It is recommended to enable the allowlist capability with struts.allowlist.enable. I added my package names to struts.allowlist.packageNames.
But I get these warnings (leading to further errors):

    WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2) Declaring class [class java.util.Locale] of member type [public java.lang.String java.util.Locale.getLanguage()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.

Also for java.util.ArrayList, java.io etc.

I found this in org.apache.struts2.ognl.SecurityMemberAccess:

    private static final Set<Class<?>> ALLOWLIST_REQUIRED_CLASSES = Set.of(
            java.lang.Enum.class,
            java.lang.String.class,
            java.util.Date.class,
            java.util.HashMap.class,
            java.util.Map.class,
            java.util.Map.Entry.class
    );

Is this really so restrictive? And if yes, is it ok to add "java,javax,jakarta"? Or is that too much, so I could as well set struts.allowlist.enable=false?

I am not sure how I identify the required classes (without testing the whole application). Unfortunately, I did the migration before I set struts.allowlist.enable=true.

Best regards
Ute
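
One way to identify the required classes from the warnings themselves, as an added example that is not part of the original post or of Struts: the script collects the declaring classes named in SecurityMemberAccess warnings, together with the members that were reached, and builds a candidate value for struts.allowlist.classes. The function names are hypothetical and the sample log lines are constructed from the warning format quoted above.

```python
import re
from collections import defaultdict

# Matches the warning format quoted in the post. Java prints a Class object as
# "class X" or "interface X", so both prefixes are accepted.
WARN_RE = re.compile(
    r"SecurityMemberAccess\].*?Declaring class \[(?:class|interface) ([\w.$]+)\] "
    r"of member type \[(.+?)\] is not allowlisted!"
)

# Constructed sample input modelled on the warning in the post (not real output).
SAMPLE_LOG = """\
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-2) Declaring class [class java.util.Locale] of member type [public java.lang.String java.util.Locale.getLanguage()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-3) Declaring class [class java.util.ArrayList] of member type [public int java.util.ArrayList.size()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
INFO [org.example.Startup] (main) Application started
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-3) Declaring class [class java.util.ArrayList] of member type [public boolean java.util.ArrayList.isEmpty()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
WARN [org.apache.struts2.ognl.SecurityMemberAccess] (default task-5) Declaring class [interface java.util.List] of member type [public abstract int java.util.List.size()] is not allowlisted! Add to 'struts.allowlist.classes' or 'struts.allowlist.packageNames' configuration.
"""


def collect_blocked(log_text):
    """Map each blocked declaring class to the set of members OGNL tried to reach."""
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        match = WARN_RE.search(line)
        if match:
            blocked[match.group(1)].add(match.group(2))
    return dict(blocked)


def allowlist_value(blocked):
    """Comma-separated, sorted class list as a candidate for struts.allowlist.classes."""
    return ",".join(sorted(blocked))


if __name__ == "__main__":
    found = collect_blocked(SAMPLE_LOG)
    # Show the members next to each class so every entry can be reviewed
    # before it is allowlisted, instead of opening a whole package prefix.
    for cls in sorted(found):
        print(cls)
        for member in sorted(found[cls]):
            print("    " + member)
    print("struts.allowlist.classes=" + allowlist_value(found))
```

Run against the server log collected while exercising the application; the result only covers the pages and actions that were actually hit during that run.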