Class StrutsParameterAuthorizer
java.lang.Object
    org.apache.struts2.interceptor.parameter.StrutsParameterAuthorizer
All Implemented Interfaces: ParameterAuthorizer
Default implementation of ParameterAuthorizer that checks StrutsParameter annotations on the target
object's members to determine whether a parameter is authorized for injection.
This implementation extracts the authorization logic from ParametersInterceptor so that it can be shared
with other input channels (JSON plugin, REST plugin) without duplicating code.
Unlike ParametersInterceptor, this implementation does NOT perform OGNL ThreadAllowlist side effects.
Those remain specific to the OGNL-based parameter injection path.
Since: 7.2.0

Constructor Summary
Constructors

Method Summary
Modifier and Type, Method, Description
protected BeanInfo getBeanInfo(Object target)
protected StrutsParameter getParameterAnnotation(AnnotatedElement element)
protected int
protected boolean hasValidAnnotatedField(Object target, String fieldName, long paramDepth)
protected boolean hasValidAnnotatedMember(String rootProperty, Object target, long paramDepth)
protected boolean hasValidAnnotatedPropertyDescriptor(Object target, PropertyDescriptor propDesc, long paramDepth)
boolean isAuthorized(String parameterName, Object target, Object action)
    Determines whether a parameter with the given name is authorized for injection into the given target object.
resolveTarget(Object action)
    Resolves the target object whose annotations should be checked for authorization.
void setDevMode(String mode)
void setOgnlUtil(OgnlUtil ognlUtil)
void setProxyService(ProxyService proxyService)
void setRequireAnnotations(String requireAnnotations)
void setRequireAnnotationsTransitionMode(String transitionMode)
protected Class<?> ultimateClass(Object target)

Constructor Details
StrutsParameterAuthorizer
public StrutsParameterAuthorizer()

Method Details
setOgnlUtil
setProxyService
setDevMode
setRequireAnnotations
setRequireAnnotationsTransitionMode
resolveTarget
Description copied from interface: ParameterAuthorizer
Resolves the target object whose annotations should be checked for authorization. For ModelDriven actions, the default implementation returns the action itself; the production implementation (StrutsParameterAuthorizer) overrides this to return the model from the value stack.
Callers that need both authorization checks AND the resolved target (e.g. for downstream OGNL allowlisting) should call this once and reuse the result.
This is a default method to preserve the interface as a functional interface (SAM) for lambda-based test stubs.
Specified by: resolveTarget in interface ParameterAuthorizer
Parameters:
    action - the action instance
Returns:
    the resolved target, either the action or its model
isAuthorized
Description copied from interface: ParameterAuthorizer
Determines whether a parameter with the given name is authorized for injection into the given target object.
When struts.parameters.requireAnnotations is false, this method always returns true for backward compatibility.
Specified by: isAuthorized in interface ParameterAuthorizer
Parameters:
    parameterName - the parameter name (e.g. "name", "address.city", "items[0].name")
    target - the object receiving the parameter value (the action, or the model for ModelDriven actions)
    action - the action instance; used to detect ModelDriven exemption (when target != action, the target is the model and is exempt from annotation requirements)
Returns:
    true if the parameter is authorized for injection, false otherwise
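
A simplified, self-contained model of the decision isAuthorized describes, added here as an illustration and not Struts' own code. Assumptions: the local `Param` annotation stands in for StrutsParameter, only fields are inspected, and nesting depth is counted as one level per '.' or '[' in the parameter name.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.List;

public class AuthorizerModel {
    // Hypothetical stand-in for the StrutsParameter annotation, local to this example.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Param { int depth() default 0; }

    static class Address { public String city; public Address parent; }

    // Constructed sample action.
    static class SignupAction {
        @Param public String name;                 // top-level value only
        @Param(depth = 1) public Address address;  // one level of nesting permitted
        public boolean admin;                      // unannotated: not injectable
    }

    // Assumed depth rule: one level per '.' or '[' in the parameter name.
    static long depthOf(String parameterName) {
        return parameterName.chars().filter(c -> c == '.' || c == '[').count();
    }

    static boolean isAuthorized(String parameterName, Object target, Object action,
                                boolean requireAnnotations) {
        if (!requireAnnotations) return true;  // backward-compatible mode: no checks
        if (target != action) return true;     // target is a ModelDriven model: exempt
        String root = parameterName.split("[.\\[]", 2)[0];
        try {
            Param p = target.getClass().getDeclaredField(root).getAnnotation(Param.class);
            return p != null && depthOf(parameterName) <= p.depth();
        } catch (NoSuchFieldException e) {
            return false;                      // unknown root property: reject
        }
    }

    public static void main(String[] args) {
        SignupAction action = new SignupAction();
        for (String n : List.of("name", "address.city", "address.parent.city", "admin")) {
            System.out.println(n + " -> " + isAuthorized(n, action, action, true));
        }
        // With annotations not required, the unannotated "admin" field is accepted too.
        System.out.println("admin (requireAnnotations=false) -> "
                + isAuthorized("admin", action, action, false));
    }
}
```

The last call shows why leaving struts.parameters.requireAnnotations at false removes the protection entirely: every parameter name is accepted.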
hasValidAnnotatedMember
hasValidAnnotatedPropertyDescriptor
protected boolean hasValidAnnotatedPropertyDescriptor(Object target, PropertyDescriptor propDesc, long paramDepth)
hasValidAnnotatedField
getPermittedInjectionDepth
getParameterAnnotation
ultimateClass
getBeanInfo