Sorry for missing the Struts version. We are on 6.3.0.2 and can't wait to move 
on to 7 along with JDK 21 ­čśŐ

I am aware that we could have our own SecurityMemberAccess but as I mentioned, 
we consider this a bug.
Having an own implementation of SecurityMemberAccess would only be a viable 
workaround.

Here is the relevant part of the validation config file:

<?xml version="1.0" encoding="UTF-8"?>
 
<!DOCTYPE validators PUBLIC 
                "-//Apache Struts//XWork Validator 1.0.2//EN"
                "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd";>

<validators>
... more validators here ...
        <field name="employee.birthday">
                <field-validator type="fieldexpression"  >
                        <param name="expression"><![CDATA[
                                ( employee.birthday == null || 
employee.birthday.before(new java.util.Date()))
                        ]]></param>
                        <message key="errors_birthday" />
                </field-validator>
        </field>
... more validators here ...
</validators>

We are using this a lot throughout the whole software and this used to work in 
former version. But I cannot tell when it actually broke.

-----Urspr├╝ngliche Nachricht-----
Von: Lukasz Lenart <lukaszlen...@apache.org> 
Gesendet: Freitag, 12. April 2024 07:55
An: Struts Users Mailing List <user@struts.apache.org>
Betreff: Re: Struts2 Validator failing constructor call

czw., 11 kwi 2024 o 17:07 <s.go...@inform-technology.de> napisał(a):
> I have a 10 year old struts2 web application that uses validation with rules 
> defined in XML files.

Do you try to migrate to the latest version? What version do you use?

> One of these instantiates a java.util.Date to compare the the value of a bean 
> with the current date:
>             ( employee.birthday == null || 
> employee.birthday.before(new java.util.Date()))

I assume this is an expression in the XML file? Could you post the whole XML 
definition (or at least the section)?

> When it comes to instantiate the Date object the call fails in 
> SecurityMemberAccess. isAccessible. Form me it seems that a constructor call 
> is not handled here properly.
>
>     public boolean isAccessible(Map context, Object target, Member member, 
> String propertyName) {
>         LOG.debug("Checking access for [target: {}, member: {}, 
> property: {}]", target, member, propertyName);
>
>         final int memberModifiers = member.getModifiers();
>         final Class<?> memberClass = member.getDeclaringClass();
>         // target can be null in case of accessing static fields, since OGNL 
> 3.2.8
>         final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? 
> memberClass : target.getClass();
>         if (!memberClass.isAssignableFrom(targetClass)) {
>             throw new IllegalArgumentException("Target does not match 
> member!");
>         }
>
> When the method is called target is the class object for java.util.Date, 
> member is a representation of public java.util.Date() and propertyName is 
> null.
> memberModifiers evaluates to 1 and memberClass to the class object for 
> java.util.Date.
>
> This causes the if to resolve to false and throwing the exception. I cannot 
> see how anyone could call any constructor at all.
>
> Is this a known issue or am I overseeing something?

This logic has improved a lot in newer versions of Struts, I would suggest 
starting thinking about migration. You can always implement your own 
SecurityAccessMember.


Cheers
Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to