Class ParameterAuthorizationContext

java.lang.Object
org.apache.struts2.interceptor.parameter.ParameterAuthorizationContext

public final class ParameterAuthorizationContext extends Object
ThreadLocal holder for per-request parameter authorization state, used by deserializer-level authorization (e.g. the REST plugin's ContentTypeInterceptor). All state — the ParameterAuthorizer, the target, the action, and the current property-path stack — is bound by input-channel interceptors before invoking the deserializer, and unbound in a finally block afterwards.

Implementations that consult this context (e.g. AuthorizingSettableBeanProperty) call isActive() to decide whether to enforce authorization at all — when no context is bound (default config, requireAnnotations=false), they short-circuit to the delegate behavior.

Since:
7.2.0
  • Method Details

    • bind

      public static void bind(ParameterAuthorizer authorizer, Object target, Object action)
      Binds an authorizer, target, and action to the current thread. target is the object being populated — typically the action itself, or the model object for ModelDriven actions (the same contract as ParameterAuthorizer.isAuthorized(java.lang.String, java.lang.Object, java.lang.Object)). action is always the action instance. A subsequent call without an intervening unbind() replaces the prior state without resetting the path stack.
      Parameters:
      authorizer - the authorizer to use for this request; must not be null
      target - the object being populated (action or model)
      action - the action instance
    • unbind

      public static void unbind()
      Removes the bound authorizer state and clears the path stack for the current thread. Safe to call even when no context has been bound.
    • isActive

      public static boolean isActive()
      Returns true if an authorizer has been bound on the current thread via bind(org.apache.struts2.interceptor.parameter.ParameterAuthorizer, java.lang.Object, java.lang.Object).
    • isAuthorized

      public static boolean isAuthorized(String parameterPath)
      Authorizes a parameter at the given path against the bound authorizer. Returns true when no context is bound. Callers that don't want enforcement at all should not bind a context in the first place; this permissive default keeps wrapping deserializers safe to use on requests where authorization is not enforced.
    • pushPath

      public static void pushPath(String cumulativePath)
      Pushes the full cumulative path prefix onto the stack. Subsequent pathFor(String) calls will append name to this prefix. Callers building a collection-element prefix (e.g. items[0]) must pass the full string including the suffix.
      Parameters:
      cumulativePath - the full path prefix to push (e.g. "address" or "items[0]")
    • popPath

      public static void popPath()
      Pops the top path prefix from the stack. Has no effect if the stack is empty.
    • currentPathPrefix

      public static String currentPathPrefix()
      Returns:
      the current top-of-stack path prefix, or empty string if none
    • pathFor

      public static String pathFor(String propertyName)
      Builds the full path for a property at the current nesting level: prefix.propertyName (or just propertyName when at the root).
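
The bind/unbind and pushPath/popPath contract described above, shown as an added example that is not Struts code: BodyPathAudit and its methods are hypothetical, and the sketch assumes struts2-core 7.2.0 on the classpath and a request body already parsed into nested Map/List values. It walks the body the way a wrapping deserializer would and collects every path the bound authorizer rejects.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.struts2.interceptor.parameter.ParameterAuthorizationContext;
import org.apache.struts2.interceptor.parameter.ParameterAuthorizer;

/** Hypothetical helper (not a Struts class): collects body paths the authorizer rejects. */
public final class BodyPathAudit {
    public static List<String> rejectedPaths(ParameterAuthorizer authorizer, Object target,
                                             Object action, Map<?, ?> body) {
        List<String> rejected = new ArrayList<>();
        ParameterAuthorizationContext.bind(authorizer, target, action);
        try {
            walk(body, rejected);
        } finally {
            // unbind() also clears the path stack; bind() alone would keep stale prefixes.
            ParameterAuthorizationContext.unbind();
        }
        return rejected;
    }

    private static void walk(Map<?, ?> node, List<String> rejected) {
        for (Map.Entry<?, ?> e : node.entrySet()) {
            String path = ParameterAuthorizationContext.pathFor(String.valueOf(e.getKey()));
            if (!ParameterAuthorizationContext.isAuthorized(path)) {
                rejected.add(path);
                continue; // never descend into a rejected subtree
            }
            Object value = e.getValue();
            if (value instanceof Map<?, ?> child) {
                descend(path, child, rejected);
            } else if (value instanceof List<?> items) {
                for (int i = 0; i < items.size(); i++) {
                    if (items.get(i) instanceof Map<?, ?> child) {
                        // pushPath() takes the full prefix including the index suffix
                        descend(path + "[" + i + "]", child, rejected);
                    }
                }
            }
        }
    }

    private static void descend(String prefix, Map<?, ?> child, List<String> rejected) {
        ParameterAuthorizationContext.pushPath(prefix);
        try {
            walk(child, rejected);
        } finally {
            ParameterAuthorizationContext.popPath(); // keep the stack balanced on exceptions
        }
    }
}
```

Because isAuthorized(String) returns true when nothing is bound, a caller that relies on this result for enforcement should confirm isActive() first.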