[
https://issues.apache.org/jira/browse/WW-5589?focusedWorklogId=993010&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-993010
]
ASF GitHub Bot logged work on WW-5589:
--------------------------------------
Author: ASF GitHub Bot
Created on: 23/Nov/25 16:15
Start Date: 23/Nov/25 16:15
Worklog Time Spent: 10m
Work Description: sonarqubecloud[bot] commented on PR #1421:
URL: https://github.com/apache/struts/pull/1421#issuecomment-3568117709
## **Quality Gate failed**
Failed conditions
[65.8% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1421&metric=new_coverage&view=list) (required ≥ 80%)
[See analysis details on SonarQube Cloud](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=1421)
Issue Time Tracking
-------------------
Worklog Id: (was: 993010)
Time Spent: 20m (was: 10m)
> Convert remaining UIBean protected fields to private to prevent OGNL warnings
> -----------------------------------------------------------------------------
>
> Key: WW-5589
> URL: https://issues.apache.org/jira/browse/WW-5589
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Following WW-5368, which fixed OGNL SecurityMemberAccess warnings for
> {{label}}, {{name}}, {{value}}, and {{id}} fields by converting them from
> {{protected}} to {{private}} with public getters, additional protected fields
> in UIBean should be converted for consistency and to prevent similar warnings.
> h3. Background
> OGNL's expression parser can attempt to access protected fields when
> evaluating expressions containing field names as tokens (e.g.,
> {{getText('key.something')}}, {{getText('title.page')}}). This triggers
> SecurityMemberAccess warnings: "Access to non-public [protected String
> UIBean.xxx] is blocked!"
> By using {{private}} fields with public getters, OGNL's introspection finds
> the public getter methods instead of attempting direct field access.
> h3. Fields to Convert
> Priority fields (most likely to appear in expressions):
> * {{key}} - Commonly used in resource bundle keys
> * {{title}} - Could appear in page title expressions
> * {{disabled}} - May appear in conditional expressions
> Optional (for JavaBean compliance and consistency):
> * All remaining protected fields (cssClass, cssStyle, templateDir, theme,
> etc.)
> h3. Scope
> * Change field visibility from {{protected}} to {{private}}
> * Add public getter methods where missing
> * Update any subclasses that directly access these fields to use getters
> * Add tests to verify OGNL can access fields without warnings
> * Maintain backward compatibility for setter methods
> h3. Related
> * WW-5368: Fixed label, name, value, id fields
> * Follows JavaBean encapsulation best practices
> * Improves framework security posture by eliminating false-positive warnings
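As an added example (not code from the Struts project or from the issue), this reflection-based audit lists the protected instance fields a class declares and reports whether each already has a public getter, which is the inventory the "Fields to Convert" and "Scope" items call for. `BeforeBean` and `AfterBean` are constructed stand-ins for a component before and after the change, not the real `UIBean`.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class ProtectedFieldAudit {
    // Constructed stand-in for a component before the change: protected fields.
    static class BeforeBean {
        protected String key;
        protected String title;
        public String getTitle() { return title; }
    }
    // Constructed stand-in after the change: private fields with public getters.
    static class AfterBean {
        private String key;
        private String title;
        public String getKey() { return key; }
        public String getTitle() { return title; }
    }

    // One finding per protected instance field declared directly on 'type'
    // (superclasses are not walked; call audit() on each class in the hierarchy).
    static List<String> audit(Class<?> type) {
        List<String> findings = new ArrayList<>();
        for (Field f : type.getDeclaredFields()) {
            int m = f.getModifiers();
            if (f.isSynthetic() || Modifier.isStatic(m) || !Modifier.isProtected(m)) continue;
            findings.add(f.getName() + (hasPublicGetter(type, f) ? ": getter present" : ": getter missing"));
        }
        return findings;
    }

    // JavaBean convention: getX(), or isX() as well for primitive boolean fields.
    static boolean hasPublicGetter(Class<?> type, Field f) {
        String suffix = Character.toUpperCase(f.getName().charAt(0)) + f.getName().substring(1);
        String[] prefixes = f.getType() == boolean.class ? new String[] {"is", "get"} : new String[] {"get"};
        for (String p : prefixes) {
            try {
                Method g = type.getMethod(p + suffix); // getMethod() returns public methods only
                if (!Modifier.isStatic(g.getModifiers()) && g.getReturnType() != void.class) return true;
            } catch (NoSuchMethodException ignored) { /* try the next prefix */ }
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("BeforeBean: " + audit(BeforeBean.class));
        System.out.println("AfterBean:  " + audit(AfterBean.class));
    }
}
```

A field reported as "getter missing" needs both the visibility change and a new getter; an empty result means the class has no protected instance fields left to convert.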