On 2 December 2014 at 20:24, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2014-12-02 10:00 GMT+01:00 Joseph Walton <jwal...@atlassian.com>:
> > I have OGNL expressions where I’m invoking static methods, and I’m
> > specifically setting 'struts.ognl.allowStaticMethodAccess' to allow that.
> >
> > Now, in 2.3.20, these invocations are checked by
> > SecurityMemberAccess.isClassExcluded with Class.class as the first
> > argument. Since this appears on the default struts.excludedClasses, these
> > invocations are blocked.
> ...
>
> It's rather an unintended behaviour but support for static methods
> will be removed anyway - this is source of many security problems :(
>
> https://issues.apache.org/jira/browse/WW-4348

The workaround (copying struts.excludedClasses across from the defaults and removing java.lang.Class) works for me for now. I'll consider this another warning about static methods going away rather than looking at a fix or opening a WW.

This might be worth a note in the release notes, for anyone else still using struts.ognl.allowStaticMethodAccess.