I have OGNL expressions where I’m invoking static methods, and I’m specifically setting 'struts.ognl.allowStaticMethodAccess' to allow that.
Now, in 2.3.20, these invocations are checked by SecurityMemberAccess.isClassExcluded with Class.class as the first argument. Since this appears in the default struts.excludedClasses, these invocations are blocked. The obvious workaround is to partially revert struts.excludedClasses, but I would have expected the implementation class to be the one checked. Is this intentional, or an unintended consequence?
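The behaviour described in the question can be reproduced with plain reflection. The following is an added example, not part of the original post and not Struts source code: `EXCLUDED`, `isClassExcluded`, `blockedByTargetClass` and `blockedByDeclaringClass` are hypothetical stand-ins, the exclusion list is constructed, and it assumes the target handed to the access check for a static call is the `Class` object itself.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.Set;

public class StaticAccessCheckDemo {
    // Constructed exclusion list for this demo; the real default value of
    // struts.excludedClasses is not reproduced here.
    static final Set<Class<?>> EXCLUDED = Set.of(Class.class, Runtime.class);

    // Hypothetical stand-in for the exclusion check: block if either class is listed.
    static boolean isClassExcluded(Class<?> targetClass, Class<?> memberClass) {
        return EXCLUDED.contains(targetClass) || EXCLUDED.contains(memberClass);
    }

    // Check keyed on target.getClass(), the behaviour the post describes.
    static boolean blockedByTargetClass(Object target, Member member) {
        return isClassExcluded(target.getClass(), member.getDeclaringClass());
    }

    // Check keyed on the class declaring the member, the behaviour the post expected.
    static boolean blockedByDeclaringClass(Member member) {
        Class<?> declaring = member.getDeclaringClass();
        return isClassExcluded(declaring, declaring);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: for a static call such as @java.lang.Math@abs(-1),
        // the target of the invocation is the Class object Math.class.
        Method abs = Math.class.getMethod("abs", int.class);
        Object target = Math.class;

        // target.getClass() on a Class object is java.lang.Class, so an
        // exclusion entry for Class matches every static invocation.
        System.out.println("target.getClass()              = " + target.getClass().getName());
        System.out.println("Math.abs blocked (target class)    = " + blockedByTargetClass(target, abs));
        System.out.println("Math.abs blocked (declaring class) = " + blockedByDeclaringClass(abs));

        // A declaring-class check still blocks a static method on a listed class.
        Method getRuntime = Runtime.class.getMethod("getRuntime");
        System.out.println("Runtime.getRuntime blocked (declaring class) = "
                + blockedByDeclaringClass(getRuntime));
    }
}
```

In this model, a check keyed on the declaring class keeps listed classes blocked without rejecting every static call, which is the distinction the question raises.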