Let me take a look, I think I overlooked testing the OGNL allowlist
with the Convention plugin - created WW-5440 to track.

On Sat, Jul 13, 2024 at 3:04 PM Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
> Hi,
>
> I'm playing a bit with our Showcase App and noticed a few issues
> related to the latest security changes. Here is an example method
> annotated as follows:
>
> @Action(value = "bean-validation", results = {
>     @Result(name = "success", location = "bean-validation.jsp")
> })
> @SkipValidation
> public String beanValidation() {
>     return SUCCESS;
> }
>
> I assumed this should be automatically detected by AllowList mechanism
> to add such class to allowed classes list, yet it didn't happen:
>
> [WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) -
> Declaring class [class
> org.apache.struts2.showcase.validation.BeanValidationExampleAction] of
> member type [public java.lang.String
> org.apache.struts2.showcase.validation.BeanValidationExampleAction.beanValidation()]
> is not allowlisted! Add to 'struts.allowlist.classes' or
> 'struts.allowlist.packageNames' configuration.
>
> This can be a blocker for users to migrate to the latest version.
>
>
> Cheers
> Łukasz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>

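As an added example that is not part of the thread: the explicit workaround the warning message points at, as a struts.xml fragment. The constant names and the action class name come from the warning quoted above; the enclosing `<struts>` element and the choice to show both variants side by side are assumptions.

```xml
<struts>
    <!-- Narrow option: allowlist only the Convention-plugin action class named in
         the warning. Preferred from a least-privilege standpoint, since OGNL member
         access is granted to exactly one class. -->
    <constant name="struts.allowlist.classes"
              value="org.apache.struts2.showcase.validation.BeanValidationExampleAction"/>

    <!-- Broader option: allowlist the whole showcase validation package. Convenient
         when many Convention-plugin actions live there, but every class under the
         prefix becomes reachable from OGNL, so keep the prefix as specific as possible. -->
    <constant name="struts.allowlist.packageNames"
              value="org.apache.struts2.showcase.validation"/>
</struts>
```

Use one of the two constants, not both, and prefer the class-level entry until the Convention-plugin detection tracked in WW-5440 makes the explicit entry unnecessary.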