Thanks. Issue created https://issues.apache.org/jira/browse/WW-4432

~Regards,
~~Alireza Fattahi

From: Lukasz Lenart <[email protected]>
To: Struts Users Mailing List <[email protected]>
Sent: Monday, 15 December 2014, 12:00
Subject: Re: The %{#attr.counter.index} is not working in 2.3.20

2014-12-15 9:15 GMT+01:00 Lukasz Lenart <[email protected]>:
> 2014-12-15 9:04 GMT+01:00 Alireza Fattahi <[email protected]>:
>> Below code is not working in Struts 2.3.20
>>
>> <c:forTokens items="${images}" delims="," var="imagevar" varStatus="counter" begin="1">
>>     <s:text name="site.intro.intro%{#attr.counter.index}.caption"/>
>> </c:forTokens>
>>
>> The %{#attr.counter.index} is not returning any value and no exception is
>> thrown; in the log the below message is shown:
>> WARN  ognl.SecurityMemberAccess      Package of target 
>> [javax.servlet.jsp.jstl.core.LoopTagSupport$1Status@680cabbd] or package of 
>> member [public int 
>> javax.servlet.jsp.jstl.core.LoopTagSupport$1Status.getIndex()] are excluded!
>>
>> When I set struts.excludedPackageNamePatterns to empty, it works.
>> Is it correct?!
>> It was working with 2.3.16.
>>
>> ~Regards,
>> ~~Alireza Fattahi
>
> It's related to the new security mechanism introduced with 2.3.20 [1]
> - but package and class don't match the excluded set :\
>
> [1] 
> http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism

javax.* is an excluded package ;-)

You can simply redefine the excluded packages - please also register a
bug to change the default "struts.excludedPackageNamePatterns"

<constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*" />




Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
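
How a comma-separated exclusion list like the one in this thread decides on a package, as an added example (not code from the thread or from Struts), comparing a list that contains a javax entry, the redefined value suggested above, and the empty value the original poster tried. Assumptions: the class name, the `^javax.*` entry standing in for the default, whole-name matching of each pattern, and the `com.example.web` package.

```java
import java.util.*;
import java.util.regex.Pattern;

public class ExcludedPackageCheck {
    // Compile a comma-separated list of regexes, the format of the constant's value.
    static List<Pattern> compile(String commaSeparated) {
        List<Pattern> patterns = new ArrayList<>();
        for (String p : commaSeparated.split(",")) {
            if (!p.trim().isEmpty()) {
                patterns.add(Pattern.compile(p.trim()));
            }
        }
        return patterns;
    }

    // Assumption: a package is excluded when any pattern matches its whole name.
    static boolean isExcluded(List<Pattern> patterns, String packageName) {
        for (Pattern p : patterns) {
            if (p.matcher(packageName).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> configs = new LinkedHashMap<>();
        // Assumed stand-in for a default that excludes javax.*; not copied from Struts.
        configs.put("with javax entry", "^java\\.lang\\..*,^ognl.*,^javax.*");
        // Value from the <constant> suggested in the thread.
        configs.put("redefined (thread)", "^java\\.lang\\..*,^ognl.*");
        // Empty value, as tried by the original poster: nothing is excluded.
        configs.put("empty", "");

        // First entry is the package from the WARN line; the last one is constructed.
        String[] packages = {"javax.servlet.jsp.jstl.core", "java.lang.reflect", "ognl", "com.example.web"};

        for (Map.Entry<String, String> c : configs.entrySet()) {
            List<Pattern> patterns = compile(c.getValue());
            for (String pkg : packages) {
                System.out.printf("%-20s %-30s excluded=%b%n", c.getKey(), pkg, isExcluded(patterns, pkg));
            }
        }
    }
}
```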
