I am a bit lost on the current state of this question chain, but I found this 
message in one of your previous logs, which was not commented:

14:56:11,289 WARN  [org.apache.struts2.ognl.SecurityMemberAccess] (default 
task-1) Access to non-public [private java.lang.String 
gov.ca.doj.sotas.databean.UserData.userFirstName] is blocked!

Does this field also have getters/setters? If yes: maybe a setter has to be 
annotated with "@StrutsParameter" so that Struts can set it:

@StrutsParameter
public void setUserFirstName(...) {
  this.userFirstName = ...;
}

See 
https://struts.apache.org/security/#defining-and-annotating-your-action-parameters

You can switch off this check globally, but it is not suggested. Anyway, you 
could switch off the checks get at running application, then add the annotation 
afterwards.

Best regards

Wolfgang


> Gesendet: Samstag, 10. Mai 2025 um 00:49
> Von: "Dave Newton" <davelnew...@gmail.com>
> An: "Struts Users Mailing List" <user@struts.apache.org>
> Betreff: Re: Struts 7 problem
>
> Tangential, but I’d consider wrapping up long OGNL excursions somewhere
> else besides the view layer.
> 
> em: davelnew...@gmail.com
> mo: 908-380-8699
> gh: davelnewton <https://github.com/davelnewton>
> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
> 
> 
> 
> On Fri, May 9, 2025 at 17:27 Deborah White <deborah.wh...@doj.ca.gov.invalid>
> wrote:
> 
> > That took care of that one. Now I have this:
> > 14:23:09,654 ERROR [org.apache.struts2.ognl.OgnlValueStack] (default
> > task-1) Could not evaluate this expression due to security constraints:
> > [#request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")]: ognl.OgnlException:
> > Parsing blocked due to security reasons! [java.lang.SecurityException: This
> > expression exceeded maximum allowed length:
> > #request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")]
> > Caused by: java.lang.SecurityException: This expression exceeded maximum
> > allowed length: #request["MYUtils"].isUserInRole("Program_Manager") ||
> > #request["MYUtils"].isUserInRole("Audit_Supervisor") ||
> > #request["MYUtils"].isUserInRole("Audit_Staff") ||
> > #request["MYUtils"].isUserInRole("Level_1_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_2_Processor") ||
> > #request["MYUtils"].isUserInRole("Level_3_Processor")
> > -----Original Message-----
> > From: Wolfgang Knauf <wolfgang.kn...@gmx.de.INVALID>
> > Sent: Friday, May 9, 2025 12:46 PM
> > To: user@struts.apache.org
> > Subject: Re: Struts 7 problem
> >
> > EXTERNAL EMAIL: This message was sent from outside DOJ. Please do not
> > click links or open attachments that appear suspicious.
> >
> >
> > Hi Deborah,
> >
> > could be a matter of casing - the attribute is "escapeHtml":
> >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__struts.apache.org_tag-2Ddevelopers_property-2Dtag.html&d=DwIFaQ&c=uASjV29gZuJt5_5J5CPRuQ&r=nKDP-dawHhLZnXgTPWFen5qvRPMWAdYO6bsGXhaJOzk&m=aXgukS-NkcL78Ng5156UQDZ1fKg7z3s0u-KxFyK8W8_IIC6p6Xajb4cncqEYoZao&s=neyEKqpoeWVLnnm_nLLFQXpVYotkMnjLQGVy7BeloeY&e=
> >
> > Does this help?
> >
> > Wolfgang
> >
> > Am 09.05.25 um 20:15 schrieb Deborah White:
> > > I am getting this error after migrating to Struts 7.0.0.
> > >
> > > JBWEB004251: An error occurred at line: 5 column: 57) JBWEB004197:
> > Attribute escape invalid for tag property according to TLD
> > >
> > > I have found maybe related to this <s:property escape="false" />"?
> > >
> > > I tried changing to escapeHTML but that didn't seem to work.
> > >
> > > Any ideas?
> > >
> > > CONFIDENTIALITY NOTICE: This communication with its contents may contain
> > confidential and/or legally privileged information. It is solely for the
> > use of the intended recipient(s). Unauthorized interception, review, use or
> > disclosure is prohibited and may violate applicable laws including the
> > Electronic Communications Privacy Act. If you are not the intended
> > recipient, please contact the sender and destroy all copies of the
> > communication.
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > For additional commands, e-mail: user-h...@struts.apache.org
> >
> >
> > CONFIDENTIALITY NOTICE: This communication with its contents may contain
> > confidential and/or legally privileged information. It is solely for the
> > use of the intended recipient(s). Unauthorized interception, review, use or
> > disclosure is prohibited and may violate applicable laws including the
> > Electronic Communications Privacy Act. If you are not the intended
> > recipient, please contact the sender and destroy all copies of the
> > communication.
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to