That is just an example. For your need, in more detail, you should try something like these:
1. Add the following method to class MyUtil:

    // Needs imports: javax.servlet.http.HttpServletRequest,
    // com.opensymphony.xwork2.ActionContext, org.apache.struts2.StrutsStatics
    // The argument is the name of the role to check for the current user.
    public boolean isUserInRole(String role) {
        HttpServletRequest httpsr = (HttpServletRequest) ActionContext.getContext()
                .get(StrutsStatics.HTTP_REQUEST);
        return httpsr.isUserInRole(role);
    }

2. Your struts filters in web.xml should look like:

    <filter>
        <filter-name>struts-prepare</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
    </filter>
    <filter>
        <filter-name>MYStrutsPrepareFilter</filter-name>
        <filter-class>my.package.MYStrutsPrepareFilter</filter-class>
    </filter>
    <filter>
        <filter-name>struts-execute</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
    </filter>

3. Finally find and replace all of

    <s:if test='request.isUserInRole("UserAdmin")' >

With

    <s:if test='#request["MYUtils"].isUserInRole("UserAdmin")' >

I think something like these resolve your issue :) please try and let me know.

Deborah White <deborah.wh...@doj.ca.gov> wrote:

>This is what I currently have in my jsp:
><s:if test='request.isUserInRole("UserAdmin")' >
>
>Where would I put
>"#request['MYUtils'].requestURI?
>
>-----Original Message-----
>From: Yasser Zamani [mailto:yasser.zam...@live.com]
>Sent: Friday, July 21, 2017 10:53 AM
>To: Struts Developers List <dev@struts.apache.org>
>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
>to 2.3.32
>
>You are welcome :) In this solution, by ognl, you only access the MyUtil
>object and you add what you need from excluded packages into MyUtil class as
>java getters. While MyUtil is not in excluded packages, so, you can get what
>you need from excluded packages via ognl then it.
>
>Deborah White <deborah.wh...@doj.ca.gov> wrote:
>
>>Sorry, as I said I'm new. Will this allow access to the excluded packages
>>(ognl)?
>>
>>-----Original Message-----
>>From: Yasser Zamani [mailto:yasser.zam...@live.com]
>>Sent: Thursday, July 20, 2017 10:55 PM
>>To: Struts Developers List <dev@struts.apache.org>
>>Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts
>>2.3.16.3 to 2.3.32
>>
>>Hi there, welcome to dev list :)
>>
>>Do you need access to excluded packages in your JSPs? I had similar
>>issue and you can see my solution at [1]. I did not need to rewrite
>>anything and a find/replace did all needed changes. Please review my
>>solution if also resolves your one. If not, please feel free continue
>>here for a solution :)
>>
>>[1] https://github.com/apache/struts/pull/125#issuecomment-293608411
>>
>>On 7/21/2017 2:38 AM, Deborah White wrote:
>>> Please see the content below. Fairly new to Struts and I'm guessing
>>> someone out there has been through this. Any help would be appreciated.
>>>
>>> -----Original Message-----
>>> From: Lukasz Lenart (JIRA) [mailto:j...@apache.org]
>>> Sent: Thursday, July 13, 2017 9:32 PM
>>> To: Deborah White <deborah.wh...@doj.ca.gov>
>>> Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3
>>> to 2.3.32
>>>
>>>
>>> [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]
>>>
>>> Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
>>> ------------------------------------------------------------
>>>
>>> The best place to ask such question is to subscribe to the User
>>> Mailing list as there are more eyes to help you
>>> http://struts.apache.org/mail.html
>>>
>>> And to answer your question: there is no safe way to modify the exclusion,
>>> I would rather figure out in which expression you use this class and move
>>> the logic to an action.
>>>
>>>
>>> was (Author: lukaszlenart):
>>> The best place to ask such question is to subscribe to the User
>>> Mailing list as there are more eyes to help you
>>> http://struts.apache.org/mail.html
>>>
>>> And to answer your question: there is no safe way to modify the exclusion,
>>> I would rather figure in which expression you use this class and move the
>>> logic to an action.
>>>
>>>> Migrating Struts 2.3.16.3 to 2.3.32
>>>> -----------------------------------
>>>>
>>>> Key: WW-4815
>>>> URL: https://issues.apache.org/jira/browse/WW-4815
>>>> Project: Struts 2
>>>> Issue Type: Temp
>>>> Components: Core
>>>> Affects Versions: 2.3.16.3
>>>> Reporter: Deborah White
>>>> Fix For: 2.3.32
>>>>
>>>>
>>>> I need some assistance and am hoping you can provide some insight. I know
>>>> this is probably not the place to do this, but I'm not finding answers
>>>> elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.
>>>> The problem is that the excluded classes in the struts-default.xml are
>>>> being used by my application and I certainly do not have time to do a
>>>> rewrite.
>>>> This is the Warning I get and then my application does not run as it
>>>> should because it seems it is not forwarding the roles:
>>>> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of
>>>> target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or
>>>> package of member [public boolean
>>>> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
>>>> are excluded!
>>>> I need to know how I can safely modify the struts-default.xml and still
>>>> have the fix for the vulnerability. Also, if there is something I can
>>>> instead include in my struts.xml file that would override, that would be
>>>> better. Thank you.
>>> >>> >>> >>> -- >>> This message was sent by Atlassian JIRA >>> (v6.4.14#64029) >>> >>> >>> CONFIDENTIALITY NOTICE: This communication with its contents may contain >>> confidential and/or legally privileged information. It is solely for the >>> use of the intended recipient(s). Unauthorized interception, review, use or >>> disclosure is prohibited and may violate applicable laws including the >>> Electronic Communications Privacy Act. If you are not the intended >>> recipient, please contact the sender and destroy all copies of the >>> communication. >>> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For >>additional commands, e-mail: dev-h...@struts.apache.org >> >> >>CONFIDENTIALITY NOTICE: This communication with its contents may contain >>confidential and/or legally privileged information. It is solely for the use >>of the intended recipient(s). Unauthorized interception, review, use or >>disclosure is prohibited and may violate applicable laws including the >>Electronic Communications Privacy Act. If you are not the intended recipient, >>please contact the sender and destroy all copies of the communication. >B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB [ X >ܚX KK[XZ[ >] ][ X ܚX P ]˘\X K ܙ B ܈Y][ۘ[ [X[ K[XZ[ >] Z[ ]˘\X K ܙ B B > >CONFIDENTIALITY NOTICE: This communication with its contents may contain >confidential and/or legally privileged information. It is solely for the use >of the intended recipient(s). Unauthorized interception, review, use or >disclosure is prohibited and may violate applicable laws including the >Electronic Communications Privacy Act. If you are not the intended recipient, >please contact the sender and destroy all copies of the communication.