This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch WW-5407-docs
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit e99d7d05bcf24ee7c2e47a6605eae0124ce97731
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Fri Apr 12 20:34:58 2024 +1000

    WW-5407 WW-5408 Update additional security options section
---
 source/security/index.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/source/security/index.md b/source/security/index.md
index ab5c64f8e..2be6cc53f 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -433,10 +433,16 @@ with other known dangerous classes or packages in your 
application.
 
 We additionally recommend enabling the following options (enabled by default 
in 7.0).
 
- * `struts.ognl.allowStaticFieldAccess=false` - static methods are always 
blocked, but static fields can also optionally be blocked
- * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from 
being used in OGNL expressions as they may present a security risk
- * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in 
the default package which should not be used in production
- * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom 
OGNL maps which can be used to bypass the SecurityMemberAccess policy
+* `struts.ognl.allowStaticFieldAccess=false` - static field values which 
aren't a primitive type can be used to access
+  classes that wouldn't otherwise be accessible
+* `struts.disallowProxyObjectAccess=true` - disallow proxied objects from 
being used in OGNL expressions as these often
+  represent application beans or database entities which are sensitive
+* `struts.disallowDefaultPackageAccess=true` - disallow access to classes in 
the default package which should not be
+  used in production
+* `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom 
OGNL maps which can be used to bypass the
+  SecurityMemberAccess policy
+* `struts.actionConfig.fallbackToEmptyNamespace=false` - prevent Actions in 
the empty namespace from being accessed from
+  alternative endpoints
 
 #### Allowlist Capability
 
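Review bot: the rewritten `struts.ognl.allowStaticFieldAccess=false` bullet describes why non-primitive static fields are risky but no longer states what the option does (block static field access) and drops the old note that static methods are always blocked; suggest keeping both, e.g. "static methods are always blocked; setting this to `false` also blocks static field access, since non-primitive static field values can be used to reach classes that wouldn't otherwise be accessible". Two smaller points in the same hunk: the bullet's key changes from `struts.disallowProxyMemberAccess` to `struts.disallowProxyObjectAccess`, so readers who set the old key from the previous text get no hint about the rename; if both keys exist in the supported versions, document both (or say which version introduced the new one). And the unchanged intro line states these options are "enabled by default in 7.0"; please confirm that also holds for the newly added `struts.actionConfig.fallbackToEmptyNamespace=false`, or qualify the intro.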
