[
https://issues.apache.org/jira/browse/WW-5589?focusedWorklogId=993009&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-993009
]
ASF GitHub Bot logged work on WW-5589:
--------------------------------------
Author: ASF GitHub Bot
Created on: 23/Nov/25 16:09
Start Date: 23/Nov/25 16:09
Worklog Time Spent: 10m
Work Description: lukaszlenart opened a new pull request, #1421:
URL: https://github.com/apache/struts/pull/1421
## Summary
This PR completes the comprehensive encapsulation of all UIBean fields by
converting ALL remaining protected fields to private with public getter
methods. This extends the fix from WW-5368 ([PR
#1420](https://github.com/apache/struts/pull/1420)) to cover all protected
fields in UIBean.
Closes [WW-5589](https://issues.apache.org/jira/browse/WW-5589)
## Background
WW-5368 identified that OGNL triggers false-positive security warnings when
resource bundle keys or expressions contain tokens matching protected UIBean
field names (e.g., "label", "name", "value"). The root cause was OGNL
attempting to access protected fields during expression evaluation before
realizing they should be treated as string literals.
PR #1420 fixed the immediate issue by converting just the four most
problematic fields (label, name, value, id) from protected to private with
public getters. This PR extends that solution to ALL remaining protected fields
for consistency and to prevent similar issues with other common field names
like "key", "title", "disabled", "template", etc.
## Changes
### Core Changes to UIBean.java
Converted **ALL** remaining protected fields to private with public getters:
**Template-related fields:**
- `templateSuffix`, `template`, `templateDir`, `theme`
**Style/CSS fields:**
- `cssClass`, `cssStyle`, `cssErrorClass`, `cssErrorStyle`
**Form attribute fields:**
- `key`, `disabled`, `tabindex`, `title`, `accesskey`
**Label attribute fields:**
- `labelPosition`, `labelSeparator`, `requiredPosition`, `errorPosition`,
`requiredLabel`
**Event handler fields:**
- `onclick`, `ondblclick`, `onmousedown`, `onmouseup`, `onmouseover`,
`onmousemove`, `onmouseout`
- `onfocus`, `onblur`, `onkeypress`, `onkeydown`, `onkeyup`, `onselect`,
`onchange`
**Tooltip fields (deprecated):**
- `tooltip`, `tooltipConfig`, `javascriptTooltip`, `tooltipDelay`,
`tooltipCssClass`, `tooltipIconPath`
**Other:**
- `dynamicAttributes` Map
Added comprehensive public getter methods with JavaDoc for all fields.
### Subclass Fixes
Updated UIBean subclasses to use getters instead of direct field access:
- **Anchor.java**: `template` → `getTemplate()`
- **DoubleSelect.java**: `onchange` → `getOnchange()`
- **Link.java**: `disabled` → `getDisabled()`, `title` → `getTitle()`
- **Submit.java**: `key` → `getKey()`, `template` → `getTemplate()`
- **Label.java**: `key` → `getKey()`
- **Reset.java**: `key` → `getKey()`
### Test Coverage
Added new test `testNoOgnlWarningsForAdditionalFields()` in UIBeanTest that:
- Tests OGNL access to newly converted fields (key, title, disabled,
cssClass, template, theme, tabindex, event handlers)
- Verifies all public getters are accessible
- Confirms no OGNL security warnings are triggered
## Test Results
- ✅ All 26 UIBeanTest tests pass
- ✅ All 103 component tests pass with no failures or errors
- ✅ Clean compilation with no errors
## Benefits
1. **Consistency**: All UIBean fields now follow JavaBean conventions
(private fields, public getters)
2. **Security**: Prevents OGNL from attempting direct field access,
eliminating false-positive warnings
3. **Future-proof**: Prevents similar issues with resource bundle keys or
expressions matching any field name
4. **Better encapsulation**: Follows Java best practices for class design
## Migration Impact
This is a **binary-compatible** change:
- All public setter methods remain unchanged
- New public getter methods are added
- Only internal subclasses needed updates (all included in this PR)
- External code using setters is unaffected
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Issue Time Tracking
-------------------
Worklog Id: (was: 993009)
Remaining Estimate: 0h
Time Spent: 10m
> Convert remaining UIBean protected fields to private to prevent OGNL warnings
> -----------------------------------------------------------------------------
>
> Key: WW-5589
> URL: https://issues.apache.org/jira/browse/WW-5589
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Following WW-5368, which fixed OGNL SecurityMemberAccess warnings for
> {{label}}, {{name}}, {{value}}, and {{id}} fields by converting them from
> {{protected}} to {{private}} with public getters, additional protected fields
> in UIBean should be converted for consistency and to prevent similar warnings.
> h3. Background
> OGNL's expression parser can attempt to access protected fields when
> evaluating expressions containing field names as tokens (e.g.,
> {{getText('key.something')}}, {{getText('title.page')}}). This triggers
> SecurityMemberAccess warnings: "Access to non-public [protected String
> UIBean.xxx] is blocked!"
> By using {{private}} fields with public getters, OGNL's introspection finds
> the public getter methods instead of attempting direct field access.
> h3. Fields to Convert
> Priority fields (most likely to appear in expressions):
> * {{key}} - Commonly used in resource bundle keys
> * {{title}} - Could appear in page title expressions
> * {{disabled}} - May appear in conditional expressions
> Optional (for JavaBean compliance and consistency):
> * All remaining protected fields (cssClass, cssStyle, templateDir, theme,
> etc.)
> h3. Scope
> * Change field visibility from {{protected}} to {{private}}
> * Add public getter methods where missing
> * Update any subclasses that directly access these fields to use getters
> * Add tests to verify OGNL can access fields without warnings
> * Maintain backward compatibility for setter methods
> h3. Related
> * WW-5368: Fixed label, name, value, id fields
> * Follows JavaBean encapsulation best practices
> * Improves framework security posture by eliminating false-positive warnings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
