This capability is indeed similar to strict method invocation but for
request parameters. I'm not against an XML based alternative for those
who prefer it.
It might lose some additional benefit that comes with co-location of
configuration with code though.
With annotations, anyone reading the Act
Going through my parameters, as I share a lot of screens in various parts
with different requirements, a struts.xml version on the action, similar to
save,publish,expire
would work well here, i.e.
path,filter
public String getPath() {
return path;
}
public String getFilter() {
return filter;
}
Yeah, good call, I'll look into it
On Tue, Jun 18, 2024 at 5:54 PM Greg Huber wrote:
>
> OK thanks.
>
> Can the logging be the same as the others - Developer Notification rather
> than changing the debug level?
>
> i.e. for a bad date I get
>
> 2024-06-18 08:24:53,696 WARN org.apache.struts2.components.Date
OK thanks.
Can the logging be the same as the others - Developer Notification rather
than changing the debug level?
i.e. for a bad date I get
2024-06-18 08:24:53,696 WARN org.apache.struts2.components.Date Date:end
- Developer Notification (set struts.devMode to false to disable this
message):
Expr
Good questions
The log messages for these are at the debug level so you will need to
enable logging at the debug level to see these. This was a deliberate
decision as otherwise bad actors would be able to flood your
application logs.
The annotations should only target Action class methods. If you
For the struts.parameters.requireAnnotations=true
If I test my action, there are no log messages for these, i.e. missing
@StrutsParameter.
It also says Action class; what if I have a bean in the action class, do
I need to do these also?
If I add them to every field/bean is this the same
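As an added illustration of the question and answer above (this is not code from the thread or from the Struts project), here is a hypothetical action written for struts.parameters.requireAnnotations=true. The class, package and field names are assumed; the @StrutsParameter annotation, its depth attribute and the constant name are the real Struts ones referred to in the thread.

```java
// Added example, not from the thread. Hypothetical action class for a
// Struts 7 application running with struts.parameters.requireAnnotations=true.
package com.example.inquiry; // assumed package

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.parameter.StrutsParameter;

public class InquiryAction extends ActionSupport {

    private String path;
    private String filter;
    private boolean adminMode;
    private final SearchCriteria criteria = new SearchCriteria();

    // With requireAnnotations=true the parameters interceptor only populates
    // setters (or public fields) on the action that carry @StrutsParameter.
    @StrutsParameter
    public void setPath(String path) {
        this.path = path;
    }

    @StrutsParameter
    public void setFilter(String filter) {
        this.filter = filter;
    }

    // A bean held by the action: annotate its getter with a depth so that
    // request parameters one level down, e.g. criteria.fromDate=2024-06-18,
    // can be set. The bean's own setters do not need the annotation.
    @StrutsParameter(depth = 1)
    public SearchCriteria getCriteria() {
        return criteria;
    }

    // Read-only getters used by the JSP are not injection targets and need
    // no annotation.
    public String getPath() {
        return path;
    }

    public String getFilter() {
        return filter;
    }

    // Deliberately left unannotated: a request carrying adminMode=true is
    // ignored. As the reply in the thread says, that rejection is logged at
    // debug level only, so turn on debug logging while migrating to see it.
    public void setAdminMode(boolean adminMode) {
        this.adminMode = adminMode;
    }

    public boolean isAdminMode() {
        return adminMode;
    }

    @Override
    public String execute() {
        return SUCCESS;
    }

    // Assumed nested bean; plain setters, reachable only through the
    // annotated getCriteria() above.
    public static class SearchCriteria {
        private String fromDate;
        private String toDate;

        public String getFromDate() { return fromDate; }
        public void setFromDate(String fromDate) { this.fromDate = fromDate; }
        public String getToDate() { return toDate; }
        public void setToDate(String toDate) { this.toDate = toDate; }
    }
}
```

The allowlist side of the thread (struts.allowlist.packageNames and friends) is a struts.xml/struts.properties constant rather than Java, and is set the way the later reply on this page shows.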
I've fleshed out the Security section of the migration guide. Open to
any feedback on anything that is still unclear.
https://cwiki.apache.org/confluence/x/wYp3EQ
On Mon, Jun 17, 2024 at 8:14 PM Kusal Kithul-Godage
wrote:
>
> Ah right - yep no objections here
>
> Based on the feedback in this thr
Ah right - yep no objections here
Based on the feedback in this thread, I'm working on a minor
enhancement for the allowlisting capability which will allow it to
continue working at a lesser strictness in environments where
Hibernate entities are used. I'll target M8 for this as well as the
update
Mon., 17 Jun 2024 at 11:00 Kusal Kithul-Godage wrote:
>
> When you say release officially do you mean as the final Struts 7.0.0?
I meant release -> publish as M7 in the Maven Central - in such a case
we can spread testing to other users as they can use official
artifacts.
Regards
Lukasz
---
When you say release officially do you mean as the final Struts 7.0.0?
On Mon, Jun 17, 2024 at 6:57 PM Lukasz Lenart wrote:
>
> Should I call for a vote to release M7 officially?
>
> Cheers
> Lukasz
>
Should I call for a vote to release M7 officially?
Cheers
Lukasz
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
here--], proxy class
[com.afs.core.entity.Folder$HibernateProxy$OVniT9Ol]
struts.xml
value="false"/>
-- Original Message --
From "Kusal Kithul-Godage"
To "Struts Developers List"
Date 6/16/2024 9:51:36 AM
Subject Re: [TEST] Apache Struts 7.0.0-M7 test build is ready
Sun., 16 Jun 2024 at 16:52 Kusal Kithul-Godage wrote:
> Lukasz if you could give me edit permission for the Struts 7.x
> migration guide, I'll add a quick note there too.
You should have access, please login with Apache ID and password
Regards
Łukasz
So the allowlist configuration is usually just informed by the
warnings logged during runtime. For most applications this will either
be nothing or some Pojo packages. So for the example log warning
you've provided that would be:
struts.allowlist.packageNames=my.pojo
However, the main issue you're
2024-06-16 11:06:39,002 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target
The docs don't give any hints on what the list should be.
my.pojo.Pojo$HibernateProxy$tEzkTVrG]
This is an inquiry screen.
On 16/06/2024 1
So you've got 2 separate issues here:
* Pojos that are not allowlisted
* OGNL executions against Spring/Hibernate proxied objects
If you have genuine Pojos that need allowlisting, you can do so by
following the documentation:
https://struts.apache.org/security/#ognl-member-access
Allowlisting Pojo
I use both Spring and Hibernate v6 in testing, and I would not want to make
any drastic changes to these as they are painful.
Here is one (of many)
2024-06-16 09:26:21,419 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:checkAllowlist - Declaring class [class
my.pojo.Poj
That suggests the target is proxied by Spring or Hibernate, which
Pojos should not be by definition. You'll need to attach a debugger to
investigate why this is the case
On Sun, Jun 16, 2024 at 7:19 PM Greg Huber wrote:
>
> The text looks ok, but I get this in the log also:
>
> 2024-06-16 10:15:1
The text looks OK, but I get this in the log also:
2024-06-16 10:15:12,587 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
Where the target is my POJO, of which I have a lot.
On 16/06/2024 10:15, Kusal Kithul-Go
I didn't do much testing with the Struts JSP integration beyond the
examples in the showcase app so it's possible I've missed some
packages/classes that should be allowed by default.
Could you share the warnings you are receiving? Perhaps deduplicate
the warnings first if there are many repetitive
Sorry, I checked the wrong log file; it was this one, which needed to be false.
Are there any docs on this? i.e. an example of what would go in the list,
as it's excluding Struts default stuff.
On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
All of the mentioned options should log issues at warn level or
greater, except for 'struts.parameters.requireAnnotations' which will
log at debug level.
Using the following PR as a reference, you can revert settings to
their previous value one by one, to isolate which option may be
causing your a
I tried this and there is a lot of text missing on my JSP pages.
It mentions these:
struts.ognl.allowStaticFieldAccess=false
struts.ognl.expressionMaxLength=150
struts.disallowDefaultPackageAccess=true
struts.disallowProxyMemberAccess=true
struts.parameters.requireAnnotations=tr
Hello,
This is another milestone of the Struts 7.x series, which is based on
Jakarta EE 6. Please take the time and test the bits - any help is
appreciated. Please report any problems you spot.
Please read the Migration guide as this version includes stronger
security options
https://cwiki.apache