Let me take a look, I think I overlooked testing the OGNL allowlist with the Convention plugin - created WW-5440 to track.
On Sat, Jul 13, 2024 at 3:04 PM Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
> Hi,
>
> I'm playing a bit with our Showcase App and noticed a few issues
> related to the latest security changes. Here is an example method
> annotated as follows:
>
> @Action(value = "bean-validation", results = {
>     @Result(name = "success", location = "bean-validation.jsp")
> })
> @SkipValidation
> public String beanValidation() {
>     return SUCCESS;
> }
>
> I assumed this should be automatically detected by the AllowList mechanism
> to add such a class to the allowed classes list, yet it didn't happen:
>
> [WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) -
> Declaring class [class
> org.apache.struts2.showcase.validation.BeanValidationExampleAction] of
> member type [public java.lang.String
> org.apache.struts2.showcase.validation.BeanValidationExampleAction.beanValidation()]
> is not allowlisted! Add to 'struts.allowlist.classes' or
> 'struts.allowlist.packageNames' configuration.
>
> This can be a blocker for users to migrate to the latest version.
>
>
> Cheers
> Łukasz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
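A simplified model of the declaring-class check behind the warning quoted above, added here as an illustration; it is not Struts' own SecurityMemberAccess code. The class and package names are stand-ins for the showcase action, and the rule that a package-name entry also matches its sub-packages is an assumption of this model, not something the thread states.

```java
package demo.validation;

import java.lang.reflect.Method;
import java.util.Set;

// Added illustration: a minimal model of a declaring-class allowlist, NOT
// Struts' SecurityMemberAccess. It shows why an action class present in
// neither list is rejected, and how each of the two settings admits it.
public class AllowlistCheckDemo {

    static final class Allowlist {
        private final Set<String> classes;      // models struts.allowlist.classes
        private final Set<String> packageNames; // models struts.allowlist.packageNames

        Allowlist(Set<String> classes, Set<String> packageNames) {
            this.classes = classes;
            this.packageNames = packageNames;
        }

        // Assumption of this model: a package entry matches exactly or as a dotted prefix.
        boolean isAllowed(Method member) {
            Class<?> declaring = member.getDeclaringClass();
            if (classes.contains(declaring.getName())) {
                return true;
            }
            String pkg = declaring.getPackageName();
            for (String allowed : packageNames) {
                if (pkg.equals(allowed) || pkg.startsWith(allowed + ".")) {
                    return true;
                }
            }
            return false; // this is the case the WARN line in the thread reports
        }
    }

    // Stand-in for the showcase action (hypothetical; the real one lives in a Struts package).
    public static class BeanValidationExampleAction {
        public String beanValidation() { return "success"; }
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Method m = BeanValidationExampleAction.class.getMethod("beanValidation");
        String cls = m.getDeclaringClass().getName();        // demo.validation.AllowlistCheckDemo$BeanValidationExampleAction
        String pkg = m.getDeclaringClass().getPackageName(); // demo.validation

        System.out.println("no lists:   " + new Allowlist(Set.of(), Set.of()).isAllowed(m));
        System.out.println("by class:   " + new Allowlist(Set.of(cls), Set.of()).isAllowed(m));
        System.out.println("by package: " + new Allowlist(Set.of(), Set.of(pkg)).isAllowed(m));
    }
}
```

Until the Convention plugin registers action classes with the allowlist automatically, the second and third cases are the manual workaround the warning message points at.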