Ties excluding packages into Struts DI mechanism

Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/4ee18f96
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/4ee18f96
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/4ee18f96

Branch: refs/heads/develop
Commit: 4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d
Parents: dba9da3
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Fri May 23 09:58:33 2014 +0200
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Fri May 23 09:58:33 2014 +0200

----------------------------------------------------------------------
 .../java/org/apache/struts2/StrutsConstants.java   |  3 ++-
 .../config/DefaultBeanSelectionProvider.java       |  3 +++
 core/src/main/resources/struts-default.xml         |  2 ++
 .../com/opensymphony/xwork2/XWorkConstants.java    |  2 ++
 .../com/opensymphony/xwork2/ognl/OgnlUtil.java     | 17 ++++++++++++++++-
 .../opensymphony/xwork2/ognl/OgnlValueStack.java   |  1 +
 6 files changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java 
b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index 8c0c5ce..dd08993 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -282,8 +282,9 @@ public final class StrutsConstants {
     /** Allows override default DispatcherErrorHandler **/
     public static final String STRUTS_DISPATCHER_ERROR_HANDLER = 
"struts.dispatcher.errorHandler";
 
-    /** Comma delimited set of excluded classes which cannot be accessed via 
expressions **/
+    /** Comma delimited set of excluded classes and package names which cannot 
be accessed via expressions **/
     public static final String STRUTS_EXCLUDED_CLASSES = 
"struts.excludedClasses";
+    public static final String STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS = 
"struts.excludedPackageNamePatterns";
 
     /** Dedicated services to check if passed string is excluded/accepted **/
     public static final String STRUTS_EXCLUDED_PATTERNS_CHECKER = 
"struts.excludedPatterns.checker";
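Review bot: The new `STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS` constant has no Javadoc of its own, and the edited comment above `STRUTS_EXCLUDED_CLASSES` now describes both settings although that key still carries only class names. I would keep the original wording on `STRUTS_EXCLUDED_CLASSES` and add `/** Comma delimited set of regex patterns matching package names which cannot be accessed via expressions **/` above the new constant. Saying "regex" matters because the default in struts-default.xml relies on escaped dots, and an operator who writes a plain package name gets a match that differs from what they intended.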

http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git 
a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
 
b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index 4334d3c..a671133 100644
--- 
a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ 
b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -403,7 +403,10 @@ public class DefaultBeanSelectionProvider extends 
AbstractBeanSelectionProvider
         convertIfExist(props, 
StrutsConstants.STRUTS_ENABLE_OGNL_EVAL_EXPRESSION, 
XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION);
         convertIfExist(props, 
StrutsConstants.STRUTS_ALLOW_STATIC_METHOD_ACCESS, 
XWorkConstants.ALLOW_STATIC_METHOD_ACCESS);
         convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, 
XWorkConstants.RELOAD_XML_CONFIGURATION);
+
         convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_CLASSES, 
XWorkConstants.OGNL_EXCLUDED_CLASSES);
+        convertIfExist(props, 
StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS, 
XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS);
+
         convertIfExist(props, 
StrutsConstants.STRUTS_OVERRIDE_EXCLUDED_PATTERNS, 
XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS);
         convertIfExist(props, 
StrutsConstants.STRUTS_OVERRIDE_ACCEPTED_PATTERNS, 
XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS);
 

http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml 
b/core/src/main/resources/struts-default.xml
index a1aa63f..0275a48 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -39,6 +39,8 @@
 <struts>
 
     <constant name="struts.excludedClasses" 
value="java.lang.Object,java.lang.Runtime,ognl.OgnlContext,ognl.MemberAccess,ognl.ClassResolver,ognl.TypeConverter"
 />
+    <!-- this must be valid regex, each '.' in package name must be escaped! 
-->
+    <constant name="struts.excludedPackageNamePatterns" 
value="^java\.lang.*,^ognl.*" />
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" 
class="org.apache.struts2.factory.StrutsResultFactory" />
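Review bot: The comment on `struts.excludedPackageNamePatterns` should also say that the value is split on commas, so a pattern cannot itself contain one (a quantifier such as `{1,3}` would be cut in two). The defaults are also broader than the packages they name: `^java\.lang.*` and `^ognl.*` have no boundary after the prefix, so they would also cover an unrelated package such as `ognlx`. That errs on the side of denying, but `^java\.lang(\..*)?$,^ognl(\..*)?$` would state the intent exactly. How the patterns are applied (full match or find) is not visible in this commit, so the tightened form should be checked against SecurityMemberAccess.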

http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java 
b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index b846ac0..830df78 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -17,7 +17,9 @@ public final class XWorkConstants {
     public static final String RELOAD_XML_CONFIGURATION = 
"reloadXmlConfiguration";
     public static final String ALLOW_STATIC_METHOD_ACCESS = 
"allowStaticMethodAccess";
     public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
+
     public static final String OGNL_EXCLUDED_CLASSES = "ognlExcludedClasses";
+    public static final String OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS = 
"ognlExcludedPackageNamePatterns";
 
     public static final String OVERRIDE_EXCLUDED_PATTERNS = 
"overrideExcludedPatterns";
     public static final String OVERRIDE_ACCEPTED_PATTERNS = 
"overrideAcceptedPatterns";

http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java 
b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 1c17eca..b0345fc 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -16,7 +16,6 @@
 package com.opensymphony.xwork2.ognl;
 
 import com.opensymphony.xwork2.XWorkConstants;
-import com.opensymphony.xwork2.XWorkException;
 import com.opensymphony.xwork2.config.ConfigurationException;
 import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
 import com.opensymphony.xwork2.inject.Container;
@@ -47,6 +46,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import java.util.regex.Pattern;
 
 
 /**
@@ -67,6 +67,8 @@ public class OgnlUtil {
     private boolean enableEvalExpression;
 
     private Set<Class<?>> excludedClasses = new HashSet<Class<?>>();
+    private Set<Pattern> excludedPackageNamePatterns = new HashSet<Pattern>();
+
     private Container container;
     private boolean allowStaticMethodAccess;
 
@@ -106,10 +108,22 @@ public class OgnlUtil {
         }
     }
 
+    @Inject(value = XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS, 
required = false)
+    public void setExcludedPackageName(String commaDelimitedPackagePatterns) {
+        Set<String> packagePatterns = 
TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackagePatterns);
+        for (String pattern : packagePatterns) {
+                excludedPackageNamePatterns.add(Pattern.compile(pattern));
+        }
+    }
+
     public Set<Class<?>> getExcludedClasses() {
         return excludedClasses;
     }
 
+    public Set<Pattern> getExcludedPackageNamePatterns() {
+        return excludedPackageNamePatterns;
+    }
+
     @Inject
     public void setContainer(Container container) {
         this.container = container;
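Review bot: `Pattern.compile(pattern)` in `setExcludedPackageName` lets a `PatternSyntaxException` escape from container injection without naming the setting or the entry that caused it. Since this list is a security control, a malformed entry should stop startup with a clear `ConfigurationException` (already imported in this file). The setter also only ever adds to the `HashSet`, and `getExcludedPackageNamePatterns()` returns that same live set, so any caller can mutate the exclusion list; returning an unmodifiable view is worth considering. The setter name also drops the `Patterns` suffix used by the field and the getter. The rewrite below needs `java.util.regex.PatternSyntaxException` imported.

```java
    public void setExcludedPackageName(String commaDelimitedPackagePatterns) {
        Set<String> packagePatterns = TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackagePatterns);
        for (String pattern : packagePatterns) {
            try {
                excludedPackageNamePatterns.add(Pattern.compile(pattern));
            } catch (PatternSyntaxException e) {
                // Fail fast: a silently missing exclusion would weaken the OGNL sandbox.
                throw new ConfigurationException(
                        "Invalid regex in " + XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS + ": " + pattern, e);
            }
        }
    }
    // … unchanged: getExcludedClasses, getExcludedPackageNamePatterns, setContainer …
```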
@@ -568,6 +582,7 @@ public class OgnlUtil {
 
         SecurityMemberAccess memberAccess = new 
SecurityMemberAccess(allowStaticMethodAccess);
         memberAccess.setExcludedClasses(excludedClasses);
+        
memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
 
         return Ognl.createDefaultContext(root, resolver, defaultConverter, 
memberAccess);
     }

http://git-wip-us.apache.org/repos/asf/struts/blob/4ee18f96/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java 
b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index 1e4a576..acf54c4 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -80,6 +80,7 @@ public class OgnlValueStack implements Serializable, 
ValueStack, ClearableValueS
     public void setOgnlUtil(OgnlUtil ognlUtil) {
         this.ognlUtil = ognlUtil;
         securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
+        
securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
     }
 
     protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor 
accessor, CompoundRoot compoundRoot,
