Interface ParameterAuthorizer

All Known Implementing Classes:
StrutsParameterAuthorizer

public interface ParameterAuthorizer
Service for determining whether a given parameter name is authorized for injection into a target object, based on StrutsParameter annotation presence and depth.

This service extracts the authorization logic from ParametersInterceptor so that it can be reused by other input channels (e.g. JSON plugin, REST plugin) that also need to enforce @StrutsParameter rules.

Implementations must NOT perform OGNL ThreadAllowlist side effects — those remain specific to ParametersInterceptor.

Since:
7.2.0
  • Method Summary

    Modifier and Type   Method                                                             Description
    boolean             isAuthorized(String parameterName, Object target, Object action)   Determines whether a parameter with the given name is authorized for injection into the given target object.
    default Object      resolveTarget(Object action)                                       Resolves the target object whose annotations should be checked for authorization.
  • Method Details

    • isAuthorized

      boolean isAuthorized(String parameterName, Object target, Object action)
      Determines whether a parameter with the given name is authorized for injection into the given target object.

      When struts.parameters.requireAnnotations is false, this method always returns true for backward compatibility.

      Parameters:
      parameterName - the parameter name (e.g. "name", "address.city", "items[0].name")
      target - the object receiving the parameter value (the action, or the model for ModelDriven actions)
      action - the action instance; used to detect ModelDriven exemption (when target != action, the target is the model and is exempt from annotation requirements)
      Returns:
      true if the parameter is authorized for injection, false otherwise
    • resolveTarget

      default Object resolveTarget(Object action)
      Resolves the target object whose annotations should be checked for authorization. For ModelDriven actions, the default implementation returns the action itself; the production implementation (StrutsParameterAuthorizer) overrides this to return the model from the value stack.

      Callers that need both authorization checks AND the resolved target (e.g. for downstream OGNL allowlisting) should call this once and reuse the result.

      This is a default method to preserve the interface as a functional interface (SAM) for lambda-based test stubs.

      Parameters:
      action - the action instance
      Returns:
      the resolved target — either the action or its model
      Since:
      7.2.0
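To show how the two methods above fit together, here is an added example implementation of ParameterAuthorizer. It is not the project's StrutsParameterAuthorizer and is not taken from this page; it implements the contract described above (requireAnnotations bypass, ModelDriven exemption when target != action, annotation presence and depth on the target) with its own simplified rules. Assumptions: the import packages for StrutsParameter and ModelDriven are taken to be the Struts 7 ones; the import of ParameterAuthorizer is omitted because the page does not state its package; resolveTarget asks ModelDriven.getModel() directly instead of reading the value stack; the nesting count (each '.' or '[' after the root segment is one level that depth() must cover) and the SampleAction/Address classes are constructed for the example.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import org.apache.struts2.ModelDriven;                            // assumed Struts 7 package
import org.apache.struts2.interceptor.parameter.StrutsParameter;  // assumed Struts 7 package
// import of ParameterAuthorizer omitted: the page does not state its package

/** Added example, not the project's StrutsParameterAuthorizer. */
public class AnnotationDepthParameterAuthorizer implements ParameterAuthorizer {

    private final boolean requireAnnotations;   // mirrors struts.parameters.requireAnnotations

    public AnnotationDepthParameterAuthorizer(boolean requireAnnotations) {
        this.requireAnnotations = requireAnnotations;
    }

    @Override
    public boolean isAuthorized(String parameterName, Object target, Object action) {
        if (!requireAnnotations) {
            return true;                        // legacy mode: annotations are not enforced
        }
        if (target != action) {
            return true;                        // ModelDriven exemption from the interface contract
        }
        if (parameterName == null || parameterName.isEmpty() || target == null) {
            return false;
        }
        String root = rootSegment(parameterName);
        StrutsParameter annotation = findAnnotation(target.getClass(), root);
        // Depth rule assumed by this example: every '.' or '[' after the root segment
        // is one level of nesting that the annotation's depth() must cover.
        return annotation != null && annotation.depth() >= nestingDepth(parameterName);
    }

    @Override
    public Object resolveTarget(Object action) {
        // Simplification: ask the action for its model instead of reading the value stack.
        if (action instanceof ModelDriven<?> modelDriven) {
            Object model = modelDriven.getModel();
            return model != null ? model : action;
        }
        return action;
    }

    /** Returns the part of the name before the first '.' or '[' (e.g. "items" for "items[0].name"). */
    static String rootSegment(String parameterName) {
        int end = parameterName.length();
        for (int i = 0; i < parameterName.length(); i++) {
            char c = parameterName.charAt(i);
            if (c == '.' || c == '[') { end = i; break; }
        }
        return parameterName.substring(0, end);
    }

    /** Counts nesting levels: "name" -> 0, "address.city" -> 1, "items[0].name" -> 2. */
    static int nestingDepth(String parameterName) {
        int depth = 0;
        for (int i = 0; i < parameterName.length(); i++) {
            char c = parameterName.charAt(i);
            if (c == '.' || c == '[') depth++;
        }
        return depth;
    }

    /** Looks for @StrutsParameter on a public setter for the root segment, then on a public field. */
    static StrutsParameter findAnnotation(Class<?> type, String root) {
        if (root.isEmpty()) return null;
        String setter = "set" + Character.toUpperCase(root.charAt(0)) + root.substring(1);
        for (Method m : type.getMethods()) {
            if (m.getName().equals(setter) && m.getParameterCount() == 1
                    && m.isAnnotationPresent(StrutsParameter.class)) {
                return m.getAnnotation(StrutsParameter.class);
            }
        }
        for (Field f : type.getFields()) {
            if (f.getName().equals(root) && f.isAnnotationPresent(StrutsParameter.class)) {
                return f.getAnnotation(StrutsParameter.class);
            }
        }
        return null;
    }

    // Constructed sample action used to exercise the rules.
    public static class SampleAction {
        private String name;
        private Address address;
        private String secret;

        @StrutsParameter public void setName(String name) { this.name = name; }
        @StrutsParameter(depth = 1) public void setAddress(Address address) { this.address = address; }
        public void setSecret(String secret) { this.secret = secret; }   // unannotated: not injectable
    }

    public static class Address { public String city; }

    public static void main(String[] args) {
        ParameterAuthorizer authorizer = new AnnotationDepthParameterAuthorizer(true);
        SampleAction action = new SampleAction();
        Object target = authorizer.resolveTarget(action);   // resolved once, reused for every check
        for (String n : new String[] {"name", "address.city", "address.city.zip", "secret"}) {
            System.out.println(n + " -> " + authorizer.isAuthorized(n, target, action));
        }
    }
}
```

With the sample action, "name" and "address.city" are backed by annotations whose depth covers them, "address.city.zip" exceeds the depth of 1 declared on setAddress, and "secret" has no annotation at all, so it is refused whenever requireAnnotations is true. Note that main() calls resolveTarget once and passes the result to every isAuthorized call, which is the usage the interface description asks for when the caller also needs the target afterwards.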