Christoph Lenggenhager created WW-4257:
------------------------------------------

             Summary: ParametersInterceptor uses same method on ParameterNameAware interface to validate parameters and properties
                 Key: WW-4257
                 URL: https://issues.apache.org/jira/browse/WW-4257
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.3.16
            Reporter: Christoph Lenggenhager


With version 2.3.16, the {{ParametersInterceptor}} uses the same method to 
validate parameter names and property names.
As we use the {{ParameterNameAware}} interface to implement parameter 
whitelisting at the action level, this breaks our case.

It might not be how it is intended, but validating a property independently of 
the actual bean breaks our current implementation.

Possible fixes would be:
- alter {{ParameterNameAware}} to have an additional separate method to 
validate properties
- introduce a new {{PropertyNameAware}} interface
- introduce a new {{ParameterAndPropertyNameAware}} interface

One could also consider ignoring the {{ParameterNameAware}} interface when 
validating properties, as for a parameter {{foo.bar}}, the values {{foo.bar}}, 
{{foo}}, and {{bar}} are passed to the ParameterNameAware interface, which one 
could see as a bit redundant, especially given that a context is completely 
lacking in the case of property validation.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
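
The interaction described in the report, as an added example that is not part of the original message or of the Struts code base. It assumes a local stand-in for the {{ParameterNameAware}} interface, a hypothetical action {{EditUserAction}} with constructed parameter names, and a simplified model in which a parameter is applied only if every name passed to the callback is accepted.

```java
import java.util.*;

public class WhitelistDemo {
    // Stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware,
    // declared locally so the example compiles without Struts on the classpath.
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    // Hypothetical action: whitelists full parameter names at the action level.
    static class EditUserAction implements ParameterNameAware {
        private static final Set<String> ALLOWED =
                new HashSet<>(Arrays.asList("user.name", "user.email"));

        @Override
        public boolean acceptableParameterName(String parameterName) {
            return ALLOWED.contains(parameterName);
        }
    }

    // Model of what the report describes for 2.3.16: for foo.bar the callback
    // receives foo.bar, then foo and bar. Assumption, not Struts source code.
    static List<String> namesChecked(String parameter) {
        List<String> names = new ArrayList<>();
        names.add(parameter);
        if (parameter.contains(".")) {
            names.addAll(Arrays.asList(parameter.split("\\.")));
        }
        return names;
    }

    // Assumption: the parameter is applied only if every checked name passes.
    static boolean accepted(ParameterNameAware action, String parameter) {
        for (String name : namesChecked(parameter)) {
            if (!action.acceptableParameterName(name)) {
                return false; // a bare property name is not in the whitelist
            }
        }
        return true;
    }

    public static void main(String[] args) {
        ParameterNameAware action = new EditUserAction();
        for (String p : new String[] {"user.name", "user.role"}) {
            System.out.println(p + ": full-name check=" + action.acceptableParameterName(p)
                    + ", with property checks=" + accepted(action, p));
        }
    }
}
```

A whitelist that wants to keep working under this model has to accept the property segments as well, which widens it beyond the full names it was written to allow; that is the loss of context the report points out.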