Class ParameterAuthorizationContext
java.lang.Object
org.apache.struts2.interceptor.parameter.ParameterAuthorizationContext
ThreadLocal holder for per-request parameter authorization state, used by deserializer-level
authorization (e.g. the REST plugin's
ContentTypeInterceptor). All state — the
ParameterAuthorizer, the target, the action, and the current property-path stack — is
bound by input-channel interceptors before invoking the deserializer, and unbound in a
finally block afterwards.
Implementations that consult this context (e.g. AuthorizingSettableBeanProperty) call
isActive() to decide whether to enforce authorization at all — when no context is bound
(default config, requireAnnotations=false), they short-circuit to the delegate behavior.
- Since:
- 7.2.0
-
Method Summary
Modifier and TypeMethodDescriptionstatic voidbind(ParameterAuthorizer authorizer, Object target, Object action) Binds an authorizer, target, and action to the current thread.static Stringstatic booleanisActive()Returnstrueif an authorizer has been bound on the current thread viabind(org.apache.struts2.interceptor.parameter.ParameterAuthorizer, java.lang.Object, java.lang.Object).static booleanisAuthorized(String parameterPath) Authorizes a parameter at the given path against the bound authorizer.static StringBuilds the full path for a property at the current nesting level:prefix.propertyName(or justpropertyNamewhen at the root).static voidpopPath()Pops the top path prefix from the stack.static voidPushes the full cumulative path prefix onto the stack.static voidunbind()Removes the bound authorizer state and clears the path stack for the current thread.
-
Method Details
-
bind
Binds an authorizer, target, and action to the current thread.targetis the object being populated — typically the action itself, or the model object forModelDrivenactions (the same contract asParameterAuthorizer.isAuthorized(java.lang.String, java.lang.Object, java.lang.Object)).actionis always the action instance. A subsequent call without an interveningunbind()replaces the prior state without resetting the path stack.- Parameters:
authorizer- the authorizer to use for this request; must not benulltarget- the object being populated (action or model)action- the action instance
-
unbind
public static void unbind()Removes the bound authorizer state and clears the path stack for the current thread. Safe to call even when no context has been bound. -
isActive
public static boolean isActive()Returnstrueif an authorizer has been bound on the current thread viabind(org.apache.struts2.interceptor.parameter.ParameterAuthorizer, java.lang.Object, java.lang.Object). -
isAuthorized
Authorizes a parameter at the given path against the bound authorizer. Returnstruewhen no context is bound — callers that don't want enforcement at all should not bind context in the first place; this default keeps wrapping deserializers safe for non-authorized requests. -
pushPath
Pushes the full cumulative path prefix onto the stack. SubsequentpathFor(String)calls will appendnameto this prefix. Callers building a collection-element prefix (e.g.items[0]) must pass the full string including the suffix.- Parameters:
cumulativePath- the full path prefix to push (e.g."address"or"items[0]")
-
popPath
public static void popPath()Pops the top path prefix from the stack. Has no effect if the stack is empty. -
currentPathPrefix
- Returns:
- the current top-of-stack path prefix, or empty string if none
-
pathFor
Builds the full path for a property at the current nesting level:prefix.propertyName(or justpropertyNamewhen at the root).
-