[ https://issues.apache.org/jira/browse/WW-5534?focusedWorklogId=960539&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-960539 ]
ASF GitHub Bot logged work on WW-5534:
--------------------------------------

Author: ASF GitHub Bot
Created on: 06/Mar/25 13:10
Start Date: 06/Mar/25 13:10
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #1243:
URL: https://github.com/apache/struts/pull/1243#discussion_r1983329534

##########
core/src/main/java/org/apache/struts2/interceptor/ModelDrivenInterceptor.java:
##########
@@ -79,20 +81,27 @@ public class ModelDrivenInterceptor extends AbstractInterceptor { protected boolean refreshModelBeforeResult = false; + private ThreadAllowlist threadAllowlist; public void setRefreshModelBeforeResult(boolean val) { this.refreshModelBeforeResult = val; } + @Inject + public void setThreadAllowlist(ThreadAllowlist threadAllowlist) { + this.threadAllowlist = threadAllowlist; + } + @Override public String intercept(ActionInvocation invocation) throws Exception { Object action = invocation.getAction(); - if (action instanceof ModelDriven modelDriven) { + if (action instanceof ModelDriven<?> modelDriven) { ValueStack stack = invocation.getStack(); Object model = modelDriven.getModel(); - if (model != null) { - stack.push(model); + if (model != null) { + stack.push(model); + threadAllowlist.allowClassHierarchy(model.getClass());

Review Comment:
We OGNL allowlist the model class immediately in the `ModelDrivenInterceptor` as we expect this class to be safe and accessible from templates

Issue Time Tracking
-------------------

Worklog Id: (was: 960539)
Time Spent: 3h 40m (was: 3.5h)

> Actions with Spring's @Transactional and ModelDriven
> ----------------------------------------------------
>
> Key: WW-5534
> URL: https://issues.apache.org/jira/browse/WW-5534
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors, Plugin - Spring
> Affects Versions: 7.0.0
> Reporter: Johannes Mayer
> Priority: Minor
> Fix For: 7.1.0
>
> Time Spent: 3h 40m
> Remaining Estimate: 0h
>
> Hi,
> When using the ModelDriven interface, the getModel method has to be annotated
> with {_}@StrutsParameter{_}.
> When Spring decides to wrap an Action object with SpringCGLIB (e.g. when
> annotating a method with {_}@Transactional){_}, one has to add the Package to
> the allowList, so execute can be called.
> No harm done, just add this to the
> {_}struts.xml{_}:
> {code:java}
> <constant name="struts.allowlist.packageNames" value="your.action.package"/>
> {code}
> The now emerging problem is, that
> _org.apache.struts2.interceptor.parameter.ParametersInterceptor_ is not able
> to map the request parameter to the model, because it is not able to find a
> suitable _getModel_ method. The reason for this is, that the interceptor is
> trying to find the annotation on the SpringCGLIB class, which does not work.
> As a workaround, I can tell the ParameterInterceptor to not need a
> _@StrutsParameter_ annotation, but imo that defeats the purpose of this
> annotation. I am also warned not to make this configuration. I therefore
> assume that this scenario is not desirable.
> {code:java}
> <constant name="struts.parameters.requireAnnotations" value="false" /> {code}
> Spring's AopUtils gives the option to get to the real class:
> _AopUtils.getTargetClass(springCGLIBObject);_
> I created a project to showcase this:
> [https://github.com/sf-JMA/struts7-model-driven/|https://github.com/sf-JMA/struts7-model-driven/tree/main/src/main]
> I added a test
> [https://github.com/sf-JMA/struts7-model-driven/blob/main/src/test/java/com/steadforce/aek/struts7modeldriven/SpringAopVersusModelDrivenTest.java]
> to show the AopUtils method.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
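
Review bot: At the `threadAllowlist.allowClassHierarchy(model.getClass())` line, the allowlist entry is derived from the runtime type of whatever `getModel()` returns, and the assumption that this type is safe to expose to OGNL is stated only in the review thread, not in the code. Suggest a short comment at the call and Javadoc on `setThreadAllowlist` recording that assumption, since the call opens the model's whole class hierarchy to expression access for any action that returns a broad type from `getModel()`. Because `getClass()` yields the runtime class, a proxied or subclassed model allowlists the hierarchy of that subclass; a test with such a model would pin down the intended behaviour. The visible lines also do not show where the thread-scoped entries are cleared; if that happens elsewhere, a pointer to it here would help. The `-`/`+` pair on `if (model != null) {` and `stack.push(model);` looks like a whitespace-only change and could be dropped from the diff.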
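
The lookup failure described in the quoted issue, reproduced with plain Java reflection as an added example (not code from Struts, Spring or the reporter's project). `MarkedParameter` is a hypothetical stand-in for `@StrutsParameter`, `OrderActionProxy` is a hand-written stand-in for the subclass CGLIB generates, and the superclass walk plays the role that `AopUtils.getTargetClass` plays for a real proxy; it keeps the opt-in annotation check in force instead of disabling `struts.parameters.requireAnnotations`.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class ProxyAnnotationLookup {

    // Hypothetical stand-in for @StrutsParameter, so no Struts jar is needed.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface MarkedParameter {}

    // Constructed sample action: the getter carries the opt-in annotation.
    static class OrderAction {
        @MarkedParameter
        public Object getModel() { return "model"; }
    }

    // Hand-written stand-in for a CGLIB-generated subclass: it overrides the
    // method to add interception and does not repeat the annotation.
    static class OrderActionProxy extends OrderAction {
        @Override
        public Object getModel() { return super.getModel(); }
    }

    // Lookup on the runtime class only: the override hides the annotated declaration.
    static boolean annotatedOnRuntimeClass(Object action, String getter) throws NoSuchMethodException {
        return action.getClass().getMethod(getter).isAnnotationPresent(MarkedParameter.class);
    }

    // Lookup that walks the superclass chain until a declaration carries the annotation.
    static boolean annotatedOnHierarchy(Object action, String getter) {
        for (Class<?> c = action.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                Method m = c.getDeclaredMethod(getter);
                if (m.isAnnotationPresent(MarkedParameter.class)) return true;
            } catch (NoSuchMethodException ignored) {
                // Not declared at this level; keep walking up.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Object plain = new OrderAction();
        Object proxied = new OrderActionProxy();
        System.out.println("plain,   runtime class: " + annotatedOnRuntimeClass(plain, "getModel"));
        System.out.println("proxied, runtime class: " + annotatedOnRuntimeClass(proxied, "getModel"));
        System.out.println("proxied, hierarchy:     " + annotatedOnHierarchy(proxied, "getModel"));
    }
}
```

Method annotations are not inherited by overriding methods, which is why the runtime-class lookup misses the annotation on the subclass while the hierarchy walk still finds it.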