You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Paul Nilsson (JIRA)" <ji...@apache.org> on 2009/02/20 15:34:47 UTC

[jira] Commented: (WW-2595) Overriding subset of interceptor params

    [ https://issues.apache.org/struts/browse/WW-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45626#action_45626 ] 

Paul Nilsson commented on WW-2595:
----------------------------------

Hi,

We are also experiencing a similar problem using 2.1.6. We are using a prepare-params-prepare stack with a parameter filter interceptor prior to each params, so the stack in the parent package looks like:

<interceptor-stack name="parentStack">
.
.
.
<interceptor-ref name="prePrepareParameterFilter"/>
<interceptor-ref name="params"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="postPrepareParameterFilter">
    <param name="defaultBlock">true</param>
</interceptor-ref>
<interceptor-ref name="params"/>
.
.
.
</interceptor-stack>

The idea behind this was to create a safe-by-default behavior when using the stack, so that objects that were prepared couldn't be set with malicious form submissions. 

In simple cases this seems to work fine in child packages using this as a parent, and by default all parameters are blocked by the time it gets to the second params interceptor. In the case that we override a parameter of the postPrepareParameterFilter in the child package it seems to revert the ParameterFilterInterceptor to the default behavior where defaultBlock is false, therefore no parameters are blocked by the time it reaches the second parms interceptor.

So for example in the following package defaultBlock would be true (param apparently inherited from the parent package):

<package name="child1" namespace="/child1" extends="parentPackage">
    <action name="list" class="com.domain.ChildAction" method="view">
        <interceptor-ref name="parentStack"/>
        <result type="tiles">main.child</result>
    </action>
</package>

And in this example a parameter is set which seems to make the interceptor forget to inherit the parentStacks parameter for the interceptor, so defaultBlock is left at false.

<package name="child2" namespace="/child2" extends="parentPackage">
    <action name="list" class="com.domain.ChildAction" method="view">
        <interceptor-ref name="parentStack">
            <param name="postPrepareParameterFilter.allowed">myObject.name</param>
        </interceptor-ref>
        <result type="tiles">main.child</result>
    </action>
</package>

Not sure if this is the intended behavior or not. I read through the docs at http://struts.apache.org/2.1.6/docs/interceptors.html#Interceptors-InterceptorParameterOverriding but this didn't clear it up for me. 

It seems to me that it's dangerous for an interceptor to stop inheriting parameters defined in a parent packages definition, just because an unrelated parameter was passed to that interceptor in the child package.

> Overriding subset of interceptor params
> ---------------------------------------
>
>                 Key: WW-2595
>                 URL: https://issues.apache.org/struts/browse/WW-2595
>             Project: Struts 2
>          Issue Type: Improvement
>    Affects Versions: 2.0.11
>            Reporter: Jon Wilmoth
>             Fix For: Future
>
>
> Trying to override one of three interceptor parameters in an action specific config using method #2 described in http://struts.apache.org/2.0.11.1/docs/interceptors.html#Interceptors-InterceptorParameterOverriding leaves the params that aren't overridden in the action (but defined in stack definition) null.  Unfortunately, the other two parameters that I'm not overriding are not being taken from the default stack definition and are ending up as null on the interceptor.  Below is a sample action config showing what I'm attempting...
> <package name="packageA"...>
>     <interceptors>
>         <interceptor name="myInterceptor" class="..."/>
>         <interceptor-stack name="myStack">
>             <interceptor-ref name="defaultStack"/>
>             <interceptor-ref name="myInterceptor">
>                 <param name="paramA">defaultValueA</param>
>                 <param name="paramB">defaultValueB</param>
>                 <param name="paramC">defaultValueC</param>
>             </interceptor-ref>
>         </interceptor-stack>
> </package>
> With the following action config, the "myInterceptor" interceptor's  paramA & paramB are null (causing the interceptor logic to break) and not "defaultValueA" and "defaultValueB" as expected/desired.
> <package name="packageB" extends="packageA"...>
>     <action name="myAction" class="myActionClass">
>         <interceptor-ref name="myStack">
>             <param name="myInterceptor.paramC">actionSpecificValue</param>
>         </interceptor-ref>
>     </action>
> </package>
> BTW...defining the action with all parameters overridden (see below) works:
> <action name="myAction" class="myActionClass">
>   <interceptor-ref name="myStack">
>      <!--  same value as defined in "myStack" declaration  -->
>      <param name="myInterceptor.paramA">defaultValueA</param>
>      <!--  same value as defined in "myStack" declaration  -->
>      <param name="myInterceptor.paramB">defaultValueB</param>
>      <param name="myInterceptor.paramC">actionSpecificValue</param>
>  </interceptor-ref>
> </action>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.