Re: Re: Struts7 Allowlist Capability
Thu, 29 May 2025 at 20:42 Ute Kaiser wrote:
>
> Lukasz, thank you for your advice.
> I got rid of almost all by moving logic into the action and passing new flags
> to the JSP instead.
>
> e.g.
> Migrating struts1
>
> by
>
> raised
> WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2)
> Declaring class [class java.util.ArrayList] of member type [public boolean
> java.util.ArrayList.isEmpty()] is not allowlisted!
>
> Solution according to your advice:
> - checking myList in the Action
> - passing a new flag hasData=true|false to the JSP
> -
> worked.

Very good, thanks for sharing your thoughts and solution!

> One entry remaining in struts.allowlist.classes - the world won't end because
> of this :-)

That's good, it means your app is very secure :)

Cheers
Łukasz

-
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Aw: Re: Struts7 Allowlist Capability
Lukasz, thank you for your advice.
I got rid of almost all by moving logic into the action and passing new flags to the JSP instead.

e.g.
Migrating struts1

by

raised
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2) Declaring class [class java.util.ArrayList] of member type [public boolean java.util.ArrayList.isEmpty()] is not allowlisted!

Solution according to your advice:
- checking myList in the Action
- passing a new flag hasData=true|false to the JSP
-
worked.

One entry remaining in struts.allowlist.classes - the world won't end because of this :-)

Best regards
Ute
Re: Struts7 Allowlist Capability
This happens if you use java.util.Locale directly in an expression - SecurityMemberAccess is only involved if an OGNL expression is used. Having said that, I wouldn't use any of java.*, jakarta.* in OGNL expressions as this brings a security risk. Moving such logic into actions is the safest option.

Thu, 29 May 2025 at 13:17 Ute Kaiser wrote:
>
> It is recommended to enable the allowlist capability with
> struts.allowlist.enable.
> I added my package names to struts.allowlist.packageNames.
>
> But I get these warnings (leading to further errors):
> WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2)
> Declaring class [class java.util.Locale] of member type [public
> java.lang.String java.util.Locale.getLanguage()] is not allowlisted! Add to
> 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
> Also for java.util.ArrayList, java.io etc.
>
> Is this really so restrictive?
> And if yes, is it ok to add "java,javax,jakarta"?
>
> I found this in org.apache.struts2.ognl.SecurityMemberAccess:
>     private static final Set<Class<?>> ALLOWLIST_REQUIRED_CLASSES = Set.of(
>             java.lang.Enum.class,
>             java.lang.String.class,
>             java.util.Date.class,
>             java.util.HashMap.class,
>             java.util.Map.class,
>             java.util.Map.Entry.class
>     );
>
> Is this really so restrictive?
> And if yes, is it ok to add "java,javax,jakarta"? Or is that too much, so I
> could as well set struts.allowlist.enable=false?
> I am not sure how I identify the required classes (without testing the whole
> application).
> Unfortunately, I did the migration before I set struts.allowlist.enable=true.
>
> Best regards
> Ute
Struts7 Allowlist Capability
It is recommended to enable the allowlist capability with struts.allowlist.enable.
I added my package names to struts.allowlist.packageNames.

But I get these warnings (leading to further errors):
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2) Declaring class [class java.util.Locale] of member type [public java.lang.String java.util.Locale.getLanguage()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
Also for java.util.ArrayList, java.io etc.

Is this really so restrictive?
And if yes, is it ok to add "java,javax,jakarta"?

I found this in org.apache.struts2.ognl.SecurityMemberAccess:
    private static final Set<Class<?>> ALLOWLIST_REQUIRED_CLASSES = Set.of(
            java.lang.Enum.class,
            java.lang.String.class,
            java.util.Date.class,
            java.util.HashMap.class,
            java.util.Map.class,
            java.util.Map.Entry.class
    );

Is this really so restrictive?
And if yes, is it ok to add "java,javax,jakarta"? Or is that too much, so I could as well set struts.allowlist.enable=false?
I am not sure how I identify the required classes (without testing the whole application).
Unfortunately, I did the migration before I set struts.allowlist.enable=true.

Best regards
Ute
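An added example, not code from this thread or from the Struts project: the refactor Łukasz recommends in his first reply, and that Ute's hasData flag implements, written out as a Struts 7 action so that the JSP's OGNL expressions no longer reach java.util.ArrayList or java.util.Locale and the two SecurityMemberAccess warnings quoted above go away without widening struts.allowlist.packageNames. The package and class names (com.example.app, InventoryAction, Item) and the sample data are assumptions; org.apache.struts2.ActionSupport is the Struts 7 import path (Struts 6 has it under com.opensymphony.xwork2).

```java
// Added example (not from the thread or the Struts code base). Names below are
// assumptions for illustration: package com.example.app, InventoryAction, Item.
package com.example.app;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.struts2.ActionSupport; // Struts 7 package (Struts 6: com.opensymphony.xwork2)

public class InventoryAction extends ActionSupport {

    // BEFORE: the JSP evaluated JDK methods inside OGNL, for example
    //   <s:if test="myList.isEmpty()">...</s:if>
    //   <s:property value="locale.language"/>
    // With struts.allowlist.enable=true, the declaring class of every member an
    // expression touches (java.util.ArrayList, java.util.Locale, ...) must be
    // allowlisted, which is exactly what the warnings in this thread report.
    private List<Item> myList = new ArrayList<>();

    // AFTER: the action does that work in Java and exposes plain properties.
    // OGNL in the JSP then only reads members of this action class, which sits
    // in an allowlisted package (struts.allowlist.packageNames=com.example.app).
    private boolean hasData;
    private String language;

    @Override
    public String execute() {
        myList = loadItems();
        hasData = !myList.isEmpty();                       // replaces myList.isEmpty() in OGNL
        Locale locale = getLocale();                       // ActionSupport resolves the request locale
        language = (locale == null) ? "" : locale.getLanguage(); // replaces locale.getLanguage() in OGNL
        return SUCCESS;
    }

    // The JSP now reads:
    //   <s:if test="hasData">...</s:if>
    //   <s:property value="language"/>
    // Both resolve against InventoryAction, not against ArrayList or Locale.
    public boolean isHasData() { return hasData; }
    public String getLanguage() { return language; }

    // Still fine to iterate in the JSP: <s:iterator value="myList"><s:property value="name"/></s:iterator>
    // Item lives in the allowlisted package and "name" is a String, which is in
    // the required-classes set shown in the original question.
    public List<Item> getMyList() { return myList; }

    private List<Item> loadItems() {
        // Constructed sample data standing in for a repository/service call.
        List<Item> items = new ArrayList<>();
        items.add(new Item("widget"));
        items.add(new Item("gadget"));
        return items;
    }

    public static final class Item {
        private final String name;
        public Item(String name) { this.name = name; }
        public String getName() { return name; }
    }
}
```

With the action shaped like this the allowlist can stay narrow: struts.allowlist.enable=true and struts.allowlist.packageNames=com.example.app (as <constant> entries in struts.xml or lines in struts.properties), with struts.allowlist.classes reserved for the odd JDK class a page genuinely has to call, as in Ute's one remaining entry. Adding "java,javax,jakarta" to packageNames would instead allowlist the whole JDK and servlet API, which gives up most of what the allowlist is there to restrict. A quick way to find the remaining offenders without clicking through the whole application is to grep the server log for "is not allowlisted" after enabling the allowlist in a test environment: each warning names the declaring class and member, which points at the JSP expression to move into the action.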

