Struts 2
  1. Struts 2
  2. WW-4257

ParametersInterceptor uses same method on ParameterNameAware interface to validate parameters and properties


    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.16
    • Fix Version/s: 2.3.20
    • Component/s: None
    • Labels:


      With version 2.3.16, the ParametersInterceptor uses the same method to validate parameter names and property names.
      As we use the ParameterNameAware interface to implement parameter whitelisting on action level, this breaks our case.

      It might not be how it is intended, but validating a property independent of the actual bean breaks our current implementation.

      Possible fixes would be:

      • alter ParameterNameAware to have an additional separate method to validate properties
      • introduce a new PropertyNameAware interface
      • introduce a new ParameterAndPropertyNameAware interface

      One could also consider to ignore the ParameterNameAware interface when validating properties, as for a parameter, the values, foo, and bar are passed to the ParameterNameAware interface, which one could see as a bit redundant. Especially given the fact that a context in the case of property validation is not provided. Therefore, it is impossible for the implementation to distinguish between a parameter and a property.

      1. ww-4257.patch
        5 kB
        Christoph Lenggenhager


        No work has yet been logged on this issue.


          • Assignee:
            Lukasz Lenart
            Christoph Lenggenhager
          • Votes:
            0 Vote for this issue
            4 Start watching this issue


            • Created: