You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/04 11:18:08 UTC
[2/2] git commit: Adds special treatment of Object class and unit test
Adds special treatment of Object class and unit test
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/b3ca9ea5
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/b3ca9ea5
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/b3ca9ea5
Branch: refs/heads/feature/exclude-object-class
Commit: b3ca9ea5e31fc9b6c0a5e644e833874bb7cc62fa
Parents: cb59074
Author: Lukasz Lenart <lu...@apache.org>
Authored: Sun May 4 11:18:00 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Sun May 4 11:18:00 2014 +0200
----------------------------------------------------------------------
.../xwork2/ognl/SecurityMemberAccess.java | 11 +-
.../xwork2/ognl/SecurityMemberAccessTest.java | 139 +++++++++++++++++++
2 files changed, 146 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/b3ca9ea5/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 9d84702..7fe77c3 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -21,6 +21,7 @@ import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Collections;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
@@ -47,8 +48,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
}
@Override
- public boolean isAccessible(Map context, Object target, Member member,
- String propertyName) {
+ public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
return false;
@@ -79,8 +79,11 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
}
protected boolean isClassExcluded(Class<?> targetClass, Class<?> declaringClass) {
- for (Class excludedClass : excludedClasses) {
- if (targetClass.isAssignableFrom(excludedClass) || declaringClass.isAssignableFrom(excludedClass)) {
+ if (targetClass == Object.class || declaringClass == Object.class) {
+ return true;
+ }
+ for (Class<?> excludedClass : excludedClasses) {
+ if (excludedClass.isAssignableFrom(targetClass) || declaringClass.isAssignableFrom(excludedClass)) {
return true;
}
}
http://git-wip-us.apache.org/repos/asf/struts/blob/b3ca9ea5/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
new file mode 100644
index 0000000..4ccc831
--- /dev/null
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -0,0 +1,139 @@
+package com.opensymphony.xwork2.ognl;
+
+import junit.framework.TestCase;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class SecurityMemberAccessTest extends TestCase {
+
+ private Map context;
+ private FooBar target;
+
+ @Override
+ public void setUp() throws Exception {
+ context = new HashMap();
+ target = new FooBar();
+ }
+
+ public void testWithoutClassExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ String propertyName = "stringField";
+ Member member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertTrue(accessible);
+ }
+
+ public void testClassExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ String propertyName = "stringField";
+ Member member = FooBar.class.getDeclaredMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
+
+ Set<Class<?>> excluded = new HashSet<Class<?>>();
+ excluded.add(FooBar.class);
+ sma.setExcludedClasses(excluded);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertFalse(accessible);
+ }
+
+ public void testObjectClassExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ String propertyName = "toString";
+ Member member = FooBar.class.getMethod(propertyName);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertFalse("toString() from Object is accessible!!!", accessible);
+ }
+
+ public void testObjectOverwrittenMethodsExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ String propertyName = "hashCode";
+ Member member = FooBar.class.getMethod(propertyName);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertTrue("hashCode() from FooBar isn't accessible!!!", accessible);
+ }
+
+ public void testInterfaceInheritanceExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ String propertyName = "barLogic";
+ Member member = FooBar.class.getMethod("barLogic");
+
+ Set<Class<?>> excluded = new HashSet<Class<?>>();
+ excluded.add(BarInterface.class);
+ sma.setExcludedClasses(excluded);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertFalse("barLogic() from BarInterface is accessible!!!", accessible);
+ }
+
+}
+
+class FooBar implements FooInterface {
+
+ private String stringField;
+
+ public String getStringField() {
+ return stringField;
+ }
+
+ public void setStringField(String stringField) {
+ this.stringField = stringField;
+ }
+
+ public String fooLogic() {
+ return "fooLogic";
+ }
+
+ public String barLogic() {
+ return "barLogic";
+ }
+
+ @Override
+ public int hashCode() {
+ return 1;
+ }
+
+}
+
+interface FooInterface extends BarInterface {
+
+ String fooLogic();
+
+}
+
+interface BarInterface {
+
+ String barLogic();
+
+}