[jira] [Commented] (WW-4874) Asynchronous action method
[
https://issues.apache.org/jira/browse/WW-4874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16224391#comment-16224391
]
zhouyanming commented on WW-4874:
-
[~yasser.zamani], You can modify DefaultActionInvocation directly and no need
to extend StrutsActionProxyFactory, My solution is to extend struts2 core not
to modify it.
> Asynchronous action method
> --
>
> Key: WW-4874
> URL: https://issues.apache.org/jira/browse/WW-4874
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Actions, Dispatch Filter
>Reporter: Yasser Zamani
> Labels: action, asynchronous
> Fix For: 2.5.14
>
> Original Estimate: 1,344h
> Remaining Estimate: 1,344h
>
> User will be able to return {{java.util.concurrent.Callable}} in
> their actions. Struts when sees such result, runs {{resultCode =
> result.call();}} in it's own managed thread pool but exits from servlet's
> main thread with a null result, i.e. gives back main thread to container and
> leaves response open for concurrent processing. When {{resultCode =
> result.call();}} returned, Struts calls
> {{javax.servlet.AsyncContext.dispatch()}} and {{resumes request processing}}
> within a container's thread servlet to generate the appropriate result for
> user according to {{resultCode}}.
> This adds better support for SLS (Short request processing, Long action
> execution, Short response processing) via Servlet 3's Async API.
> Support of other cases like SSL (e.g. a download server) or LLL(e.g. a video
> converter server) is still open.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (WW-4874) Asynchronous action method
[
https://issues.apache.org/jira/browse/WW-4874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16224273#comment-16224273
]
zhouyanming commented on WW-4874:
-
Share my implementation
{code:java}
import java.util.Map;
import org.apache.struts2.impl.StrutsActionProxyFactory;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionProxy;
public class CallableActionProxyFactory extends StrutsActionProxyFactory {
@Override
public ActionProxy createActionProxy(String namespace, String
actionName, String methodName,
Map extraContext, boolean
executeResult, boolean cleanupContext) {
ActionInvocation inv = new
CallableActionInvocation(extraContext, true);
container.inject(inv);
return createActionProxy(inv, namespace, actionName,
methodName, executeResult, cleanupContext);
}
}
{code}
{code:java}
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.ForkJoinPool;
import javax.servlet.AsyncContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.support.WebApplicationContextUtils;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.DefaultActionInvocation;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.entities.ActionConfig;
import com.opensymphony.xwork2.config.entities.ResultConfig;
public class CallableActionInvocation extends DefaultActionInvocation {
private static final long serialVersionUID = -4310552665942898360L;
private static Logger logger =
LoggerFactory.getLogger(CallableActionInvocation.class);
private static ExecutorService executorService;
protected Callable callableResult;
public CallableActionInvocation(Map extraContext,
boolean pushAction) {
super(extraContext, pushAction);
}
@Override
public Result createResult() throws Exception {
if (callableResult != null) {
Callable callable = callableResult;
ActionContext context = ActionContext.getContext();
SecurityContext sc = SecurityContextHolder.getContext();
HttpServletRequest request =
ServletActionContext.getRequest();
HttpServletResponse response =
ServletActionContext.getResponse();
if (executorService == null) {
try {
executorService =
WebApplicationContextUtils.getWebApplicationContext(request.getServletContext())
.getBean("executorService", ExecutorService.class);
} catch (NoSuchBeanDefinitionException e) {
logger.warn("No bean[executorService]
defined, use ForkJoinPool.commonPool() as fallback");
executorService =
ForkJoinPool.commonPool();
}
}
AsyncContext asyncContext = request.startAsync();
@SuppressWarnings("serial")
Result result = new Result() {
@Override
public void execute(ActionInvocation
actionInvocation) throws Exception {
executorService.submit(() -> {
try {
SecurityContextHolder.setContext(sc);
ServletActionContext.setContext(context);
String result =
callable.call();
ActionConfig config =
proxy.getConfig();
Map results = config.getResults();
ResultConfig
resultConfig = results.get(result);
if (resultConfig ==
null) {
[jira] [Commented] (WW-4827) Not fully initialized ObjectFactory tries to create beans
[
https://issues.apache.org/jira/browse/WW-4827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16104730#comment-16104730
]
zhouyanming commented on WW-4827:
-
[~aleksandr-m] You can add a default constructor to keep backward-compatible
> Not fully initialized ObjectFactory tries to create beans
> -
>
> Key: WW-4827
> URL: https://issues.apache.org/jira/browse/WW-4827
> Project: Struts 2
> Issue Type: Bug
>Affects Versions: 2.5.12
>Reporter: Aleksandr Mashchenko
>Priority: Critical
> Fix For: 2.5.13
>
>
> This leads to issues when properties aren't injected in some cases, for
> example in custom type converters.
> The problem happens when {{ObjectFactory}} tries to create a bean in the same
> time not being fully initialized itself (e.g. {{ConverterFactory}} injected
> before {{Container}}).
> The issue happens more often under linux (all the time basically) than under
> windows, so it cannot be reproduced 100%. This behavior boils down to the
> fact that {{clazz.getDeclaredMethods()}} is used to get methods which needs
> to be injected and {{clazz.getDeclaredMethods()}} returned elements are -
> _The elements in the array returned are not sorted and are not in any
> particular order._
> Proposed solution moves Container injection from method to constructor in
> ObjectFactory -
> https://github.com/aleksandr-m/struts/commit/6f91d0776a545c911ca4f2875ed9976614711ef9.
