Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4257

ParametersInterceptor uses same method on ParameterNameAware interface to validate parameters and properties


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.16
    • Fix Version/s: 2.3.20
    • Component/s: None
    • Labels:


      With version 2.3.16, the ParametersInterceptor uses the same method to validate parameter names and property names.
      As we use the ParameterNameAware interface to implement parameter whitelisting on action level, this breaks our case.

      It might not be how it is intended, but validating a property independent of the actual bean breaks our current implementation.

      Possible fixes would be:

      • alter ParameterNameAware to have an additional separate method to validate properties
      • introduce a new PropertyNameAware interface
      • introduce a new ParameterAndPropertyNameAware interface

      One could also consider to ignore the ParameterNameAware interface when validating properties, as for a parameter foo.bar, the values foo.bar, foo, and bar are passed to the ParameterNameAware interface, which one could see as a bit redundant. Especially given the fact that a context in the case of property validation is not provided. Therefore, it is impossible for the implementation to distinguish between a parameter and a property.


        1. ww-4257.patch
          5 kB
          Christoph Lenggenhager



            • Assignee:
              lukaszlenart Lukasz Lenart
              clenggenhager Christoph Lenggenhager
            • Votes:
              0 Vote for this issue
              4 Start watching this issue


              • Created: