[jira] [Work started] (WW-5589) Convert remaining UIBean protected fields to private to prevent OGNL warnings

Sun, 23 Nov 2025 04:23:07 -0800 


     [ 
https://issues.apache.org/jira/browse/WW-5589?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on WW-5589 started by Lukasz Lenart.
-----------------------------------------
> Convert remaining UIBean protected fields to private to prevent OGNL warnings
> -----------------------------------------------------------------------------
>
>                 Key: WW-5589
>                 URL: https://issues.apache.org/jira/browse/WW-5589
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 7.2.0
>
>
> Following WW-5368, which fixed OGNL SecurityMemberAccess warnings for 
> {{label}}, {{name}}, {{value}}, and {{id}} fields by converting them from 
> {{protected}} to {{private}} with public getters, additional protected fields 
> in UIBean should be converted for consistency and to prevent similar warnings.
> h3. Background
> OGNL's expression parser can attempt to access protected fields when 
> evaluating expressions containing field names as tokens (e.g., 
> {{getText('key.something')}}, {{getText('title.page')}}). This triggers 
> SecurityMemberAccess warnings: "Access to non-public [protected String 
> UIBean.xxx] is blocked!"
> By using {{private}} fields with public getters, OGNL's introspection finds 
> the public getter methods instead of attempting direct field access.
> h3. Fields to Convert
> Priority fields (most likely to appear in expressions):
> * {{key}} - Commonly used in resource bundle keys
> * {{title}} - Could appear in page title expressions
> * {{disabled}} - May appear in conditional expressions
> Optional (for JavaBean compliance and consistency):
>   * All remaining protected fields (cssClass, cssStyle, templateDir, theme, 
> etc.)
> h3. Scope
> * Change field visibility from {{protected}} to {{private}}
> * Add public getter methods where missing
> * Update any subclasses that directly access these fields to use getters
> * Add tests to verify OGNL can access fields without warnings
> * Maintain backward compatibility for setter methods
> h3. Related
> * WW-5368: Fixed label, name, value, id fields
> * Follows JavaBean encapsulation best practices
> * Improves framework security posture by eliminating false-positive warnings



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to