> The downside is it isn't backward-compatible, custom object factories must be
> updated.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (WW-4817) Threads get blocked due to unnecessary synchronization in OgnlRuntime
[
https://issues.apache.org/jira/browse/WW-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16091265#comment-16091265
]
zhouyanming commented on WW-4817:
-
I think it's safe to add a short circuit.
{code:java}
if (Modifier.isPublic(method.getModifiers()))
{
return method.invoke(target, argsArray);
}
{code}
> Threads get blocked due to unnecessary synchronization in OgnlRuntime
> -
>
> Key: WW-4817
> URL: https://issues.apache.org/jira/browse/WW-4817
> Project: Struts 2
> Issue Type: Bug
> Components: Core
>Affects Versions: 2.3.32, 2.5.12
>Reporter: Santhana Preethi J
> Fix For: 2.3.x, 2.5.13
>
> Attachments: ThreadBlock.war, threadDump.txt
>
>
> In multi-threaded scenario, due to unnecessary synchronization in
> invokeMethod method in OgnlRuntime class all threads except the first go to
> BLOCKED state.
> {code:java}
> public static Object invokeMethod(Object target, Method method, Object[]
> argsArray)
> throws InvocationTargetException, IllegalAccessException
> {
> ...
> synchronized (method) {
> if ((_methodAccessCache.get(method) == null) ||
> (_methodAccessCache.get(method) == Boolean.TRUE))
> {
> syncInvoke = true;
> }
> ...
> }
> {code}
> Because *syncInvoke* becomes true for the first thread irrespective of
> whether the method is public or not, all other threads go to block state till
> the first thread leaves the method invocation synchronization block.
> Attached threadDump of the blocked threads waiting to lock the monitor
> 0x0006c690e5b8 even though the method invoked by the action is public.
> {code:java}
> "_###_Thread-1499929571461_###_http-nio-8443-exec-20" #374 daemon prio=5
> os_prio=0 tid=0x7f830513a000 nid=0x49c1 waiting for monitor entry
> [0x7f7e9c7c2000]
>java.lang.Thread.State: BLOCKED (on object monitor)
> at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:826)
> - waiting to lock <0x0006c690e5b8> (a java.lang.reflect.Method)
> at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1294)
> at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
> at
> com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:117)
> at
> com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:108)
> at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1370)
> at ognl.ASTMethod.getValueBody(ASTMethod.java:91)
> at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
> at ognl.SimpleNode.getValue(SimpleNode.java:258)
> at ognl.Ognl.getValue(Ognl.java:467)
> at ognl.Ognl.getValue(Ognl.java:431)
> at com.opensymphony.xwork2.ognl.OgnlUtil$3.execute(OgnlUtil.java:352)
> at
> com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecuteMethod(OgnlUtil.java:404)
> at com.opensymphony.xwork2.ognl.OgnlUtil.callMethod(OgnlUtil.java:350)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:430)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:290)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
> at
> com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:168)
> .
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> ..
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1533)
> at
>
[jira] [Commented] (WW-4817) Threads get blocked due to unnecessary synchronization in OgnlRuntime
[
https://issues.apache.org/jira/browse/WW-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16088526#comment-16088526
]
zhouyanming commented on WW-4817:
-
Is synchronization check necessary here? If necessary is it for all methods
even public?
> Threads get blocked due to unnecessary synchronization in OgnlRuntime
> -
>
> Key: WW-4817
> URL: https://issues.apache.org/jira/browse/WW-4817
> Project: Struts 2
> Issue Type: Bug
> Components: Core
>Affects Versions: 2.3.32, 2.5.12
>Reporter: Santhana Preethi J
> Fix For: 2.3.x, 2.5.x
>
> Attachments: ThreadBlock.war, threadDump.txt
>
>
> In multi-threaded scenario, due to unnecessary synchronization in
> invokeMethod method in OgnlRuntime class all threads except the first go to
> BLOCKED state.
> {code:java}
> public static Object invokeMethod(Object target, Method method, Object[]
> argsArray)
> throws InvocationTargetException, IllegalAccessException
> {
> ...
> synchronized (method) {
> if ((_methodAccessCache.get(method) == null) ||
> (_methodAccessCache.get(method) == Boolean.TRUE))
> {
> syncInvoke = true;
> }
> ...
> }
> {code}
> Because *syncInvoke* becomes true for the first thread irrespective of
> whether the method is public or not, all other threads go to block state till
> the first thread leaves the method invocation synchronization block.
> Attached threadDump of the blocked threads waiting to lock the monitor
> 0x0006c690e5b8 even though the method invoked by the action is public.
> {code:java}
> "_###_Thread-1499929571461_###_http-nio-8443-exec-20" #374 daemon prio=5
> os_prio=0 tid=0x7f830513a000 nid=0x49c1 waiting for monitor entry
> [0x7f7e9c7c2000]
>java.lang.Thread.State: BLOCKED (on object monitor)
> at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:826)
> - waiting to lock <0x0006c690e5b8> (a java.lang.reflect.Method)
> at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1294)
> at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
> at
> com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:117)
> at
> com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:108)
> at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1370)
> at ognl.ASTMethod.getValueBody(ASTMethod.java:91)
> at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
> at ognl.SimpleNode.getValue(SimpleNode.java:258)
> at ognl.Ognl.getValue(Ognl.java:467)
> at ognl.Ognl.getValue(Ognl.java:431)
> at com.opensymphony.xwork2.ognl.OgnlUtil$3.execute(OgnlUtil.java:352)
> at
> com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecuteMethod(OgnlUtil.java:404)
> at com.opensymphony.xwork2.ognl.OgnlUtil.callMethod(OgnlUtil.java:350)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:430)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:290)
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
> at
> com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:168)
> .
