[
https://issues.apache.org/jira/browse/WW-5368?focusedWorklogId=992994&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-992994
]
ASF GitHub Bot logged work on WW-5368:
--------------------------------------
Author: ASF GitHub Bot
Created on: 23/Nov/25 12:05
Start Date: 23/Nov/25 12:05
Worklog Time Spent: 10m
Work Description: lukaszlenart opened a new pull request, #1420:
URL: https://github.com/apache/struts/pull/1420
## Summary
Fixes false-positive OGNL SecurityMemberAccess warnings when using resource
bundle keys that start with component field names (label, name, value, id).
Previously, expressions like `getText('label.reasonOfTransaction.'+top)`
would trigger warnings:
```
Access to non-public [protected java.lang.String
org.apache.struts2.components.UIBean.label] is blocked!
```
This occurred because OGNL's expression parser attempted to access
`protected` fields directly when evaluating property names, even when those
names were part of string literals in `getText()` calls.
## Changes
- **UIBean.java**: Changed `label`, `name`, `value`, `id` fields from
`protected` to `private` and added public getter methods
- **Bean.java, Param.java, Text.java, I18n.java**: Changed `name`/`value`
fields to `private` with public getters
- **Updated all UIBean subclasses**: Modified to use getter methods instead
of direct field access
  - Form.java, FormButton.java, Submit.java, Label.java, Reset.java,
    Token.java, ServletUrlRenderer.java
- **Added comprehensive test**: `testNoOgnlWarningsForProtectedFields()` in
UIBeanTest.java
By using `private` fields with public getters, OGNL's introspection finds
the public getter methods instead of attempting direct field access,
eliminating the warnings while maintaining full functionality.
## Test Plan
- [x] All existing tests pass (UIBeanTest and related component tests)
- [x] New test verifies OGNL can access fields via public getters without
warnings
- [x] Verified expressions like `getText('label.key')`,
`getText('name.key')`, `getText('value.key')` work correctly
- [x] Confirmed no regression in tag rendering functionality
- [x] Build completes successfully with no compilation errors
## Related
Fixes [WW-5368](https://issues.apache.org/jira/browse/WW-5368)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
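One way to look for other component fields in the same situation, as an added example that is not part of the pull request or the Struts code base: a reflection audit that lists non-public instance fields with no public getter, which are the property names a lookup can only reach through the field itself. `BeforeBean` and `AfterBean` are constructed stand-ins for a component before and after the change, and `GetterAudit` and its method names are hypothetical.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class GetterAudit {
    // Constructed stand-ins (not Struts classes): field exposed only as protected vs. private + getter.
    static class BeforeBean { protected String label; public void setLabel(String l) { label = l; } }
    static class AfterBean {
        private String label;
        public void setLabel(String l) { label = l; }
        public String getLabel() { return label; }
    }

    // True if the type exposes a public, non-static, zero-argument getX()/isX() for the property.
    static boolean hasPublicGetter(Class<?> type, String property) {
        String suffix = Character.toUpperCase(property.charAt(0)) + property.substring(1);
        for (Method m : type.getMethods()) { // public methods only, inherited ones included
            if (m.getParameterCount() != 0 || Modifier.isStatic(m.getModifiers())) continue;
            if (m.getName().equals("get" + suffix)) return true;
            if (m.getName().equals("is" + suffix) && m.getReturnType() == boolean.class) return true;
        }
        return false;
    }

    // Walk the class hierarchy and report non-public instance fields that have no public getter.
    static List<String> fieldsWithoutGetter(Class<?> type) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                int mod = f.getModifiers();
                if (Modifier.isStatic(mod) || Modifier.isPublic(mod) || f.isSynthetic()) continue;
                if (!hasPublicGetter(type, f.getName())) {
                    findings.add(c.getSimpleName() + "." + f.getName() + " (" + Modifier.toString(mod) + ")");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("before: " + fieldsWithoutGetter(BeforeBean.class));
        System.out.println("after:  " + fieldsWithoutGetter(AfterBean.class));
    }
}
```

Pointing `fieldsWithoutGetter` at a component class on the application's classpath gives the list of field names to review for the same warning.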
Issue Time Tracking
-------------------
Worklog Id: (was: 992994)
Time Spent: 0.5h (was: 20m)
> Access warning when get resource bundle which its name starts with "label"
> --------------------------------------------------------------------------
>
> Key: WW-5368
> URL: https://issues.apache.org/jira/browse/WW-5368
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 6.3.0
> Reporter: Alireza Fattahi
> Assignee: Lukasz Lenart
> Priority: Critical
> Fix For: 7.2.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The below:
> {code:java}
> <s:select name="reasonOfTransactionCode" list="reasonOfTransactionList"
> listKey="top" listValue="%{getText('label.reasonOfTransaction.'+top)}"/>
> {code}
> generates this warning for each item in the list, so if the
> `reasonOfTransactionList` has seven items I see this error seven times:
> {code:java}
> ognl.SecurityMemberAccess: Access to non-public [protected java.lang.String
> org.apache.struts2.components.UIBean.label] is blocked!
> {code}
>
> But this works fine if I just rename the resource bundle and remove `label`
> from its name
>
> {code:java}
> <s:select name="reasonOfTransactionCode" list="reasonOfTransactionList"
> listKey="top" listValue="%{getText('reasonOfTransaction.'+top)}"/> {code}