Comment: Struts 7.1 note for proxy objects

...

Access to proxied objects, specifically Spring beans and Hibernate entities, from OGNL expressions has been restricted. In the case of an exploit (usually a server-side template injection), access to such objects can be used to escalate the severity by modifying application state or database records.

If your application relies on invoking Spring bean proxied methods directly via OGNL, we recommend creating new methods on your Action class which call the desired proxied methods instead. You may then call these new Action methods from your expressions rather than invoking the Spring bean proxy method directly.

If your application relies on accessing Hibernate entities via OGNL, we recommend introducing an intermediary layer which provides proper separation between your persistence layer and view layer.
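Both recommendations above (delegating Action methods for Spring beans, and an intermediary layer in front of Hibernate entities) are shown together in the following Action. This is an added example, not code from the Struts project or its documentation; `UserService`, `UserEntity`, `UserProfileAction` and the `com.example` package are hypothetical names, and the `org.apache.struts2.ActionSupport` import is the Struts 7 package (Struts 6 uses `com.opensymphony.xwork2.ActionSupport`).

```java
// Added example (not Struts project code): keep Spring proxies and Hibernate
// entities off the OGNL value stack by routing the view through the Action.
package com.example.web;   // hypothetical package

import org.apache.struts2.ActionSupport;   // Struts 7; com.opensymphony.xwork2 in Struts 6

// Hypothetical Spring bean interface. At runtime the injected object is
// typically a proxy (e.g. because of @Transactional), which OGNL may no
// longer dereference directly.
interface UserService {
    UserEntity findById(long id);
    long countActive();
}

// Hypothetical Hibernate entity interface; instances may be Hibernate proxies.
interface UserEntity {
    String getDisplayName();
    String getEmail();
}

public class UserProfileAction extends ActionSupport {

    private UserService userService;   // injected by the Struts Spring plugin
    private long userId;
    private UserView user;

    public void setUserService(UserService userService) { this.userService = userService; }
    public void setUserId(long userId) { this.userId = userId; }

    @Override
    public String execute() {
        // Intermediary layer: copy only what the view needs out of the entity
        // into a plain DTO. The entity (possibly a Hibernate proxy) never
        // becomes reachable from an OGNL expression.
        UserEntity entity = userService.findById(userId);
        if (entity == null) {
            return ERROR;
        }
        user = new UserView(entity.getDisplayName(), entity.getEmail());
        return SUCCESS;
    }

    // View reads <s:property value="user.displayName"/> from the DTO.
    public UserView getUser() { return user; }

    // Delegating Action method: the view uses value="activeUserCount" instead of
    // value="userService.countActive()", which would invoke the Spring proxy.
    public long getActiveUserCount() { return userService.countActive(); }

    /** Immutable, proxy-free view model exposed to the value stack. */
    public static final class UserView {
        private final String displayName;
        private final String email;

        UserView(String displayName, String email) {
            this.displayName = displayName;
            this.email = email;
        }

        public String getDisplayName() { return displayName; }
        public String getEmail() { return email; }
    }
}
```

Two design points: the Action exposes only getters for the DTO, and the DTO has no setters, so an expression that reaches the value stack can read the copied fields but cannot mutate application state or persisted records through them; and the entity lookup happens once in `execute()`, not lazily from a getter, so the view never triggers a database call through an entity proxy.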

...

Note

If you choose to revert this option, the OGNL allowlist capability (see below) will continue functioning with an exemption for Hibernate entity proxies (and, from Struts 7.1, Spring proxies) so that such applications can still obtain some security benefit from the allowlist.

...