public class ParametersInterceptor extends MethodFilterInterceptor
ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object),
typically resulting in the values submitted in a form request being applied to an action in the value stack.
Note that the parameter map must contain a String key and often contains a String[] for the value.
The interceptor takes one parameter named 'ordered'. When set to true, action properties are guaranteed to be
set top-down, which means that the top action's properties are set first and then its subcomponents' properties are set.
The reason for this order is to enable a 'factory' pattern. For example, let's assume that one has an action
that contains a property named 'modelClass' that allows choosing the underlying implementation of the model.
By ensuring that the modelClass property is set before any model properties are set, it's possible to choose the model
implementation during the action.setModelClass() call. Similarly, it's possible to use the action.setPrimaryKey()
property set call to actually load the model class from persistent storage. Without any assumption on parameter
order you have to use patterns like 'Preparable'.
Because parameter names are effectively OGNL statements, it is important that security be taken into account.
This interceptor will not apply any values in the parameters map if the expression contains an assignment (=),
multiple expressions (,), or references any objects in the context (#). This is all done in the acceptableName(String)
method. In addition to this method, if the action being invoked implements the ParameterNameAware interface,
the action will be consulted to determine if the parameter should be set.
In addition to these restrictions, a flag (ReflectionContextState.DENY_METHOD_EXECUTION) is set such that
no methods are allowed to be invoked. That means that any expression such as person.doSomething() or
person.getName() will be explicitly forbidden. This is needed to make sure that your application is not
exposed to attacks by malicious users.
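The name checks from the two paragraphs above, modelled as stand-alone Java (an added example, not the XWork source). The accepted pattern, the exclude patterns, the length limit and the order of the checks are assumptions chosen for the demo, and the sample parameter names are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration: a stand-alone model of the parameter-name checks.
// It is NOT the XWork implementation; all constants below are assumed values.
public class ParamNameFilterDemo {
    static final int MAX_LENGTH = 100; // assumed limit for the demo
    // Assumed allowlist: plain dotted/indexed property paths, e.g. user.address[0].city
    static final Pattern ACCEPTED = Pattern.compile("\\w+((\\.\\w+)|(\\[\\d+\\]))*");
    // Assumed exclude rules, the kind of list handed to setExcludeParams(String)
    static final List<Pattern> EXCLUDED = Arrays.asList(
            Pattern.compile("^(session|request|application)\\..*"),
            Pattern.compile("^internal\\..*")); // hypothetical app-specific prefix

    /** Returns null when the name may be applied, otherwise the reason it is dropped. */
    static String rejectReason(String name) {
        if (name.length() > MAX_LENGTH) return "too long";
        if (name.indexOf('=') >= 0) return "assignment (=)";
        if (name.indexOf(',') >= 0) return "multiple expressions (,)";
        if (name.indexOf('#') >= 0) return "context reference (#)";
        for (Pattern p : EXCLUDED)
            if (p.matcher(name).matches()) return "excluded by " + p.pattern();
        // Anything that is not a simple property path is dropped, so a name
        // such as person.getName() never reaches the value stack in this model.
        if (!ACCEPTED.matcher(name).matches()) return "not in accepted pattern";
        return null;
    }

    public static void main(String[] args) {
        // Constructed parameter names, as they might arrive in a form post.
        String[] names = {
            "user.name", "items[2].qty", "user.name=x", "a,b",
            "#session.user", "session.role", "internal.flag", "person.getName()"
        };
        for (String n : names) {
            String why = rejectReason(n);
            System.out.printf("%-20s %s%n", n, why == null ? "applied" : "dropped: " + why);
        }
    }
}
```

Only the first two names are applied; each of the others is dropped with the reason printed next to it.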
While this interceptor is being invoked, a flag (ReflectionContextState.CREATE_NULL_OBJECTS) is turned
on to ensure that any null reference is automatically created - if possible. See the type conversion documentation
and the InstantiatingNullHandler javadocs for more information.
Finally, a third flag (XWorkConverter.REPORT_CONVERSION_ERRORS) is set, indicating that if any error occurs while
converting the values to their final data type (String[] -> int), an unrecoverable error has occurred. With this
flag set, the type conversion errors will be reported in the action context. See the type conversion documentation
and the XWorkConverter javadocs for more information.
If you are looking for detailed logging information about your parameters, turn on DEBUG level logging for this
interceptor. A detailed log of all the parameter keys and values will be reported.
Note: Since XWork 2.0.2, this interceptor extends MethodFilterInterceptor, therefore being
able to deal with excludeMethods / includeMethods parameters. See [Workflow Interceptor]
(class DefaultWorkflowInterceptor) for documentation and examples on how to use this feature.
Interceptor parameters:
ParameterNameAware interface in your
actions. However, if you wish to apply a global rule that isn't implemented in your action, then you could extend
this interceptor and override the acceptableName(String) method.
Using ParameterNameAware could be dangerous, as ParameterNameAware.acceptableParameterName(String) takes precedence
over ParametersInterceptor, which means that if ParametersInterceptor excluded a given parameter name you can accept it with
ParameterNameAware.acceptableParameterName(String).
The best idea is to define very tight restrictions with ParametersInterceptor and relax them per action with
ParameterNameAware.acceptableParameterName(String)
Example code:
<action name="someAction" class="com.examples.SomeAction">
    <interceptor-ref name="params"/>
    <result name="success">good_result.ftl</result>
</action>
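A per-action ParameterNameAware implementation that follows the advice above, as an added example that is not part of the XWork distribution. SignupAction and its property names are hypothetical; the action accepts exact names only, so its answer never re-admits a name the interceptor would have excluded.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration. SignupAction, its fields and the allowed names are hypothetical.
public class SignupAction extends ActionSupport implements ParameterNameAware {

    // Exact names this action is willing to have set: no patterns, no wildcards.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("email", "displayName", "newsletter")));

    private String email;
    private String displayName;
    private boolean newsletter;
    private boolean admin; // has a setter for internal use, never bound from a request

    // Consulted for every incoming parameter name. As the text above warns, this
    // answer is the one that counts, so it only says yes to an exact, known name.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED.contains(parameterName);
    }

    @Override
    public String execute() {
        return SUCCESS;
    }

    public void setEmail(String email) { this.email = email; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public void setNewsletter(boolean newsletter) { this.newsletter = newsletter; }
    public void setAdmin(boolean admin) { this.admin = admin; }
    public boolean isAdmin() { return admin; }
}
```

A request that carries admin=true is ignored for this action even though setAdmin(boolean) exists, because "admin" is not in the allowed set.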
Modifier and Type | Field and Description |
---|---|
static String | ACCEPTED_PARAM_NAMES |
protected Set<Pattern> | acceptParams |
protected Set<Pattern> | excludeParams |
protected boolean | ordered |
protected static int | PARAM_NAME_MAX_LENGTH |
excludeMethods, includeMethods, log
Constructor and Description |
---|
ParametersInterceptor() |
Modifier and Type | Method and Description |
---|---|
protected boolean | acceptableName(String name) |
protected void | addParametersToContext(ActionContext ac, Map<String,Object> newParams): Adds the parameters into context's ParameterMap |
String | doIntercept(ActionInvocation invocation): Subclasses must override to implement the interceptor logic. |
protected Set | getExcludeParamsSet(): Gets a set of regular expressions of parameters to remove from the parameter map |
protected Comparator<String> | getOrderedComparator(): Gets an instance of the comparator to use for the ordered sorting. |
protected String | getParameterLogMap(Map<String,Object> parameters) |
protected void | initializeHardCodedExcludePatterns() |
protected boolean | isAcceptableParameter(String name, Object action): Checks if name of parameter can be accepted or thrown away |
protected boolean | isAccepted(String paramName) |
protected boolean | isExcluded(String paramName) |
boolean | isOrdered(): Whether to order the parameters or not |
protected boolean | isWithinLengthLimit(String name) |
protected void | notifyDeveloper(Object action, String property, String message) |
protected Map<String,Object> | retrieveParameters(ActionContext ac): Gets the parameter map to apply from wherever appropriate |
void | setAcceptParamNames(String commaDelim): Sets a comma-delimited list of regular expressions to match parameters that are allowed in the parameter map (aka whitelist). |
void | setDevMode(String mode) |
void | setExcludeParams(String commaDelim): Sets a comma-delimited list of regular expressions to match parameters that should be removed from the parameter map. |
void | setOrdered(boolean ordered): Set whether to order the parameters by object depth or not |
protected void | setParameters(Object action, ValueStack stack, Map<String,Object> parameters) |
void | setParamNameMaxLength(int paramNameMaxLength): If the param name exceeds the configured maximum length it will not be accepted. |
void | setValueStackFactory(ValueStackFactory valueStackFactory) |
applyInterceptor, getExcludeMethodsSet, getIncludeMethodsSet, intercept, setExcludeMethods, setIncludeMethods
destroy, init
public static final String ACCEPTED_PARAM_NAMES
protected static final int PARAM_NAME_MAX_LENGTH
protected boolean ordered
public void setValueStackFactory(ValueStackFactory valueStackFactory)
public void setDevMode(String mode)
public void setAcceptParamNames(String commaDelim)
commaDelim - A comma-delimited list of regular expressions
public void setParamNameMaxLength(int paramNameMaxLength)
paramNameMaxLength - Maximum length of param names
public String doIntercept(ActionInvocation invocation) throws Exception
MethodFilterInterceptor
doIntercept in class MethodFilterInterceptor
invocation - the action invocation
Exception
protected Map<String,Object> retrieveParameters(ActionContext ac)
ac - The action context
protected void addParametersToContext(ActionContext ac, Map<String,Object> newParams)
ac - The action context
newParams - The parameter map to apply
In this class this is a no-op, since the parameters were fetched from the same location.
In subclasses both retrieveParameters() and addParametersToContext() should be overridden.
protected void setParameters(Object action, ValueStack stack, Map<String,Object> parameters)
protected boolean isAcceptableParameter(String name, Object action)
name - parameter name
action - current action
protected Comparator<String> getOrderedComparator()
protected boolean acceptableName(String name)
protected boolean isWithinLengthLimit(String name)
protected boolean isAccepted(String paramName)
protected boolean isExcluded(String paramName)
public boolean isOrdered()
public void setOrdered(boolean ordered)
ordered - True to order them
protected Set getExcludeParamsSet()
protected void initializeHardCodedExcludePatterns()
public void setExcludeParams(String commaDelim)
commaDelim - A comma-delimited list of regular expressions
Copyright © 2000-2014 Apache Software Foundation. All Rights Reserved.