You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by pb...@apache.org on 2008/11/26 23:00:07 UTC
svn commit: r720996 - /struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java

Author: pbenedict
Date: Wed Nov 26 14:00:07 2008
New Revision: 720996

URL: http://svn.apache.org/viewvc?rev=720996&view=rev
Log:
STR-3168: Leave responsibility of redelegating cancelled requests to the target

Modified:
    struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java

Modified: struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java
URL: http://svn.apache.org/viewvc/struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java?rev=720996&r1=720995&r2=720996&view=diff
==============================================================================
--- struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java (original)
+++ struts/struts1/trunk/core/src/main/java/org/apache/struts/dispatcher/AbstractDispatcher.java Wed Nov 26 14:00:07 2008
@@ -31,7 +31,6 @@
 import java.lang.reflect.Method;
 import java.util.HashMap;
 
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -77,7 +76,7 @@
     /**
      * Shared commons Logging instance among subclasses.
      */
-    protected final Log log;
+    protected transient final Log log;
 
     /**
      * The dictionary of {@link Method} objects we have introspected for this
@@ -95,21 +94,8 @@
 	methods = new HashMap();
     }
 
-    protected Object cancelled(ActionContext context) throws Exception {
-	Method method = getMethod(context, CANCELLED_METHOD_NAME);
-	return dispatchMethod(context, method, CANCELLED_METHOD_NAME);
-    }
-
     public Object dispatch(ActionContext context) throws Exception {
-	// Process cancelled requests
-	if (isCancelled(context)) {
-	    try {
-		return cancelled(context);
-	    } catch (NoSuchMethodException e) {
-		// expected and ignore
-	    }
-	}
-
+	// Resolve the method name; fallback to default if necessary
 	String methodName = resolveMethodName(context);
 	if ((methodName == null) || "".equals(methodName)) {
 	    methodName = getDefaultMethodName();
@@ -126,10 +112,13 @@
 	try {
 	    method = getMethod(context, methodName);
 	} catch (NoSuchMethodException e) {
+	    // The log message reveals the offending method name...
 	    String path = context.getActionConfig().getPath();
 	    String message = messages.getMessage(MSG_KEY_MISSING_METHOD_LOG, path, methodName);
 	    log.error(message, e);
 
+	    // ...but the exception thrown does not
+	    // See r383718 (XSS vulnerability)
 	    String userMsg = messages.getMessage(MSG_KEY_MISSING_METHOD, path);
 	    NoSuchMethodException e2 = new NoSuchMethodException(userMsg);
 	    e2.initCause(e);
@@ -152,7 +141,7 @@
      * 
      * @return The forward to which control should be transferred, or
      *         <code>null</code> if the response has been completed.
-     * @throws Exception if the application business logic throws an exception.
+     * @throws Exception if the dispatch fails with an exception
      * @see #dispatchMethod(ActionMapping, ActionForm, HttpServletRequest,
      *      HttpServletResponse, String)
      */
@@ -187,10 +176,11 @@
      * will be the target of the dispatch. This implementation caches the method
      * instance for subsequent invocations.
      * 
+     * @param context the current action context
      * @param methodName the name of the method to be introspected
      * @return the method of the specified name
      * @throws NoSuchMethodException if no such method can be found
-     * @see #resolveMethod(ActionContext, String)
+     * @see #resolveMethod(String, ActionContext)
      * @see #flushMethodCache()
      */
     protected final Method getMethod(ActionContext context, String methodName) throws NoSuchMethodException {
@@ -205,7 +195,7 @@
 	    Method method = (Method) methods.get(key);
 
 	    if (method == null) {
-		method = resolveMethod(methodName, context);
+		method = resolveMethod(context, methodName);
 		methods.put(key, method);
 	    }
 
@@ -213,24 +203,34 @@
 	}
     }
 
-    protected final Object invoke(Object target, Method method, Object[] args, String path, String name)
-	    throws Exception {
+    /**
+     * Convenience method to help dispatch the specified method. The method is
+     * invoked via reflection.
+     * 
+     * @param target the target object
+     * @param method the method of the target object
+     * @param args the arguments for the method
+     * @param path the mapping path
+     * @return the return value of the method
+     * @throws Exception if the dispatch fails with an exception
+     */
+    protected final Object invoke(Object target, Method method, Object[] args, String path) throws Exception {
 	try {
 	    return method.invoke(target, args);
 	} catch (IllegalAccessException e) {
 	    String message = messages.getMessage(MSG_KEY_DISPATCH_ERROR, path);
-	    log.error(message + ":" + name, e);
+	    log.error(message + ":" + method.getName(), e);
 	    throw e;
 	} catch (InvocationTargetException e) {
 	    // Rethrow the target exception if possible so that the
 	    // exception handling machinery can deal with it
 	    Throwable t = e.getTargetException();
 	    if (t instanceof Exception) {
-		throw ((Exception) t);
+		throw (Exception) t;
 	    } else {
 		String message = messages.getMessage(MSG_KEY_DISPATCH_ERROR, path);
-		log.error(message + ":" + name, e);
-		throw new ServletException(t);
+		log.error(message + ":" + method.getName(), e);
+		throw new Exception(t);
 	    }
 	}
     }
@@ -258,21 +258,22 @@
      * resolution is only invoked if {@link #getMethod(String)} does not find a
      * match in its method cache.
      * 
-     * @param methodName the method name to use for introspection
      * @param context the current action context
+     * @param methodName the method name to use for introspection
      * @return the method to invoke
      * @throws NoSuchMethodException if an appropriate method cannot be found
      * @see #getMethod(String)
      * @see #invoke(Object, Method, Object[], String, String)
      */
-    protected abstract Method resolveMethod(String methodName, ActionContext context) throws NoSuchMethodException;
+    protected abstract Method resolveMethod(ActionContext context, String methodName) throws NoSuchMethodException;
 
     /**
      * Decides the method name that can handle the request.
      * 
      * @param context the current action context
      * @return the method name or <code>null</code> if no name can be resolved
-     * @see #resolveMethod(String, ActionContext)
+     * @see #getDefaultMethodName()
+     * @see #resolveMethod(ActionContext, String)
      */
     protected abstract String resolveMethodName(ActionContext context);
 
@@ -280,12 +281,12 @@
      * Services the case when the dispatch fails because the method name cannot
      * be resolved. The default behavior throws an {@link IllegalStateException}.
      * Subclasses should override this to provide custom handling such as
-     * sending an HTTP 404 error.
+     * sending an HTTP 404 error or dispatching elsewhere.
      * 
      * @param context the current action context
-     * @throws IllegalStateException always unless supressed by subclass
+     * @return the return value of the dispatch
+     * @throws Exception if an error occurs
      * @see #resolveMethodName(ActionContext)
-     * @see #getDefaultMethodName()
      */
     protected Object unspecified(ActionContext context) throws Exception {
 	ActionConfig config = context.getActionConfig();