Re: CVE-2023-49735 in Apache Tiles
This is a good idea. I will post to the security group.

On 10.01.2024 at 12:22, Lukasz Lenart wrote:

Hi Sebastian,

To be honest I have no idea why this triggers any alert. The vulnerability targets Tiles 2.0 [1] while Struts (even before merging the codebase) is using Tiles 3 which shouldn't be affected. This could be an issue of false positive alert in OWASP.

Also the vulnerability report looks suspicious as it mentions manipulating the session attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the tiles-test example [2] I can say it's a developer fault not a library vulnerability, report is invalid IMO.

We can move this discussion to security@struts.a.o to get support from ASF Security gurus.

[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2] https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102

Cheers
Łukasz

Wed, 10 Jan 2024 at 11:08, Sebastian Götz wrote:

Hi Lukasz,

happy new year to you and everyone as well!

Unfortunately I had some trouble with the mailing list and thus did not receive your reply. I have found it browsing the group by browser and so I post your reply here for reference:

Happy New Year!

The Tiles codebase has been copied into the Struts Tiles plugin [1] and it's a part of the Struts 6.3.0 right now. Migrating to this version should solve the problem. And we (Struts) are going to maintain the Tiles codebase under the plugin, so no worries :)

[1] https://issues.apache.org/jira/browse/WW-5233

Cheers
Łukasz

I am very glad to hear that we do not have to move away from Tiles as it is a core of our product. We are running the OWASP dependency checker during the build. As we are on Struts 6.3.0.2 already, which should be the most recent version, I am not quite clear what to do now as the checker still marks struts-tiles-plugin.jar as vulnerable:

Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
struts2-tiles-plugin.jar: CVE-2023-49735

So my question is: can we treat this as a false positive or is the vulnerability still there and we need to wait for fix version?

Kind regards
Sebastian

On 02.01.2024 at 09:57, Sebastian Götz wrote:

Hello to anybody and a happy new year!

Our dependency check started to fail last year already marking struts2-tiles-plugin as the source of a security issue. As the plugin uses Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.

Now as we use the struts-tiles-plugin to build our web pages and the Tiles project is already retired, can somebody of the team explain how to mitigate the security issue (besides moving away from Tiles completely)?

Kind regards
Sebastian

--
With kind regards
Sebastian Götz
iNFORM Technology GmbH
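The developer-side control that Łukasz's reply points at, as an added example (not code from this thread, Tiles or Struts): a locale string supplied by the user is never turned into a session value directly, it only selects one of a fixed set of `Locale` objects. The class name `LocaleAllowlist`, the supported locales and the sample inputs are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added illustration; class and method names are hypothetical. */
public class LocaleAllowlist {
    // Canonical BCP 47 tag -> the one Locale instance the application hands out for it.
    private final Map<String, Locale> supported = new LinkedHashMap<>();
    private final Locale fallback;

    public LocaleAllowlist(Locale fallback, Locale... others) {
        this.fallback = fallback;
        supported.put(fallback.toLanguageTag(), fallback);
        for (Locale l : others) {
            supported.put(l.toLanguageTag(), l);
        }
    }

    /**
     * Maps request text to an allowlisted Locale. The returned object always comes
     * from the allowlist, so nothing derived from the raw string reaches the session.
     */
    public Locale resolve(String requested) {
        if (requested == null || requested.length() > 16) {
            return fallback;
        }
        // Accept the legacy "de_DE" spelling as well as "de-DE".
        String tag = requested.trim().replace('_', '-');
        Locale parsed = Locale.forLanguageTag(tag);
        String canonical = parsed.toLanguageTag();
        // forLanguageTag silently drops ill-formed subtags; reject input that
        // does not round-trip instead of accepting the truncated result.
        if (!canonical.equalsIgnoreCase(tag)) {
            return fallback;
        }
        return supported.getOrDefault(canonical, fallback);
    }

    public static void main(String[] args) {
        LocaleAllowlist locales = new LocaleAllowlist(Locale.US, Locale.GERMANY, Locale.FRANCE);
        // Constructed sample inputs, as they might arrive in a request parameter.
        String[] constructed = {
            "de_DE", "fr-FR", "EN-us", "pl-PL", "en-US-x-anything", "not a locale", null
        };
        for (String input : constructed) {
            Locale chosen = locales.resolve(input);
            // An application would store `chosen` (not `input`) under the session
            // attribute named in the thread, DefaultLocaleResolver.LOCALE_KEY.
            System.out.printf("%-20s -> %s%n", input, chosen.toLanguageTag());
        }
    }
}
```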
Re: CVE-2023-49735 in Apache Tiles
Hi Lukasz,

happy new year to you and everyone as well!

Unfortunately I had some trouble with the mailing list and thus did not receive your reply. I have found it browsing the group by browser and so I post your reply here for reference:

Happy New Year!

The Tiles codebase has been copied into the Struts Tiles plugin [1] and it's a part of the Struts 6.3.0 right now. Migrating to this version should solve the problem. And we (Struts) are going to maintain the Tiles codebase under the plugin, so no worries :)

[1] https://issues.apache.org/jira/browse/WW-5233

Cheers
Łukasz

I am very glad to hear that we do not have to move away from Tiles as it is a core of our product. We are running the OWASP dependency checker during the build. As we are on Struts 6.3.0.2 already, which should be the most recent version, I am not quite clear what to do now as the checker still marks struts-tiles-plugin.jar as vulnerable:

Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
struts2-tiles-plugin.jar: CVE-2023-49735

So my question is: can we treat this as a false positive or is the vulnerability still there and we need to wait for fix version?

Kind regards
Sebastian

On 02.01.2024 at 09:57, Sebastian Götz wrote:

Hello to anybody and a happy new year!

Our dependency check started to fail last year already marking struts2-tiles-plugin as the source of a security issue. As the plugin uses Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.

Now as we use the struts-tiles-plugin to build our web pages and the Tiles project is already retired, can somebody of the team explain how to mitigate the security issue (besides moving away from Tiles completely)?

Kind regards
Sebastian
CVE-2023-49735 in Apache Tiles
Hello to anybody and a happy new year!

Our dependency check started to fail last year already marking struts2-tiles-plugin as the source of a security issue. As the plugin uses Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.

Now as we use the struts-tiles-plugin to build our web pages and the Tiles project is already retired, can somebody of the team explain how to mitigate the security issue (besides moving away from Tiles completely)?

Kind regards
Sebastian
Re: Struts 2.5.21 release date
Thank you.

On 25.10.2019 at 10:19, Lukasz Lenart wrote:

Wed, 23 Oct 2019 at 16:47, Sebastian Götz wrote:

can you tell us when there will be the next bug fix release for Struts 2.5? Some work has been done towards java 11 compatibility on 2.5.21 but I see no changes lately. According to the project status of Struts2 in the Apache JIRA there is no planned release date either.

There is one issue that should be addressed and we good to go. So maybe in a few days/weeks we can prepare a new release.
https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20fixVersion%20%3D%202.5.21

Regards
Struts 2.5.21 release date
Hey guys, can you tell us when there will be the next bug fix release for Struts 2.5? Some work has been done towards java 11 compatibility on 2.5.21 but I see no changes lately. According to the project status of Struts2 in the Apache JIRA there is no planned release date either. Kind regards Sebastian Götz
Re: Java 11 support
Hey guys,

I can tell you now that my other problems are not related to the ASM configuration or Java 11. In the Apache JIRA I have created another issue (https://issues.apache.org/jira/browse/WW-5006) which is related to OGNL accessing static fields.

Kind regards,
Sebastian

On 24.01.2019 at 12:13, Yasser Zamani wrote:
> Hi Sebastian, thanks again for your time to feed back! It's really a
> great help.
>
> Regarding the web app doesn't work, it always a good practice to enable
> devMode and set log mode to warn or at next step to debug.
>
> Kind Regards.
>
> On 1/24/2019 2:11 PM, Sebastian Götz wrote:
>> Hello Yasser,
>>
>> I have followed your instructions. The exceptions are gone although my
>> webapp does not work either.
>> But I need more time to figure out whether this is a general
>> compatibility issue between struts2 2.5.2 and 2.5.20 or a matter of the
>> Java 11 compiler.
>>
>>
>> On 23.01.2019 at 08:17, Yasser Zamani wrote:
>>>> -Original Message-
>>>> From: Sebastian Götz
>>>> Sent: Thursday, January 17, 2019 4:41 PM
>>>> To: user@struts.apache.org
>>>> Subject: Re: Java 11 support
>>>>
>>>> Hi folks,
>>>>
>>>> it appears that there is some work left in the convention plugin. As I can see from
>>>> my IVY resolve process this plugin drags in asm 5.2. From its sources it looks like it
>>>> supports class version up to 1.8 (class version 52).
>>>> As we compile with JDK 11 already (class version 55) we get a lot of these
>>>> exceptions:
>>>>
>>>> java.lang.IllegalArgumentException
>>>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>>>     at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461)
>>>>     at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93)
>>>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395)
>>>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377)
>>>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333)
>>>>     at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
>>>>     at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206)
>>>>     at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66)
>>>>     at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:957)
>>>>     at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463)
>>>>     at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496)
>>>>     at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73)
>>>>     at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61)
>>>>     at eu.inform.servlet.context.URIExcludeFilter.init(URIExcludeFilter.java:37)
>>>>     at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
>>>>     at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
>>>>     at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
>>>>     at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
>>>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
>>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>>     at
Re: Java 11 support
Hello Yasser,

I have followed your instructions. The exceptions are gone although my webapp does not work either.
But I need more time to figure out whether this is a general compatibility issue between struts2 2.5.2 and 2.5.20 or a matter of the Java 11 compiler.

On 23.01.2019 at 08:17, Yasser Zamani wrote:
>
>> -Original Message-
>> From: Sebastian Götz
>> Sent: Thursday, January 17, 2019 4:41 PM
>> To: user@struts.apache.org
>> Subject: Re: Java 11 support
>>
>> Hi folks,
>>
>> it appears that there is some work left in the convention plugin. As I can see from
>> my IVY resolve process this plugin drags in asm 5.2. From its sources it looks like it
>> supports class version up to 1.8 (class version 52).
>> As we compile with JDK 11 already (class version 55) we get a lot of these
>> exceptions:
>>
>> java.lang.IllegalArgumentException
>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>     at org.objectweb.asm.ClassReader.<init>(Unknown Source)
>>     at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461)
>>     at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93)
>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395)
>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377)
>>     at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333)
>>     at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
>>     at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206)
>>     at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66)
>>     at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:957)
>>     at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463)
>>     at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496)
>>     at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73)
>>     at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61)
>>     at eu.inform.servlet.context.URIExcludeFilter.init(URIExcludeFilter.java:37)
>>     at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
>>     at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
>>     at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
>>     at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
>>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
>>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
>>     at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:831)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
>>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
>>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>>     at java.base/java
Re: Java 11 support
I agree with Lukasz. That's the way to do it.

On 24.01.2019 at 07:58, Lukasz Lenart wrote:
> Wed, 23 Jan 2019 at 15:49, Yasser Zamani wrote:
>> I'm not sure if I get your point correctly but I didn't change `target` in
>> [1].
>>
>> If you meant the user's itself java 11 compiled classes structure, to double
>> verify if it works, with [1]'s local branch with a few local changes into
>> showcase app, I compiled showcase app into a war file with JDK11. Inside the
>> war file, I verified that showcase classes are compiled with JDK11 and
>> WEB-INF\lib\struts-convention-plugin.jar classes are compiled with JDK7 (via
>> viewing their .class files first 8 bytes) i.e. similar to Sebastian case. I
>> then deployed that war into tomcat starting with java 11. I saw it launched
>> with no error and I saw it's bean-validation-example.action (a convention
>> configured action) works fine.
> I think the proper test case scenario is as follow:
> - build Struts with JDK7 (or JDK8 as we are going to use Java 8 in Struts
> 2.6)
> - prepare a Convention based Struts app
> - build the app use JDK 11 (with target set to Java 11)
> - start the app and see if all the actions were properly initialised
>
> Issue isn't with building Struts itself under JDK11 but with using
> Struts in Java 11 based application (where the source is compiled with
> JDK11)
>
>
> Regards
Re: Java 11 support
Hello Yasser,

sure I will give that a try and give you the feedback. But I cannot guarantee that I will make it today.

Regards
Sebastian

On 23.01.2019 at 08:17, Yasser Zamani wrote:

-Original Message-
From: Sebastian Götz
Sent: Thursday, January 17, 2019 4:41 PM
To: user@struts.apache.org
Subject: Re: Java 11 support

Hi folks,

it appears that there is some work left in the convention plugin. As I can see from my IVY resolve process this plugin drags in asm 5.2. From its sources it looks like it supports class version up to 1.8 (class version 52).
As we compile with JDK 11 already (class version 55) we get a lot of these exceptions:

java.lang.IllegalArgumentException
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461)
    at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333)
    at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
    at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206)
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66)
    at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:957)
    at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463)
    at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496)
    at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73)
    at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61)
    at eu.inform.servlet.context.URIExcludeFilter.init(URIExcludeFilter.java:37)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:831)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:261)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:801)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:695)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43
Re: Java 11 support
Okay, I have filed a JIRA issue: https://issues.apache.org/jira/browse/WW-5005.

On 22.01.2019 at 09:32, Lukasz Lenart wrote:

Ok, thanks. I see your point now, but this can be hard to support as we must support Java 7 (or Java 8 in case of Struts 2.6) and at the same time Java 11 - I think we will have to develop a dedicated plugin that will replace ClassFinder in the Convention plugin in case of Java 11.

Would you mind to fill a ticket in JIRA?

Regards
Re: Java 11 support
In the end: yes. Although we are building with ANT and IVY. But the compiler levels are specified as 11, yes. I do not know how to do it with maven. But it would be relevant for the tests of the convention plugin to analyse some Struts2 action class with class version 55.

On 18.01.2019 at 09:13, Lukasz Lenart wrote:

To clarify, you run your build on JDK11 and you defined source & target in Maven pom as version 11, right?

Regards
Re: Java 11 support
I took a short look. In Travis I can see that you run the build under OpenJDK7. We compile our sources with JDK 11 and source and target version 11 resulting in class files with class version 55. Thus ASM cannot inspect our class during startup because of the usage of the ASM5 API (restricts class version greater than that of Java 8). This is a runtime exception during container startup, not a compiler problem.

Sorry if I cannot describe the problem better. I am not a native speaker ;-)

On 18.01.2019 at 08:50, Lukasz Lenart wrote:

Hm... strange but our builds are passing on JDK 11
https://builds.apache.org/view/S-Z/view/Struts/job/Struts-master-JDK11/

also on Travis
https://travis-ci.org/apache/struts

Fri, 18 Jan 2019 at 08:46, Sebastian Götz wrote:

Okay. I have taken a look at the struts-2-5-x branch in github. There is a global property in the struts-parentof that defines the version for ASM:

5.2

The struts-master pom of the current github *master branch* has:

7.0

But when I look into DefaultClassFinder$InfoBuildingVisitor class (line 461) of the *master branch* there is still ASM 5 used:

public class InfoBuildingVisitor extends ClassVisitor {
    private Info info;
    private ClassFinder classFinder;

    public InfoBuildingVisitor(ClassFinder classFinder) {
        super(Opcodes.ASM5);  // line emphasised in the original mail: ASM5 API level
        this.classFinder = classFinder;
    }

So first step would be to change this coupling to ASM's version 7 API. And if possible back-porting this to the struts-2-5-x branch. Right?

As I am not familiar with ASM at all, I cannot even estimate whether this is that has to be done or not. But I offer any support I can give to have Java 11 ready as soon as possible.

Kind regards
Sebastian

On 17.01.2019 at 14:45, Lukasz Lenart wrote:

Hm... I thought we switched to ASM 7.0 in struts-2-5-x branch - at least in the master branch we have it which means Struts 2.6 supports JDK 11

Thu, 17 Jan 2019 at 14:11, Sebastian Götz wrote:

Hi folks,

it appears that there is some work left in the convention plugin. As I can see from my IVY resolve process this plugin drags in asm 5.2. From its sources it looks like it supports class version up to 1.8 (class version 52).
As we compile with JDK 11 already (class version 55) we get a lot of these exceptions:

java.lang.IllegalArgumentException
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.objectweb.asm.ClassReader.<init>(Unknown Source)
    at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461)
    at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377)
    at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333)
    at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
    at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206)
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66)
    at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:957)
    at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463)
    at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496)
    at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73)
    at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61)
    at eu.inform.servlet.context.URIExcludeFilter.init(URIExcludeFilter.java:37)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.ex
Re: Java 11 support
Okay. I have taken a look at the struts-2-5-x branch in github. There is a global property in the struts-parentof that defines the version for ASM: 5.2

The struts-master pom of the current github *master branch* has: 7.0

But when I look into the DefaultClassFinder$InfoBuildingVisitor class (line 461) of the *master branch* there is still ASM 5 used:

    public class InfoBuildingVisitor extends ClassVisitor {
        private Info info;
        private ClassFinder classFinder;

        public InfoBuildingVisitor(ClassFinder classFinder) {
            super(Opcodes.ASM5);  // still the ASM 5 API level
            this.classFinder = classFinder;
        }
        // ...
    }

So first step would be to change this coupling to ASM's version 7 API. And if possible back-porting this to the struts-2-5-x branch. Right?

As I am not familiar with ASM at all, I cannot even estimate whether this is that has to be done or not. But I offer any support I can give to have Java 11 ready as soon as possible.

Kind regards
Sebastian

On 17.01.2019 at 14:45, Lukasz Lenart wrote:

Hm... I thought we switched to ASM 7.0 in struts-2-5-x branch - at least in the master branch we have it which means Struts 2.6 supports JDK 11

Thu, 17 Jan 2019 at 14:11, Sebastian Götz wrote:

Hi folks,

it appears that there is some work left in the convention plugin. As I can see from my IVY resolve process this plugin drags in asm 5.2. From its sources it looks like it supports class version up to 1.8 (class version 52). As we compile with JDK 11 already (class version 55) we get a lot of these exceptions:

    java.lang.IllegalArgumentException
        at org.objectweb.asm.ClassReader.<init>(Unknown Source)
        at org.objectweb.asm.ClassReader.<init>(Unknown Source)
        at org.objectweb.asm.ClassReader.<init>(Unknown Source)
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461)
        at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93)
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395)
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377)
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333)
        at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
        at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206)
        at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66)
        at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:957)
        at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463)
        at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496)
        at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73)
        at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61)
        at eu.inform.servlet.context.URIExcludeFilter.init(URIExcludeFilter.java:37)
        at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:831)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1432)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1422)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
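The class-version mismatch described in this thread can be found before deployment by reading the class-file headers inside a jar. The following is an added example, not code from the thread, Struts or ASM; the limit of 52 for ASM 5.2 is taken from the mail above, and the sample jar and its class names are constructed.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
ASM_5_2_MAX_MAJOR = 52  # per the thread: asm 5.2 supports class files up to Java 8


def class_version(data):
    """Return (major, minor) from a class-file header, or None if it is not one."""
    if len(data) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", data[:8])
    return (major, minor) if magic == CLASS_MAGIC else None


def java_release(major):
    """Map a class-file major version to the Java release (52 -> 8, 55 -> 11)."""
    return major - 44


def too_new_classes(jar_bytes, max_major=ASM_5_2_MAX_MAJOR):
    """List (entry, major) for classes a reader limited to max_major would reject."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            if not name.endswith(".class"):
                continue
            with jar.open(name) as entry:
                version = class_version(entry.read(8))
            if version is None:
                findings.append((name, None))  # truncated or not a class file
            elif version[0] > max_major:
                findings.append((name, version[0]))
    return findings


def build_sample_jar():
    """Constructed sample: header-only stand-ins for classes, names are made up."""
    def header(major):
        return struct.pack(">IHH", CLASS_MAGIC, 0, major)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/LegacyAction.class", header(52))
        jar.writestr("com/example/OrderAction.class", header(55))
        jar.writestr("com/example/Broken.class", b"\x00\x01")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, major in too_new_classes(build_sample_jar()):
        detail = "unreadable header" if major is None else f"major {major} (Java {java_release(major)})"
        print(f"{name}: {detail}")
```

Passing a higher `max_major` models a bytecode reader that accepts newer class files, so the same scan can confirm that an upgraded dependency covers everything on the classpath.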
Re: Java 11 support
On 15.01.2019 at 09:45, Sebastian Götz wrote:

Great to hear that!
Re: Java 11 support
Great to hear that!

On 15.01.2019 at 09:37, Yasser Zamani wrote:

Hi Sebastian,

Yes the release will be ready this month hopefully this week already ☺

Kind Regards.

From: Sebastian Götz
Sent: Tuesday, January 15, 2019 10:51 AM
To: Yasser Zamani
Subject: Re: Java 11 support

Hi Yasser,

sure! We are not in a hurry :-) but really looking forward to this release. I tried with the 2.5.18 yesterday. But then I will await the 2.5.20 release with pleasure. I know this sort of question sucks but will the release be ready this month already or will it take somewhat longer?

Kind regards,
Sebastian

On 14.01.2019 at 19:06, Yasser Zamani wrote:

Hi Sebastian,

I'm pleased to announce it seems we were able to add both java 9 and 11 supports into Struts 2.5.20. Could you please wait a few days for its release and then test the bits? It currently can pass all tests with all jdks (see [1]) but it's so great if you will be able to test it in production also.

Thanks for using Struts!

Kind Regards.

[1] https://travis-ci.org/apache/struts/builds/456910100

On 1/14/2019 11:13 AM, Sebastian Götz wrote:

Hello all.

I searched through the website and the issue tracker to find any roadmap info concerning Java 11 support. At the moment I try upgrading our webapp to Tomcat 9 with OpenJDK 11. I know from past upgrades that we had to use a Java8-support-plugin for a while. Now with JDK 11 it looks a bit more complex getting the Java 9 module stuff together correctly. But I think someone must have a plan for this migration.

So the question is: how and when is it going to be possible to use struts2 with Java 11?
Kind regards
Sebastian Götz

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

--
Kind regards
Sebastian Götz

iNFORM Technology GmbH
Albstadt branch
Berliner Straße 24
72458 Albstadt-Ebingen
Tel: +49 7431 9816090
Fax: +49 7431 9816092
s.go...@inform-technology.de
http://www.inform-technology.de/

Head office Stockach: Bodenseeallee 18, D-78333 Stockach, Tel: +49 7771 9282 494

Managing director: Dipl.-Ing. (FH) Heinz Roth | Commercial register: HRB 715948, Amtsgericht Freiburg | VAT ID no.: DE312290945

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Java 11 support
Hello all.

I searched through the website and the issue tracker to find any roadmap info concerning Java 11 support. At the moment I try upgrading our webapp to Tomcat 9 with OpenJDK 11. I know from past upgrades that we had to use a Java8-support-plugin for a while. Now with JDK 11 it looks a bit more complex getting the Java 9 module stuff together correctly. But I think someone must have a plan for this migration.

So the question is: how and when is it going to be possible to use struts2 with Java 11?

Kind regards
Sebastian Götz