I updated my project to Struts2 version 2.3.20 . Now all cases in my JSPs that uses static method access do not work.
ie.
<s:set var="linkEscaped"
value="@org.apache.commons.lang.StringEscapeUtils@escapeHtml(#attr.myObject.link)" />
I already have set in my struts.properties ->
struts.ognl.allowStaticMethodAccess=true
and tried in struts.xml ->
<constant name="struts.ognl.allowStaticMethodAccess" value="true"/>
with no success. Does anyone know what has changed and what do I need to do to enable them again?
Update
Lukasz Lenart commented:
To be clear, in context of 2.3.20 it's a bug and was temporally fixed, see issues.apache.org/jira/browse/WW-4429 but as from 2.5 access to static methods will be dropped.
---
Allowing static method access was never a preferred way of doing things and in 2.3.20
it won't work even if struts.ognl.allowStaticMethodAccess
is set to true
.
From the wiki:
Accessing static methods
In case you still use static methods in expressions (setting struts.ognl.allowStaticMethodAccess
to true
) please be aware that this won't work anymore as internal security mechanism consider this as access to java.lang.Class
which is on the excluded list of classes (see above). Temporary solution is to copy the above into your struts.xml
and remove java.lang.Class
from the excluded classes.
Support for accessing static methods from expression will be disabled soon, please consider re-factoring your application to avoid further problems! Please check WW-4348.
Also WW-4429.
I made it to work. Copy the following from the struts-default.xml and copy it into your application's struts.xml.
<constant name="struts.excludedClasses"
value="
java.lang.Object,
java.lang.Runtime,
java.lang.System,
java.lang.Class,
java.lang.ClassLoader,
java.lang.Shutdown,
ognl.OgnlContext,
ognl.MemberAccess,
ognl.ClassResolver,
ognl.TypeConverter,
com.opensymphony.xwork2.ActionContext" />
Remove only the the java.lang.Class from above. Save, compile, build, and deploy. Happy days!
But we are doing an exit strategy for this. We are making aware all our developers not to use static access anymore and start removing it (We don't have a lot of places this being used though)!
Since static methods will not be able to be used in future releases, I decided to refactor the parts of the project that use them. The sooner the better.
So in y "BaseAction" I have created the methods I need and they call those methods. This way only the "safe" methods I allow can be used in the jsp.