You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Kusal Kithul-Godage (Jira)" <ji...@apache.org> on 2023/06/21 07:04:00 UTC

[jira] [Closed] (WW-5313) Struts default class exclusion list is not compatible with JRE21

     [ https://issues.apache.org/jira/browse/WW-5313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kusal Kithul-Godage closed WW-5313.
-----------------------------------
    Fix Version/s:     (was: 6.2.0)
       Resolution: Invalid

Incorrectly filed - `java.lang.Compiler` is not included in `struts-excluded-classes.xml`

> Struts default class exclusion list is not compatible with JRE21
> ----------------------------------------------------------------
>
>                 Key: WW-5313
>                 URL: https://issues.apache.org/jira/browse/WW-5313
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 6.1.2
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>
> Following [JDK-8205129|https://bugs.openjdk.org/browse/JDK-8205129], `java.lang.Compiler` no longer exists and causes a Struts application using the default class exclusion list to fail to start.
> Whilst that class can be removed from the exclusion list, the application will then be less secure when run on JREs older than 21.
> Perhaps we can keep, but silently ignore the `java.lang.Compiler` exclusion when the detected JRE version is 21 or greater.
> This will allow a Struts application to be run on any JRE without having to change the exclusion list depending on the JRE on which it is intended to run.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)