
Due to the recent security vulnerability identified in Struts, we are upgrading our application from Struts version 2.3.16 to 2.3.31.

One of the major issues is the naming convention of getters and setters in Action classes.

Example: for an instance variable `String aType`, given below are the setters and getters used earlier, which had no issues with Struts 2.3.16.

```java
import com.opensymphony.xwork2.ActionSupport;

public class ErrorMessageAction extends ActionSupport {

    private String aType;

    // First letter of the property name upper-cased: "aType" -> "AType"
    public String getAType() {
        return aType;
    }

    public void setAType(String type) {
        this.aType = type;
    }
}
```

But with Struts 2.3.31, the setter and getter for the same instance variable are expected to be in the format below.

```java
import com.opensymphony.xwork2.ActionSupport;

public class ErrorMessageAction extends ActionSupport {

    private String aType;

    // Property name kept as written: "aType" -> "aType"
    public String getaType() {
        return aType;
    }

    public void setaType(String aType) {
        this.aType = aType;
    }
}
```

I have a large number of such action classes where these kinds of issues (setter/getter naming convention) are found after applying the 2.3.31 jars listed below.

commons-lang3-3.2.jar, commons-fileupload-1.3.2.jar, commons-io-2.2.jar,
freemarker-2.3.22.jar, ognl-3.0.19.jar, struts2-core-2.3.31.jar,
xwork-core-2.3.31.jar, commons-logging-1.1.3.jar, javassist-3.11.0.GA.jar

Can someone please suggest a solution at the configuration level that does not require setter/getter changes in each and every Action class?

  • As a note for the future: avoid variables with a one-letter first word. Just saying... – Andrea Ligios Nov 17 '16 at 10:07
  • Why do you think such solution exists? – Roman C Nov 17 '16 at 15:30
  • It appears that the OgnlRuntime class has a modified implementation of loading setters/getters for a given class that extends ActionSupport in 2.3.31 – Abhishek verma Nov 17 '16 at 19:38
  • @Abhishekverma So what is the implementation? – Roman C Nov 18 '16 at 12:37
  • I went on to debug the OgnlRuntime class and found that the method `public static List getDeclaredMethods(Class targetClass, String propertyName, boolean findSets)` has new code to handle Java beans. Version 2.3.16: `String baseName = Character.toUpperCase(propertyName.charAt(0)) + propertyName.substring(1)` Version 2.3.31: `String baseName = capitalizeBeanPropertyName(propertyName)`. – Abhishek verma Nov 21 '16 at 12:35
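To gauge how many classes are affected before upgrading, the two naming rules mentioned in the comments can be compared by reflection. This is an added example, not code from the question or from OGNL: `AccessorNameAudit`, `SampleAction` and `newBaseName` are hypothetical, and the 2.3.31 rule is an assumption inferred from the `getaType`/`setaType` form reported above. It also assumes request parameters use the field name.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AccessorNameAudit {
    // Rule quoted in the comments for 2.3.16: always upper-case the first character.
    static String oldBaseName(String p) {
        return Character.toUpperCase(p.charAt(0)) + p.substring(1);
    }

    // Assumed 2.3.31 rule: a name such as "aType" (lower-case first letter,
    // upper-case second letter) is kept as written; anything else is capitalized.
    static String newBaseName(String p) {
        boolean keep = p.length() > 1 && Character.isLowerCase(p.charAt(0))
                && Character.isUpperCase(p.charAt(1));
        return keep ? p : oldBaseName(p);
    }

    // Reports accessors that exist only under the old spelling.
    static List<String> audit(Class<?> cls) {
        Set<String> methods = new HashSet<>();
        for (Method m : cls.getMethods()) methods.add(m.getName());
        List<String> findings = new ArrayList<>();
        for (Field f : cls.getDeclaredFields()) {
            String p = f.getName();
            if (oldBaseName(p).equals(newBaseName(p))) continue; // both rules agree
            for (String prefix : new String[] {"get", "set", "is"}) {
                String oldName = prefix + oldBaseName(p), newName = prefix + newBaseName(p);
                if (methods.contains(oldName) && !methods.contains(newName))
                    findings.add(cls.getName() + ": " + oldName + "() -> " + newName + "()");
            }
        }
        return findings;
    }

    // Constructed sample that mirrors the action class in the question.
    public static class SampleAction {
        private String aType;
        private String name;
        public String getAType() { return aType; }
        public void setAType(String t) { this.aType = t; }
        public String getName() { return name; }
        public void setName(String n) { this.name = n; }
    }

    public static void main(String[] args) {
        for (String finding : audit(SampleAction.class)) System.out.println(finding);
    }
}
```

Running it against the sample flags `getAType()` and `setAType()` and leaves `getName()`/`setName()` alone; pointing `audit` at the real action classes gives the list of accessors to review.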
