
I'm using Struts 1.3.10 with WebSphere 8. This is related to the recently identified class loader vulnerability in the Struts 1 & 2 frameworks. I was trying to implement a fix recognised by Apache org as correct. This is the fix that I applied in my application.

I tried testing the fix by providing URLs with parameters like "?class.classLoader.defaultAssertionStatus=true" or "class.classLoader.resource.dircontext.docBase=someText". In either case, all such URLs are permitted into my application. I see those URLs inside the finalParameters returned by getParameters(). Am I testing correctly, or am I missing something here?

Thanks.

kkk
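An added example, not part of the original post and not the fix it refers to: a plain-Java check of whether a name-based parameter filter drops the two test names from the question while keeping ordinary names. The pattern `CLASS_SEGMENT`, the class `ParamNameFilterDemo` and its methods are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ParamNameFilterDemo {
    // Hypothetical pattern (an assumption, not taken from the fix the post mentions):
    // blocks names where "class" is a whole property-path segment, i.e. at the
    // start or after a '.', and followed by '.', '[' or the end of the name.
    static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|.*\\.)class(\\.|\\[|$).*", Pattern.CASE_INSENSITIVE);

    static boolean isBlocked(String name) {
        return CLASS_SEGMENT.matcher(name).matches();
    }

    // Returns a copy of the parameter map without the blocked names.
    static Map<String, String[]> filter(Map<String, String[]> raw) {
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            if (!isBlocked(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input: the two names from the question plus controls.
        Map<String, String[]> raw = new LinkedHashMap<>();
        raw.put("class.classLoader.defaultAssertionStatus", new String[] {"true"});
        raw.put("class.classLoader.resource.dircontext.docBase", new String[] {"someText"});
        raw.put("user.class.classLoader.x", new String[] {"1"}); // nested path, blocked
        raw.put("className", new String[] {"ok"});               // ordinary name, kept
        raw.put("userName", new String[] {"kkk"});               // ordinary name, kept

        for (String name : raw.keySet()) {
            System.out.println((isBlocked(name) ? "BLOCK " : "keep  ") + name);
        }
        System.out.println("remaining: " + filter(raw).keySet());
    }
}
```

A filter like this only has an effect if the filtered view is the one the form-population code reads, so a request wrapper has to return it from the standard servlet accessors (`getParameterNames`, `getParameterValues`, `getParameterMap`, `getParameter`) and the wrapped request has to be the one passed down the chain.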

0 Answers