7

I updated my project to Struts2 version 2.3.20. Now all cases in my JSPs that use static method access do not work.

i.e.

<s:set var="linkEscaped"
 value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />

I already have set in my struts.properties ->

struts.ognl.allowStaticMethodAccess=true

and tried in struts.xml ->

<constant name="struts.ognl.allowStaticMethodAccess" value="true"/>

with no success. Does anyone know what has changed and what do I need to do to enable them again?

Aleksandr M
Panos
  • 3
    https://cwiki.apache.org/confluence/display/WW/Security#Security-Accessingstaticmethods – Aleksandr M Dec 16 '14 at 12:04
  • 3
    @AleksandrM this absolutely needs to be an answer. This is breaking news, and should be highlighted as much as possible. Post it as an answer so we can upvote it – Andrea Ligios Dec 16 '14 at 12:49
  • 1
    Release notes are your friend. Never update blindly without reading them. That said, IMO this is the wrong place to be cleaning your data. Do this work before the view layer. – Dave Newton Dec 16 '14 at 14:00
  • 2
    To be clear, in the context of 2.3.20 it's a bug and was temporarily fixed, see https://issues.apache.org/jira/browse/WW-4429 but as from 2.5 access to static methods will be dropped. – Lukasz Lenart Dec 23 '14 at 22:20
  • Please see http://stackoverflow.com/questions/28018861/struts-2-refactoring-code-to-avoid-ognl-static-method-access for a work around – Alireza Fattahi Jan 19 '15 at 13:05

3 Answers

7

Update

Lukasz Lenart commented:

To be clear, in the context of 2.3.20 it's a bug and was temporarily fixed, see issues.apache.org/jira/browse/WW-4429 but as from 2.5 access to static methods will be dropped.

---

Allowing static method access was never a preferred way of doing things and in 2.3.20 it won't work even if struts.ognl.allowStaticMethodAccess is set to true.

From the wiki:

Accessing static methods

In case you still use static methods in expressions (setting struts.ognl.allowStaticMethodAccess to true) please be aware that this won't work anymore as internal security mechanism consider this as access to java.lang.Class which is on the excluded list of classes (see above). Temporary solution is to copy the above into your struts.xml and remove java.lang.Class from the excluded classes.

Support for accessing static methods from expression will be disabled soon, please consider re-factoring your application to avoid further problems! Please check WW-4348.

Also WW-4429.

Aleksandr M
2

I made it work. Copy the following from the struts-default.xml and paste it into your application's struts.xml.

<constant name="struts.excludedClasses"
          value="
            java.lang.Object,
            java.lang.Runtime,
            java.lang.System,
            java.lang.Class,
            java.lang.ClassLoader,
            java.lang.Shutdown,
            ognl.OgnlContext,
            ognl.MemberAccess,
            ognl.ClassResolver,
            ognl.TypeConverter,
            com.opensymphony.xwork2.ActionContext" />

Remove only the java.lang.Class from above. Save, compile, build, and deploy. Happy days!

But we are doing an exit strategy for this. We are making all our developers aware not to use static access anymore and to start removing it (we don't have a lot of places where this is being used, though)!

avijendr
0

Since static methods will not be able to be used in future releases, I decided to refactor the parts of the project that use them. The sooner the better.

So in my "BaseAction" I have created the methods I need and they call those methods. This way only the "safe" methods I allow can be used in the jsp.

Panos
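To plan the refactoring the answers above describe, it helps to know every place a JSP still calls a static method through OGNL. The following is an added example, not code from any of the posters or from the Struts project: a Python scan for `@class@method(` references. The file names and all sample expressions except the `escapeHtml` one from the question are constructed.

```python
import re
from collections import defaultdict

# OGNL static method call: @fully.qualified.Class@method( ... )
# A trailing "(" is required, so static field reads (@Class@FIELD) are not reported.
STATIC_CALL = re.compile(
    r"@([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)@([A-Za-z_$][\w$]*)\s*\("
)

def find_static_calls(jsp_text):
    """Return [(line_no, class_name, method_name)] for each OGNL static method call."""
    hits = []
    for m in STATIC_CALL.finditer(jsp_text):
        # Line number of the match start, so multi-line tags are located correctly.
        line_no = jsp_text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1), m.group(2)))
    return hits

def inventory(files):
    """Map 'Class#method' -> sorted [(path, line_no), ...] across {path: text}."""
    result = defaultdict(list)
    for path, text in files.items():
        for line_no, cls, method in find_static_calls(text):
            result[f"{cls}#{method}"].append((path, line_no))
    return {key: sorted(places) for key, places in result.items()}

# Constructed sample input (hypothetical file names and expressions).
SAMPLE = {
    "detail.jsp": (
        '<%@ taglib prefix="s" uri="/struts-tags" %>\n'
        '<s:set var="linkEscaped"\n'
        ' value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />\n'
        '<s:property value="@java.lang.Integer@MAX_VALUE" />\n'
    ),
    "list.jsp": (
        '<s:if test="@org.apache.commons.lang.StringUtils@isBlank(name)">\n'
        '  <s:property value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(title)" />\n'
        '</s:if>\n'
    ),
}

if __name__ == "__main__":
    for target, places in sorted(inventory(SAMPLE).items()):
        print(target, "->", ", ".join(f"{p}:{n}" for p, n in places))
```

Each distinct `Class#method` key in the result is one candidate for a wrapper method on the action, as in the last answer.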