> at
> com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> ..
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1533)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1489)
> - locked <0x0006c5249d98> (a org.apache.tomcat.util.net.NioChannel)
> at
>
[jira] [Commented] (WW-4765) Remove all TextParseUtil.translateVariables(message, valueStack) from LocalizedTextUtil
[ https://issues.apache.org/jira/browse/WW-4765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15935608#comment-15935608 ] zhouyanming commented on WW-4765: - https://cwiki.apache.org/confluence/display/WW/S2-045 https://cwiki.apache.org/confluence/display/WW/S2-046 User construct malicious http request which include ognl expression. > Remove all TextParseUtil.translateVariables(message, valueStack) from > LocalizedTextUtil > --- > > Key: WW-4765 > URL: https://issues.apache.org/jira/browse/WW-4765 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: zhouyanming >Priority: Critical > > Some messages are origin from client which could be malicious, We must close > this door. recent S2-045 S2-046 was sufferer. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Created] (WW-4765) Remove all TextParseUtil.translateVariables(message, valueStack) from LocalizedTextUtil
zhouyanming created WW-4765: --- Summary: Remove all TextParseUtil.translateVariables(message, valueStack) from LocalizedTextUtil Key: WW-4765 URL: https://issues.apache.org/jira/browse/WW-4765 Project: Struts 2 Issue Type: Improvement Components: Core Reporter: zhouyanming Priority: Critical Some messages are origin from client which could be malicious, We must close this door. recent S2-045 S2-046 was sufferer. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (WW-4744) AnnotationWorkflowInterceptor should supports non-public annotated methods
[
https://issues.apache.org/jira/browse/WW-4744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15867016#comment-15867016
]
zhouyanming commented on WW-4744:
-
Make it non-public to prevent it called by others but only called by
interceptor, Most of spring annotation supports non-public methods such as
lifecycle annotations like @PostConstruct @PreDestroy. Cache is not required,
but I have tested it can improve performance, because search annotation on
every method and every class hierarchy is a little heavy.
> AnnotationWorkflowInterceptor should supports non-public annotated methods
> --
>
> Key: WW-4744
> URL: https://issues.apache.org/jira/browse/WW-4744
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Reporter: zhouyanming
>
> {code:java}
> @Before
> protected String prepare(){
> //TODO
> return null;
> }
> {code}
> [https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/interceptor/annotations/AnnotationWorkflowInterceptor.java#L115]
> {code:java}
> List methods = new
> ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
> Before.class));
> {code}
> [https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/util/AnnotationUtils.java#L123]
> {code:java}
> for (Method m : clazz.getMethods())
> {code}
> clazz.getMethods() only return public methods, so method "prepare" will be
> excluded, and protected modifier is a good practice for intercept method.We
> should improve AnnotationUtils.getAnnotatedMethods() to return all methods.
> Perhaps use an ConcurrentHashMap as cache is much better.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Updated] (WW-4744) AnnotationWorkflowInterceptor should supports non-public annotated methods
[
https://issues.apache.org/jira/browse/WW-4744?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhouyanming updated WW-4744:
Description:
{code:java}
@Before
protected String prepare(){
//TODO
return null;
}
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/interceptor/annotations/AnnotationWorkflowInterceptor.java#L115]
{code:java}
List methods = new
ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
Before.class));
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/util/AnnotationUtils.java#L123]
{code:java}
for (Method m : clazz.getMethods())
{code}
clazz.getMethods() only return public methods, so method "prepare" will be
excluded, and protected modifier is a good practice for intercept method.We
should improve AnnotationUtils.getAnnotatedMethods() to return all methods.
Perhaps use an ConcurrentHashMap as cache is much better.
was:
{code:java}
@Before
protected String prepare(){
//TODO
return null;
}
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/interceptor/annotations/AnnotationWorkflowInterceptor.java#L115]
{code:java}
List methods = new
ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
Before.class));
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/util/AnnotationUtils.java#L123]
{code:java}
for (Method m : clazz.getMethods())
{code}
clazz.getMethods() only return public methods, so method "prepare" will be
excluded, and protected modifier is a good practice for intercept method.We
should improve AnnotationUtils.getAnnotatedMethods() to return all methods.
> AnnotationWorkflowInterceptor should supports non-public annotated methods
> --
>
> Key: WW-4744
> URL: https://issues.apache.org/jira/browse/WW-4744
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Reporter: zhouyanming
>
> {code:java}
> @Before
> protected String prepare(){
> //TODO
> return null;
> }
> {code}
> [https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/interceptor/annotations/AnnotationWorkflowInterceptor.java#L115]
> {code:java}
> List methods = new
> ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
> Before.class));
> {code}
> [https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/util/AnnotationUtils.java#L123]
> {code:java}
> for (Method m : clazz.getMethods())
> {code}
> clazz.getMethods() only return public methods, so method "prepare" will be
> excluded, and protected modifier is a good practice for intercept method.We
> should improve AnnotationUtils.getAnnotatedMethods() to return all methods.
