Struts 2 / WW-4751

Struts2 should know and consider config time class of user's Actions

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.12
    • Component/s: None
    • Labels:
      None

      Description

      I see that some issues like WW-4105, WW-4694 and WW-4498 suffer from a lack of this information, i.e. the config-time class of the user's action.

      I also know that future issues like the ones below are possible when Struts2 hands Actions over to an object factory and itself no longer knows the Action's real class (i.e. when the user sets className to a bean name inside his object factory):

      • JSONResult will fail or will generate ugly JSON when the action is an AOPed proxy, because JSONResult tries to generate JSON from irrelevant information like advices etc.
      • From a security point of view, someone may successfully change that action proxy or AOP information simply by calling that action and submitting some named parameters.

      I know these are solvable by forcing the user to specify includes/excludes parameters, but a better and more beautiful approach is as below:
      (proxied action) -> ... -> (some subclass of action) -> ... -> (user config time specified class) -> ... -> (some superclass of action) -> ... -> Struts2's ActionSupport -> ...
      If we take the above as the type hierarchy of the action, then, knowing the class the user specified at config time, Struts2 can exclude all subclasses above this class and all superclasses under and including ActionSupport in all sensitive places to avoid potential future issues.

      What do you think?
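
The filtering proposed in the description, as an added example (not code from Struts2 or from the issue's reporter): it uses the JDK's `Introspector.getBeanInfo(beanClass, stopClass)` to list only the properties declared from the config-time class up to, but excluding, the framework base class. `BaseAction` stands in for `ActionSupport` and `UserActionProxy` is a hand-written stand-in for a subclass-based proxy; all class names here are assumptions.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Set;
import java.util.TreeSet;

public class ConfigTimeClassDemo {
    // Stand-in for Struts2's ActionSupport (assumption: not the real class).
    public static class BaseAction { public String getLocale() { return "en"; } }
    // A user superclass sitting between ActionSupport and the configured class.
    public static class AuditedAction extends BaseAction {
        private String auditId;
        public String getAuditId() { return auditId; }
        public void setAuditId(String v) { auditId = v; }
    }
    // The class the user named in the configuration (the config-time class).
    public static class UserAction extends AuditedAction {
        private String name;
        public String getName() { return name; }
        public void setName(String v) { name = v; }
    }
    // Constructed stand-in for a subclass-based AOP proxy around UserAction.
    public static class UserActionProxy extends UserAction {
        private Object targetSource;
        public Object getTargetSource() { return targetSource; }
        public void setTargetSource(Object v) { targetSource = v; }
    }

    /** Property names declared from configClass up to, but excluding, stopClass. */
    static Set<String> allowedProperties(Class<?> configClass, Class<?> stopClass)
            throws IntrospectionException {
        Set<String> names = new TreeSet<>();
        for (PropertyDescriptor pd :
                Introspector.getBeanInfo(configClass, stopClass).getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        return names;
    }

    public static void main(String[] args) throws IntrospectionException {
        Object action = new UserActionProxy(); // what the object factory handed back
        // Runtime class: proxy and framework properties are mixed in with the user's.
        System.out.println("runtime class:     " + allowedProperties(action.getClass(), Object.class));
        // Config-time class, stopping at the framework base: only the user's own properties.
        System.out.println("config-time class: " + allowedProperties(UserAction.class, BaseAction.class));
    }
}
```

The second set is what a serializer or parameter binder would treat as the allowlist; anything the proxy subclass or the framework base contributes falls outside it.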

          Activity

          yasser.zamani Yasser Zamani added a comment -

          I am working on this

          yasser.zamani Yasser Zamani added a comment -

          Now S2 can know and consider the config-time class by unwrapping Spring proxies. Further proxy unwrapping support should be added to the ProxyUtil class when needed, on user demand.


            People

            • Assignee: Unassigned
            • Reporter: Yasser Zamani (yasser.zamani)