Deborah White created WW-4815:
---------------------------------
Summary: Struts 2.3.16.3 to 2.3.32
Key: WW-4815
URL: https://issues.apache.org/jira/browse/WW-4815
Project: Struts 2
Issue Type: Temp
Components: Other
Affects Versions: 2.3.32
Reporter: Deborah White

I need some assistance and am hoping you can provide some insight. I know this
is probably not the place to do this, but I'm not finding answers elsewhere. I
am updating from 2.3.16.3 to 2.3.32 due to the vulnerability. The problem is
that the excluded classes in the struts-default.xml are being used by my
application and I certainly do not have time to do a rewrite.

This is the Warning I get and then my application does not run as it should
because it seems it is not forwarding the roles:

WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target
[org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of
member [public boolean
javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
are excluded!

I need to know how I can safely modify the struts-default.xml and still have
the fix for the vulnerability. Also, if there is something I can instead
include in my struts.xml file that would override, that would be better. Thank
you.