2014-12-15 9:15 GMT+01:00 Lukasz Lenart <lukaszlen...@apache.org>:
> 2014-12-15 9:04 GMT+01:00 Alireza Fattahi <afatt...@yahoo.com.invalid>:
>> Below code is not working in struts 2.3.20
>> <c:forTokens items="${images}" delims="," var="imagevar"
>> varStatus="counter" begin="1"> <s:text
>> name="site.intro.intro%{#attr.counter.index}.caption"/> </c:forTokens>
>> The %{#attr.counter.index} is not returning any value and no exception is
>> thrown in the log the below message is shown:
>> WARN ognl.SecurityMemberAccess Package of target
>> [javax.servlet.jsp.jstl.core.LoopTagSupport$1Status@680cabbd] or package of
>> member [public int
>> javax.servlet.jsp.jstl.core.LoopTagSupport$1Status.getIndex()] are excluded!
>>
>> When I set struts.excludedPackageNamePatterns to empty, it works:
>> Is it correct ?!
>> It was working with 2.3.16. ~Regards,
>> ~~Alireza Fattahi
>
> It's related to the new security mechanism introduced with 2.3.20 [1]
> - but package and class don't match the excluded set :\
>
> [1]
> http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism
javax.* is an excluded package ;-)
You can simply redefine the excluded packages - please also register a
bug to change the default "struts.excludedPackageNamePatterns"
<constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*" />
Regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
