Adds ability to exclude whole packages based on regex
Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/dba9da3a Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/dba9da3a Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/dba9da3a Branch: refs/heads/develop Commit: dba9da3abf1b5e6f59251b5a6d948c5bc502c9af Parents: 8a93df1 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Fri May 23 09:20:07 2014 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Fri May 23 09:20:07 2014 +0200 ---------------------------------------------------------------------- .../xwork2/ognl/SecurityMemberAccess.java | 20 ++++++++++++++++++++ .../xwork2/ognl/SecurityMemberAccessTest.java | 19 +++++++++++++++++++ 2 files changed, 39 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/dba9da3a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index c14d8b9..39f882a 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -40,6 +40,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { private Set<Pattern> excludeProperties = Collections.emptySet(); private Set<Pattern> acceptProperties = Collections.emptySet(); private Set<Class<?>> excludedClasses = Collections.emptySet(); + private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet(); public SecurityMemberAccess(boolean method) { super(false); 
@@ -52,6 +53,13 @@ public class SecurityMemberAccess extends DefaultMemberAccess { @Override public boolean isAccessible(Map context, Object target, Member member, String propertyName) { + if (isPackageExcluded(target.getClass().getPackage(), member.getDeclaringClass().getPackage())) { + if (LOG.isDebugEnabled()) { + LOG.debug("Target package [#0] and member package [#1] are excluded!", target, member); + } + return false; + } + if (isClassExcluded(target.getClass(), member.getDeclaringClass())) { if (LOG.isDebugEnabled()) { LOG.debug("Target class [#0] and member type [#1] are excluded!", target, member); @@ -84,6 +92,15 @@ public class SecurityMemberAccess extends DefaultMemberAccess { return isAcceptableProperty(propertyName); } + protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) { + for (Pattern pattern : excludedPackageNamePatterns) { + if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) { + return true; + } + } + return false; + } + protected boolean isClassExcluded(Class<?> targetClass, Class<?> declaringClass) { if (targetClass == Object.class || declaringClass == Object.class) { return true; @@ -141,4 +158,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { this.excludedClasses = excludedClasses; } + public void setExcludedPackageNamePatterns(Set<Pattern> excludedPackageNamePatterns) { + this.excludedPackageNamePatterns = excludedPackageNamePatterns; + } } http://git-wip-us.apache.org/repos/asf/struts/blob/dba9da3a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java index 1c14cb2..748d5a9 100644 
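Review bot: In the new guard at the top of `isAccessible`, the debug call passes `target` and `member` although the message names packages, so a denial is logged with the target object's `toString()` instead of the package that caused it. Passing the packages themselves keeps the message truthful and avoids invoking `toString()` on an arbitrary target: `LOG.debug("Target package [#0] and member package [#1] are excluded!", target.getClass().getPackage(), member.getDeclaringClass().getPackage());`. `isAccessible` continues past the end of this hunk.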
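Review bot: `isPackageExcluded` dereferences both `Package` arguments without a null check, and `Class.getPackage()` can return null (for example for array classes, or for classes whose class loader did not define a package), so `isAccessible` would throw a NullPointerException instead of returning a decision. Resolving the names once before the loop handles that and avoids recomputing them per pattern: `String targetName = targetPackage == null ? "" : targetPackage.getName();`, the same for `memberPackage`, then `pattern.matcher(targetName).matches()`. Because `matches()` requires the whole name to match, a Javadoc line saying that a pattern must itself cover sub-packages (as the test's trailing `.*` does) would help whoever writes the exclusion list. The method is fully contained in this hunk.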
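Review bot: `setExcludedPackageNamePatterns` stores the caller's set by reference and accepts null, so a later change to that set silently alters the exclusion policy, and a null argument only surfaces as a NullPointerException in the `for` loop of `isPackageExcluded`. The `setExcludedClasses` body visible in the context lines has the same shape, so this is consistent with the file, but for an access filter an unmodifiable copy is the safer default: `this.excludedPackageNamePatterns = Collections.unmodifiableSet(new HashSet<Pattern>(excludedPackageNamePatterns));` (assuming `HashSet` is imported, which this hunk does not show). The diffstat lists only this class and its test, so the field stays at `Collections.emptySet()` and the check is inert until something calls this setter.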
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java +++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java @@ -7,6 +7,7 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; +import java.util.regex.Pattern; public class SecurityMemberAccessTest extends TestCase { @@ -171,6 +172,24 @@ public class SecurityMemberAccessTest extends TestCase { assertFalse("barLogic() from BarInterface is accessible!!!", accessible); } + public void testPackageExclusion() throws Exception { + // given + SecurityMemberAccess sma = new SecurityMemberAccess(false); + + Set<Pattern> excluded = new HashSet<Pattern>(); + excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*")); + sma.setExcludedPackageNamePatterns(excluded); + + String propertyName = "stringField"; + Member member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1)); + + // when + boolean actual = sma.isAccessible(context, target, member, propertyName); + + // then + assertFalse("stringField is accessible!", actual); + } + } class FooBar implements FooBarInterface {
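Review bot: `testPackageExclusion` exercises only the denying path, so nothing here shows that a member outside the excluded package stays accessible once patterns are set, or that a match on the member's declaring package alone is enough to deny. The pattern is built as the escaped package name followed directly by `.*`, with no separator, so it would also match a sibling package that merely shares the prefix. `Pattern.compile(Pattern.quote(FooBar.class.getPackage().getName()) + "(\\..*)?")` expresses "this package and its sub-packages" and drops the hand-rolled `replaceAll` escaping. `context` and `target` are defined in the test class outside this hunk.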