struts2 2.3.20 ognl allowStaticMethodAccess

Posted 2019-06-17 19:44

Question:

I updated my project to Struts2 version 2.3.20. Now all cases in my JSPs that use static method access do not work.

ie.

<s:set var="linkEscaped"
 value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />

I already have set in my struts.properties ->

struts.ognl.allowStaticMethodAccess=true

and tried in struts.xml ->

<constant name="struts.ognl.allowStaticMethodAccess" value="true"/>

with no success. Does anyone know what has changed and what do I need to do to enable them again?

Answer 1:

Update

Lukasz Lenart commented:

To be clear, in context of 2.3.20 it's a bug and was temporarily fixed, see issues.apache.org/jira/browse/WW-4429 but as from 2.5 access to static methods will be dropped.

---

Allowing static method access was never a preferred way of doing things and in 2.3.20 it won't work even if struts.ognl.allowStaticMethodAccess is set to true.

From the wiki:

Accessing static methods

In case you still use static methods in expressions (setting struts.ognl.allowStaticMethodAccess to true), please be aware that this won't work anymore, as the internal security mechanism considers this as access to java.lang.Class, which is on the excluded list of classes (see above). A temporary solution is to copy the above into your struts.xml and remove java.lang.Class from the excluded classes.

Support for accessing static methods from expression will be disabled soon, please consider re-factoring your application to avoid further problems! Please check WW-4348.

Also WW-4429.



Answer 2:

I made it work. Copy the following from the struts-default.xml into your application's struts.xml.

<constant name="struts.excludedClasses"
          value="
            java.lang.Object,
            java.lang.Runtime,
            java.lang.System,
            java.lang.Class,
            java.lang.ClassLoader,
            java.lang.Shutdown,
            ognl.OgnlContext,
            ognl.MemberAccess,
            ognl.ClassResolver,
            ognl.TypeConverter,
            com.opensymphony.xwork2.ActionContext" />

Remove only the java.lang.Class from above. Save, compile, build, and deploy. Happy days!

But we are doing an exit strategy for this. We are making all our developers aware not to use static access anymore and to start removing it (we don't have a lot of places where this is being used, though)!



Answer 3:

Since static methods will not be able to be used in future releases, I decided to refactor the parts of the project that use them. The sooner the better.

So in my "BaseAction" I have created the methods I need and they call those methods. This way only the "safe" methods I allow can be used in the jsp.
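
Before refactoring as the answers above describe, it helps to inventory every OGNL static reference in the JSPs. The following is an added example, not code from the original question or answers: a small scanner that finds `@package.Class@member` references and lists the static methods that would need a wrapper on the base action. The function names and all sample lines except the first tag (taken from the question) are constructed, and the pattern assumes package-qualified class names.

```python
import re
from collections import Counter
from pathlib import Path

# OGNL static reference: @fully.qualified.Class@member, followed by "(" for a method call.
STATIC_REF = re.compile(r"@([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)@([A-Za-z_$][\w$]*)(\s*\()?")

def find_static_refs(text):
    """Return (line_no, class_name, member, is_method) for each OGNL static reference."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STATIC_REF.finditer(line):
            hits.append((line_no, m.group(1), m.group(2), m.group(3) is not None))
    return hits

def scan_tree(root):
    """Scan every .jsp/.jspf/.tag file under root; returns {path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".jsp", ".jspf", ".tag"}:
            hits = find_static_refs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

def wrapper_candidates(hits):
    """Count distinct static methods, i.e. the wrappers the base action would need."""
    return Counter(f"{cls}.{member}" for _, cls, member, is_method in hits if is_method)

# Constructed sample JSP; the first tag is the one from the question.
SAMPLE_JSP = '''<s:set var="linkEscaped"
 value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />
<s:property value="@java.lang.Math@max(a, b)" />
<s:property value="@com.example.Constants@PAGE_SIZE" />
<s:property value="user.email" />
<a href="mailto:ops@example.com">contact</a>
'''

if __name__ == "__main__":
    hits = find_static_refs(SAMPLE_JSP)
    for line_no, cls, member, is_method in hits:
        kind = "method" if is_method else "field"
        print(f"line {line_no}: static {kind} {cls}.{member}")
    for name, count in wrapper_candidates(hits).items():
        print(f"wrapper needed for {name} ({count} use(s))")
```

Point `scan_tree` at the web application's source directory to get the same report per file; static field references are listed separately because they need a getter rather than a wrapper method.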