Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Lukasz Lenart 
> To: Struts Developers List , 
> Date: 17.09.2015 08:25
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> Great, thanks for testing it!
> 
> 2015-09-16 16:26 GMT+02:00 Christoph Nenning :
> > Finally I had some time to play with strict DMI again. Here some findings
> > and thoughts:
> >
> >
> > - I realized that in current master branch strict DMI has no effect when
> > actions are not configured in xml. I thought that would lead to no methods
> > being allowed.
> >
> > - In strict-DMI branch it is same behavior. So I could not get the new
> > annotation @AllowedMethods to have an effect.
> >
> > - When action is configured in xml without  and annotated
> > with @AllowedMethods there is just execute() available.
> >
> > - I could not find docs in wiki about the mechanism to invoke a method
> > with a parameter name like "methd:". But the feature got
> > disabled along with DMI. So I think there should be info added to this
> > page: http://struts.apache.org/docs/action-configuration.html
> >
> >
> >
> > Sample for first point (strict DMI has no effect with convention plugin)
> >
> >
> > struts.xml:
> >
> >  > strict-method-invocation="true">
> >
> > 
> >
> > 
> >  > "hello-pkg" />
> >
> >
> >
> > Action:
> >
> > @Action("hello")
> > public class HelloAction extends ActionSupport {
> >
> >     // all methods can be invoked -> strict DMI has no effect
> >     // I would rather expect that just execute() is allowed in this case
> >     // and that more methods can be allowed with @AllowedMethods
> >
> > }
> 
> It is only useful when DMI is enabled - some of the users still using
> it. Also did you switch to DTD definition to 2.5?
> 
> 
> 
> then you can call url like this one: index.action!secure
> 
> I have prepared a small demo app
> https://github.com/lukaszlenart/struts2-convention
> 
> 


OK, got it working. The issue was that I had different version of s2 jars 
at runtime. I should learn to use my tools properly ;)


@AllowedMethods does what I want it to do, thanks Łukasz!


There is just one issue left: Setting strict-method-invocation="false"
affects only actions configured in XML. When PackageConfig is created by 
XmlConfigurationProvider that field is set but 
PackageBasedActionConfigBuilder from convention-plugin does not set it.

There could be 2 ways to solve this:
- provide another package-level annotation @StrictMethodInvocation.
- PackageBasedActionConfigBuilder could read existing PackageConfig to 
figure out if it was set in xml.


I know I said just a few weeks ago that I would provide that flag. But 
seeing the current situation I would be OK to drop it. That would force 
users to be more secure :)
But as there is global-allowed-methods people can be lazy.



Regards,
Christoph





> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
> 

This Email was scanned by Sophos Anti Virus
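
The allow-list decision discussed in this thread, sketched as an added, self-contained Java model (not code from Struts or from the posters): with strict mode on, a requested method must be `execute`, be listed for the action (the role of @AllowedMethods), or be in the package's global list, and the comparison is a plain string match. The names `StrictDmiModel`, `PackageModel`, `ActionModel` and `decide` and the sample lists are assumptions; only the rejection text follows the exception message quoted in the thread.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Simplified model of the allow-list decision; illustrative only, not Struts source. */
public class StrictDmiModel {

    static final String DEFAULT_METHOD = "execute";

    /** Package settings: the strict-method-invocation flag and global-allowed-methods. */
    static final class PackageModel {
        final boolean strict;
        final Set<String> globalAllowed;

        PackageModel(boolean strict, String... globalAllowed) {
            this.strict = strict;
            this.globalAllowed = new HashSet<>(Arrays.asList(globalAllowed));
        }
    }

    /** One action: its name, its package, and the names listed in @AllowedMethods. */
    static final class ActionModel {
        final String name;
        final PackageModel pkg;
        final Set<String> allowed;

        ActionModel(String name, PackageModel pkg, String... allowed) {
            this.name = name;
            this.pkg = pkg;
            this.allowed = new HashSet<>(Arrays.asList(allowed));
        }
    }

    /** Exact-name comparison only: the requested string is never evaluated. */
    static boolean isAllowed(ActionModel action, String method) {
        if (DEFAULT_METHOD.equals(method)) {
            return true;                       // execute() stays available
        }
        if (!action.pkg.strict) {
            return true;                       // non-strict: every name passes this check
        }
        return action.allowed.contains(method)
                || action.pkg.globalAllowed.contains(method);
    }

    /** Splits "action!method" (the DMI form used in the thread) and applies the check. */
    static String decide(ActionModel action, String request) {
        int bang = request.indexOf('!');
        String method = bang < 0 ? DEFAULT_METHOD : request.substring(bang + 1);
        if (method.isEmpty()) {
            method = DEFAULT_METHOD;
        }
        if (isAllowed(action, method)) {
            return "allowed: " + action.name + "." + method;
        }
        return "This method: " + method + " for action " + action.name + " is not allowed!";
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the global list is made up for this demo.
        PackageModel strictPkg = new PackageModel(true, "input", "cancel");
        PackageModel laxPkg = new PackageModel(false);
        ActionModel index = new ActionModel("index", strictPkg, "secure");
        ActionModel login = new ActionModel("login", strictPkg);
        ActionModel legacy = new ActionModel("legacy", laxPkg);

        System.out.println(decide(index, "index"));               // default method
        System.out.println(decide(index, "index!secure"));        // listed for the action
        System.out.println(decide(index, "index!cancel"));        // in the global list
        System.out.println(decide(index, "index!toString"));      // not listed anywhere
        System.out.println(decide(login, "login!getBean().key")); // expression-like name
        System.out.println(decide(legacy, "legacy!toString"));    // strict mode off
    }
}
```

Because the check is a set lookup on the literal name, an expression-like string such as `getBean().key` is rejected in strict mode simply because it is not in any list.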


Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Lukasz Lenart 
> To: Struts Developers List , 
> Date: 15.09.2015 09:11
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I have extended the list of default 'global-allowed-methods' but I am
> wondering if support for 'package-allowed-methods' is needed?
> 'global-allowed-methods' are inherited from package to package where
> 'package-allowed-methods' wouldn't be. WDYT?
> 
> This can always be added later.
> 


I don't think we need support for 'package-allowed-methods'. It would be 
nice but I don't see a real benefit. Just more maintenance work.


And yes, if users request it it can be added.



Regards,
Christoph



> 2015-09-04 12:25 GMT+02:00 Lukasz Lenart :
> > I have updated PR description with more detailed info
> > https://github.com/apache/struts/pull/47
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> 


Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Greg Huber 
> To: Struts Developers List , 
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I was testing using:
> 
> 
> 
> and it returned the value in the name field on the bean.
> 

I tested with:



And that was blocked with this exception:

com.opensymphony.xwork2.config.ConfigurationException: This method: getBean().key for action login is not allowed!
    at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:200) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
    at org.apache.struts2.factory.StrutsActionProxy.prepare(StrutsActionProxy.java:63) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
    at org.apache.struts2.factory.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:37) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
.



Regards,
Christoph






> public class EventEdit extends EventBase {
> 
>     private EventBean bean = null;
> 
>     /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
> 
> }
> 
> I thought this was what we were trying to stop?
> 
> 
> On 17 September 2015 at 08:27, Lukasz Lenart wrote:
> 
> > 2015-09-17 9:11 GMT+02:00 Greg Huber :
> > > For my form bean, getBean().getName();
> > >
> > >
> > > edit!getBean().getName
> > >
> > >
> > > For me it shows an exception with the bean Name field value, would a
> > > combination of all public methods in the package and then on sensitive
> > > actions like login/payments etc use the action to restrict to allowed
> > > methods only?
> > >
> > > [
> > >
> > > edit!getBean().getName() ==
> > >
> > >1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
> > >":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
> > >"false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
> > >... "new" ...  ...  ... "\'" ... "`" ... "\"" ...
> > > ...  ...
> > >2. Malformed OGNL expression: getBean().getName()()
> > >
> > > edit!getBean().name ==
> > >
> > > *java.lang.NoSuchMethodException*
> > >
> > > Block set..() and get..()?
> > >
> > > ]
> >
> > Not sure what do you mean by that but DMI works only with top level
> > functions that returns a String, ie. edit!toString
> > It won't work with beans.
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >


Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Greg Huber 
> To: Struts Developers List , 
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I was testing using:
> 
> 
> 
> and it returned the value in the name field on the bean.
> 



I don't know how  is implemented but I guess it 
does not use the DMI code path and hence is not secured by strict DMI. It 
surely would make sense to apply the newly configured allowed-methods to 
other code paths as well. How many code paths do we have?




Regards,
Christoph










[GitHub] struts pull request: Uniform comparison

2015-09-22 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/struts/pull/48


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---




jira permission

2015-09-22 Thread Christoph Nenning
Hi,


as I merged pr48 I wanted to close related JIRA (WW-4544) but it seems I 
don't have permission to do that.



Regards,
Christoph



[GitHub] struts pull request: Improve LocalizedTextUtil.getMessage() defend...

2015-09-22 Thread wolpi
Github user wolpi commented on the pull request:

https://github.com/apache/struts/pull/50#issuecomment-142278975
  
Usually it is not supported to use struts2 utility classes outside of 
struts context. I would rather not merge this as it increases maintenance 
burden.

That it cannot be built on jenkins seems to be a configuration issue, it 
builds on my box.





Jenkins build became unstable: Struts-JDK7-master #354

2015-09-22 Thread Apache Jenkins Server
See 





Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Apache Jenkins Server
See 

Changes:

[zhouyanming] Uniform comparison

--
[...truncated 2058 lines...]

Re: jira permission

2015-09-22 Thread Lukasz Lenart
Try now

2015-09-22 14:44 GMT+02:00 Christoph Nenning :
> Hi,
>
>
> as I merged pr48 I wanted to close related JIRA (WW-4544) but it seems I
> don't have permission to do that.
>
>
>
> Regards,
> Christoph
>



Re: jira permission

2015-09-22 Thread Christoph Nenning
Yay! Issue closed.


> 
> Try now
> 
> 2015-09-22 14:44 GMT+02:00 Christoph Nenning :
> > Hi,
> >
> >
> > as I merged pr48 I wanted to close related JIRA (WW-4544) but it seems I
> > don't have permission to do that.
> >
> >
> >
> > Regards,
> > Christoph
> >


Re: Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Christoph Nenning
AFAIK jdk8 does not include the apt tool anymore so maven-apt-plugin 
cannot work.


See this error from output:

> [ERROR] Failed to execute goal org.apache.myfaces.tobago:maven-apt-
> plugin:1.0.15:execute (default) on project struts2-core: Error 
> starting apt compiler: com.sun.tools.apt.Main


So the build should be adjusted to work with jdk8.



Regards,
Christoph





Re: Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Lukasz Lenart
I treat this build as a reminder that we must add support for JDK8 soon :)


2015-09-22 15:15 GMT+02:00 Christoph Nenning :
> AFAIK jdk8 does not include the apt tool anymore so maven-apt-plugin
> cannot work.
>
>
> See this error from output:
>
>> [ERROR] Failed to execute goal org.apache.myfaces.tobago:maven-apt-
>> plugin:1.0.15:execute (default) on project struts2-core: Error
>> starting apt compiler: com.sun.tools.apt.Main
>
>
> So the build should be adjusted to work with jdk8.
>
>
>
> Regards,
> Christoph
>
>
>
>

Re: Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Christoph Nenning
> I treat this build as a reminder that we must add support for JDK8 soon :)

alright ;)

+1




> 
> 

Re: Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Aaron Johnson
WW-4402 (https://issues.apache.org/jira/browse/WW-4402) has
patch WW-4402.diff (
https://issues.apache.org/jira/secure/attachment/12734928/WW-4402.diff)
that makes the annotation processor compliant with JDK8. This is a separate
project from the main Struts project. You will have to release a new
version of this project in order to use it in the main Struts project.

The same issue has a second patch, WW-4402-struts-core.diff (
https://issues.apache.org/jira/secure/attachment/12735073/WW-4402-struts-core.diff)
that uses the new processing version in the main Struts project. I think it
uses the SNAPSHOT version since the release is not available.

On Tue, Sep 22, 2015 at 8:28 AM, Christoph Nenning <
christoph.nenn...@lex-com.net> wrote:

> > I treat this build as a reminder that we must add support for JDK8 soon :)
>
> alright ;)
>
> +1
>
>
>
>
> >
> >

Jenkins build is back to stable : Struts-JDK7-master #355

2015-09-22 Thread Apache Jenkins Server
See 





Build failed in Jenkins: Struts-JDK8-master #32

2015-09-22 Thread Apache Jenkins Server
See 

Changes:

[cnenning] fixes broken tests due to WW-4544 / #48

--
[...truncated 2053 lines...]

Re: Build failed in Jenkins: Struts-JDK8-master #31

2015-09-22 Thread Johannes Geppert
+1 would be great! :-)

#
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep


2015-09-22 16:18 GMT+02:00 Aaron Johnson :

> WW-4402 (https://issues.apache.org/jira/browse/WW-4402) has
> patch WW-4402.diff (
> https://issues.apache.org/jira/secure/attachment/12734928/WW-4402.diff)
> that makes the annotation processor compliant with JDK8. This is a separate
> project from the main Struts project. You will have to release a new
> version of this project in order to use it in the main Struts project.
>
> The same issue has a second patch, WW-4402-struts-core.diff (
> https://issues.apache.org/jira/secure/attachment/12735073/WW-4402-struts-core.diff)
> that uses the new processing version in the main Struts project. I think it
> uses the SNAPSHOT version since the release is not available.
>

Build failed in Jenkins: Struts-JDK8-master #33

2015-09-22 Thread Apache Jenkins Server
See 

Changes:

[jogep] WW-4549 - Extend Struts Test Case to support tests for REST plugin 
actions

--
[...truncated 2058 lines...]

[VOTE][FASTRACK] Struts 2.3.24.1

2015-09-22 Thread Lukasz Lenart
The Struts 2.3.24.1 test build is now available. It includes the
latest security patch which fixes one possible vulnerability:
- Special top object can be used to access Struts' internals

For details and the rationale behind these changes, please consult the
corresponding security bulletins:
* https://cwiki.apache.org/confluence/display/WW/S2-026

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.24.1

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.24.1/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote after
24 hours (at least three binding +1s and more +1s than -1s),  the
release may be submitted for mirroring and announced to the usual
channels.

The website download link will include the mirroring timestamp
parameter [1], which limits the selection of mirrors to those that
have been refreshed since the indicated time and date. (After 24
hours, we *must* remove the timestamp parameter from the website link,
to avoid unnecessary server load.) In the case of a fast-track
release, the email announcement will not link directly to
, but to , so that we can control use of
the timestamp parameter.

[1] http://apache.org/dev/mirrors.html#use

- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org



[GitHub] struts pull request: Improve LocalizedTextUtil.getMessage() defend...

2015-09-22 Thread quaff
Github user quaff commented on the pull request:

https://github.com/apache/struts/pull/50#issuecomment-142492307
  
@wolpi, it's a very, very simple and safe improvement. It doesn't increase 
maintenance burden. It makes struts more robust.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---




Re: Git Push Summary

2015-09-22 Thread Lukasz Lenart
2015-09-23 8:01 GMT+02:00  :
> Repository: struts
> Updated Branches:
>   refs/heads/support-2-3 [created] bfe51fcb7

I'm going to use this branch to release one more 2.3.x version - some
minor fixes


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Lukasz Lenart
2015-09-22 13:52 GMT+02:00 Christoph Nenning :
> OK, got it working. The issue was that I had different version of s2 jars
> at runtime. I should learn to use my tools properly ;)

Great!

> @AllowedMethods does what I want it to do, thanks Łukasz!

My pleasure :)

> There is just one issue left: Setting strict-method-invocation="false"
> affects only actions configured in XML. When PackageConfig is created by
> XmlConfigurationProvider that field is set but
> PackageBasedActionConfigBuilder from convention-plugin does not set it.
>
> There could be 2 ways to solve this:
> - provide another package-level annotation @StrictMethodInvocation.
> - PackageBasedActionConfigBuilder could read existing PackageConfig to
> figure out if it was set in xml.

Thanks, I will try to figure out if it is possible

> I know I said just a few weeks ago that I would provide that flag. But
> seeing the current situation I would be OK to drop it. That would force
> users to be more secure :)
> But as there is global-allowed-methods people can be lazy.

We can always drop this flag with next major release (2.6 or 3.0)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
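
A configuration check for the settings discussed in this thread, as an added example that is not part of the original messages or of the Struts code base: it scans a struts.xml for packages that set strict-method-invocation="false" and for broad allowed-methods entries. The sample XML is constructed, the function names are hypothetical, and treating "*" and "regex:" entries as broad is an assumption; it covers XML configuration only, which per the thread is the only place the package attribute takes effect.

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment (not from the thread); it uses the package
# attribute and allowed-methods elements discussed in the messages above.
SAMPLE = """<struts>
  <package name="hello-pkg" extends="struts-default" strict-method-invocation="false">
    <action name="hello" class="example.HelloAction"/>
  </package>
  <package name="lazy-pkg" extends="struts-default">
    <global-allowed-methods>regex:.*</global-allowed-methods>
    <action name="index" class="example.IndexAction"/>
  </package>
  <package name="tight-pkg" extends="struts-default" strict-method-invocation="true">
    <action name="index" class="example.IndexAction">
      <allowed-methods>secure</allowed-methods>
    </action>
  </package>
</struts>"""


def is_broad(entry):
    """Heuristic (assumption): a bare wildcard or any regex entry counts as broad."""
    return entry == "*" or entry.startswith("regex:")


def methods(element):
    """Split a comma-separated method list, tolerating a missing element or text."""
    text = (element.text or "") if element is not None else ""
    return [m.strip() for m in text.split(",") if m.strip()]


def audit(xml_text):
    """Return (package, finding) tuples for settings that widen method access."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        name = pkg.get("name", "?")
        if pkg.get("strict-method-invocation", "").lower() == "false":
            findings.append((name, "strict-method-invocation disabled"))
        for entry in methods(pkg.find("global-allowed-methods")):
            if is_broad(entry):
                findings.append((name, "broad global-allowed-methods: " + entry))
        for action in pkg.iter("action"):
            for entry in methods(action.find("allowed-methods")):
                if is_broad(entry):
                    findings.append((name, "broad allowed-methods on %s: %s"
                                     % (action.get("name"), entry)))
    return findings
```

Calling audit(SAMPLE) reports hello-pkg and lazy-pkg and nothing for tight-pkg; actions registered by the convention plugin need a separate review of their @AllowedMethods annotations.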




Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Lukasz Lenart
2015-09-22 14:05 GMT+02:00 Christoph Nenning :
> 

Ok, but this is something that you as a developer did, so you did that
on purpose, you had a special requirement so it's up to you to
configure Struts to allow such action name. But maybe I am wrong and
this is ok, that such a method was blocked?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




[GitHub] struts pull request: Improve LocalizedTextUtil.getMessage() defend...

2015-09-22 Thread wolpi
Github user wolpi commented on the pull request:

https://github.com/apache/struts/pull/50#issuecomment-142507218
  
> It makes struts more robust.

When LocalizedTextUtil is used as intended and supported it is already 
robust :wink: 


> It doesn't increase maintenance burden

Well, this small patch itself does not. But the idea that struts code 
should work even when no ValueStack is available. There are surely many more 
places in the code base where such null checks are necessary to really support 
Util classes outside of struts context. And the maintenance burden comes over 
time. Even when your use case would work right now, with every change any 
struts developer does, or external contributors are doing, they must remember 
to make their changes working even outside of struts context.

Or put it another way: LocalizedTextUtil is not part of public API. It is a 
struts internal utility.

What actually is your use case? Can't you use java resource bundle API?






Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Lukasz Lenart 
> To: Struts Developers List , 
> Date: 23.09.2015 08:20
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> 2015-09-22 14:05 GMT+02:00 Christoph Nenning 
:
> > 
> 
> Ok, but this is something that you as a developer did, so you did that
> on purpose, you had a special requirement so it's up to you to
> configure Struts to allow such action name. But maybe I am wrong and
> this is ok, that such a method was blocked?
> 
> 


I wanted this to be blocked. It was my test that blocking 
non-allowed-methods really works ;)




Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Lukasz Lenart
2015-09-22 14:16 GMT+02:00 Christoph Nenning :
>> From: Greg Huber 
>> To: Struts Developers List ,
>> Date: 17.09.2015 09:37
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> I was testing using:
>>
>>  />
>>
>> and it returned the value in the name field on the bean.
>
> I don't know how  is implemented but I guess it
> does not use the DMI code path and hence is not secured by strict DMI. It
> surely would make sense to apply the newly configured allowed-methods to
> other code paths as well. How many code paths do we have?

It's a tag so it's internal stuff which can be used by developer to
fulfil his special requirements. And this "action" attribute as any
other is evaluated against a ValueStack, so it's very hard to predict
what was the developer's intention. Please remember that tags are used
to generate HTML, not to control framework's behaviour. And this piece
of code will be returned to a browser and after user submits it back
this will be governed by Strict DMI.

Also when you want to use DMI here you should use "method" attribute:



Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Lukasz Lenart
2015-09-23 8:27 GMT+02:00 Christoph Nenning :
>> From: Lukasz Lenart 
>> To: Struts Developers List ,
>> Date: 23.09.2015 08:20
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> 2015-09-22 14:05 GMT+02:00 Christoph Nenning
> :
>> > 
>>
>> Ok, but this is something that you as a developer did, so you did that
>> on purpose, you had a special requirement so it's up to you to
>> configure Struts to allow such action name. But maybe I am wrong and
>> this is ok, that such a method was blocked?
>
> I wanted this to be blocked. It was my test that blocking
> non-allowed-methods really works ;)

Ach! So I assume it's ok :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




[GitHub] struts pull request: Improve LocalizedTextUtil.getMessage() defend...

2015-09-22 Thread lukaszlenart
Github user lukaszlenart commented on the pull request:

https://github.com/apache/struts/pull/50#issuecomment-142507814
  
> It doesn't increase maintenance burden

It does, as my plan is to drop all those static beans (static classes with a 
lot of dependencies passed in methods) and convert them into fully injectable 
beans. This will allow to simplify its logic and allow for custom 
implementation (i.e. DB based resources)

