Lukasz Lenart created WW-5589:
---------------------------------
Summary: Convert remaining UIBean protected fields to private to prevent OGNL warnings
Key: WW-5589
URL: https://issues.apache.org/jira/browse/WW-5589
Project: Struts 2
Issue Type: Improvement
Components: Core
Reporter: Lukasz Lenart
Fix For: 7.2.0
Following WW-5368, which fixed OGNL SecurityMemberAccess warnings for
{{label}}, {{name}}, {{value}}, and {{id}} fields by converting them from
{{protected}} to {{private}} with public getters, additional protected fields
in UIBean should be converted for consistency and to prevent similar warnings.
h3. Background
OGNL's expression parser can attempt to access protected fields when evaluating
expressions containing field names as tokens (e.g.,
{{getText('key.something')}}, {{getText('title.page')}}). This triggers
SecurityMemberAccess warnings: "Access to non-public [protected String
UIBean.xxx] is blocked!"
By using {{private}} fields with public getters, OGNL's introspection finds the
public getter methods instead of attempting direct field access.
h3. Fields to Convert
Priority fields (most likely to appear in expressions):
* {{key}} - Commonly used in resource bundle keys
* {{title}} - Could appear in page title expressions
* {{disabled}} - May appear in conditional expressions
Optional (for JavaBean compliance and consistency):
* All remaining protected fields (cssClass, cssStyle, templateDir, theme,
etc.)
h3. Scope
* Change field visibility from {{protected}} to {{private}}
* Add public getter methods where missing
* Update any subclasses that directly access these fields to use getters
* Add tests to verify OGNL can access fields without warnings
* Maintain backward compatibility for setter methods
h3. Related
* WW-5368: Fixed label, name, value, id fields
* Follows JavaBean encapsulation best practices
* Improves framework security posture by eliminating false-positive warnings
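One way to find the fields that still need converting, as an added example rather than code from Struts or this issue: a reflection audit that lists every protected instance field in a class hierarchy and whether a public getter already exists. {{SampleBean}} is a constructed stand-in for UIBean, and the class and method names are hypothetical.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.TreeMap;

public class ProtectedFieldAudit {

    // Constructed stand-in for a UI component; not the real UIBean source.
    public static class SampleBean {
        private String label;      // already private with a public getter
        protected String key;      // protected, no getter yet
        protected String title;    // protected, getter already present
        protected static final String TEMPLATE = "sample"; // static: skipped

        public String getLabel() { return label; }
        public String getTitle() { return title; }
        public void setKey(String key) { this.key = key; }
    }

    // True if type exposes a public, non-void getXxx() or isXxx() for the field name.
    static boolean hasPublicGetter(Class<?> type, String field) {
        String suffix = Character.toUpperCase(field.charAt(0)) + field.substring(1);
        for (String prefix : new String[] {"get", "is"}) {
            try {
                if (type.getMethod(prefix + suffix).getReturnType() != void.class) return true;
            } catch (NoSuchMethodException ignored) {
                // try the next prefix
            }
        }
        return false;
    }

    // Maps "Class.field" to whether a public getter exists, for every protected instance field in the hierarchy.
    static Map<String, Boolean> audit(Class<?> type) {
        Map<String, Boolean> result = new TreeMap<>();
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                int mods = f.getModifiers();
                if (Modifier.isProtected(mods) && !Modifier.isStatic(mods)) {
                    result.put(c.getSimpleName() + "." + f.getName(), hasPublicGetter(type, f.getName()));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        audit(SampleBean.class).forEach((field, getter) -> System.out.println(
            field + ": " + (getter ? "getter exists, make field private" : "add public getter, then make private")));
    }
}
```

Run against a component class, an empty result means no protected instance fields remain in its hierarchy, which makes the audit usable as a regression check alongside the OGNL warning tests listed under Scope.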