Posted to commits@struts.apache.org by lu...@apache.org on 2017/06/22 07:01:43 UTC
[1/2] struts git commit: add constant to control proxy member access
Repository: struts
Updated Branches:
refs/heads/master 8f53b6f59 -> 5d999d6ac
add constant to control proxy member access
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/0d6442ba
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/0d6442ba
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/0d6442ba
Branch: refs/heads/master
Commit: 0d6442bab5b44d93c4c2e63c5335f0a331333b92
Parents: 4c386c6
Author: Aleksandr Mashchenko <am...@apache.org>
Authored: Thu Jun 22 00:58:41 2017 +0300
Committer: Aleksandr Mashchenko <am...@apache.org>
Committed: Thu Jun 22 00:58:41 2017 +0300
----------------------------------------------------------------------
.../com/opensymphony/xwork2/ognl/OgnlUtil.java | 12 +++++
.../xwork2/ognl/OgnlValueStack.java | 1 +
.../xwork2/ognl/SecurityMemberAccess.java | 7 ++-
.../org/apache/struts2/StrutsConstants.java | 2 +
.../ognl/SecurityMemberAccessProxyTest.java | 49 ++++++++++++++++++++
.../xwork2/spring/actionContext-xwork.xml | 1 +
.../spring/src/main/resources/struts-plugin.xml | 2 +
7 files changed, 73 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index ced8eff..d15977f 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -28,6 +28,7 @@ import ognl.*;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
@@ -64,6 +65,7 @@ public class OgnlUtil {
private Container container;
private boolean allowStaticMethodAccess;
+ private boolean disallowProxyMemberAccess;
@Inject
public void setXWorkConverter(XWorkConverter conv) {
@@ -144,6 +146,15 @@ public class OgnlUtil {
this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess);
}
+ @Inject(value = StrutsConstants.STRUTS_DISALLOW_PROXY_MEMBER_ACCESS, required = false)
+ public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) {
+ this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess);
+ }
+
+ public boolean isDisallowProxyMemberAccess() {
+ return disallowProxyMemberAccess;
+ }
+
/**
* Sets the object's properties using the default type converter, defaulting to not throw
* exceptions for problems setting the properties.
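Review bot: `setDisallowProxyMemberAccess` accepts any string, and `Boolean.parseBoolean` maps everything except `true` to `false`, so a misspelt value for `struts.disallowProxyMemberAccess` switches the proxy restriction off with no trace in the log. The new setter and getter also carry no Javadoc, although the flag changes which members OGNL may reach. I would add `/** When "true", OGNL access to members of proxy objects is refused; any other value, or no value, leaves them accessible. */` above the setter. Logging the parsed value would also help, e.g. `LOG.debug("disallowProxyMemberAccess = {}", this.disallowProxyMemberAccess);`, assuming the class's existing logger is named `LOG`.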
@@ -679,6 +690,7 @@ public class OgnlUtil {
memberAccess.setExcludedClasses(excludedClasses);
memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
memberAccess.setExcludedPackageNames(excludedPackageNames);
+ memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess);
return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess);
}
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index 28bef54..4ea6b44 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -84,6 +84,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames());
+ securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess());
}
protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot,
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index cce09cb..7a84a34 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -41,6 +41,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
private Set<Class<?>> excludedClasses = Collections.emptySet();
private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet();
private Set<String> excludedPackageNames = Collections.emptySet();
+ private boolean disallowProxyMemberAccess;
public SecurityMemberAccess(boolean method) {
super(false);
@@ -85,7 +86,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
return false;
}
- if (ProxyUtil.isProxyMember(member, target)) {
+ if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) {
LOG.warn("Access to proxy [{}] is blocked!", member);
return false;
}
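Review bot: The proxy check on the changed `if` line ran unconditionally before and now runs only when `disallowProxyMemberAccess` is set, and the field added earlier in this file has no initializer, so a `SecurityMemberAccess` that never receives the setter call allows proxy members. Within this commit only the Spring plugin's `struts-plugin.xml` and the test `actionContext-xwork.xml` set the constant to `true`; unless a core default outside this diff does the same, deployments without that plugin lose the block that existed before. If allow-by-default is intended, state it above the check, e.g. `// proxy members are refused only when struts.disallowProxyMemberAccess=true; the default is to allow`. Otherwise declare the field as `private boolean disallowProxyMemberAccess = true;` to keep the previous behaviour. The method containing this check starts and ends outside the hunk.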
@@ -212,4 +213,8 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
public void setExcludedPackageNames(Set<String> excludedPackageNames) {
this.excludedPackageNames = excludedPackageNames;
}
+
+ public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) {
+ this.disallowProxyMemberAccess = disallowProxyMemberAccess;
+ }
}
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index 87902cc..0cc7172 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -325,4 +325,6 @@ public final class StrutsConstants {
public static final String STRUTS_TEXT_PROVIDER_FACTORY = "struts.textProviderFactory";
public static final String STRUTS_LOCALIZED_TEXT_PROVIDER = "struts.localizedTextProvider";
+
+ public static final String STRUTS_DISALLOW_PROXY_MEMBER_ACCESS = "struts.disallowProxyMemberAccess";
}
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
new file mode 100644
index 0000000..ceda2e0
--- /dev/null
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
@@ -0,0 +1,49 @@
+package com.opensymphony.xwork2.ognl;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+
+public class SecurityMemberAccessProxyTest extends XWorkTestCase {
+ private Map<String, Object> context;
+
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+
+ context = new HashMap<>();
+ // Set up XWork
+ XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml");
+ container.inject(provider);
+ loadConfigurationProviders(provider);
+ }
+
+ public void testProxyAccessIsBlocked() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "chaintoAOPedTestSubBeanAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+ sma.setDisallowProxyMemberAccess(true);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertFalse(accessible);
+ }
+
+ public void testProxyAccessIsAccessible() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "chaintoAOPedTestSubBeanAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertTrue(accessible);
+ }
+}
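Review bot: Both tests build `SecurityMemberAccess` by hand, so nothing verifies that the `struts.disallowProxyMemberAccess` constant loaded in `setUp` actually reaches `OgnlUtil` and, through it, the member access used by the value stack. A test that reads the flag through the container would cover that wiring, e.g. `assertTrue(container.getInstance(OgnlUtil.class).isDisallowProxyMemberAccess());`, assuming `container` reflects the configuration loaded by `loadConfigurationProviders`. `testProxyAccessIsAccessible` also pins the allow-by-default behaviour of a fresh instance, so it should carry a comment such as `// default: proxy members stay accessible unless the constant is enabled`, so that a later change of the default is a conscious decision.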
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
----------------------------------------------------------------------
diff --git a/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml b/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
index 4457d15..0eb8c9a 100644
--- a/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
+++ b/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
@@ -2,6 +2,7 @@
<xwork>
<bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" />
<constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" />
+ <constant name="struts.disallowProxyMemberAccess" value="true" />
<package name="default">
<result-types>
<result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/>
http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/plugins/spring/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/resources/struts-plugin.xml b/plugins/spring/src/main/resources/struts-plugin.xml
index eb50772..cc13bca 100644
--- a/plugins/spring/src/main/resources/struts-plugin.xml
+++ b/plugins/spring/src/main/resources/struts-plugin.xml
@@ -35,6 +35,8 @@
<constant name="struts.class.reloading.acceptClasses" value="" />
<constant name="struts.class.reloading.reloadConfig" value="false" />
+ <constant name="struts.disallowProxyMemberAccess" value="true" />
+
<package name="spring-default">
<interceptors>
<interceptor name="autowiring" class="com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"/>
[2/2] struts git commit: Adds a constant to control when proxy can be
accessed
Posted by lu...@apache.org.
Adds a constant to control when proxy can be accessed
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5d999d6a
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5d999d6a
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5d999d6a
Branch: refs/heads/master
Commit: 5d999d6ac145c769191cc2e9a4897a47093f43d8
Parents: 8f53b6f 0d6442b
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu Jun 22 09:01:35 2017 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu Jun 22 09:01:35 2017 +0200
----------------------------------------------------------------------
.../com/opensymphony/xwork2/ognl/OgnlUtil.java | 12 +++++
.../xwork2/ognl/OgnlValueStack.java | 1 +
.../xwork2/ognl/SecurityMemberAccess.java | 7 ++-
.../org/apache/struts2/StrutsConstants.java | 2 +
.../ognl/SecurityMemberAccessProxyTest.java | 49 ++++++++++++++++++++
.../xwork2/spring/actionContext-xwork.xml | 1 +
.../spring/src/main/resources/struts-plugin.xml | 2 +
7 files changed, 73 insertions(+), 1 deletion(-)
----------------------------------------------------------------------