That suggests the target is proxied by Spring or Hibernate, which POJOs should not be by definition. You'll need to attach a debugger to investigate why this is the case.

On Sun, Jun 16, 2024 at 7:19 PM Greg Huber <gregh3...@gmail.com> wrote:
>
> The text looks ok, but I get this in the log also:
>
> 2024-06-16 10:15:12,587 WARN
> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
>
> Where the target is my pojo, which I have a lot of.
>
> On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
> > I didn't do much testing with the Struts JSP integration beyond the
> > examples in the showcase app so it's possible I've missed some
> > packages/classes that should be allowed by default.
> >
> > Could you share the warnings you are receiving? Perhaps deduplicate
> > the warnings first if there are many repetitive ones
> >
> > On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> Sorry checked the wrong log file, it was this one, needed to be false.
> >>
> >> <constant name="struts.allowlist.enable" value="false" />
> >>
> >> Are there any docs on this? i.e. an example of what would go in the list,
> >> as it's excluding struts default stuff.
> >>
> >> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
> >>> All of the mentioned options should log issues at warn level or
> >>> greater, except for 'struts.parameters.requireAnnotations' which will
> >>> log at debug level.
> >>>
> >>> Using the following PR as a reference, you can revert settings to
> >>> their previous value one by one, to isolate which option may be
> >>> causing your application issues.
> >>> https://github.com/apache/struts/pull/919/files
> >>>
> >>> Once you have isolated and corrected any issues, please re-enable the
> >>> options as they offer significant protection against vulnerabilities.
> >>>
> >>> On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
> >>>> I tried this and there is a lot of text missing on my jsp pages
> >>>>
> >>>> it mentions these:
> >>>>
> >>>> struts.ognl.allowStaticFieldAccess=false
> >>>> struts.ognl.expressionMaxLength=150
> >>>> struts.disallowDefaultPackageAccess=true
> >>>> struts.disallowProxyMemberAccess=true
> >>>> struts.parameters.requireAnnotations=true
> >>>> struts.ognl.disallowCustomOgnlMap=true
> >>>> struts.allowlist.enable=true
> >>>>
> >>>> I tried
> >>>>
> >>>> struts.ognl.allowStaticFieldAccess=true
> >>>>
> >>>> but it made no difference.
> >>>>
> >>>> There are no warnings in the logs.
> >>>>
> >>>> On 12/06/2024 07:12, Lukasz Lenart wrote:
> >>>>> Hello,
> >>>>>
> >>>>> This is another milestone of Struts 7.x series, which is based on
> >>>>> JakartaEE 6. Please take the time and test the bits - any help is
> >>>>> appreciated. Please report any problems you will spot.
> >>>>>
> >>>>> Please read the Migration guide as this version includes stronger
> >>>>> security options
> >>>>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
> >>>>>
> >>>>> Here are the changes from the previous version:
> >>>>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
> >>>>>
> >>>>> Staging Maven repo
> >>>>> https://repository.apache.org/content/groups/staging/
> >>>>>
> >>>>> * please read our guideline how to setup your Maven build to include
> >>>>> the Staging repository
> >>>>> https://struts.apache.org/builds.html#test-builds
> >>>>>
> >>>>> Standalone artifacts
> >>>>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
> >>>>>
> >>>>> Release notes
> >>>>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
> >>>>>
> >>>>>
> >>>>> Have fun!
> >>>>> Łukasz
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >>>>> For additional commands, e-mail: dev-h...@struts.apache.org
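
Added example (not part of the original thread and not Struts code): one way to deduplicate the warnings before sharing them, as suggested in the thread, so that each distinct blocked access shows up once with a count. It assumes one log record per line in the layout of the warning quoted above; the sample lines, the `com.example` classes and the bracketed target/member values are constructed placeholders.

```python
import re
from collections import Counter

# Layout of the warning quoted in the thread, one record per line:
#   <date> <time> <LEVEL> <logger> <Class>:<method> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+)\s+(?P<origin>\S+)\s+-\s+(?P<msg>.*)$"
)
LEVELS = {"WARN", "ERROR", "FATAL"}  # debug-level output is ignored here


def normalize(msg):
    """Replace per-instance identity hashes so repeats of one warning collapse."""
    return re.sub(r"@[0-9a-fA-F]+", "@<id>", msg).strip()


def dedupe_warnings(lines, logger_prefix="com.opensymphony.xwork2"):
    """Return [(count, first_seen, origin, message)], most frequent first."""
    counts, first_seen = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["level"] not in LEVELS:
            continue  # unparseable line or below warn level
        if not m["logger"].startswith(logger_prefix):
            continue  # not a framework logger
        key = (m["origin"], normalize(m["msg"]))
        counts[key] += 1
        first_seen.setdefault(key, m["ts"])
    return [(n, first_seen[k], k[0], k[1]) for k, n in counts.most_common()]


# Constructed sample input: targets and members in brackets are placeholders.
P = "com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible"
SAMPLE_LOG = f"""\
2024-06-16 10:15:12,587 WARN {P} - Access to proxy is blocked! Target [com.example.model.Order@1f2e3d][getTotal]
2024-06-16 10:15:12,590 WARN {P} - Access to proxy is blocked! Target [com.example.model.Order@77aa01][getTotal]
2024-06-16 10:15:12,601 WARN {P} - Access to proxy is blocked! Target [com.example.model.Customer@0c4d5e][getName]
2024-06-16 10:15:12,640 INFO com.example.web.OrderAction OrderAction:execute - rendered order page
2024-06-16 10:15:13,002 WARN {P} - Access to proxy is blocked! Target [com.example.model.Order@5b6c7d][getTotal]
"""

if __name__ == "__main__":
    for n, ts, origin, msg in dedupe_warnings(SAMPLE_LOG.splitlines()):
        print(f"{n:4d}x first={ts} {origin} - {msg}")
```

Re-running it after reverting each option one at a time shows which setting produces which group of warnings.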