struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <>
Subject [jira] [Commented] (WW-4815) Struts to 2.3.32
Date Fri, 14 Jul 2017 04:31:00 GMT


Lukasz Lenart commented on WW-4815:

The best place to ask such a question is to subscribe to the User Mailing list, as there are
more eyes to help you.

And to answer your question: there is no safe way to modify the exclusion. I would rather
figure out in which expression you use this class and move the logic to an action.

> Struts to 2.3.32
> -------------------------
>                 Key: WW-4815
>                 URL:
>             Project: Struts 2
>          Issue Type: Temp
>          Components: Core
>    Affects Versions:
>            Reporter: Deborah White
>             Fix For: 2.3.32
> I need some assistance and am hoping you can provide some insight.  I know this is probably
> not the place to do this, but I'm not finding answers elsewhere. I am updating from
> to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml
> are being used by my application and I certainly do not have time to do a rewrite.
> This is the Warning I get and then my application does not run as it should because it
> seems it is not forwarding the roles:
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f]
> or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
> are excluded!
> I need to know how I can safely modify the struts-default.xml and still have the fix
> for the vulnerability.  Also, if there is something I can instead include in my struts.xml
> file that would override, that would be better.  Thank you.

This message was sent by Atlassian JIRA
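
The approach suggested in the reply (move the role check out of the expression and into an action), sketched as an added example; it is not code from the original message or from the Struts project. The class name `DashboardAction`, the role names and the property names are assumptions made for illustration.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.ServletRequestAware;

import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical action: the class, role and property names are assumptions.
public class DashboardAction extends ActionSupport implements ServletRequestAware {

    // Roles the views of this action need to test for (constructed sample values).
    private static final List<String> ROLES_OF_INTEREST =
            Arrays.asList("admin", "auditor");

    private HttpServletRequest request;
    private final Set<String> grantedRoles = new LinkedHashSet<String>();

    // Injected by the servletConfig interceptor (part of defaultStack)
    // before execute() runs.
    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // isUserInRole is called here in Java, not from OGNL, so the
        // SecurityMemberAccess exclusions in struts-default.xml stay untouched.
        grantedRoles.clear();
        for (String role : ROLES_OF_INTEREST) {
            if (request.isUserInRole(role)) {
                grantedRoles.add(role);
            }
        }
        return SUCCESS;
    }

    // Boolean properties of the action itself. A view can then use
    //   <s:if test="admin"> ... </s:if>
    // in place of an expression that calls isUserInRole on the request.
    public boolean isAdmin() {
        return grantedRoles.contains("admin");
    }

    public boolean isAuditor() {
        return grantedRoles.contains("auditor");
    }
}
```

With this arrangement the expression only reads a property of the action, so neither `org.apache.struts2.dispatcher.StrutsRequestWrapper` nor `javax.servlet.http.HttpServletRequestWrapper` is a target or member of the OGNL evaluation.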
