Class ParametersInterceptor
java.lang.Object
org.apache.struts2.interceptor.AbstractInterceptor
org.apache.struts2.interceptor.MethodFilterInterceptor
org.apache.struts2.interceptor.parameter.ParametersInterceptor
- All Implemented Interfaces:
Serializable, ConditionalInterceptor, Interceptor
- Direct Known Subclasses:
ActionMappingParametersInterceptor
This interceptor sets all parameters on the value stack.
- See Also:
-
Field Summary
Fields
Modifier and Type, Field, Description
protected boolean
protected static final int
protected boolean
protected boolean
protected ThreadAllowlist
Fields inherited from class org.apache.struts2.interceptor.MethodFilterInterceptor
excludeMethods, includeMethods
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type, Method, Description
protected void addParametersToContext(ActionContext ac, Map<String, ?> newParams) - Adds the parameters into context's ParameterMap
protected void allowlistClass(Class<?> clazz)
protected void
protected void allowlistParameterizedTypeArg(Type genericType)
protected void allowlistParamType(Type paramType)
protected void
protected void
protected void applyParameters(Object action, ValueStack stack, HttpParameters parameters)
protected void applyParametersOnStack(ValueStack stack, Map<String, Parameter> parameters, Object action)
protected void batchApplyReflectionContextState(Map<String, Object> context, boolean value)
doIntercept(ActionInvocation invocation) - Subclasses must override to implement the interceptor logic.
protected BeanInfo getBeanInfo(Object action)
protected Comparator<String> - Gets an instance of the comparator to use for the ordered sorting.
protected StrutsParameter getParameterAnnotation(AnnotatedElement element) - Annotation retrieval logic.
protected String getParameterLogMap(HttpParameters parameters)
protected int
protected boolean hasValidAnnotatedField(Object action, String fieldName, long paramDepth)
protected boolean hasValidAnnotatedMember(String rootProperty, Object action, long paramDepth) - Note that we check for a public field last or only if there is no valid, annotated property descriptor.
protected boolean hasValidAnnotatedPropertyDescriptor(Object action, PropertyDescriptor propDesc, long paramDepth)
protected HttpParameters initNewHttpParameters(HttpParameters parameters)
protected boolean isAcceptableName(String name) - Validates the name passed is: * Within the max length of a parameter name * Is not excluded * Is accepted
protected boolean isAcceptableParameter(String name, Object action) - Checks if name of parameter can be accepted or thrown away
protected boolean isAcceptableParameterNameAware(String name, Object action)
protected boolean isAcceptableParameterValue(Parameter param, Object action) - Checks if parameter value can be accepted or thrown away
protected boolean isAcceptableParameterValueAware(Parameter param, Object action)
protected boolean isAcceptableValue(String name, String value) - Validates: * Value is null/blank * Value is not excluded * Value is accepted
protected boolean isAccepted(String paramName)
protected boolean isExcluded(String paramName)
boolean - Whether to order the parameters or not
protected boolean isParameterAnnotatedAndAllowlist(String name, Object action) - Checks if the Action class member corresponding to a parameter is appropriately annotated with StrutsParameter and OGNL allowlists any necessary classes.
protected boolean isParamValueAccepted(String value)
protected boolean isParamValueExcluded(String value)
protected boolean isWithinLengthLimit(String name)
protected void notifyDeveloperParameterException(Object action, String property, String message)
protected HttpParameters retrieveParameters(ActionContext actionContext) - Gets the parameter map to apply from wherever appropriate
void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns)
void setAcceptedValuePatterns(String commaDelimitedPatterns) - Sets a comma-delimited list of regular expressions to match values of parameters that should be accepted and included in the parameter map.
void setAcceptParamNames(String commaDelim) - Sets a comma-delimited list of regular expressions to match parameters that are allowed in the parameter map (aka whitelist).
void setDevMode(String mode)
protected void setDynamicMethodInvocation(String dmiEnabled)
void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns)
void setExcludedValuePatterns(String commaDelimitedPatterns) - Sets a comma-delimited list of regular expressions to match values of parameters that should be removed from the parameter map.
void setExcludeParams(String commaDelim) - Sets a comma-delimited list of regular expressions to match parameters that should be removed from the parameter map.
void setOrdered(boolean ordered) - Set whether to order the parameters by object depth or not
void setParamNameMaxLength(int paramNameMaxLength) - If the param name exceeds the configured maximum length it will not be accepted.
void setRequireAnnotations(String requireAnnotations)
void setRequireAnnotationsTransitionMode(String transitionMode) - When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations.
void setThreadAllowlist(ThreadAllowlist threadAllowlist)
void setValueStackFactory(ValueStackFactory valueStackFactory)
toAcceptableParameters(HttpParameters parameters, Object action)
protected ValueStack toNewStack(ValueStack stack)
Methods inherited from class org.apache.struts2.interceptor.MethodFilterInterceptor
applyInterceptor, getExcludeMethodsSet, getIncludeMethodsSet, intercept, setExcludeMethods, setIncludeMethods
Methods inherited from class org.apache.struts2.interceptor.AbstractInterceptor
destroy, init, setDisabled, shouldIntercept
-
Field Details
-
PARAM_NAME_MAX_LENGTH
protected static final int PARAM_NAME_MAX_LENGTH
- See Also:
-
ordered
protected boolean ordered
-
requireAnnotations
protected boolean requireAnnotations
-
requireAnnotationsTransitionMode
protected boolean requireAnnotationsTransitionMode
-
threadAllowlist
-
-
Constructor Details
-
ParametersInterceptor
public ParametersInterceptor()
-
-
Method Details
-
setValueStackFactory
-
setThreadAllowlist
-
setDevMode
-
setRequireAnnotations
-
setRequireAnnotationsTransitionMode
When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations. What this means in practice is that all public setters on an Action will be exposed for parameter injection again, and only 'nested' parameters, i.e. public getters on an Action, will require annotations.
In this mode, the OGNL auto-allowlisting capability is not degraded in any way, and as such, it offers a convenient option for applications to enable the OGNL allowlist capability whilst they work through the process of annotating all their Action parameters.
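The action below is an added illustration, not code from the Struts project, showing which members the description above covers with annotations required, with and without Transition Mode. The class, field and request-parameter names are hypothetical; it assumes the `StrutsParameter` annotation from this package and its `depth` attribute.

```java
import org.apache.struts2.interceptor.parameter.StrutsParameter;

// Hypothetical POJO action; all names here are constructed for illustration.
public class EditProfileAction {

    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    private String displayName;
    private boolean admin;
    private final Address address = new Address();
    private final Address billing = new Address();

    // Flat parameter "displayName=...": annotated setter, accepted whether or
    // not Transition Mode is enabled.
    @StrutsParameter
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    // Flat parameter "admin=true": public setter without an annotation.
    // Annotations required, Transition Mode off: not accepted.
    // Transition Mode on: accepted, because non-nested parameters no longer
    // need the annotation. Setters like this one are the members to review
    // before relying on Transition Mode.
    public void setAdmin(boolean admin) { this.admin = admin; }

    // Nested parameter "address.city=...": reached through a public getter,
    // so the annotation is required in both modes. depth = 1 permits one
    // level of nesting below the action.
    @StrutsParameter(depth = 1)
    public Address getAddress() { return address; }

    // Nested parameter "billing.city=...": unannotated getter, not accepted
    // in either mode.
    public Address getBilling() { return billing; }

    public String execute() { return "success"; }
}
```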
-
setExcludedPatterns
-
setAcceptedPatterns
-
setDynamicMethodInvocation
-
setParamNameMaxLength
public void setParamNameMaxLength(int paramNameMaxLength)
If the param name exceeds the configured maximum length it will not be accepted.
- Parameters:
paramNameMaxLength - Maximum length of param names
-
doIntercept
Description copied from class: MethodFilterInterceptor
Subclasses must override to implement the interceptor logic.
- Specified by:
doIntercept in class MethodFilterInterceptor
- Parameters:
invocation - the action invocation
- Returns:
- the result of invocation
- Throws:
Exception - in case of any errors
-
retrieveParameters
Gets the parameter map to apply from wherever appropriate
- Parameters:
actionContext - The action context
- Returns:
- The parameter map to apply
-
addParametersToContext
Adds the parameters into context's ParameterMap
In this class this is a no-op, since the parameters were fetched from the same location. In subclasses both this and retrieveParameters(org.apache.struts2.ActionContext) should be overridden.
- Parameters:
ac - The action context
newParams - The parameter map to apply
-
applyParameters
-
batchApplyReflectionContextState
-
toNewStack
-
applyMemberAccessProperties
-
toAcceptableParameters
-
initParameterMap
-
initNewHttpParameters
-
applyParametersOnStack
protected void applyParametersOnStack(ValueStack stack, Map<String, Parameter> parameters, Object action)
-
notifyDeveloperParameterException
-
isAcceptableParameter
Checks if name of parameter can be accepted or thrown away
- Parameters:
name - parameter name
action - current action
- Returns:
- true if parameter is accepted
-
isAcceptableParameterNameAware
-
isParameterAnnotatedAndAllowlist
Checks if the Action class member corresponding to a parameter is appropriately annotated with StrutsParameter and OGNL allowlists any necessary classes.
Note that this logic relies on the use of DefaultAcceptedPatternsChecker.NESTING_CHARS and may also be adversely impacted by the use of custom OGNL property accessors.
-
hasValidAnnotatedMember
Note that we check for a public field last or only if there is no valid, annotated property descriptor. This is because this check is likely to fail more often than not, as the relative use of public fields is low - so we save computation by checking this last.
-
hasValidAnnotatedPropertyDescriptor
protected boolean hasValidAnnotatedPropertyDescriptor(Object action, PropertyDescriptor propDesc, long paramDepth)
-
allowlistReturnTypeIfParameterized
-
allowlistParameterizedTypeArg
-
allowlistParamType
-
allowlistClass
-
hasValidAnnotatedField
-
allowlistFieldIfParameterized
-
getPermittedInjectionDepth
- Returns:
- permitted injection depth where -1 indicates not permitted
-
getParameterAnnotation
Annotation retrieval logic. Can be overridden to support extending annotations or some other form of annotation inheritance.
-
getBeanInfo
-
isAcceptableParameterValue
Checks if parameter value can be accepted or thrown away
- Parameters:
param - the parameter
action - current action
- Returns:
- true if parameter is accepted
-
isAcceptableParameterValueAware
-
getOrderedComparator
Gets an instance of the comparator to use for the ordered sorting. Override this method to customize the ordering of the parameters as they are set to the action.
- Returns:
- A comparator to sort the parameters
-
getParameterLogMap
-
isAcceptableName
Validates the name passed is:
* Within the max length of a parameter name
* Is not excluded
* Is accepted
- Parameters:
name - Name to check
- Returns:
- true if accepted
-
isAcceptableValue
Validates:
* Value is null/blank
* Value is not excluded
* Value is accepted
- Parameters:
name - Param name (for logging)
value - value to check
- Returns:
- true if accepted
-
isWithinLengthLimit
-
isAccepted
-
isExcluded
-
isParamValueExcluded
-
isParamValueAccepted
-
isOrdered
public boolean isOrdered()
Whether to order the parameters or not
- Returns:
- True to order
-
setOrdered
public void setOrdered(boolean ordered)
Set whether to order the parameters by object depth or not
- Parameters:
ordered - True to order them
-
setAcceptParamNames
Sets a comma-delimited list of regular expressions to match parameters that are allowed in the parameter map (aka whitelist).
Don't change the default unless you know what you are doing in terms of security implications.
- Parameters:
commaDelim - A comma-delimited list of regular expressions
-
setExcludeParams
Sets a comma-delimited list of regular expressions to match parameters that should be removed from the parameter map.
- Parameters:
commaDelim - A comma-delimited list of regular expressions
-
setAcceptedValuePatterns
Sets a comma-delimited list of regular expressions to match values of parameters that should be accepted and included in the parameter map.
- Parameters:
commaDelimitedPatterns - A comma-delimited set of regular expressions
-
setExcludedValuePatterns
Sets a comma-delimited list of regular expressions to match values of parameters that should be removed from the parameter map.
- Parameters:
commaDelimitedPatterns - A comma-delimited set of regular expressions
-