public class ParametersInterceptor extends MethodFilterInterceptor
Modifier and Type | Field and Description |
---|---|
protected boolean |
ordered |
protected static int |
PARAM_NAME_MAX_LENGTH |
protected boolean |
requireAnnotations |
protected boolean |
requireAnnotationsTransitionMode |
protected ThreadAllowlist |
threadAllowlist |
excludeMethods, includeMethods
Constructor and Description |
---|
ParametersInterceptor() |
Modifier and Type | Method and Description |
---|---|
protected boolean |
acceptableName(String name)
Deprecated.
since 6.4.0, use
isAcceptableName(java.lang.String) |
protected boolean |
acceptableValue(String name,
String value)
Deprecated.
since 6.4.0, use
isAcceptableValue(java.lang.String, java.lang.String) |
protected void |
addParametersToContext(ActionContext ac,
Map<String,?> newParams)
Adds the parameters into context's ParameterMap
|
protected void |
allowlistClass(Class<?> clazz) |
protected void |
allowlistFieldIfParameterized(Field field) |
protected void |
allowlistParameterizedTypeArg(Type genericType) |
protected void |
allowlistParamType(Type paramType) |
protected void |
allowlistReturnTypeIfParameterized(Method method) |
protected void |
applyMemberAccessProperties(ValueStack stack) |
protected void |
applyParameters(Object action,
ValueStack stack,
HttpParameters parameters) |
protected void |
applyParametersOnStack(ValueStack stack,
Map<String,Parameter> parameters,
Object action) |
protected void |
batchApplyReflectionContextState(Map<String,Object> context,
boolean value) |
String |
doIntercept(ActionInvocation invocation)
Subclasses must override to implement the interceptor logic.
|
protected BeanInfo |
getBeanInfo(Object action) |
protected Comparator<String> |
getOrderedComparator()
Gets an instance of the comparator to use for the ordered sorting.
|
protected StrutsParameter |
getParameterAnnotation(AnnotatedElement element)
Annotation retrieval logic.
|
protected String |
getParameterLogMap(HttpParameters parameters) |
protected int |
getPermittedInjectionDepth(AnnotatedElement element) |
protected boolean |
hasValidAnnotatedField(Object action,
String fieldName,
long paramDepth) |
protected boolean |
hasValidAnnotatedMember(String rootProperty,
Object action,
long paramDepth)
Note that we check for a public field last or only if there is no valid, annotated property descriptor.
|
protected boolean |
hasValidAnnotatedPropertyDescriptor(Object action,
PropertyDescriptor propDesc,
long paramDepth) |
protected boolean |
hasValidAnnotatedPropertyDescriptor(PropertyDescriptor propDesc,
long paramDepth)
Deprecated.
since 6.5.0, use
hasValidAnnotatedPropertyDescriptor(Object, PropertyDescriptor, long)
instead. |
protected HttpParameters |
initNewHttpParameters(HttpParameters parameters) |
protected Map<String,Parameter> |
initParameterMap() |
protected boolean |
isAcceptableName(String name)
Validates the name passed is:
* Within the max length of a parameter name
* Is not excluded
* Is accepted
|
protected boolean |
isAcceptableParameter(String name,
Object action)
Checks if name of parameter can be accepted or thrown away
|
protected boolean |
isAcceptableParameterNameAware(String name,
Object action) |
protected boolean |
isAcceptableParameterValue(Parameter param,
Object action)
Checks if parameter value can be accepted or thrown away
|
protected boolean |
isAcceptableParameterValueAware(Parameter param,
Object action) |
protected boolean |
isAcceptableValue(String name,
String value)
Validates:
* Value is null/blank
* Value is not excluded
* Value is accepted
|
protected boolean |
isAccepted(String paramName) |
protected boolean |
isExcluded(String paramName) |
boolean |
isOrdered()
Whether to order the parameters or not
|
protected boolean |
isParameterAnnotatedAndAllowlist(String name,
Object action)
Checks if the Action class member corresponding to a parameter is appropriately annotated with
StrutsParameter and OGNL allowlists any necessary classes. |
protected boolean |
isParamValueAccepted(String value) |
protected boolean |
isParamValueExcluded(String value) |
protected boolean |
isWithinLengthLimit(String name) |
protected void |
notifyDeveloperParameterException(Object action,
String property,
String message) |
protected HttpParameters |
retrieveParameters(ActionContext actionContext)
Gets the parameter map to apply from wherever appropriate
|
void |
setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns) |
void |
setAcceptedValuePatterns(String commaDelimitedPatterns)
Sets a comma-delimited list of regular expressions to match
values of parameters that should be accepted and included in the parameter map.
|
void |
setAcceptParamNames(String commaDelim)
Sets a comma-delimited list of regular expressions to match
parameters that are allowed in the parameter map (aka whitelist).
|
void |
setDevMode(String mode) |
protected void |
setDynamicMethodInvocation(String dmiEnabled) |
void |
setExcludedPatterns(ExcludedPatternsChecker excludedPatterns) |
void |
setExcludedValuePatterns(String commaDelimitedPatterns)
Sets a comma-delimited list of regular expressions to match
values of parameters that should be removed from the parameter map.
|
void |
setExcludeParams(String commaDelim)
Sets a comma-delimited list of regular expressions to match
parameters that should be removed from the parameter map.
|
void |
setOrdered(boolean ordered)
Set whether to order the parameters by object depth or not
|
protected void |
setParameters(Object action,
ValueStack stack,
HttpParameters parameters)
|
void |
setParamNameMaxLength(int paramNameMaxLength)
If the param name exceeds the configured maximum length it will not be
accepted.
|
void |
setRequireAnnotations(String requireAnnotations) |
void |
setRequireAnnotationsTransitionMode(String transitionMode)
When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations.
|
void |
setThreadAllowlist(ThreadAllowlist threadAllowlist) |
void |
setValueStackFactory(ValueStackFactory valueStackFactory) |
protected Map<String,Parameter> |
toAcceptableParameters(HttpParameters parameters,
Object action) |
protected ValueStack |
toNewStack(ValueStack stack) |
applyInterceptor, getExcludeMethodsSet, getIncludeMethodsSet, intercept, setExcludeMethods, setIncludeMethods
destroy, init, setDisabled, shouldIntercept
protected static final int PARAM_NAME_MAX_LENGTH
protected boolean ordered
protected boolean requireAnnotations
protected boolean requireAnnotationsTransitionMode
protected ThreadAllowlist threadAllowlist
public void setValueStackFactory(ValueStackFactory valueStackFactory)
public void setThreadAllowlist(ThreadAllowlist threadAllowlist)
public void setDevMode(String mode)
public void setRequireAnnotations(String requireAnnotations)
public void setRequireAnnotationsTransitionMode(String transitionMode)
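When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations.
In this mode, the OGNL auto-allowlisting capability is not degraded in any way, and as such, it offers a convenient option for applications to enable the OGNL allowlist capability whilst they work through the process of annotating all their Action parameters. Non-nested parameters are not subject to the annotation requirement while this mode is on, so it is a migration aid rather than an equivalent of full annotation enforcement.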
public void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns)
public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns)
protected void setDynamicMethodInvocation(String dmiEnabled)
public void setParamNameMaxLength(int paramNameMaxLength)
paramNameMaxLength
- Maximum length of param names
public String doIntercept(ActionInvocation invocation) throws Exception
MethodFilterInterceptor
doIntercept
in class MethodFilterInterceptor
invocation
- the action invocation
Exception
- in case of any errors
protected HttpParameters retrieveParameters(ActionContext actionContext)
actionContext
- The action context
protected void addParametersToContext(ActionContext ac, Map<String,?> newParams)
In this class this is a no-op, since the parameters were fetched from the same location. In subclasses both this
and retrieveParameters(com.opensymphony.xwork2.ActionContext)
should be overridden.
ac
- The action context
newParams
- The parameter map to apply
@Deprecated protected void setParameters(Object action, ValueStack stack, HttpParameters parameters)
protected void applyParameters(Object action, ValueStack stack, HttpParameters parameters)
protected void batchApplyReflectionContextState(Map<String,Object> context, boolean value)
protected ValueStack toNewStack(ValueStack stack)
protected void applyMemberAccessProperties(ValueStack stack)
protected Map<String,Parameter> toAcceptableParameters(HttpParameters parameters, Object action)
protected HttpParameters initNewHttpParameters(HttpParameters parameters)
protected void applyParametersOnStack(ValueStack stack, Map<String,Parameter> parameters, Object action)
protected void notifyDeveloperParameterException(Object action, String property, String message)
protected boolean isAcceptableParameter(String name, Object action)
name
- parameter name
action
- current action
protected boolean isAcceptableParameterNameAware(String name, Object action)
protected boolean isParameterAnnotatedAndAllowlist(String name, Object action)
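Checks if the Action class member corresponding to a parameter is appropriately annotated with StrutsParameter and OGNL allowlists any necessary classes.
Note that this logic relies on the use of DefaultAcceptedPatternsChecker.NESTING_CHARS and may also be adversely impacted by the use of custom OGNL property accessors. Applications that change the accepted-name patterns or install custom property accessors should therefore re-verify that unannotated members are still rejected.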
protected boolean hasValidAnnotatedMember(String rootProperty, Object action, long paramDepth)
@Deprecated protected boolean hasValidAnnotatedPropertyDescriptor(PropertyDescriptor propDesc, long paramDepth)
Deprecated. since 6.5.0, use hasValidAnnotatedPropertyDescriptor(Object, PropertyDescriptor, long) instead.
protected boolean hasValidAnnotatedPropertyDescriptor(Object action, PropertyDescriptor propDesc, long paramDepth)
protected void allowlistReturnTypeIfParameterized(Method method)
protected void allowlistParameterizedTypeArg(Type genericType)
protected void allowlistParamType(Type paramType)
protected void allowlistClass(Class<?> clazz)
protected boolean hasValidAnnotatedField(Object action, String fieldName, long paramDepth)
protected void allowlistFieldIfParameterized(Field field)
protected int getPermittedInjectionDepth(AnnotatedElement element)
protected StrutsParameter getParameterAnnotation(AnnotatedElement element)
protected boolean isAcceptableParameterValue(Parameter param, Object action)
param
- the parameter
action
- current action
protected boolean isAcceptableParameterValueAware(Parameter param, Object action)
protected Comparator<String> getOrderedComparator()
protected String getParameterLogMap(HttpParameters parameters)
protected boolean acceptableName(String name)
Deprecated. since 6.4.0, use isAcceptableName(java.lang.String)
protected boolean isAcceptableName(String name)
name
- Name to check
protected boolean acceptableValue(String name, String value)
Deprecated. since 6.4.0, use isAcceptableValue(java.lang.String, java.lang.String)
protected boolean isAcceptableValue(String name, String value)
name
- Param name (for logging)
value
- value to check
protected boolean isWithinLengthLimit(String name)
protected boolean isAccepted(String paramName)
protected boolean isExcluded(String paramName)
protected boolean isParamValueExcluded(String value)
protected boolean isParamValueAccepted(String value)
public boolean isOrdered()
public void setOrdered(boolean ordered)
ordered
- True to order them
public void setAcceptParamNames(String commaDelim)
Don't change the default unless you know what you are doing in terms of security implications.
commaDelim
- A comma-delimited list of regular expressions
public void setExcludeParams(String commaDelim)
commaDelim
- A comma-delimited list of regular expressions
public void setAcceptedValuePatterns(String commaDelimitedPatterns)
commaDelimitedPatterns
- A comma-delimited set of regular expressions
public void setExcludedValuePatterns(String commaDelimitedPatterns)
commaDelimitedPatterns
- A comma-delimited set of regular expressions
Copyright © 2000–2024 Apache Software Foundation. All rights reserved.