Interface ParameterAuthorizer
- All Known Implementing Classes:
StrutsParameterAuthorizer
public interface ParameterAuthorizer
Service for determining whether a given parameter name is authorized for injection into a target object, based on
StrutsParameter annotation presence and depth.
This service extracts the authorization logic from ParametersInterceptor so that it can be reused by other
input channels (e.g. JSON plugin, REST plugin) that also need to enforce @StrutsParameter rules.
Implementations must NOT perform OGNL ThreadAllowlist side effects — those remain specific to
ParametersInterceptor.
- Since:
- 7.2.0
Method Summary
Modifier and Type | Method | Description
boolean | isAuthorized(String parameterName, Object target, Object action) | Determines whether a parameter with the given name is authorized for injection into the given target object.
default Object | resolveTarget(Object action) | Resolves the target object whose annotations should be checked for authorization.
Method Details
isAuthorized
Determines whether a parameter with the given name is authorized for injection into the given target object.
When struts.parameters.requireAnnotations is false, this method always returns true for backward compatibility.
- Parameters:
- parameterName - the parameter name (e.g. "name", "address.city", "items[0].name")
- target - the object receiving the parameter value (the action, or the model for ModelDriven actions)
- action - the action instance; used to detect ModelDriven exemption (when target != action, the target is the model and is exempt from annotation requirements)
- Returns:
- true if the parameter is authorized for injection, false otherwise
resolveTarget
Resolves the target object whose annotations should be checked for authorization. For ModelDriven actions, the default implementation returns the action itself; the production implementation (StrutsParameterAuthorizer) overrides this to return the model from the value stack.
Callers that need both authorization checks AND the resolved target (e.g. for downstream OGNL allowlisting) should call this once and reuse the result.
This is a default method to preserve the interface as a functional interface (SAM) for lambda-based test stubs.
- Parameters:
- action - the action instance
- Returns:
- the resolved target — either the action or its model
- Since:
- 7.2.0
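The sketch below is an added illustration, not Struts code: it shows how an input channel other than ParametersInterceptor could resolve the target once and then filter incoming names through a lambda-based authorizer. The nested StrutsParameter annotation and ParameterAuthorizer interface are local stand-ins that mirror the names on this page; the depth rule (counting '.' and '['), the SampleAction class and the accepted helper are simplifying assumptions, and struts.parameters.requireAnnotations is not modelled.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AuthorizerSketch {
    // Local stand-in for @StrutsParameter (assumed shape: one depth attribute).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface StrutsParameter { int depth() default 0; }

    // Local stand-in mirroring the two signatures documented on this page.
    interface ParameterAuthorizer {
        boolean isAuthorized(String parameterName, Object target, Object action);
        default Object resolveTarget(Object action) { return action; }
    }

    // Constructed sample action: "name" and one level below "address" are opted in.
    public static class Address { public void setCity(String c) {} }
    public static class SampleAction {
        @StrutsParameter public void setName(String n) {}
        @StrutsParameter(depth = 1) public Address getAddress() { return new Address(); }
        public void setRole(String r) {} // no annotation, so "role" must be rejected
    }

    // Simplified rule (assumption): depth = count of '.' and '[' in the name. Depth 0
    // needs an annotated setter; deeper names need an annotated getter with enough depth.
    static final ParameterAuthorizer SIMPLE = (name, target, action) -> {
        if (target != action) return true; // ModelDriven model is exempt
        long depth = name.chars().filter(c -> c == '.' || c == '[').count();
        String root = name.split("[.\\[]", 2)[0];
        if (root.isEmpty()) return false;
        String suffix = Character.toUpperCase(root.charAt(0)) + root.substring(1);
        for (Method m : target.getClass().getMethods()) {
            StrutsParameter p = m.getAnnotation(StrutsParameter.class);
            if (p == null) continue;
            if (depth == 0 && m.getName().equals("set" + suffix)) return true;
            if (depth > 0 && m.getName().equals("get" + suffix) && p.depth() >= depth) return true;
        }
        return false;
    };

    // A non-interceptor input channel: resolve the target once, then filter the names.
    static List<String> accepted(ParameterAuthorizer auth, Object action, Collection<String> names) {
        Object target = auth.resolveTarget(action);
        List<String> ok = new ArrayList<>();
        for (String n : names) if (auth.isAuthorized(n, target, action)) ok.add(n);
        return ok;
    }

    public static void main(String[] args) {
        List<String> in = List.of("name", "role", "address.city", "address.owner.name");
        System.out.println(accepted(SIMPLE, new SampleAction(), in));
    }
}
```

With the constructed input, "role" is dropped because its setter is not annotated, and "address.owner.name" is dropped because it nests two levels while getAddress only permits one.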