I am a bit lost on the current state of this question chain, but I found this
message in one of your previous logs, which was not commented:
14:56:11,289 WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default
task-1) Access to non-public [private java.lang.String
gov.ca.doj.sotas.databean.UserData.userFirstName] is blocked!
Does this field also have getters/setters? If yes: maybe a setter has to be
annotated with "@StrutsParameter" so that Struts can set it:
@StrutsParameter
public void setUserFirstName(...) {
this.userFirstName = ...;
}
See
https://struts.apache.org/security/#defining-and-annotating-your-action-parameters
You can switch off this check globally, but it is not suggested. Anyway, you
could switch off the checks get at running application, then add the annotation
afterwards.
Best regards
Wolfgang
> Gesendet: Samstag, 10. Mai 2025 um 00:49
> Von: "Dave Newton" <[email protected]>
> An: "Struts Users Mailing List" <[email protected]>
> Betreff: Re: Struts 7 problem
>
> Tangential, but I’d consider wrapping up long OGNL excursions somewhere
> else besides the view layer.
>
> em: [email protected]
> mo: 908-380-8699
> gh: davelnewton <https://github.com/davelnewton>
> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
>
>
>
> On Fri, May 9, 2025 at 17:27 Deborah White <[email protected]>
> wrote:
>
> > That took care of that one. Now I have this:
> > 14:23:09,654 ERROR [org.apache.struts2.ognl.OgnlValueStack] (default
> > task-1) Could not evaluate this expression due to security constraints:
> > [#request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")]: ognl.OgnlException:
> > Parsing blocked due to security reasons! [java.lang.SecurityException: This
> > expression exceeded maximum allowed length:
> > #request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")]
> > Caused by: java.lang.SecurityException: This expression exceeded maximum
> > allowed length: #request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")
> > -----Original Message-----
> > From: Wolfgang Knauf <[email protected]>
> > Sent: Friday, May 9, 2025 12:46 PM
> > To: [email protected]
> > Subject: Re: Struts 7 problem
> >
> > EXTERNAL EMAIL: This message was sent from outside DOJ. Please do not
> > click links or open attachments that appear suspicious.
> >
> >
> > Hi Deborah,
> >
> > could be a matter of casing - the attribute is "escapeHtml":
> >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__struts.apache.org_tag-2Ddevelopers_property-2Dtag.html&d=DwIFaQ&c=uASjV29gZuJt5_5J5CPRuQ&r=nKDP-dawHhLZnXgTPWFen5qvRPMWAdYO6bsGXhaJOzk&m=aXgukS-NkcL78Ng5156UQDZ1fKg7z3s0u-KxFyK8W8_IIC6p6Xajb4cncqEYoZao&s=neyEKqpoeWVLnnm_nLLFQXpVYotkMnjLQGVy7BeloeY&e=
> >
> > Does this help?
> >
> > Wolfgang
> >
> > Am 09.05.25 um 20:15 schrieb Deborah White:
> > > I am getting this error after migrating to Struts 7.0.0.
> > >
> > > JBWEB004251: An error occurred at line: 5 column: 57) JBWEB004197:
> > Attribute escape invalid for tag property according to TLD
> > >
> > > I have found maybe related to this <s:property escape="false" />"?
> > >
> > > I tried changing to escapeHTML but that didn't seem to work.
> > >
> > > Any ideas?
> > >
> > > CONFIDENTIALITY NOTICE: This communication with its contents may contain
> > confidential and/or legally privileged information. It is solely for the
> > use of the intended recipient(s). Unauthorized interception, review, use or
> > disclosure is prohibited and may violate applicable laws including the
> > Electronic Communications Privacy Act. If you are not the intended
> > recipient, please contact the sender and destroy all copies of the
> > communication.
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> >
> > CONFIDENTIALITY NOTICE: This communication with its contents may contain
> > confidential and/or legally privileged information. It is solely for the
> > use of the intended recipient(s). Unauthorized interception, review, use or
> > disclosure is prohibited and may violate applicable laws including the
> > Electronic Communications Privacy Act. If you are not the intended
> > recipient, please contact the sender and destroy all copies of the
> > communication.
> >
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
