disallowProxyMemberAccess

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

disallowProxyMemberAccess

Britta Katzenbach
Hi,

We run into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to false as discribed in the bug. We use spring plugin. No the question how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it to false? Do you recommend moving back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you have any perspective when it will be available?

Best regards and thanks for the help,

Britta

Britta Katzenbach

_____________________________________________________
[hidden email]

Dr. Lippke & Dr. Wagner GmbH
Nassauische Str. 25
10717 Berlin
Tel./Fax: +49 30 2147309-0 / 2

Geschäftsführer: Dr. Andreas Lippke und Florian Schlittgen
Registergericht: Amtsgericht Berlin HRB 25607



smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: disallowProxyMemberAccess

Lukasz Lenart
wt., 16 kwi 2019 o 16:11 Britta Katzenbach <[hidden email]> napisał(a):
> We run into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to false as discribed in the bug. We use spring plugin. No the question how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it to false? Do you recommend moving back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you have any perspective when it will be available?

The idea behind this property is to block access to proxified
beans/properties. As you know, Spring will wrap any bean with a proxy
to control access to the bean's propertie (this is required to inject
dependencies). This property disables access to proxie's itself
properties with an OGNL expression. I'm don't know how much your
application is exposed to the internet because this is purely a
possible security flaw that can be used by attackers. Downgrading OGNL
can be a good idea instead of disabling this property.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: disallowProxyMemberAccess

Lukasz Lenart
And I hope 2.5.21 will be available very soon, in few weeks :)

śr., 17 kwi 2019 o 09:40 Lukasz Lenart <[hidden email]> napisał(a):

>
> wt., 16 kwi 2019 o 16:11 Britta Katzenbach <[hidden email]> napisał(a):
> > We run into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to false as discribed in the bug. We use spring plugin. No the question how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it to false? Do you recommend moving back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you have any perspective when it will be available?
>
> The idea behind this property is to block access to proxified
> beans/properties. As you know, Spring will wrap any bean with a proxy
> to control access to the bean's propertie (this is required to inject
> dependencies). This property disables access to proxie's itself
> properties with an OGNL expression. I'm don't know how much your
> application is exposed to the internet because this is purely a
> possible security flaw that can be used by attackers. Downgrading OGNL
> can be a good idea instead of disabling this property.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]