jira/browse/WW-4815
>> Project: Struts 2
>> Issue Type: Temp
>> Components: Core
>> Affects Versions: 2.3.16.3
>> Reporter: Deborah White
>> Fix For: 2.3.32
>>
>>
>> I need some assistance and am hoping you can provide some insight. I know
>> this is probably not the place to do this, but I'm not finding answers
>> elsewhere.
>> I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.
>> The problem is that the excluded classes in the struts-default.xml are being
>> used by my application and I certainly do not have time to do a rewrite.
>> This is the Warning I get and then my application does not run as it should
>> because it seems it is not forwarding the roles:
>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target
>> [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of
>> member [public boolean
>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>> are excluded!
>> I need to know how I can safely modify the struts-default.xml and still have
>> the fix for the vulnerability. Also, if there is something I can instead
>> include in my struts.xml file that would override, that would be better.
>> Thank you.
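
The advice quoted in this thread, "move the logic to an action", sketched as an added example that is not part of the original messages or of the Struts project's code. The class name `DashboardAction`, the role names and the `admin`/`auditor` properties are hypothetical; it assumes the action runs behind the `servletConfig` interceptor (part of `defaultStack`) so that `ServletRequestAware` is honoured.

```java
package example; // hypothetical package

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Resolves container roles in Java and exposes only plain booleans to the
 * view, so no OGNL expression in the JSP has to reach into the request
 * wrapper (the javax.servlet call that SecurityMemberAccess blocks).
 */
public class DashboardAction extends ActionSupport implements ServletRequestAware {

    // Assumed role names; use the ones declared in your web.xml / realm.
    private static final String ADMIN_ROLE = "admin";
    private static final String AUDITOR_ROLE = "auditor";

    private HttpServletRequest request;
    private boolean admin;
    private boolean auditor;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // The role check happens here, in compiled code, not in an expression.
        // Fail closed if the request was never injected (interceptor missing).
        admin = request != null && request.isUserInRole(ADMIN_ROLE);
        auditor = request != null && request.isUserInRole(AUDITOR_ROLE);
        return SUCCESS;
    }

    // Getters only: the view can read the decision but not change it
    // through request parameters.
    public boolean isAdmin() {
        return admin;
    }

    public boolean isAuditor() {
        return auditor;
    }

    // In the JSP, the expression that called isUserInRole(...) on the request
    // becomes a property read on the action, for example:
    //   <s:if test="admin"> ... </s:if>
}
```

With this shape the exclusion list in struts-default.xml stays untouched, and each JSP expression that triggered the warning is replaced by a property name.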