Geek Answers Handbook

Struts2 2.3.20 ognl allowStaticMethodAccess

I updated my project to version Struts2 2.3.20. Now, all cases in my JSP that use static method access don't work.

t

<s:set var="linkEscaped" value="@ org.apache.commons.lang.StringEscapeUtils@escapeHtml (#attr.myObject.link)" />

I already installed in my struts.properties ->

 struts.ognl.allowStaticMethodAccess=true

and tried in struts.xml ->

 <constant name="struts.ognl.allowStaticMethodAccess" value="true"/>

without success. Does anyone know what has changed and what I need to do to turn them back on?

+7
java static-methods struts2 ognl
source share
3 answers

Since static methods cannot be used in future releases, I decided to reorganize those parts of the project that use them. The sooner the better.

So, in y "BaseAction" I created the methods that I need, and they call these methods. Thus, in jsp you can only use the "safe" methods that I allow.

0
source share

Update

Lukas Lenart commented:

To be clear, in the context of 2.3.20 this is a bug and was temporarily fixed, see .apache.org / jira / browse / WW-4429 problems, but starting from version 2.5 access to static methods will be removed.

---

Allowing access to a static method has never been the preferred way to perform actions, and in 2.3.20 it will not work even if struts.ognl.allowStaticMethodAccess set to true .

From the wiki :

Access to static methods

If you are still using static methods in expressions (setting struts.ognl.allowStaticMethodAccess is true ), keep in mind that this will no longer work, as the internal security mechanism considers this as access to java.lang.Class , which is in the excluded class list (see above). The workaround is to copy the above into your struts.xml and remove java.lang.Class from the excluded classes.

Support for accessing static methods from an expression will be disabled soon, please consider re-factorizing your application to avoid further problems! Please check out WW-4348 .

Also WW-4429 .

+7
source share

I did it to work. Copy the following from struts-default.xml and copy it into your struts.xml application .

 <constant name="struts.excludedClasses" value=" java.lang.Object, java.lang.Runtime, java.lang.System, java.lang.Class, java.lang.ClassLoader, java.lang.Shutdown, ognl.OgnlContext, ognl.MemberAccess, ognl.ClassResolver, ognl.TypeConverter, com.opensymphony.xwork2.ActionContext" />

Remove only java.lang.Class from above. Saving, compiling, building, and deploying. Happy Days!

But for this we are making an exit strategy. We inform all our developers that they no longer use static access and begin to delete it (we do not have many places that are used)!

+2
source share

More articles:


All Articles