  1. Struts 2
  2. WW-4645

SecurityMemberAccess exclude class design issue

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 2.3.20
    • Fix Version/s: 2.3.30, 2.5.2
    • Component/s: Core Actions
    • Labels:
      None

      Description

      The isClassExcluded method invokes targetClass.isAssignableFrom(excludedClass), which means targetClass must be a parent class of excludedClass or the same as excludedClass.
      How can I enumerate all subclasses in the excluded classes?
      Why not the opposite? I would only prevent the parent class, and all subclasses would also be prevented.
      For example: excludedClass.isAssignableFrom(targetClass)

        Activity

        raintung.li Raintung Li added a comment -

        Yes, you can't define java.lang.Object, but my question is: how can I enumerate all the subclasses?

        For example:
        You add Runtime.java to the blacklist. Many third-party sources extend Runtime; how do I disable this? I would need to scan all third-party source code.

        Could you add a flag to control this? If it is true, exclude the subclasses; otherwise exclude the parent. To keep compatibility, the default value would be false.

        lukaszlenart Lukasz Lenart added a comment -

        In such a case you won't be able to exclude java.lang.Object, as this will block everything. And java.lang.Object is now defined as an excluded class in struts-default.xml.

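The two check directions discussed in this issue, side by side, as an added example that is not Struts code. `Sensitive`, `ThirdPartySensitive` and `Unrelated` are constructed stand-in classes, and both methods are written from the description above rather than copied from `SecurityMemberAccess`. Running it shows which targets each direction excludes, with and without `java.lang.Object` in the exclude list.

```java
import java.util.Arrays;
import java.util.List;

public class ExcludeDirectionDemo {
    // Constructed stand-ins: a sensitive class, a third-party subclass of it, and an unrelated class.
    static class Sensitive {}
    static class ThirdPartySensitive extends Sensitive {}
    static class Unrelated {}

    // Direction described in the report: a target matches when it is the
    // excluded class itself or one of its supertypes.
    static boolean excludedAsReported(Class<?> target, List<Class<?>> excluded) {
        for (Class<?> ex : excluded) {
            if (target.isAssignableFrom(ex)) {
                return true;
            }
        }
        return false;
    }

    // Direction the reporter proposes: a target matches when it is the
    // excluded class itself or one of its subtypes.
    static boolean excludedAsProposed(Class<?> target, List<Class<?>> excluded) {
        for (Class<?> ex : excluded) {
            if (ex.isAssignableFrom(target)) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, List<Class<?>> excluded) {
        Class<?>[] targets = {Object.class, Sensitive.class, ThirdPartySensitive.class, Unrelated.class};
        System.out.println("Exclude list " + label + ":");
        for (Class<?> t : targets) {
            System.out.printf("  %-20s reported=%-5b proposed=%b%n", t.getSimpleName(),
                    excludedAsReported(t, excluded), excludedAsProposed(t, excluded));
        }
    }

    public static void main(String[] args) {
        List<Class<?>> withoutObject = Arrays.asList(Sensitive.class);
        // java.lang.Object is on the list, as the comment above says of struts-default.xml.
        List<Class<?>> withObject = Arrays.asList(Object.class, Sensitive.class);
        report("[Sensitive]", withoutObject);
        report("[Object, Sensitive]", withObject);
    }
}
```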

          People

          • Assignee:
            Unassigned
            Reporter:
            raintung.li Raintung Li