> Perhaps use an ConcurrentHashMap as cache is much better.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (WW-4694) AnnotationWorkflowInterceptor doesn't work with spring proxied action
[
https://issues.apache.org/jira/browse/WW-4694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15864818#comment-15864818
]
zhouyanming edited comment on WW-4694 at 2/14/17 1:18 AM:
--
I have created a related issue https://issues.apache.org/jira/browse/WW-4744
was (Author: quaff):
I have create a related issue https://issues.apache.org/jira/browse/WW-4744
> AnnotationWorkflowInterceptor doesn't work with spring proxied action
> -
>
> Key: WW-4694
> URL: https://issues.apache.org/jira/browse/WW-4694
> Project: Struts 2
> Issue Type: Bug
> Components: Core
>Reporter: zhouyanming
> Fix For: 2.5.next
>
>
> {code:java}
> public String intercept(ActionInvocation invocation) throws Exception {
> final Object action = invocation.getAction();
> invocation.addPreResultListener(this);
> List methods = new
> ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
> Before.class));
> {code}
> if action is annotated with @Transactional ,
> AnnotationUtils.getAnnotatedMethods() will always return empty collection.
> here is my quick fix
> {code:java}
> public static Collection getAnnotatedMethods(Class clazz,
> Class... annotation){
> if( SpringProxy.class.isAssignableFrom(clazz) )
> clazz = clazz.getSuperclass();
> {code}
> but it will add spring dependence, I hope there is an elegant way.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Created] (WW-4744) AnnotationWorkflowInterceptor should supports non-public annotated methods
zhouyanming created WW-4744:
---
Summary: AnnotationWorkflowInterceptor should supports non-public
annotated methods
Key: WW-4744
URL: https://issues.apache.org/jira/browse/WW-4744
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
{code:java}
@Before
protected String prepare(){
//TODO
return null;
}
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/interceptor/annotations/AnnotationWorkflowInterceptor.java#L115]
{code:java}
List methods = new
ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
Before.class));
{code}
[https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/util/AnnotationUtils.java#L123]
{code:java}
for (Method m : clazz.getMethods())
{code}
clazz.getMethods() only return public methods, so method "prepare" will be
excluded, and protected modifier is a good practice for intercept method.We
should improve AnnotationUtils.getAnnotatedMethods() to return all methods.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (WW-4694) AnnotationWorkflowInterceptor doesn't works with spring proxied action
[
https://issues.apache.org/jira/browse/WW-4694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15556885#comment-15556885
]
zhouyanming commented on WW-4694:
-
I know @Transactional is not recommanded, It's just an example, AOP Proxy by
spring is the point.
> AnnotationWorkflowInterceptor doesn't works with spring proxied action
> --
>
> Key: WW-4694
> URL: https://issues.apache.org/jira/browse/WW-4694
> Project: Struts 2
> Issue Type: Bug
> Components: Core
>Reporter: zhouyanming
> Fix For: 2.5.x
>
>
> {code:java}
> public String intercept(ActionInvocation invocation) throws Exception {
> final Object action = invocation.getAction();
> invocation.addPreResultListener(this);
> List methods = new
> ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
> Before.class));
> {code}
> if action is annotated with @Transactional ,
> AnnotationUtils.getAnnotatedMethods() will always return empty collection.
> here is my quick fix
> {code:java}
> public static Collection getAnnotatedMethods(Class clazz,
> Class... annotation){
> if( SpringProxy.class.isAssignableFrom(clazz) )
> clazz = clazz.getSuperclass();
> {code}
> but it will add spring dependence, I hope there is an elegant way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4694) AnnotationWorkflowInterceptor doesn't works with spring proxied action
[
https://issues.apache.org/jira/browse/WW-4694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15534932#comment-15534932
]
zhouyanming commented on WW-4694:
-
I'm open an issue for spring https://jira.spring.io/browse/SPR-14770
> AnnotationWorkflowInterceptor doesn't works with spring proxied action
> --
>
> Key: WW-4694
> URL: https://issues.apache.org/jira/browse/WW-4694
> Project: Struts 2
> Issue Type: Bug
> Components: Core
>Reporter: zhouyanming
>
> {code:java}
> public String intercept(ActionInvocation invocation) throws Exception {
> final Object action = invocation.getAction();
> invocation.addPreResultListener(this);
> List methods = new
> ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
> Before.class));
> {code}
> if action is annotated with @Transactional ,
> AnnotationUtils.getAnnotatedMethods() will always return empty collection.
