[ https://issues.apache.org/jira/browse/WW-5534?focusedWorklogId=960221&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-960221 ]
ASF GitHub Bot logged work on WW-5534:
--------------------------------------

Author: ASF GitHub Bot
Created on: 05/Mar/25 11:59
Start Date: 05/Mar/25 11:59
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #1237:
URL: https://github.com/apache/struts/pull/1237#discussion_r1981270038

##########
core/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessTest.java:
##########
@@ -967,6 +969,22 @@ public void classInclusion_hibernateProxy_allowProxyObjectAccess() throws Except assertTrue(sma.checkAllowlist(proxyObject, proxyMethod)); } + /** + * When the allowlist is enabled and proxy object access is allowed, Spring proxies should be allowlisted based + * on their underlying target object. Class allowlisting should work as expected. + */ + @Test + public void classInclusion_springProxy_allowProxyObjectAccess() throws Exception { + SpringService proxyObject = newSpringService(); + Method proxyMethod = proxyObject.getClass().getMethod("doSomething"); + + sma.useEnforceAllowlistEnabled(Boolean.TRUE.toString()); + sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); + sma.useAllowlistClasses(SpringServiceImpl.class.getName()); + + assertTrue(sma.checkAllowlist(proxyObject, proxyMethod)); + } +

Review Comment:
There is a dedicated `SecurityMemberAccessProxyTest` and maybe it would be good to move proxy related test cases there as well.

Issue Time Tracking
-------------------

Worklog Id: (was: 960221)
Time Spent: 2h 50m (was: 2h 40m)

> Actions with Spring's @Transactional and ModelDriven
> ----------------------------------------------------
>
> Key: WW-5534
> URL: https://issues.apache.org/jira/browse/WW-5534
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors, Plugin - Spring
> Affects Versions: 7.0.0
> Reporter: Johannes Mayer
> Priority: Minor
> Fix For: 7.1.0
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> Hi,
> When using the ModelDriven interface, the getModel method has to be annotated
> with {_}@StrutsParameter{_}.
> When Spring decides to wrap an Action object with SpringCGLIB (e.g. when
> annotating a method with {_}@Transactional{_}), one has to add the Package to
> the allowList, so execute can be called. No harm done, just add this to the
> {_}struts.xml{_}:
> {code:java}
> <constant name="struts.allowlist.packageNames" value="your.action.package"/>
> {code}
> The now emerging problem is, that
> _org.apache.struts2.interceptor.parameter.ParametersInterceptor_ is not able
> to map the request parameter to the model, because it is not able to find a
> suitable _getModel_ method. The reason for this is, that the interceptor is
> trying to find the annotation on the SpringCGLIB class, which does not work.
> As a workaround, I can tell the ParameterInterceptor to not need a
> _@StrutsParameter_ annotation, but imo that defeats the purpose of this
> annotation. I am also warned not to make this configuration. I therefore
> assume that this scenario is not desirable.
> {code:java}
> <constant name="struts.parameters.requireAnnotations" value="false" /> {code}
> Spring's AopUtils gives the option to get to the real class:
> _AopUtils.getTargetClass(springCGLIBObject);_
> I created a project to showcase this:
> [https://github.com/sf-JMA/struts7-model-driven/|https://github.com/sf-JMA/struts7-model-driven/tree/main/src/main]
> I added a test
> [https://github.com/sf-JMA/struts7-model-driven/blob/main/src/test/java/com/steadforce/aek/struts7modeldriven/SpringAopVersusModelDrivenTest.java]
> to show the AopUtils method.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
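
Review bot: In `classInclusion_springProxy_allowProxyObjectAccess`, nothing asserts that `newSpringService()` (not shown in this hunk) actually returns a proxy, so the final `assertTrue(sma.checkAllowlist(proxyObject, proxyMethod))` would also pass if it handed back a plain `SpringServiceImpl`, which is exactly the class being allowlisted. Consider asserting up front that `proxyObject.getClass()` is not `SpringServiceImpl.class`, and adding a negative counterpart that allowlists a different class (or none) and expects `checkAllowlist` to return false, so the test shows the allowlist decision is tied to the underlying target class rather than passing for any proxy.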
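
The lookup failure described in the issue, as an added example that is not part of the original report or the Struts code base: a method annotation is not carried over to an overriding method in a subclass, so reading it from the proxy's runtime class finds nothing, while resolving the declaring class finds it. `Param`, `OrderAction` and `OrderActionProxy` are hypothetical stand-ins (for `@StrutsParameter`, an action, and a SpringCGLIB subclass), and the superclass walk is a plain-Java substitute for `AopUtils.getTargetClass`, not Spring's implementation.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class ProxyAnnotationLookup {

    // Hypothetical stand-in for @StrutsParameter: runtime-retained, method-level.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Param {}

    // Hypothetical action whose getModel() carries the annotation.
    static class OrderAction {
        @Param
        public Object getModel() { return "model"; }
    }

    // Hand-written stand-in for a SpringCGLIB subclass proxy (assumption): it
    // overrides the method and delegates; the override has no annotation.
    static class OrderActionProxy extends OrderAction {
        @Override
        public Object getModel() { return super.getModel(); }
    }

    // Inspects only the method as seen on the runtime (proxy) class.
    static boolean annotatedOnRuntimeClass(Object target, String name) throws NoSuchMethodException {
        return target.getClass().getMethod(name).isAnnotationPresent(Param.class);
    }

    // Walks up the superclasses until a declaration with the annotation is found.
    static boolean annotatedInHierarchy(Object target, String name) {
        for (Class<?> c = target.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                if (c.getDeclaredMethod(name).isAnnotationPresent(Param.class)) {
                    return true;
                }
            } catch (NoSuchMethodException ignored) {
                // Not declared at this level; keep walking.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Object proxy = new OrderActionProxy();
        System.out.println("runtime class only:   " + annotatedOnRuntimeClass(proxy, "getModel"));
        System.out.println("with superclass walk: " + annotatedInHierarchy(proxy, "getModel"));
    }
}
```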