struts-issues mailing list archives

From "Deborah White (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4815) Struts 2.3.16.3 to 2.3.32
Date Thu, 13 Jul 2017 20:30:00 GMT
Deborah White created WW-4815:
---------------------------------

             Summary: Struts 2.3.16.3 to 2.3.32
                 Key: WW-4815
                 URL: https://issues.apache.org/jira/browse/WW-4815
             Project: Struts 2
          Issue Type: Temp
          Components: Other
    Affects Versions: 2.3.32
            Reporter: Deborah White


I need some assistance and am hoping you can provide some insight.  I know this is probably
not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3
to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml
are being used by my application and I certainly do not have time to do a rewrite. 

This is the Warning I get and then my application does not run as it should because it seems
it is not forwarding the roles:
WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f]
or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]
are excluded!

I need to know how I can safely modify the struts-default.xml and still have the fix for the
vulnerability.  Also, if there is something I can instead include in my struts.xml file that
would override, that would be better.  Thank you.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
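
Before any exclusion is changed, it helps to know exactly which members the application is being denied. The following added example (not part of the original message or of Struts) parses warnings of the shape quoted above and counts them per member package, declaring class and member. It assumes each warning is a single line in the application log; the function names, the second hash and the unrelated log line are constructed for illustration.

```python
import re
from collections import Counter

# Warning shape quoted in the message (assumed to be one line in the real log).
WARNING = re.compile(
    r"SecurityMemberAccess\]\s+Package of target \[(?P<target>.+?)\]\s+"
    r"or package of member \[(?P<member>.+?)\]\s+are excluded!"
)
# Member text as printed by java.lang.reflect.Method: "... pkg.Class.method(params)".
METHOD = re.compile(r"(?P<owner>[\w.$]+)\.(?P<name>[\w$]+)\((?P<params>[^)]*)\)")


def parse_warning(line):
    """Return details of one blocked OGNL access, or None for unrelated lines."""
    m = WARNING.search(line)
    if not m:
        return None
    target_class = m.group("target").split("@", 1)[0]  # drop the identity hash
    sig = METHOD.search(m.group("member"))
    if sig:
        owner, member = sig.group("owner"), "%s(%s)" % sig.group("name", "params")
    else:  # a field prints as "... pkg.Class.field"
        owner, _, member = m.group("member").split()[-1].rpartition(".")
    return {"target_package": target_class.rpartition(".")[0],
            "member_package": owner.rpartition(".")[0],
            "owner": owner, "member": member}


def summarize(lines):
    """Count blocked accesses per (member package, declaring class, member)."""
    recs = filter(None, map(parse_warning, lines))
    return Counter((r["member_package"], r["owner"], r["member"]) for r in recs)


TEMPLATE = (  # the warning from the message, with the identity hash parameterized
    "WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target "
    "[org.apache.struts2.dispatcher.StrutsRequestWrapper@%s] or package of member "
    "[public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)]"
    " are excluded!")
SAMPLE_LOG = [
    TEMPLATE % "42f3b47f",  # hash as in the message
    TEMPLATE % "1a2b3c4d",  # constructed repeat with another hash
    "INFO  [org.example.App] request handled",  # constructed, unrelated line
]

if __name__ == "__main__":
    for (pkg, owner, member), n in summarize(SAMPLE_LOG).most_common():
        print(n, pkg, owner + "." + member)
```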