> here is my quick fix
> {code:java}
> public static Collection getAnnotatedMethods(Class clazz,
> Class... annotation){
> if( SpringProxy.class.isAssignableFrom(clazz) )
> clazz = clazz.getSuperclass();
> {code}
> but it will add spring dependence, I hope there is an elegant way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (WW-4694) AnnotationWorkflowInterceptor doesn't works with spring proxied action
zhouyanming created WW-4694:
---
Summary: AnnotationWorkflowInterceptor doesn't works with spring
proxied action
Key: WW-4694
URL: https://issues.apache.org/jira/browse/WW-4694
Project: Struts 2
Issue Type: Bug
Components: Core
Reporter: zhouyanming
{code:java}
public String intercept(ActionInvocation invocation) throws Exception {
final Object action = invocation.getAction();
invocation.addPreResultListener(this);
List methods = new
ArrayList<>(AnnotationUtils.getAnnotatedMethods(action.getClass(),
Before.class));
{code}
if action is annotated with @Transactional ,
AnnotationUtils.getAnnotatedMethods() will always return empty collection.
here is my quick fix
{code:java}
public static Collection getAnnotatedMethods(Class clazz,
Class... annotation){
if( SpringProxy.class.isAssignableFrom(clazz) )
clazz = clazz.getSuperclass();
{code}
but it will add spring dependence, I hope there is an elegant way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4620) ParametersInterceptor should check collection index to against DOS
[
https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15352268#comment-15352268
]
zhouyanming edited comment on WW-4620 at 6/28/16 3:26 AM:
--
{code:java}
public class TestAction extends ActionSupport{
private List list;
public List getList() {
return list;
}
public void setList(List list) {
this.list = list;
}
public String execute() {
System.out.println(list);
return SUCCESS;
}
}
{code}
DOS attack http://localhost:8080/test?list[10]=test
{code:java}
java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:3181) ~[?:1.8.0_92]
at java.util.ArrayList.grow(ArrayList.java:261) ~[?:1.8.0_92]
at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
~[?:1.8.0_92]
at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
~[?:1.8.0_92]
at java.util.ArrayList.add(ArrayList.java:458) ~[?:1.8.0_92]
at
com.opensymphony.xwork2.ognl.accessor.XWorkListPropertyAccessor.setProperty(XWorkListPropertyAccessor.java:168)
~[xwork-core-2.4.16.jar:?]
at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2432)
~[ognl-3.0.13.jar:?]
at ognl.ASTProperty.setValueBody(ASTProperty.java:127)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.Ognl.setValue(Ognl.java:737) ~[ognl-3.0.13.jar:?]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:252)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:1)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:305)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:247)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:334)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:254)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
~[struts2-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.ironrhino.core.struts.ExceptionInterceptor.intercept(ExceptionInterceptor.java:34)
~[classes/:?]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
{code}
It created by ognl directly, neither CollectionConverter or ArrayConverter can
handle the this situation. the best way is improve XWorkListPropertyAccessor
line 165 add checking for variable "count".
was (Author: quaff):
{code:java}
public class TestAction extends ActionSupport{
private List list;
public List getList() {
return list;
}
public void setList(List list) {
this.list = list;
}
public String execute() {
System.out.println(list);
return SUCCESS;
}
}
{code}
DOS attack http://localhost:8080/test?list[10]=test
{code:java}
java.lang.OutOfMemoryError: Java
[jira] [Commented] (WW-4620) ParametersInterceptor should check collection index to against DOS
[
https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15352268#comment-15352268
]
zhouyanming commented on WW-4620:
-
{code:java}
public class TestAction extends ActionSupport{
private List list;
public List getList() {
return list;
}
public void setList(List list) {
this.list = list;
}
public String execute() {
System.out.println(list);
return SUCCESS;
}
}
{code}
DOS attack http://localhost:8080/test?list[10]=test
{code:java}
java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:3181) ~[?:1.8.0_92]
at java.util.ArrayList.grow(ArrayList.java:261) ~[?:1.8.0_92]
at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
~[?:1.8.0_92]
at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
~[?:1.8.0_92]
at java.util.ArrayList.add(ArrayList.java:458) ~[?:1.8.0_92]
at
com.opensymphony.xwork2.ognl.accessor.XWorkListPropertyAccessor.setProperty(XWorkListPropertyAccessor.java:168)
~[xwork-core-2.4.16.jar:?]
at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2432)
~[ognl-3.0.13.jar:?]
at ognl.ASTProperty.setValueBody(ASTProperty.java:127)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.Ognl.setValue(Ognl.java:737) ~[ognl-3.0.13.jar:?]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:252)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:1)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:305)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:247)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:334)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:254)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
~[struts2-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.ironrhino.core.struts.ExceptionInterceptor.intercept(ExceptionInterceptor.java:34)
~[classes/:?]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
{code}
It created by ognl directly, neither CollectionConverter or ArrayConverter can
handle the this situation. the best way is dive into ongl.
> ParametersInterceptor should check collection index to against DOS
> --
>
> Key: WW-4620
> URL: https://issues.apache.org/jira/browse/WW-4620
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Reporter: zhouyanming
>Priority: Critical
> Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import
[jira] [Commented] (WW-4620) ParametersInterceptor should check collection index to against DOS
[
https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15350343#comment-15350343
]
zhouyanming commented on WW-4620:
-
[~victorsosa] Your pull request make no sense, DOS attack just pass one
parameter like test[1000]=xxx if test is List, it will create a List with
size 1000 and the last element is "xxx", It will exhaust memory. You should
check collection size before create not after.
