Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
Mon, 18 Dec 2023 at 19:45 Ralph Grove wrote:
>

Ok, so you use the bootstrap plugin, so this is the problem
https://github.com/struts-community-plugins/struts2-bootstrap/pull/109
yet this isn't released yet and we should do it

Regards
--
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
> On Dec 17, 2023, at 10:04 AM, Lukasz Lenart wrote:
>
> Sat, 16 Dec 2023 at 19:10 Ralph Grove wrote:
>> The setup action declares it this way:
>>
>>     private HashMap statuses;
>>
>>     statuses = User.getStatusMap();
>>
>> And in the User class it’s created in the get method:
>>
>>     public static HashMap getStatusMap() {
>>         HashMap statusMap = new HashMap<>();
>>         statusMap.put(User.ACTIVE, "Active");
>>         statusMap.put(User.INACTIVE, "Inactive");
>>         return statusMap;
>>     }
>
> Do you use a custom template? Maybe you have your own radiomap.ftl? I
> just tested the Showcase app and didn't notice such problems.
> Basically you shouldn't notice such a warning as it means someone is
> trying to access a protected property of your bean
>
> Cheers
> Łukasz

Here’s a stripped-down version of the code that still generates the warning messages. Maybe you could try this and see if you get the same messages:

[WARN ] 2023-12-18 13:40:24 [https-jsse-nio-8443-exec-81] SecurityMemberAccess - Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.disabled] is blocked!
[WARN ] 2023-12-18 13:40:24 [https-jsse-nio-8443-exec-81] SecurityMemberAccess - Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.disabled] is blocked!
[WARN ] 2023-12-18 13:40:24 [https-jsse-nio-8443-exec-81] SecurityMemberAccess - Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.disabled] is blocked!
[WARN ] 2023-12-18 13:40:24 [https-jsse-nio-8443-exec-81] SecurityMemberAccess - Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.disabled] is blocked!

In struts.xml:

    /WEB-INF/jsp/test.jsp

TestSetupAction.java:

    import static com.opensymphony.xwork2.Action.ERROR;
    import static com.opensymphony.xwork2.Action.SUCCESS;
    import com.opensymphony.xwork2.ActionSupport;
    import org.apache.logging.log4j.Logger;
    import org.apache.logging.log4j.LogManager;
    import java.util.Map;
    import java.sql.SQLException;
    import java.util.HashMap;
    import static java.util.Map.entry;

    public class TestSetupAction extends ActionSupport {

        private static final Logger logger = LogManager.getLogger(UserSetupAction.class);

        private Map statuses;

        @Override
        public String execute() throws SQLException {
            try {
                statuses = Map.ofEntries(
                    entry('A', "Active"),
                    entry('I', "Inactive")
                );
                return SUCCESS;
            } catch (Exception e) {
                logger.error("TSA.execute(): ", e);
                return ERROR;
            }
        }

        public Map getStatuses() {
            return statuses;
        }
    }

test.jsp:

    <%@page contentType="text/html" pageEncoding="UTF-8" %>
    <%@taglib prefix="s" uri="/struts-tags" %>
    <%@taglib prefix="sj" uri="/struts-jquery-tags" %>
    http://www.w3.org/1999/xhtml;> User Update User Update
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
2023-12-18 11:51:43,756 WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (default task-1075) Access to non-public [private java.lang.String LoginAction.username] is blocked!
2023-12-18 11:51:43,757 WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] (default task-1075) Access to non-public [private java.lang.String LoginAction.password] is blocked!

I do see these messages in my log. Should we be looking into our code?

Thanks,
Prasanth

On 12/17/23 9:04 AM, Lukasz Lenart wrote:
> Sat, 16 Dec 2023 at 19:10 Ralph Grove wrote:
>> The setup action declares it this way:
>>
>>     private HashMap statuses;
>>
>>     statuses = User.getStatusMap();
>>
>> And in the User class it’s created in the get method:
>>
>>     public static HashMap getStatusMap() {
>>         HashMap statusMap = new HashMap<>();
>>         statusMap.put(User.ACTIVE, "Active");
>>         statusMap.put(User.INACTIVE, "Inactive");
>>         return statusMap;
>>     }
>
> Do you use a custom template? Maybe you have your own radiomap.ftl? I
> just tested the Showcase app and didn't notice such problems.
> Basically you shouldn't notice such a warning as it means someone is
> trying to access a protected property of your bean
>
> Cheers
> Łukasz
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
Sat, 16 Dec 2023 at 19:10 Ralph Grove wrote:
> The setup action declares it this way:
>
>     private HashMap statuses;
>
>     statuses = User.getStatusMap();
>
> And in the User class it’s created in the get method:
>
>     public static HashMap getStatusMap() {
>         HashMap statusMap = new HashMap<>();
>         statusMap.put(User.ACTIVE, "Active");
>         statusMap.put(User.INACTIVE, "Inactive");
>         return statusMap;
>     }

Do you use a custom template? Maybe you have your own radiomap.ftl? I
just tested the Showcase app and didn't notice such problems.
Basically you shouldn't notice such a warning as it means someone is
trying to access a protected property of your bean

Cheers
Łukasz
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
> On Dec 16, 2023, at 1:41 PM, Dale Newfield wrote:
>
> Unrelated to your question, but why do you create redundant maps every time
> your static getter method is called? (And note they're mutable.)
>
> You can eliminate all that syntax, remove the getter side-effects, and add
> the safety of immutability with Lombok and the Map static constructors:
>
>     @Getter
>     private static final Map statusMap = Map.ofEntries(
>         Map.entry(User.ACTIVE, "Active"),
>         Map.entry(User.INACTIVE, "Inactive"));
>
> I've found "declarative-looking" code to be MUCH more concise and
> comprehensible, and thus more maintainable.
>
> -Dale

Thanks for the suggestion - I will check that out.

Ralph
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
Unrelated to your question, but why do you create redundant maps every time
your static getter method is called? (And note they're mutable.)

You can eliminate all that syntax, remove the getter side-effects, and add
the safety of immutability with Lombok and the Map static constructors:

    @Getter
    private static final Map statusMap = Map.ofEntries(
        Map.entry(User.ACTIVE, "Active"),
        Map.entry(User.INACTIVE, "Inactive"));

I've found "declarative-looking" code to be MUCH more concise and
comprehensible, and thus more maintainable.

-Dale
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
> On Dec 16, 2023, at 11:29 AM, Lukasz Lenart wrote:
>
> Fri, 15 Dec 2023 at 16:34 Grove, Ralph - groverf wrote:
>>
>> After upgrading from Struts 6.1.1 to 6.3.0.2, these messages began appearing
>> in the log, always four at a time:
>>
>> [WARN ] 2023-12-15 07:33:15 [https-jsse-nio-8443-exec-109]
>> SecurityMemberAccess - Access to non-public [protected java.lang.String
>> org.apache.struts2.components.UIBean.disabled] is blocked!
>>
>> The problem seems to be related to this radio button tag in a JSP. When I
>> remove it from the JSP, the messages disappear.
>>
>>
>>
>> "statuses" refers to a HashMap that is placed on the ValueStack by a
>> preceding setup action, where it is a private attribute:
>>
>>     private HashMap statuses;
>>
>>     public HashMap getStatuses() { return statuses; }
>>
>> Can anyone explain why the messages appear, and if it's safe to ignore them?
>
> What values do you have in "statuses"?
>
> Regards
> --
> Łukasz
> mobile +48 606 323 122 http://www.lenart.org.pl/

The setup action declares it this way:

    private HashMap statuses;

    statuses = User.getStatusMap();

And in the User class it’s created in the get method:

    public static HashMap getStatusMap() {
        HashMap statusMap = new HashMap<>();
        statusMap.put(User.ACTIVE, "Active");
        statusMap.put(User.INACTIVE, "Inactive");
        return statusMap;
    }
Re: New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
Fri, 15 Dec 2023 at 16:34 Grove, Ralph - groverf wrote:
>
> After upgrading from Struts 6.1.1 to 6.3.0.2, these messages began appearing
> in the log, always four at a time:
>
> [WARN ] 2023-12-15 07:33:15 [https-jsse-nio-8443-exec-109]
> SecurityMemberAccess - Access to non-public [protected java.lang.String
> org.apache.struts2.components.UIBean.disabled] is blocked!
>
> The problem seems to be related to this radio button tag in a JSP. When I
> remove it from the JSP, the messages disappear.
>
>
>
> "statuses" refers to a HashMap that is placed on the ValueStack by a
> preceding setup action, where it is a private attribute:
>
>     private HashMap statuses;
>
>     public HashMap getStatuses() { return statuses; }
>
> Can anyone explain why the messages appear, and if it's safe to ignore them?

What values do you have in "statuses"?

Regards
--
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
New warning message appearing with version 6.3 - SecurityMemberAccess - Access to non-public ... is blocked!
After upgrading from Struts 6.1.1 to 6.3.0.2, these messages began appearing in the log, always four at a time:

[WARN ] 2023-12-15 07:33:15 [https-jsse-nio-8443-exec-109] SecurityMemberAccess - Access to non-public [protected java.lang.String org.apache.struts2.components.UIBean.disabled] is blocked!

The problem seems to be related to this radio button tag in a JSP. When I remove it from the JSP, the messages disappear.

"statuses" refers to a HashMap that is placed on the ValueStack by a preceding setup action, where it is a private attribute:

    private HashMap statuses;

    public HashMap getStatuses() { return statuses; }

Can anyone explain why the messages appear, and if it's safe to ignore them?

Thanks,
Ralph Grove
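
Added example (not part of the thread, and not Struts code): a small log triage script for the SecurityMemberAccess warnings quoted above, in both logger layouts that appear in the thread. It groups the warnings by blocked member and tags the owning class as framework or application; the package prefixes used for that split and the sample log are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample reusing the two log layouts quoted in the thread.
_UI = ("[WARN ] 2023-12-18 13:40:24 [https-jsse-nio-8443-exec-81] SecurityMemberAccess - "
       "Access to non-public [protected java.lang.String "
       "org.apache.struts2.components.UIBean.disabled] is blocked!")
_ACT = ("2023-12-18 11:51:43,756 WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] "
        "(default task-1075) Access to non-public [private java.lang.String "
        "LoginAction.{}] is blocked!")
SAMPLE_LOG = "\n".join([_UI] * 4 + [_ACT.format("username"), _ACT.format("password"),
                                    "[INFO ] 2023-12-18 13:40:25 [main] Example - unrelated line"])

# Match on the message text only, so any logger prefix layout is accepted.
BLOCKED = re.compile(r"SecurityMemberAccess.*?Access to non-public \[(.+?)\] is blocked!")

# Assumption: classes under these packages are framework code, anything else is application code.
FRAMEWORK_PREFIXES = ("org.apache.struts2.", "com.opensymphony.xwork2.")


def parse_blocked(line):
    """Return (owner_class, member, modifiers) for a blocked-access warning, else None."""
    m = BLOCKED.search(line)
    if not m:
        return None
    tokens = m.group(1).split()  # e.g. ['protected', 'java.lang.String', 'pkg.Cls.field']
    if len(tokens) < 2:
        return None
    *modifiers, _type, qualified = tokens
    owner, _, member = qualified.rpartition(".")
    return owner, member, " ".join(modifiers)


def triage(log_text):
    """Count warnings per blocked member and tag the owning class as framework or application."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_blocked(line)
        if parsed:
            owner, member, modifiers = parsed
            origin = "framework" if owner.startswith(FRAMEWORK_PREFIXES) else "application"
            counts[(origin, f"{owner}.{member}", modifiers)] += 1
    return sorted((o, name, mods, n) for (o, name, mods), n in counts.items())


if __name__ == "__main__":
    for origin, name, mods, n in triage(SAMPLE_LOG):
        print(f"{n:>3}  {origin:<11}  {mods:<9}  {name}")
```

Rows tagged "framework" point at a tag template or plugin, as with the UIBean.disabled case in this thread; rows tagged "application" name fields in your own action classes and are the ones to review against your JSPs and request parameters.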