Thanks! Don't use empty value, this is better: <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
2014-12-15 11:25 GMT+01:00 Alireza Fattahi <afatt...@yahoo.com.invalid>: > Thanks. Issue created https://issues.apache.org/jira/browse/WW-4432 > ~Regards, > ~~Alireza Fattahi > From: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Users Mailing List <user@struts.apache.org> > Sent: Monday, 15 December 2014, 12:00 > Subject: Re: The %{#attr.counter.index} is not working in 2.3.20 > > 2014-12-15 9:15 GMT+01:00 Lukasz Lenart <lukaszlen...@apache.org>: >> 2014-12-15 9:04 GMT+01:00 Alireza Fattahi <afatt...@yahoo.com.invalid>: >>> Below code is not working in struts 2.3.20 >>> <c:forTokens items="${images}" delims="," var="imagevar" >>> varStatus="counter" begin="1"> <s:text >>> name="site.intro.intro%{#attr.counter.index}.caption"/> >>> </c:forTokens> >>> The %{#attr.counter.index} is not returning any value and no exception is >>> thrown in the log the below message is shown: >>> WARN ognl.SecurityMemberAccess Package of target >>> [javax.servlet.jsp.jstl.core.LoopTagSupport$1Status@680cabbd] or package of >>> member [public int >>> javax.servlet.jsp.jstl.core.LoopTagSupport$1Status.getIndex()] are excluded! >>> >>> When I set struts.excludedPackageNamePatterns to empty, it works: >>> Is it correct ?! >>> It was working with 2.3.16. ~Regards, >>> ~~Alireza Fattahi >> >> It's related to the new security mechanism introduced with 2.3.20 [1] >> - but package and class don't match the excluded set :\ >> >> [1] >> http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism > > javax.* is an excluded package ;-) > > You can simply redefine the excluded packages - please also register a > bug to change the default "struts.excludedPackageNamePatterns" > > <constant name="struts.excludedPackageNamePatterns" > value="^java\.lang\..*,^ognl.*" /> > > > > > Regards > -- > Ćukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > > > --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
