Sorry for missing the Struts version. We are on 6.3.0.2 and can't wait to move on to 7 along with JDK 21 😊
I am aware that we could have our own SecurityMemberAccess but as I mentioned, we consider this a bug. Having an own implementation of SecurityMemberAccess would only be a viable workaround. Here is the relevant part of the validation config file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE validators PUBLIC "-//Apache Struts//XWork Validator 1.0.2//EN" "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd"> <validators> ... more validators here ... <field name="employee.birthday"> <field-validator type="fieldexpression" > <param name="expression"><![CDATA[ ( employee.birthday == null || employee.birthday.before(new java.util.Date())) ]]></param> <message key="errors_birthday" /> </field-validator> </field> ... more validators here ... </validators> We are using this a lot throughout the whole software and this used to work in former version. But I cannot tell when it actually broke. -----Ursprüngliche Nachricht----- Von: Lukasz Lenart <lukaszlen...@apache.org> Gesendet: Freitag, 12. April 2024 07:55 An: Struts Users Mailing List <user@struts.apache.org> Betreff: Re: Struts2 Validator failing constructor call czw., 11 kwi 2024 o 17:07 <s.go...@inform-technology.de> napisał(a): > I have a 10 year old struts2 web application that uses validation with rules > defined in XML files. Do you try to migrate to the latest version? What version do you use? > One of these instantiates a java.util.Date to compare the the value of a bean > with the current date: > ( employee.birthday == null || > employee.birthday.before(new java.util.Date())) I assume this is an expression in the XML file? Could you post the whole XML definition (or at least the section)? > When it comes to instantiate the Date object the call fails in > SecurityMemberAccess. isAccessible. Form me it seems that a constructor call > is not handled here properly. > > public boolean isAccessible(Map context, Object target, Member member, > String propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, > property: {}]", target, member, propertyName); > > final int memberModifiers = member.getModifiers(); > final Class<?> memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? > memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > > When the method is called target is the class object for java.util.Date, > member is a representation of public java.util.Date() and propertyName is > null. > memberModifiers evaluates to 1 and memberClass to the class object for > java.util.Date. > > This causes the if to resolve to false and throwing the exception. I cannot > see how anyone could call any constructor at all. > > Is this a known issue or am I overseeing something? This logic has improved a lot in newer versions of Struts, I would suggest starting thinking about migration. You can always implement your own SecurityAccessMember. Cheers Łukasz --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org