> ParametersInterceptor should check collection index to against DOS
> --
>
> Key: WW-4620
> URL: https://issues.apache.org/jira/browse/WW-4620
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Reporter: zhouyanming
>Priority: Critical
> Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import org.apache.commons.lang3.StringUtils;
> import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
> import com.opensymphony.xwork2.util.logging.Logger;
> import com.opensymphony.xwork2.util.logging.LoggerFactory;
> public class ParamsInterceptor extends ParametersInterceptor {
> private static final Logger LOG =
> LoggerFactory.getLogger(ParametersInterceptor.class);
> protected int autoGrowCollectionLimit = 255;
> public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
> this.autoGrowCollectionLimit = autoGrowCollectionLimit;
> }
> @Override
> protected boolean acceptableName(String name) {
> boolean b = super.acceptableName(name);
> if (b) {
> int start = name.indexOf('[');
> while (start > 0) {
> int end = name.indexOf(']', start);
> if (end < 0)
> break;
> String s = name.substring(start + 1, end);
> if (StringUtils.isNumeric(s)) {
> int index = Integer.valueOf(s);
> if (index > autoGrowCollectionLimit) {
> LOG.warn("Parameter \"#0\"
> exceed max index: [#1]", name, autoGrowCollectionLimit);
> return false;
> }
> }
> start = name.indexOf('[', end);
> }
> }
> return b;
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (WW-4620) ParametersInterceptor should check collection index to against DOS
zhouyanming created WW-4620:
---
Summary: ParametersInterceptor should check collection index to
against DOS
Key: WW-4620
URL: https://issues.apache.org/jira/browse/WW-4620
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Priority: Critical
https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
This is my workaround:
{code:java}
import org.apache.commons.lang3.StringUtils;
import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
import com.opensymphony.xwork2.util.logging.Logger;
import com.opensymphony.xwork2.util.logging.LoggerFactory;
public class ParamsInterceptor extends ParametersInterceptor {
private static final Logger LOG =
LoggerFactory.getLogger(ParametersInterceptor.class);
protected int autoGrowCollectionLimit = 255;
public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
this.autoGrowCollectionLimit = autoGrowCollectionLimit;
}
@Override
protected boolean acceptableName(String name) {
boolean b = super.acceptableName(name);
if (b) {
int start = name.indexOf('[');
while (start > 0) {
int end = name.indexOf(']', start);
if (end < 0)
break;
String s = name.substring(start + 1, end);
if (StringUtils.isNumeric(s)) {
int index = Integer.valueOf(s);
if (index > autoGrowCollectionLimit) {
LOG.warn("Parameter \"#0\"
exceed max index: [#1]", name, autoGrowCollectionLimit);
return false;
}
}
start = name.indexOf('[', end);
}
}
return b;
}
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4587) LocalizedTextUtil not caching negative ResourceBundle.getBundle results
[ https://issues.apache.org/jira/browse/WW-4587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15097425#comment-15097425 ] zhouyanming commented on WW-4587: - I confirm it. > LocalizedTextUtil not caching negative ResourceBundle.getBundle results > --- > > Key: WW-4587 > URL: https://issues.apache.org/jira/browse/WW-4587 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.24 >Reporter: Lauri Lehtinen > Fix For: 2.3.25 > > Attachments: struts2_issue.jstack1, struts2_issue.jstack2 > > > I have a few websites running under a single Tomcat packaged as separate war > files. Recently, I have started to run into issues with thread starvation, > which seems to stem from Struts 2. Specifically, calls to > ResourceBundle.getBundle via LocalizedTextUtil.findResourceBundle end up > contending on the lock for WebAppClassLoader. > When testing things locally, it looks like the findResourceBundle is called > numerous times for each tag, with various bundle names being tried, > many resulting in a MissingResourceException which does not get cached. > I will attach a couple of thread dumps that exemplify the situation. > If you suspect this is caused by something I am doing wrong on my end, please > do let me know! -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[ https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15057649#comment-15057649 ] zhouyanming commented on WW-4575: - All my tests are base on freemarker-2.3.23. > Fix performance regression > -- > > Key: WW-4575 > URL: https://issues.apache.org/jira/browse/WW-4575 > Project: Struts 2 > Issue Type: Task >Affects Versions: 2.3.20, 2.3.24 >Reporter: zhouyanming > Fix For: 2.3.25 > > > I have an application run with struts2, recently I found my application > performance downgraded if struts2 upgraded. a special use case: > ab -n 3000 -c 150 http://localhost/login > ||requests/second||struts2 version|| > |684|2.3.16| > |515|2.3.18| > |312|2.3.24| > It's appreciatory if someon test with official example. > I think struts2 should focus on performance improvement, make struts2 more > configurable to deal with performance and security trade-off. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[ https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15048293#comment-15048293 ] zhouyanming commented on WW-4575: - Yes, here is improvements: 1. fix LocalizedTextUtil.findResourceBundle() missing from cache, the promotion is remarkable. by the way, MessageFormat is not thread safe, so cache it with ConcurrentMap may cause exception. 2. rewrite SecurityMemberAccess.isPackageExcluded() using string comparison replace regex. 3. refine FreemarkerManager.buildScopesHashModel() remove synchronization on servletContext and cache HttpSessionHashModel into request, this improvement can apply to 2.3.16 too. > Fix performance regression > -- > > Key: WW-4575 > URL: https://issues.apache.org/jira/browse/WW-4575 > Project: Struts 2 > Issue Type: Task >Affects Versions: 2.3.20, 2.3.24 >Reporter: zhouyanming > Fix For: 2.3.25 > > > I have an application run with struts2, recently I found my application > performance downgraded if struts2 upgraded. a special use case: > ab -n 3000 -c 150 http://localhost/login > ||requests/second||struts2 version|| > |684|2.3.16| > |515|2.3.18| > |312|2.3.24| > It's appreciatory if someon test with official example. > I think struts2 should focus on performance improvement, make struts2 more > configurable to deal with performance and security trade-off. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15047941#comment-15047941
]
zhouyanming commented on WW-4575:
-
I have tested a real application many times, here is the result:
{code}
requestPerSecondOf("2.3.24.1") ~= (improvementsApplied ? 2/3 :
2/5)*requestPerSecondOf("2.3.16.3")
{code}
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044287#comment-15044287
]
zhouyanming commented on WW-4575:
-
org.apache.struts2.views.freemarker.FreemarkerManager.java
{code:java}
protected ScopesHashModel buildScopesHashModel(ServletContext servletContext,
HttpServletRequest request, HttpServletResponse response, ObjectWrapper
wrapper, ValueStack stack) {
ScopesHashModel model = new ScopesHashModel(wrapper, servletContext,
request, stack);
// Create hash model wrapper for servlet context (the application). We
need one thread, once per servlet context
synchronized (servletContext) {
ServletContextHashModel servletContextModel =
(ServletContextHashModel) servletContext.getAttribute(ATTR_APPLICATION_MODEL);
if (servletContextModel == null) {
// first try a JSP support servlet. If it fails, default to
the servlet.
