lukaszlenart opened a new pull request, #1420:
URL: https://github.com/apache/struts/pull/1420

   ## Summary
   
   Fixes false-positive OGNL SecurityMemberAccess warnings when using resource bundle keys that start with component field names (label, name, value, id).
   
   Previously, expressions like `getText('label.reasonOfTransaction.'+top)` would trigger warnings:
   ```
   Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.label] is blocked!
   ```
   
   This occurred because OGNL's expression parser attempted to access `protected` fields directly when evaluating property names, even when those names were part of string literals in `getText()` calls.
   
   ## Changes
   
   - **UIBean.java**: Changed `label`, `name`, `value`, `id` fields from `protected` to `private` and added public getter methods
   - **Bean.java, Param.java, Text.java, I18n.java**: Changed `name`/`value` fields to `private` with public getters
   - **Updated all UIBean subclasses**: Modified to use getter methods instead of direct field access
     - Form.java, FormButton.java, Submit.java, Label.java, Reset.java, Token.java, ServletUrlRenderer.java
   - **Added comprehensive test**: `testNoOgnlWarningsForProtectedFields()` in UIBeanTest.java
   
   By using `private` fields with public getters, OGNL's introspection finds the public getter methods instead of attempting direct field access, eliminating the warnings while maintaining full functionality.
   
   ## Test Plan
   
   - [x] All existing tests pass (UIBeanTest and related component tests)
   - [x] New test verifies OGNL can access fields via public getters without warnings
   - [x] Verified expressions like `getText('label.key')`, `getText('name.key')`, `getText('value.key')` work correctly
   - [x] Confirmed no regression in tag rendering functionality
   - [x] Build completes successfully with no compilation errors
   
   ## Related
   
   Fixes [WW-5368](https://issues.apache.org/jira/browse/WW-5368)
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
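
The getter-before-field lookup that the pull request relies on, as an added example that is not code from Struts, OGNL or this pull request. It is a simplified reflection model: the classes `Before` and `After` and the method `resolve` are hypothetical, and the printed message only imitates the format of the warning quoted above.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class GetterVsFieldDemo {
    // Hypothetical stand-ins for a component before and after the change.
    public static class Before {
        protected String label = "old";
    }

    public static class After {
        private String label = "new";
        public String getLabel() { return label; }
    }

    // Simplified resolver (an assumption, not OGNL's implementation):
    // try a public getter first, then fall back to a declared field,
    // refusing and logging any field that is not public.
    static String resolve(Object target, String property) throws Exception {
        String getter = "get" + Character.toUpperCase(property.charAt(0))
                + property.substring(1);
        try {
            Method m = target.getClass().getMethod(getter); // public methods only
            return "getter:" + m.invoke(target);
        } catch (NoSuchMethodException ignored) {
            // No public getter: fall through to the field lookup.
        }
        for (Class<?> c = target.getClass(); c != null; c = c.getSuperclass()) {
            try {
                Field f = c.getDeclaredField(property);
                if (!Modifier.isPublic(f.getModifiers())) {
                    System.out.println("Access to non-public [" + f + "] is blocked!");
                    return "blocked";
                }
                return "field:" + f.get(target);
            } catch (NoSuchFieldException ignored) {
                // Keep walking up the class hierarchy.
            }
        }
        return "not-found";
    }

    public static void main(String[] args) throws Exception {
        // Protected field with no getter: the field path is reached and refused.
        System.out.println(resolve(new Before(), "label"));
        // Private field with a public getter: the field is never touched.
        System.out.println(resolve(new After(), "label"));
    }
}
```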

