[ERROR] 2022-03-29 08:26:35 [https-jsse-nio-8443-exec-54] OgnlValueStack -
Could not evaluate this expression due to security constraints:
[participant.checklist >= 2
&& participant.surveyResponse ==
null]
ognl.OgnlException: Parsing blocked due to security reasons!
at ognl.Ognl.parseExpression(Ognl.java:172) ~[ognl-3.1.29.jar:?]
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:515)
~[struts2-core-2.5.27.jar:2.5.27]
at com.opensymphony.xwork2.ognl.OgnlUtil.getValue(OgnlUtil.java:498)
~[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.getValue(OgnlValueStack.java:371)
~[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValue(OgnlValueStack.java:359)
~[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValueWhenExpressionIsNotNull(OgnlValueStack.java:328)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:312)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.components.Component.findValue(Component.java:381)
[struts2-core-2.5.27.jar:2.5.27]
at org.apache.struts2.components.If.start(If.java:83)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.views.jsp.ComponentTagSupport.doStartTag(ComponentTagSupport.java:51)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.jsp.WEB_002dINF.jsp.project_005ffeedback_jsp._jspx_meth_s_005fif_005f2(project_005ffeedback_jsp.java:1315)
[personalitypad/:?]
at
org.apache.jsp.WEB_002dINF.jsp.project_005ffeedback_jsp._jspService(project_005ffeedback_jsp.java:378)
[personalitypad/:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
[jasper.jar:9.0.43]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[servlet-api.jar:4.0.FR]
at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
[jasper.jar:9.0.43]
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:378)
[jasper.jar:9.0.43]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:326)
[jasper.jar:9.0.43]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[servlet-api.jar:4.0.FR]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[catalina.jar:9.0.43]
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
[tomcat-websocket.jar:9.0.43]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:710)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:457)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
[catalina.jar:9.0.43]
at
org.apache.struts2.result.ServletDispatcherResult.doExecute(ServletDispatcherResult.java:169)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.result.StrutsResultSupport.execute(StrutsResultSupport.java:206)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:375)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:250)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:179)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:133)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:89)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:101)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:142)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:160)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:175)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:121)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:167)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:207)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:196)
[struts2-core-2.5.27.jar:2.5.27]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:574)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:141)
[struts2-core-2.5.27.jar:2.5.27]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
[catalina.jar:9.0.43]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:667)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
[catalina.jar:9.0.43]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
[catalina.jar:9.0.43]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
[catalina.jar:9.0.43]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
[catalina.jar:9.0.43]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
[catalina.jar:9.0.43]
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
[tomcat-coyote.jar:9.0.43]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
[tomcat-coyote.jar:9.0.43]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887)
[tomcat-coyote.jar:9.0.43]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684)
[tomcat-coyote.jar:9.0.43]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-coyote.jar:9.0.43]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[?:?]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[?:?]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:9.0.43]
at java.lang.Thread.run(Thread.java:835) [?:?]
Caused by: java.lang.SecurityException: This expression exceeded maximum
allowed length: participant.checklist >= 2
&& participant.surveyResponse ==
null
... 99 more
> On Mar 29, 2022, at 2:06 AM, Lukasz Lenart <[email protected]> wrote:
>
> pon., 28 mar 2022 o 20:33 Ralph Grove <[email protected]> napisał(a):
>>
>> I’m experimenting with enhancing security by setting a value for
>> struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in
>> the application, and the longest expression length is 65, so I set the max
>> to 99:
>>
>> <constant name="struts.ognl.expressionMaxLength" value="99" />
>>
>>
>> At run-time, that expression (with length 65) fails with this error message:
>>
>> OgnlValueStack - Could not evaluate this expression due to security
>> constraints: [participant.checklist >= 2 && participant.surveyResponse ==
>> null]
>
> Do you have a stack trace?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>