[jira] Commented: (WW-2595) Overriding subset of interceptor params

[Paul Nilsson (JIRA)]

    [ 
https://issues.apache.org/struts/browse/WW-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45626#action_45626
 ] 

Paul Nilsson commented on WW-2595:
----------------------------------

Hi,

We are also experiencing a similar problem using 2.1.6. We are using a 
prepare-params-prepare stack with a parameter filter interceptor prior to each 
params, so the stack in the parent package looks like:

<interceptor-stack name="parentStack">
.
.
.
<interceptor-ref name="prePrepareParameterFilter"/>
<interceptor-ref name="params"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="postPrepareParameterFilter">
    <param name="defaultBlock">true</param>
</interceptor-ref>
<interceptor-ref name="params"/>
.
.
.
</interceptor-stack>

The idea behind this was to create a safe-by-default behavior when using the 
stack, so that objects that were prepared couldn't be set with malicious form 
submissions. 

In simple cases this seems to work fine in child packages using this as a 
parent, and by default all parameters are blocked by the time it gets to the 
second params interceptor. In the case that we override a parameter of the 
postPrepareParameterFilter in the child package it seems to revert the 
ParameterFilterInterceptor to the default behavior where defaultBlock is false, 
therefore no parameters are blocked by the time it reaches the second parms 
interceptor.

So for example in the following package defaultBlock would be true (param 
apparently inherited from the parent package):

<package name="child1" namespace="/child1" extends="parentPackage">
    <action name="list" class="com.domain.ChildAction" method="view">
        <interceptor-ref name="parentStack"/>
        <result type="tiles">main.child</result>
    </action>
</package>

And in this example a parameter is set which seems to make the interceptor 
forget to inherit the parentStacks parameter for the interceptor, so 
defaultBlock is left at false.

<package name="child2" namespace="/child2" extends="parentPackage">
    <action name="list" class="com.domain.ChildAction" method="view">
        <interceptor-ref name="parentStack">
            <param 
name="postPrepareParameterFilter.allowed">myObject.name</param>
        </interceptor-ref>
        <result type="tiles">main.child</result>
    </action>
</package>

Not sure if this is the intended behavior or not. I read through the docs at 
http://struts.apache.org/2.1.6/docs/interceptors.html#Interceptors-InterceptorParameterOverriding
 but this didn't clear it up for me. 

It seems to me that it's dangerous for an interceptor to stop inheriting 
parameters defined in a parent packages definition, just because an unrelated 
parameter was passed to that interceptor in the child package.

> Overriding subset of interceptor params
> ---------------------------------------
>
>                 Key: WW-2595
>                 URL: https://issues.apache.org/struts/browse/WW-2595
>             Project: Struts 2
>          Issue Type: Improvement
>    Affects Versions: 2.0.11
>            Reporter: Jon Wilmoth
>             Fix For: Future
>
>
> Trying to override one of three interceptor parameters in an action specific 
> config using method #2 described in 
> http://struts.apache.org/2.0.11.1/docs/interceptors.html#Interceptors-InterceptorParameterOverriding
>  leaves the params that aren't overridden in the action (but defined in stack 
> definition) null.  Unfortunately, the other two parameters that I'm not 
> overriding are not being taken from the default stack definition and are 
> ending up as null on the interceptor.  Below is a sample action config 
> showing what I'm attempting...
> <package name="packageA"...>
>     <interceptors>
>         <interceptor name="myInterceptor" class="..."/>
>         <interceptor-stack name="myStack">
>             <interceptor-ref name="defaultStack"/>
>             <interceptor-ref name="myInterceptor">
>                 <param name="paramA">defaultValueA</param>
>                 <param name="paramB">defaultValueB</param>
>                 <param name="paramC">defaultValueC</param>
>             </interceptor-ref>
>         </interceptor-stack>
> </package>
> With the following action config, the "myInterceptor" interceptor's  paramA & 
> paramB are null (causing the interceptor logic to break) and not 
> "defaultValueA" and "defaultValueB" as expected/desired.
> <package name="packageB" extends="packageA"...>
>     <action name="myAction" class="myActionClass">
>         <interceptor-ref name="myStack">
>             <param name="myInterceptor.paramC">actionSpecificValue</param>
>         </interceptor-ref>
>     </action>
> </package>
> BTW...defining the action with all parameters overridden (see below) works:
> <action name="myAction" class="myActionClass">
>   <interceptor-ref name="myStack">
>      <!--  same value as defined in "myStack" declaration  -->
>      <param name="myInterceptor.paramA">defaultValueA</param>
>      <!--  same value as defined in "myStack" declaration  -->
>      <param name="myInterceptor.paramB">defaultValueB</param>
>      <param name="myInterceptor.paramC">actionSpecificValue</param>
>  </interceptor-ref>
> </action>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.