On 16.01.25 19:03, Lukasz Lenart wrote:
> Could you try to define struts.allowlist.packageNames or disable it struts.allowlist.enable=false? I meant we are probably missing something around this when loading actions from JARs, as the allowlist are dynamically updated based on convention mechanism

Both defining struts.allowlist.packageNames or struts.allowlist.enable=false does not change the behaviour.

My current setup to recreate the issue is:
Simple Maven (war) application with the only dependencies struts2-core:7.0.0 and struts2-convention-plugin:7.0.0 and no parent pom.
The struts.xml only contains:

<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.convention.action.includeJars" value=".*?/myjar.*?jar(!/)?" />
  <constant name="struts.allowlist.enable" value="false" />
</struts>

The referenced jar file is not present but this does not matter, the important thing is to define the constant struts.convention.action.includeJars at all with any value.
There is one dummy action in the project but it's not necessary.

I use a JBoss EAP 8 for deployment of the war file but I am pretty sure that this doesn't matter either. Starting up of the application server is fine but on visiting http://localhost:8080/struts-example the error occurs (Error loading class [org.apache.struts2.XWorkTestCase]: java.lang.NoClassDefFoundError: Failed to link org/apache/struts2/XWorkTestCase (Module "deployment.struts-example.war" from Service Module Loader): junit/framework/TestCase).
But when I add <constant name="struts.convention.exclude.packages" value="org.apache.struts2.*, org.apache.struts2" /> to struts.xml, it works. It adds "org.apache.struts2" (without ".*" at the end) to the excludePackages field in PackageBasedActionConfigBuilder which will be used in PackageBasedActionConfigBuilder.includeClassNameInActionScan.
I think this does make sense, since the package org.apache.struts2 itself contains classes (like XWorkTestCase) which shouldn't be scanned, not only the subpackages of org.apache.struts2, should they?
Regards, Florian
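
The exclusion behaviour described in the message above, as an added example that is not part of the original e-mail and is not Struts code. It assumes exclude patterns are matched against a class's package name, and its `compile` helper is a simplified stand-in for the plugin's wildcard matching; all class names except `org.apache.struts2.XWorkTestCase` are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

public class ExcludePackagesDemo {

    // Simplified stand-in for wildcard matching (assumption, not the Struts helper):
    // '*' matches any run of characters, everything else is literal.
    static Pattern compile(String glob) {
        return Pattern.compile(Pattern.quote(glob).replace("*", "\\E.*\\Q"));
    }

    // Package part of a fully qualified class name ("" for the default package).
    static String packageOf(String className) {
        int i = className.lastIndexOf('.');
        return i < 0 ? "" : className.substring(0, i);
    }

    // A class is scanned only if no exclude pattern matches its package name.
    static boolean scanned(String className, List<String> excludes) {
        String pkg = packageOf(className);
        for (String exclude : excludes) {
            if (compile(exclude.trim()).matcher(pkg).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> classes = List.of(
            "org.apache.struts2.XWorkTestCase",    // class named in the error message
            "org.apache.struts2.util.SomeHelper",  // constructed: class in a subpackage
            "com.example.actions.DummyAction");    // constructed: application action

        // "org.apache.struts2.*" requires something after the trailing dot, so it
        // covers subpackages but not the package org.apache.struts2 itself.
        List<String> wildcardOnly = List.of("org.apache.struts2.*");
        // The value from the message adds the bare package name as well.
        List<String> wildcardAndBare = List.of("org.apache.struts2.*", "org.apache.struts2");

        for (String c : classes) {
            System.out.printf("%-38s scanned(wildcardOnly)=%b scanned(wildcardAndBare)=%b%n",
                c, scanned(c, wildcardOnly), scanned(c, wildcardAndBare));
        }
    }
}
```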