Hi,
I'm playing a bit with our Showcase App and noticed a few issues
related to the latest security changes. Here is an example method
annotated as follows:

    @Action(value = "bean-validation", results = {
        @Result(name = "success", location = "bean-validation.jsp")
    })
    @SkipValidation
    public String beanValidation() {
        return SUCCESS;
    }

I assumed this should be automatically detected by the AllowList mechanism
to add such a class to the allowed classes list, yet it didn't happen:

    [WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) -
    Declaring class [class
    org.apache.struts2.showcase.validation.BeanValidationExampleAction] of
    member type [public java.lang.String
    org.apache.struts2.showcase.validation.BeanValidationExampleAction.beanValidation()]
    is not allowlisted! Add to 'struts.allowlist.classes' or
    'struts.allowlist.packageNames' configuration.

This can be a blocker for users to migrate to the latest version.
Cheers
Łukasz
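
An added example, not part of the message above and not Struts code: a small log audit that collects every declaring class reported by the SecurityMemberAccess warning quoted in the message, so a migration can see which actions the allowlist rejected. It matches only that warning format; the sample log, the com.example class and the comma-separated form of the constant value are assumptions.

```python
import re
from collections import defaultdict

# Matches only the warning format quoted in the message above.
WARNING = re.compile(
    r"Declaring class \[class (?P<cls>[\w.$]+)\] of member type "
    r"\[(?P<member>.+?)\] is not allowlisted!"
)

# Constructed sample: the first warning is the one from the message, wrapped the
# way the mail shows it; the INFO line and com.example.OrderAction are made up.
SAMPLE_LOG = """\
[INFO ] showcase.Startup (Startup.java:10) - application started
[WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) -
Declaring class [class
org.apache.struts2.showcase.validation.BeanValidationExampleAction] of
member type [public java.lang.String
org.apache.struts2.showcase.validation.BeanValidationExampleAction.beanValidation()]
is not allowlisted! Add to 'struts.allowlist.classes' or
'struts.allowlist.packageNames' configuration.
[WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) - Declaring class [class com.example.OrderAction] of member type [public void com.example.OrderAction.setTags(java.lang.String[])] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
[WARN ] ognl.SecurityMemberAccess (SecurityMemberAccess.java:245) - Declaring class [class com.example.OrderAction] of member type [public void com.example.OrderAction.setTags(java.lang.String[])] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
"""

def blocked_members(log_text):
    """Map each non-allowlisted declaring class to the members that were blocked."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping inside a warning
    found = defaultdict(set)              # sets drop repeated warnings
    for match in WARNING.finditer(flat):
        found[match.group("cls")].add(match.group("member"))
    return {cls: sorted(members) for cls, members in sorted(found.items())}

def allowlist_constant(classes):
    """Render a struts.xml constant; a comma-separated value is assumed."""
    value = ",".join(sorted(classes))
    return '<constant name="struts.allowlist.classes" value="%s"/>' % value

if __name__ == "__main__":
    report = blocked_members(SAMPLE_LOG)
    for cls, members in report.items():
        print(cls)
        for member in members:
            print("    " + member)
    print(allowlist_constant(report))
```

Each reported member is something an OGNL expression tried to reach, so the output is a list to review class by class before anything is added to 'struts.allowlist.classes'.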