Class StrutsParameterAuthorizer

java.lang.Object
org.apache.struts2.interceptor.parameter.StrutsParameterAuthorizer
All Implemented Interfaces:
ParameterAuthorizer

public class StrutsParameterAuthorizer extends Object implements ParameterAuthorizer
Default implementation of ParameterAuthorizer that checks StrutsParameter annotations on the target object's members to determine whether a parameter is authorized for injection.

This implementation extracts the authorization logic from ParametersInterceptor so that it can be shared with other input channels (JSON plugin, REST plugin) without duplicating code.

Unlike ParametersInterceptor, this implementation does NOT perform OGNL ThreadAllowlist side effects. Those remain specific to the OGNL-based parameter injection path.

Since:
7.2.0
  • Constructor Details

    • StrutsParameterAuthorizer

      public StrutsParameterAuthorizer()
  • Method Details

    • setOgnlUtil

      public void setOgnlUtil(OgnlUtil ognlUtil)
    • setProxyService

      public void setProxyService(ProxyService proxyService)
    • setDevMode

      public void setDevMode(String mode)
    • setRequireAnnotations

      public void setRequireAnnotations(String requireAnnotations)
    • setRequireAnnotationsTransitionMode

      public void setRequireAnnotationsTransitionMode(String transitionMode)
    • resolveTarget

      public Object resolveTarget(Object action)
      Description copied from interface: ParameterAuthorizer
      Resolves the target object whose annotations should be checked for authorization. For ModelDriven actions, the default implementation returns the action itself; the production implementation (StrutsParameterAuthorizer) overrides this to return the model from the value stack.

      Callers that need both authorization checks AND the resolved target (e.g. for downstream OGNL allowlisting) should call this once and reuse the result.

      This is a default method to preserve the interface as a functional interface (SAM) for lambda-based test stubs.

      Specified by:
      resolveTarget in interface ParameterAuthorizer
      Parameters:
      action - the action instance
      Returns:
      the resolved target — either the action or its model
    • isAuthorized

      public boolean isAuthorized(String parameterName, Object target, Object action)
      Description copied from interface: ParameterAuthorizer
      Determines whether a parameter with the given name is authorized for injection into the given target object.

      When struts.parameters.requireAnnotations is false, this method always returns true for backward compatibility.

      Specified by:
      isAuthorized in interface ParameterAuthorizer
      Parameters:
      parameterName - the parameter name (e.g. "name", "address.city", "items[0].name")
      target - the object receiving the parameter value (the action, or the model for ModelDriven actions)
      action - the action instance; used to detect ModelDriven exemption (when target != action, the target is the model and is exempt from annotation requirements)
      Returns:
      true if the parameter is authorized for injection, false otherwise
    • hasValidAnnotatedMember

      protected boolean hasValidAnnotatedMember(String rootProperty, Object target, long paramDepth)
    • hasValidAnnotatedPropertyDescriptor

      protected boolean hasValidAnnotatedPropertyDescriptor(Object target, PropertyDescriptor propDesc, long paramDepth)
    • hasValidAnnotatedField

      protected boolean hasValidAnnotatedField(Object target, String fieldName, long paramDepth)
    • getPermittedInjectionDepth

      protected int getPermittedInjectionDepth(AnnotatedElement element)
    • getParameterAnnotation

      protected StrutsParameter getParameterAnnotation(AnnotatedElement element)
    • ultimateClass

      protected Class<?> ultimateClass(Object target)
    • getBeanInfo

      protected BeanInfo getBeanInfo(Object target)
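A simplified, self-contained model of the decision order documented for isAuthorized above, added here as an example; it is not Struts code and does not use the Struts classes. The `Param` annotation, `SampleAction`, the rule that depth is the count of `.` and `[` in the parameter name, and the setter-for-depth-0 / getter-for-nested lookup are assumptions made for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class AuthorizerModel {
    // Hypothetical stand-in for StrutsParameter (not the Struts annotation).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Param { int depth() default 0; }

    public static class Address { public void setCity(String c) {} }

    // Constructed sample action: two annotated members, one unannotated setter.
    public static class SampleAction {
        @Param public void setName(String n) {}
        @Param(depth = 1) public Address getAddress() { return new Address(); }
        public void setRole(String r) {} // no annotation
    }

    // Assumption: nesting depth is the number of '.' and '[' in the name.
    static long depthOf(String name) {
        return name.chars().filter(c -> c == '.' || c == '[').count();
    }

    static boolean isAuthorized(String name, Object target, Object action, boolean requireAnnotations) {
        if (!requireAnnotations) return true; // documented backward-compatible mode
        if (target != action) return true;    // documented ModelDriven exemption
        String root = name.split("[.\\[]", 2)[0];
        if (root.isEmpty()) return false;
        long depth = depthOf(name);
        // Assumption: depth 0 writes through a setter, nested names go through a getter.
        String member = (depth == 0 ? "set" : "get")
                + Character.toUpperCase(root.charAt(0)) + root.substring(1);
        for (Method m : target.getClass().getMethods()) {
            Param p = m.getAnnotation(Param.class);
            if (p != null && m.getName().equals(member) && p.depth() >= depth) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        SampleAction action = new SampleAction();
        String[] names = {"name", "role", "address.city", "address.geo.lat", "items[0].name"};
        for (String n : names) {
            System.out.println(n + " -> " + isAuthorized(n, action, action, true));
        }
        // Same unannotated name, but the target is a model object distinct from the action.
        System.out.println("role on model -> " + isAuthorized("role", new Object(), action, true));
        System.out.println("role, annotations off -> " + isAuthorized("role", action, action, false));
    }
}
```

The last two calls exercise the two documented paths that skip annotation checks entirely, which is why a model exposed through ModelDriven and any deployment with struts.parameters.requireAnnotations set to false need their own review of which properties are bindable.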