GenericServlet servlet = JspSupportServlet.jspSupportServlet;
if (servlet != null) {
servletContextModel = new ServletContextHashModel(servlet,
wrapper);
servletContext.setAttribute(ATTR_APPLICATION_MODEL,
servletContextModel);
} else {
servletContextModel = new
ServletContextHashModel(servletContext, wrapper);
servletContext.setAttribute(ATTR_APPLICATION_MODEL,
servletContextModel);
}
TaglibFactory taglibs = new TaglibFactory(servletContext);
servletContext.setAttribute(ATTR_JSP_TAGLIBS_MODEL, taglibs);
}
model.put(KEY_APPLICATION, servletContextModel);
model.putUnlistedModel(KEY_APPLICATION_PRIVATE,
servletContextModel);
}
...
}
{code}
synchronized on servletContext is very bad idea, we don't need singleton here,
creating duplicate servletContextModel is totally acceptable.
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044239#comment-15044239
]
zhouyanming edited comment on WW-4575 at 12/7/15 2:55 AM:
--
SecurityMemberAccess.isPackageExcluded() is called heavily, replace regex with
String.startsWith() will save lots of CPU time.
{code:java}
protected boolean isPackageExcluded(Package targetPackage, Package
memberPackage) {
if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage ==
null)) {
LOG.warn("The use of the default (unnamed) package is
discouraged!");
}
final String targetPackageName = targetPackage == null ? "" :
targetPackage.getName();
final String memberPackageName = memberPackage == null ? "" :
memberPackage.getName();
return isPackageExcluded(targetPackageName) ||
isPackageExcluded(memberPackageName);
}
protected static boolean isPackageExcluded(String packageName) {
return packageName.equals("java.lang") ||
packageName.startsWith("java.lang.") || packageName.equals("ognl")
|| packageName.startsWith("ognl.") ||
packageName.startsWith("javax.")
&&
!(packageName.equals("javax.servlet") ||
packageName.startsWith("javax.servlet."));
}
{code}
was (Author: quaff):
SecurityMemberAccess.isPackageExcluded() is called heavily, replace regex with
String.startsWith() will save lots of CPU time.
{code:java}
protected boolean isPackageExcluded(Package targetPackage, Package
memberPackage) {
if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage ==
null)) {
LOG.warn("The use of the default (unnamed) package is
discouraged!");
}
final String targetPackageName = targetPackage == null ? "" :
targetPackage.getName();
final String memberPackageName = memberPackage == null ? "" :
memberPackage.getName();
return isPackageExcluded(targetPackageName) ||
isPackageExcluded(memberPackageName);
}
protected boolean isPackageExcluded(String packageName) {
return packageName.startsWith("java.lang.") ||
packageName.startsWith("ognl.")
|| packageName.startsWith("javax.") &&
!packageName.startsWith("javax.servlet.");
}
{code}
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044211#comment-15044211
]
zhouyanming commented on WW-4575:
-
{code:java}
bundle = ResourceBundle.getBundle(aBundleName, locale, classLoader);
{code}
will always called if aBundleName not exists, It will waste lost of CPU time.
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044211#comment-15044211
]
zhouyanming edited comment on WW-4575 at 12/7/15 1:25 AM:
--
{code:java}
bundle = ResourceBundle.getBundle(aBundleName, locale, classLoader);
{code}
will always called if aBundleName not exists, It will waste lots of CPU time
unless using SSD drive
was (Author: quaff):
{code:java}
bundle = ResourceBundle.getBundle(aBundleName, locale, classLoader);
{code}
will always called if aBundleName not exists, It will waste lost of CPU time.
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044239#comment-15044239
]
zhouyanming commented on WW-4575:
-
SecurityMemberAccess.isPackageExcluded() is called heavily, replace regex with
String.startsWith() will save lots of CPU time.
