Sorry for missing the Struts version. We are on 6.3.0.2 and can't wait to move
on to 7 along with JDK 21 😊
I am aware that we could have our own SecurityMemberAccess but as I mentioned,
we consider this a bug.
Having an own implementation of SecurityMemberAccess would only be a viable
workaround.
Here is the relevant part of the validation config file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC
"-//Apache Struts//XWork Validator 1.0.2//EN"
"http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd";>
<validators>
... more validators here ...
<field name="employee.birthday">
<field-validator type="fieldexpression" >
<param name="expression"><![CDATA[
( employee.birthday == null ||
employee.birthday.before(new java.util.Date()))
]]></param>
<message key="errors_birthday" />
</field-validator>
</field>
... more validators here ...
</validators>
We are using this a lot throughout the whole software and this used to work in
former version. But I cannot tell when it actually broke.
-----Ursprüngliche Nachricht-----
Von: Lukasz Lenart <[email protected]>
Gesendet: Freitag, 12. April 2024 07:55
An: Struts Users Mailing List <[email protected]>
Betreff: Re: Struts2 Validator failing constructor call
czw., 11 kwi 2024 o 17:07 <[email protected]> napisał(a):
> I have a 10 year old struts2 web application that uses validation with rules
> defined in XML files.
Do you try to migrate to the latest version? What version do you use?
> One of these instantiates a java.util.Date to compare the the value of a bean
> with the current date:
> ( employee.birthday == null ||
> employee.birthday.before(new java.util.Date()))
I assume this is an expression in the XML file? Could you post the whole XML
definition (or at least the section)?
> When it comes to instantiate the Date object the call fails in
> SecurityMemberAccess. isAccessible. Form me it seems that a constructor call
> is not handled here properly.
>
> public boolean isAccessible(Map context, Object target, Member member,
> String propertyName) {
> LOG.debug("Checking access for [target: {}, member: {},
> property: {}]", target, member, propertyName);
>
> final int memberModifiers = member.getModifiers();
> final Class<?> memberClass = member.getDeclaringClass();
> // target can be null in case of accessing static fields, since OGNL
> 3.2.8
> final Class<?> targetClass = Modifier.isStatic(memberModifiers) ?
> memberClass : target.getClass();
> if (!memberClass.isAssignableFrom(targetClass)) {
> throw new IllegalArgumentException("Target does not match
> member!");
> }
>
> When the method is called target is the class object for java.util.Date,
> member is a representation of public java.util.Date() and propertyName is
> null.
> memberModifiers evaluates to 1 and memberClass to the class object for
> java.util.Date.
>
> This causes the if to resolve to false and throwing the exception. I cannot
> see how anyone could call any constructor at all.
>
> Is this a known issue or am I overseeing something?
This logic has improved a lot in newer versions of Struts, I would suggest
starting thinking about migration. You can always implement your own
SecurityAccessMember.
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
