[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user aleksandr-m commented on the issue: https://github.com/apache/struts/pull/142 @lukaszlenart > The simplest solution is to add a flag, a constant that by default should turn off this check, but the Spring Plugin should have this flag set on to enable additional scanning. I'll create a PR implementing this in a few days. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 Yes, you must branch off from the `support-2-3` branch and open a PR against that branch after all --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user yasserzamani commented on the issue: https://github.com/apache/struts/pull/142 @lukaszlenart , Yes with pleasure. I should come with a new PR but on branch support-2-3, right? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 @yasserzamani do you want to port some of those changes to 2.3.33? Or at least implement what @aleksandr-m mentioned in a comment? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user cnenning commented on the issue: https://github.com/apache/struts/pull/142 IMO this can be merged --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 If no objections I am going to merge this PR, btw. I have created a task to implement Voters https://issues.apache.org/jira/browse/WW-4807 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 Yeah I understand but still this affects non-Spring users. And I think this can go in as is and we can improve and think about the Voters mechanism in 2.6. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user yasserzamani commented on the issue: https://github.com/apache/struts/pull/142 Thank you @lukaszlenart , I got your point but what about when user uses Spring but not S2's Spring Plugin? i.e. when user does not want to define his/her actions as Spring beans but wants to use AOP on them. However, now, after my forth commit, I don't think we should be worry. I tested WW-4805's scenario heavily with hundreds concurrent users via JMeter while profiling via YourKit. All of `ProxyUtil` methods just consume 186ms of the whole execution time, 137000ms, i.e. 0.001% ~= 0%. Before caching it was 7%. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 With the flag in place you can always disable it in your {{struts.xml}} event it the Spring Plugin is present. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user aleksandr-m commented on the issue: https://github.com/apache/struts/pull/142 @lukaszlenart Sounds good. Still, it would be nice to allow to turn this checking completely off even when spring plugin is presented. The issue then can be avoided with addition of a simple pattern which should be faster. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
[GitHub] struts issue #142: WW-4805 Blocks ognl access to class members of Spring pro...
Github user lukaszlenart commented on the issue: https://github.com/apache/struts/pull/142 The case with those changes is that they will affect everyone even if you don't use Spring so its scope should be narrowed just to the Spring Plugin. The simplest solution is to add a flag, a constant that by default should turn off this check, but the Spring Plugin should have this flag set on to enabled additional scanning. The ultimate solution would be a voter mechanism injectable by the internal DI mechanism but this requires a bit more work. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org