Re: Facings issues while migrating from Struts 2.5.x to 6.7

Sun, 26 Jan 2025 02:50:10 -0800 

Hii Heikki Hyyro,

Could you please provide us small project that contain your problem,
so all of us in here can help you up.

Thank you

On Sun, Jan 26, 2025 at 5:26 PM Heikki Hyyrö <heikki.hy...@tuni.fi> wrote:
>
> Thanks Lukasz,
>
> and sorry about the confusion! Yes, I did browse through some of the
> release notes after your and Wolfgang's comments regarding xwork2
> packages. At that point I then added <constant
> name="struts.allowlist.enable" value="false"/> in struts.xml. But it
> seems I at the same time also accidentally added another setting
> <constant name="struts.ognl.valueStackFallbackToContext"
> value="false"/>, which was of course the root cause for many problems!
> After removing that, the main (or at least one of them) problem seems to
> concern JSP expressions. Now this works
>
> <s:iterator value="subjects" var="subject">
>      <h2><s:property value="#subject.name" /></h2>
> </s:iterator>
>
> but the same with JSP expression does not show names in 7.0.0 (in
> 6.3.0.2 this works ok):
>
> <s:iterator value="subjects" var="subject">
>      <h2>${subject.name}</h2>
> </s:iterator>
>
> What setting am I missing to get the latter to work? The code base
> relies very heavily on this type of JSP expressions so stopping using
> them is not a realistic option.
>
> Best regards
> Heikki
>
> Lukasz Lenart kirjoitti 26.1.2025 klo 8.32:
> > Did you read through the Migration guide? It looks like one of the
> > security factors blocks executions of your expression
> > https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration#Struts6.x.xto7.x.xmigration-Strongersecurity
> >
> > Take a look on the allowlist capability
> > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=293046977#Struts6.x.xto7.x.xmigration-OGNLallowlistcapability
> >
> >
> > Cheers
> > Łukasz
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > For additional commands, e-mail: user-h...@struts.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to