Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/23 09:59:08 UTC
[1/3] git commit: Adds ability to exclude whole packages based on
regex
Repository: struts
Updated Branches:
refs/heads/feature/exclude-object-class 8a93df10c -> 5a5af1b58
Adds ability to exclude whole packages based on regex
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/dba9da3a
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/dba9da3a
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/dba9da3a
Branch: refs/heads/feature/exclude-object-class
Commit: dba9da3abf1b5e6f59251b5a6d948c5bc502c9af
Parents: 8a93df1
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri May 23 09:20:07 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri May 23 09:20:07 2014 +0200
----------------------------------------------------------------------
.../xwork2/ognl/SecurityMemberAccess.java | 20 ++++++++++++++++++++
.../xwork2/ognl/SecurityMemberAccessTest.java | 19 +++++++++++++++++++
2 files changed, 39 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/dba9da3a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index c14d8b9..39f882a 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -40,6 +40,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
private Set<Pattern> excludeProperties = Collections.emptySet();
private Set<Pattern> acceptProperties = Collections.emptySet();
private Set<Class<?>> excludedClasses = Collections.emptySet();
+ private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet();
public SecurityMemberAccess(boolean method) {
super(false);
@@ -52,6 +53,13 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
@Override
public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
+ if (isPackageExcluded(target.getClass().getPackage(), member.getDeclaringClass().getPackage())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Target package [#0] and member package [#1] are excluded!", target, member);
+ }
+ return false;
+ }
+
if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Target class [#0] and member type [#1] are excluded!", target, member);
@@ -84,6 +92,15 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
return isAcceptableProperty(propertyName);
}
+ protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
+ for (Pattern pattern : excludedPackageNamePatterns) {
+ if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) {
+ return true;
+ }
+ }
+ return false;
+ }
+
protected boolean isClassExcluded(Class<?> targetClass, Class<?> declaringClass) {
if (targetClass == Object.class || declaringClass == Object.class) {
return true;
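Review bot: `isPackageExcluded` dereferences both `Package` arguments without a null check, and `Class.getPackage()` can return null (for example for array classes, or when the class loader created no `Package` object). The new call at the top of `isAccessible` can therefore throw a NullPointerException from inside the access check instead of returning a decision. Resolve the names null-safely before matching, and decide explicitly whether a class without a package should be denied or fall through to the class checks; the sketch below falls through. The `isClassExcluded` method that follows continues outside this hunk.

```java
protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
    // Class.getPackage() can return null; use an empty name so matching never dereferences null
    String targetName = targetPackage == null ? "" : targetPackage.getName();
    String memberName = memberPackage == null ? "" : memberPackage.getName();
    for (Pattern pattern : excludedPackageNamePatterns) {
        if (pattern.matcher(targetName).matches() || pattern.matcher(memberName).matches()) {
            return true;
        }
    }
    return false;
}
```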
@@ -141,4 +158,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
this.excludedClasses = excludedClasses;
}
+ public void setExcludedPackageNamePatterns(Set<Pattern> excludedPackageNamePatterns) {
+ this.excludedPackageNamePatterns = excludedPackageNamePatterns;
+ }
}
http://git-wip-us.apache.org/repos/asf/struts/blob/dba9da3a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 1c14cb2..748d5a9 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -7,6 +7,7 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import java.util.regex.Pattern;
public class SecurityMemberAccessTest extends TestCase {
@@ -171,6 +172,24 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse("barLogic() from BarInterface is accessible!!!", accessible);
}
+ public void testPackageExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ String propertyName = "stringField";
+ Member member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
+
+ // when
+ boolean actual = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertFalse("stringField is accessible!", actual);
+ }
+
}
class FooBar implements FooBarInterface {
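Review bot: `testPackageExclusion` only exercises the deny path, so a regression that makes `isPackageExcluded` return true for every input would still pass. Add a companion case that installs a pattern not matching FooBar's package and asserts the result the rest of this class expects for `stringField`, and a case for a class whose `getPackage()` is null. The hand-rolled dot escaping can be replaced by `Pattern.compile("^" + Pattern.quote(FooBar.class.getPackage().getName()) + ".*")`, which covers every regex metacharacter rather than only `.`. `context` and `target` are fixtures defined outside the hunk.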
[3/3] git commit: Uses WARN to report if package or class is excluded
Posted by lu...@apache.org.
Uses WARN to report if package or class is excluded
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5a5af1b5
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5a5af1b5
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5a5af1b5
Branch: refs/heads/feature/exclude-object-class
Commit: 5a5af1b5879a9865aca03c70ae5bd6f7a3473f7b
Parents: 4ee18f9
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri May 23 09:58:52 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri May 23 09:58:52 2014 +0200
----------------------------------------------------------------------
.../com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/5a5af1b5/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 39f882a..d0862e7 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -54,15 +54,15 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
@Override
public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
if (isPackageExcluded(target.getClass().getPackage(), member.getDeclaringClass().getPackage())) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Target package [#0] and member package [#1] are excluded!", target, member);
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Package of target [#0] or package of member [#1] are excluded!", target, member);
}
return false;
}
if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Target class [#0] and member type [#1] are excluded!", target, member);
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Target class [#0] or declaring class of member type [#1] are excluded!", target, member);
}
return false;
}
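Review bot: Both `LOG.warn` calls pass `target` and `member` themselves, so a message about packages and classes actually prints `target.toString()`, which is arbitrary application state, at a level that is normally enabled. It never names the package or class that triggered the block. These lines are the audit trail for rejected expression access, so log the identifiers instead, e.g. `LOG.warn("Package of target [#0] or package of member [#1] is excluded!", target.getClass().getName(), member.getDeclaringClass().getName());`, and do the same in the class-exclusion call. Every rejected access now emits a WARN, so confirm the log volume stays manageable when a client sends many rejected expressions. `isAccessible` continues outside the hunk.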
[2/3] git commit: Ties excluding packages into Struts DI mechanism
Posted by lu...@apache.org.
Ties excluding packages into Struts DI mechanism
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/4ee18f96
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/4ee18f96
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/4ee18f96
Branch: refs/heads/feature/exclude-object-class
Commit: 4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d
Parents: dba9da3
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri May 23 09:58:33 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri May 23 09:58:33 2014 +0200
----------------------------------------------------------------------
.../java/org/apache/struts2/StrutsConstants.java | 3 ++-
.../config/DefaultBeanSelectionProvider.java | 3 +++
core/src/main/resources/struts-default.xml | 2 ++
.../com/opensymphony/xwork2/XWorkConstants.java | 2 ++
.../com/opensymphony/xwork2/ognl/OgnlUtil.java | 17 ++++++++++++++++-
.../opensymphony/xwork2/ognl/OgnlValueStack.java | 1 +
6 files changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index 8c0c5ce..dd08993 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -282,8 +282,9 @@ public final class StrutsConstants {
/** Allows override default DispatcherErrorHandler **/
public static final String STRUTS_DISPATCHER_ERROR_HANDLER = "struts.dispatcher.errorHandler";
- /** Comma delimited set of excluded classes which cannot be accessed via expressions **/
+ /** Comma delimited set of excluded classes and package names which cannot be accessed via expressions **/
public static final String STRUTS_EXCLUDED_CLASSES = "struts.excludedClasses";
+ public static final String STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS = "struts.excludedPackageNamePatterns";
/** Dedicated services to check if passed string is excluded/accepted **/
public static final String STRUTS_EXCLUDED_PATTERNS_CHECKER = "struts.excludedPatterns.checker";
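Review bot: The edited Javadoc still sits on `STRUTS_EXCLUDED_CLASSES` alone and now describes it as holding package names, while the new `STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS` has no comment and nothing says its value is a list of regular expressions. Keep the original wording on the first constant and give the new one its own comment, e.g. `/** Comma delimited set of regex patterns; packages whose names match cannot be accessed via expressions **/`.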
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index 4334d3c..a671133 100644
--- a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -403,7 +403,10 @@ public class DefaultBeanSelectionProvider extends AbstractBeanSelectionProvider
convertIfExist(props, StrutsConstants.STRUTS_ENABLE_OGNL_EVAL_EXPRESSION, XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION);
convertIfExist(props, StrutsConstants.STRUTS_ALLOW_STATIC_METHOD_ACCESS, XWorkConstants.ALLOW_STATIC_METHOD_ACCESS);
convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, XWorkConstants.RELOAD_XML_CONFIGURATION);
+
convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_CLASSES, XWorkConstants.OGNL_EXCLUDED_CLASSES);
+ convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS, XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS);
+
convertIfExist(props, StrutsConstants.STRUTS_OVERRIDE_EXCLUDED_PATTERNS, XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS);
convertIfExist(props, StrutsConstants.STRUTS_OVERRIDE_ACCEPTED_PATTERNS, XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS);
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index a1aa63f..0275a48 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -39,6 +39,8 @@
<struts>
<constant name="struts.excludedClasses" value="java.lang.Object,java.lang.Runtime,ognl.OgnlContext,ognl.MemberAccess,ognl.ClassResolver,ognl.TypeConverter" />
+ <!-- this must be valid regex, each '.' in package name must be escaped! -->
+ <constant name="struts.excludedPackageNamePatterns" value="^java\.lang.*,^ognl.*" />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
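Review bot: The default patterns have no boundary after the package name, so `^java\.lang.*` also matches a package such as `java.language` and `^ognl.*` matches any package whose name merely starts with `ognl`. For a deny list that errs towards blocking, but it can reject unrelated application packages in a way that is hard to diagnose. If only the named packages and their subpackages are meant, write them as `^java\.lang(\..*)?$,^ognl(\..*)?$`. The comment could also state that a pattern cannot contain a comma, since the value is split on commas before compilation (see `setExcludedPackageName` in OgnlUtil in this commit).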
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index b846ac0..830df78 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -17,7 +17,9 @@ public final class XWorkConstants {
public static final String RELOAD_XML_CONFIGURATION = "reloadXmlConfiguration";
public static final String ALLOW_STATIC_METHOD_ACCESS = "allowStaticMethodAccess";
public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
+
public static final String OGNL_EXCLUDED_CLASSES = "ognlExcludedClasses";
+ public static final String OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS = "ognlExcludedPackageNamePatterns";
public static final String OVERRIDE_EXCLUDED_PATTERNS = "overrideExcludedPatterns";
public static final String OVERRIDE_ACCEPTED_PATTERNS = "overrideAcceptedPatterns";
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 1c17eca..b0345fc 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -16,7 +16,6 @@
package com.opensymphony.xwork2.ognl;
import com.opensymphony.xwork2.XWorkConstants;
-import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.ConfigurationException;
import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
import com.opensymphony.xwork2.inject.Container;
@@ -47,6 +46,7 @@ import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
+import java.util.regex.Pattern;
/**
@@ -67,6 +67,8 @@ public class OgnlUtil {
private boolean enableEvalExpression;
private Set<Class<?>> excludedClasses = new HashSet<Class<?>>();
+ private Set<Pattern> excludedPackageNamePatterns = new HashSet<Pattern>();
+
private Container container;
private boolean allowStaticMethodAccess;
@@ -106,10 +108,22 @@ public class OgnlUtil {
}
}
+ @Inject(value = XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false)
+ public void setExcludedPackageName(String commaDelimitedPackagePatterns) {
+ Set<String> packagePatterns = TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackagePatterns);
+ for (String pattern : packagePatterns) {
+ excludedPackageNamePatterns.add(Pattern.compile(pattern));
+ }
+ }
+
public Set<Class<?>> getExcludedClasses() {
return excludedClasses;
}
+ public Set<Pattern> getExcludedPackageNamePatterns() {
+ return excludedPackageNamePatterns;
+ }
+
@Inject
public void setContainer(Container container) {
this.container = container;
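Review bot: `getExcludedPackageNamePatterns()` returns the live `HashSet`, and the later hunks in this commit hand that same instance to `SecurityMemberAccess.setExcludedPackageNamePatterns`, which stores the reference as-is, so any code holding the `OgnlUtil` can add to or clear the deny list used by every value stack. Return a read-only view, e.g. `return Collections.unmodifiableSet(excludedPackageNamePatterns);` (this needs `java.util.Collections` imported if it is not already). The same applies to `getExcludedClasses()` just above. `setExcludedPackageName` also adds to the set rather than replacing it, and lets a `PatternSyntaxException` from `Pattern.compile` propagate without naming the offending constant; wrapping it in the already imported `ConfigurationException` would make a bad pattern easier to diagnose.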
@@ -568,6 +582,7 @@ public class OgnlUtil {
SecurityMemberAccess memberAccess = new SecurityMemberAccess(allowStaticMethodAccess);
memberAccess.setExcludedClasses(excludedClasses);
+ memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess);
}
http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index 1e4a576..acf54c4 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -80,6 +80,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
public void setOgnlUtil(OgnlUtil ognlUtil) {
this.ognlUtil = ognlUtil;
securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
+ securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
}
protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot,