[
https://issues.apache.org/jira/browse/WW-5589?focusedWorklogId=993322&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-993322
]
ASF GitHub Bot logged work on WW-5589:
--------------------------------------
Author: ASF GitHub Bot
Created on: 25/Nov/25 18:11
Start Date: 25/Nov/25 18:11
Worklog Time Spent: 10m
Work Description: lukaszlenart closed pull request #1421: WW-5589
Complete UIBean field encapsulation with private fields and public getters
URL: https://github.com/apache/struts/pull/1421
Issue Time Tracking
-------------------
Worklog Id: (was: 993322)
Time Spent: 0.5h (was: 20m)
> Convert remaining UIBean protected fields to private to prevent OGNL warnings
> -----------------------------------------------------------------------------
>
> Key: WW-5589
> URL: https://issues.apache.org/jira/browse/WW-5589
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Following WW-5368, which fixed OGNL SecurityMemberAccess warnings for
> {{label}}, {{name}}, {{value}}, and {{id}} fields by converting them from
> {{protected}} to {{private}} with public getters, additional protected fields
> in UIBean should be converted for consistency and to prevent similar warnings.
> h3. Background
> OGNL's expression parser can attempt to access protected fields when
> evaluating expressions containing field names as tokens (e.g.,
> {{getText('key.something')}}, {{getText('title.page')}}). This triggers
> SecurityMemberAccess warnings: "Access to non-public [protected String
> UIBean.xxx] is blocked!"
> By using {{private}} fields with public getters, OGNL's introspection finds
> the public getter methods instead of attempting direct field access.
> h3. Fields to Convert
> Priority fields (most likely to appear in expressions):
> * {{key}} - Commonly used in resource bundle keys
> * {{title}} - Could appear in page title expressions
> * {{disabled}} - May appear in conditional expressions
> Optional (for JavaBean compliance and consistency):
> * All remaining protected fields (cssClass, cssStyle, templateDir, theme,
> etc.)
> h3. Scope
> * Change field visibility from {{protected}} to {{private}}
> * Add public getter methods where missing
> * Update any subclasses that directly access these fields to use getters
> * Add tests to verify OGNL can access fields without warnings
> * Maintain backward compatibility for setter methods
> h3. Related
> * WW-5368: Fixed label, name, value, id fields
> * Follows JavaBean encapsulation best practices
> * Improves framework security posture by eliminating false-positive warnings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
