Thu, 11 Apr 2024 at 17:07 <[email protected]> wrote:
> I have a 10 year old struts2 web application that uses validation with rules
> defined in XML files.
Are you trying to migrate to the latest version? What version do you use?
> One of these instantiates a java.util.Date to compare the value of a bean
> with the current date:
> ( employee.birthday == null || employee.birthday.before(new java.util.Date()))
I assume this is an expression in the XML file? Could you post the
whole XML definition (or at least the section)?
> When it comes to instantiating the Date object the call fails in
> SecurityMemberAccess.isAccessible. For me it seems that a constructor call
> is not handled here properly.
>
> public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
>     LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);
>
>     final int memberModifiers = member.getModifiers();
>     final Class<?> memberClass = member.getDeclaringClass();
>     // target can be null in case of accessing static fields, since OGNL 3.2.8
>     final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
>     if (!memberClass.isAssignableFrom(targetClass)) {
>         throw new IllegalArgumentException("Target does not match member!");
>     }
>
> When the method is called target is the class object for java.util.Date,
> member is a representation of public java.util.Date() and propertyName is
> null.
> memberModifiers evaluates to 1 and memberClass to the class object for
> java.util.Date.
>
> This causes the if to resolve to false and the exception to be thrown. I cannot
> see how anyone could call any constructor at all.
>
> Is this a known issue or am I overlooking something?
This logic has improved a lot in newer versions of Struts; I would
suggest starting to think about migration. You can always implement
your own SecurityAccessMember.
Cheers
Łukasz
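
Added example, not part of the original messages and not Struts code: a stand-alone Java reproduction of the quoted target/member check, run with the values the message reports (target is the Class object for java.util.Date, member is public java.util.Date()). The class name and both helper methods are hypothetical; the second helper is only one assumption about how a custom member-access class could resolve the target for constructors, and it covers none of the other checks isAccessible performs.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Date;

public class TargetMemberCheckDemo {

    // The target/member consistency check as quoted in the message.
    static boolean quotedCheckPasses(Object target, Member member) {
        int memberModifiers = member.getModifiers();
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    // Hypothetical variant (an assumption, not Struts code): a constructor has no
    // instance yet, so when the target is a Class object, compare against that class.
    static boolean constructorAwareCheckPasses(Object target, Member member) {
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass;
        if (Modifier.isStatic(member.getModifiers())) {
            targetClass = memberClass;
        } else if (member instanceof Constructor && target instanceof Class) {
            targetClass = (Class<?>) target;
        } else {
            targetClass = target.getClass();
        }
        return memberClass.isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws Exception {
        Constructor<Date> ctor = Date.class.getConstructor();   // public java.util.Date()
        Method before = Date.class.getMethod("before", Date.class);

        // A public, non-static constructor: the modifiers value the message reports.
        System.out.println("ctor modifiers     = " + ctor.getModifiers());
        // Instance method on a Date instance: target.getClass() is java.util.Date.
        System.out.println("before() on Date   = " + quotedCheckPasses(new Date(), before));
        // Constructor: target is Date.class, so target.getClass() is java.lang.Class,
        // and the quoted code compares java.util.Date against java.lang.Class.
        System.out.println("ctor, quoted check = " + quotedCheckPasses(Date.class, ctor));
        System.out.println("ctor, variant      = " + constructorAwareCheckPasses(Date.class, ctor));
    }
}
```

Any custom member-access class that accepts constructors this way still needs its own class and package restrictions, since the variant only changes which class the member is compared against.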