I'm working on bringing a Struts2 application up to date because of a reported security issue. Currently it's using 2.5.29 and it needs to use the latest, 2.5.33. This is an older application using Ant for building, so I'm having to figure out all the dependent JARs by hand. However, whenever I try to hit the application I get an internal 500 error with a pretty huge stack trace. I've included here just the part of the stack trace that I think is relevant:
Caused by: com.opensymphony.xwork2.inject.DependencyException: com.opensymphony.xwork2.inject.ContainerImpl$MissingDependencyException: No mapping found for dependency [type=com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker, name='default'] in public void org.apache.struts2.components.Component.setNotExcludedAcceptedPatterns(com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker).
at com.opensymphony.xwork2.inject.ContainerImpl.addInjectorsForMembers(ContainerImpl.java:140) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.addInjectorsForMethods(ContainerImpl.java:111) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.addInjectors(ContainerImpl.java:89) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.addInjectors(ContainerImpl.java:85) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.addInjectors(ContainerImpl.java:85) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl$1.create(ContainerImpl.java:70) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl$1.create(ContainerImpl.java:66) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.util.ReferenceCache$CallableCreate.call(ReferenceCache.java:155) ~[struts2-core-2.5.33.jar:2.5.33]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_392]
at com.opensymphony.xwork2.inject.util.ReferenceCache.internalCreate(ReferenceCache.java:79) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.util.ReferenceCache.get(ReferenceCache.java:123) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.inject(ContainerImpl.java:466) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl$6.call(ContainerImpl.java:505) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl$6.call(ContainerImpl.java:503) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.callInContext(ContainerImpl.java:558) ~[struts2-core-2.5.33.jar:2.5.33]
at com.opensymphony.xwork2.inject.ContainerImpl.inject(ContainerImpl.java:503) ~[struts2-core-2.5.33.jar:2.5.33]
at org.apache.struts2.views.jsp.ComponentTagSupport.doStartTag(ComponentTagSupport.java:48) ~[struts2-core-2.5.33.jar:2.5.33]
at org.apache.jsp.WEB_002dINF.jsp.layout.sftaLayoutNoTitle_jsp._jspx_meth_s_005fhead_005f0(xLayoutNoTitle_jsp.java:423) ~[?:?]
at org.apache.jsp.WEB_002dINF.jsp.layout.sftaLayoutNoTitle_jsp._jspService(xLayoutNoTitle_jsp.java:192) ~[?:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) ~[jasper.jar:9.0.84]
Digging into the JSP that seems to be having the problem, the error seems to happen at the point where it hits a <s:head /> tag in that JSP. I've checked all the dependent JARs but I'm not seeing the problem at all and I'm wondering if anyone else has seen this. My thinking at the moment is that either I have a too-old version of one of the dependencies, or I've completely missed a dependency. The JARs I have at the moment include these:
Incidentally, as a test I tried using 2.5.30 (i.e. one step up from the original 2.5.29) and the problem happens there too; it seems the problem is being caused by something that happened at that release and not specifically something in 2.5.33.
The Struts configuration for the initial URL I'm hitting has no Action method - it just goes directly to a Tiles definition that renders the JSP. With 2.5.29, it works fine. With 2.5.30 and up, 500 error. I've been on this for something like six hours and I'm stumped.
You have a problem with interface NotExcludedAcceptedPatternsChecker. It is missed to initialize by Struts container from the configuration contained in struts2-core-2.5.3x. Since you managing dependencies by hand, it's error-prone approach. The beans are configured in the struts-default.xml which is included in the struts2-core-2.5.3x.jar. You are right that the new interface and implementation classes appeared from Struts 2.5.30. But your application somehow using old configuration file probably from the same jar with a different version. Looks like both jars are found on the classpath while your application is deployed.