This happens if you use java.util.Locale directly in an expression - SecurityMemberAccess is only involved if an OGNL expression is used. Having said that, I wouldn't use any java.* or jakarta.* classes in OGNL expressions, as this brings a security risk. Moving such logic into actions is the safest option.
On Thu, 29 May 2025 at 13:17, Ute Kaiser <ut...@web.de.invalid> wrote:
>
> It is recommended to enable the allowlist capability with
> struts.allowlist.enable.
> I added my package names to struts.allowlist.packageNames.
>
> But I get these warnings (leading to further errors):
> WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2)
> Declaring class [class java.util.Locale] of member type [public
> java.lang.String java.util.Locale.getLanguage()] is not allowlisted! Add to
> 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
> Also for java.util.ArrayList, java.io etc.
>
> Is this really so restrictive?
> And if yes, is it ok to add "java,javax,jakarta"?
>
> I found this in org.apache.struts2.ognl.SecurityMemberAccess:
> private static final Set<Class<?>> ALLOWLIST_REQUIRED_CLASSES = Set.of(
>     java.lang.Enum.class,
>     java.lang.String.class,
>     java.util.Date.class,
>     java.util.HashMap.class,
>     java.util.Map.class,
>     java.util.Map.Entry.class
>
> Is this really so restrictive?
> And if yes, is it ok to add "java,javax,jakarta"? Or is that too much, so I
> could as well set struts.allowlist.enable=false?
> I am not sure how I identify the required classes (without testing the whole
> application).
> Unfortunately, I did the migration before I set struts.allowlist.enable=true.
>
> Best regards
> Ute
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
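As an added illustration of the advice in the reply above (moving the java.util.Locale call out of the OGNL expression and into the action), and not code from the thread or from the Struts project itself: the action below performs the Locale lookup in Java and exposes only a String getter, so the view's OGNL expression touches the action class (which the poster already allowlisted via struts.allowlist.packageNames) and a java.lang.String, never java.util.Locale. The package name com.example.app.actions and the class name LanguageAction are assumptions for illustration; the org.apache.struts2.ActionSupport import is the Struts 7 package (Struts 6 uses com.opensymphony.xwork2.ActionSupport).

```java
// Added example, not part of the mailing-list thread or the Struts code base.
// Package and class names are assumptions chosen for illustration.
package com.example.app.actions;

import java.util.Locale;
import org.apache.struts2.ActionSupport; // Struts 7; Struts 6: com.opensymphony.xwork2.ActionSupport

/**
 * Keeps the java.util.Locale member access on the Java side. With
 * struts.allowlist.enable=true the view must not evaluate an OGNL
 * expression such as "locale.language", because SecurityMemberAccess
 * rejects the call to java.util.Locale.getLanguage() unless the class
 * is allowlisted. Instead the JSP uses <s:property value="language"/>,
 * which only calls getLanguage() on this action.
 */
public class LanguageAction extends ActionSupport {

    @Override
    public String execute() {
        return SUCCESS;
    }

    /**
     * Resolves the request's locale via ActionSupport.getLocale() and returns
     * its language tag. The return type is java.lang.String, which is one of
     * the classes SecurityMemberAccess always permits, so the OGNL expression
     * "language" needs nothing beyond this action's package being allowlisted.
     */
    public String getLanguage() {
        Locale locale = getLocale();
        return locale == null ? "" : locale.getLanguage();
    }
}
```

With this in place the only allowlist entries needed for this page are the application's own packages, e.g. `struts.allowlist.enable=true` and `struts.allowlist.packageNames=com.example.app` in struts.properties (the package name is again an assumption). Adding "java,javax,jakarta" to the package allowlist would reopen OGNL access to the entire JDK and container API surface, which is what the allowlist is meant to close off.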