{code:java}
protected boolean isPackageExcluded(Package targetPackage, Package
memberPackage) {
if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage ==
null)) {
LOG.warn("The use of the default (unnamed) package is
discouraged!");
}
final String targetPackageName = targetPackage == null ? "" :
targetPackage.getName();
final String memberPackageName = memberPackage == null ? "" :
memberPackage.getName();
return isPackageExcluded(targetPackageName) ||
isPackageExcluded(memberPackageName);
}
protected boolean isPackageExcluded(String packageName) {
return packageName.startsWith("java.lang.") ||
packageName.startsWith("ognl.")
|| packageName.startsWith("javax.") &&
!packageName.startsWith("javax.servlet.");
}
{code}
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
> Fix For: 2.3.25
>
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[ https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037552#comment-15037552 ] zhouyanming commented on WW-4575: - com.opensymphony.xwork2.util.LocalizedTextUtil.findResourceBundle() is a big bottleneck > Fix performance regression > -- > > Key: WW-4575 > URL: https://issues.apache.org/jira/browse/WW-4575 > Project: Struts 2 > Issue Type: Task >Affects Versions: 2.3.20, 2.3.24 >Reporter: zhouyanming > > I have an application run with struts2, recently I found my application > performance downgraded if struts2 upgraded. a special use case: > ab -n 3000 -c 150 http://localhost/login > ||requests/second||struts2 version|| > |684|2.3.16| > |515|2.3.18| > |312|2.3.24| > It's appreciatory if someon test with official example. > I think struts2 should focus on performance improvement, make struts2 more > configurable to deal with performance and security trade-off. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[
https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15038864#comment-15038864
]
zhouyanming commented on WW-4575:
-
{code:java}
public static ResourceBundle findResourceBundle(String aBundleName, Locale
locale) {
ResourceBundle bundle = null;
ClassLoader classLoader = getCurrentThreadContextClassLoader();
String key = createMissesKey(String.valueOf(classLoader.hashCode()),
aBundleName, locale);
try {
if (!bundlesMap.containsKey(key)) {
bundle = ResourceBundle.getBundle(aBundleName, locale,
classLoader);
bundlesMap.putIfAbsent(key, bundle);
} else {
bundle = bundlesMap.get(key);
}
} catch (MissingResourceException ex) {
if (delegatedClassLoaderMap.containsKey(classLoader.hashCode())) {
try {
if (!bundlesMap.containsKey(key)) {
bundle = ResourceBundle.getBundle(aBundleName, locale,
delegatedClassLoaderMap.get(classLoader.hashCode()));
bundlesMap.putIfAbsent(key, bundle);
} else {
bundle = bundlesMap.get(key);
}
} catch (MissingResourceException e) {
if (LOG.isDebugEnabled()) {
LOG.debug("Missing resource bundle [#0]!", aBundleName);
}
}
}
}
return bundle;
}
{code}
ResourceBundle.getBundle(aBundleName, locale, classLoader) get called every
time, bundlesMap.putIfAbsent(key, bundle) never called, You should put an
EmptyResourceBundle in catch (MissingResourceException ex).
> Fix performance regression
> --
>
> Key: WW-4575
> URL: https://issues.apache.org/jira/browse/WW-4575
> Project: Struts 2
> Issue Type: Task
>Affects Versions: 2.3.20, 2.3.24
>Reporter: zhouyanming
>
> I have an application run with struts2, recently I found my application
> performance downgraded if struts2 upgraded. a special use case:
> ab -n 3000 -c 150 http://localhost/login
> ||requests/second||struts2 version||
> |684|2.3.16|
> |515|2.3.18|
> |312|2.3.24|
> It's appreciatory if someon test with official example.
> I think struts2 should focus on performance improvement, make struts2 more
> configurable to deal with performance and security trade-off.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4575) Fix performance regression
[ https://issues.apache.org/jira/browse/WW-4575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15039493#comment-15039493 ] zhouyanming commented on WW-4575: - I try to put an EmptyResourceBundle, then LocalizedTextUtil.getMessage() will be the hotspot, you can profile it with jvisualvm, LocalizedTextUtil will call many times in one request, so It should be simple and fast, I think struts2 is over designed with multiple class hierarchy, the exact class level message and global messages are enough for most applications. Before fix performance bottleneck I suggest revert LocalizedTextUtil to 2.3.16 > Fix performance regression > -- > > Key: WW-4575 > URL: https://issues.apache.org/jira/browse/WW-4575 > Project: Struts 2 > Issue Type: Task >Affects Versions: 2.3.20, 2.3.24 >Reporter: zhouyanming > > I have an application run with struts2, recently I found my application > performance downgraded if struts2 upgraded. a special use case: > ab -n 3000 -c 150 http://localhost/login > ||requests/second||struts2 version|| > |684|2.3.16| > |515|2.3.18| > |312|2.3.24| > It's appreciatory if someon test with official example. > I think struts2 should focus on performance improvement, make struts2 more > configurable to deal with performance and security trade-off. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WW-4575) Fix performance regression
zhouyanming created WW-4575: --- Summary: Fix performance regression Key: WW-4575 URL: https://issues.apache.org/jira/browse/WW-4575 Project: Struts 2 Issue Type: Task Affects Versions: 2.3.24, 2.3.20 Reporter: zhouyanming I have an application run with struts2, recently I found my application performance downgraded if struts2 upgraded. a special use case: ab -n 3000 -c 150 http://localhost/login ||requests/second||struts2 version|| |684|2.3.16| |515|2.3.18| |312|2.3.24| It's appreciatory if someon test with official example. I think struts2 should focus on performance improvement, make struts2 more configurable to deal with performance and security trade-off. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4540) Enable Strict DMI by default
[
https://issues.apache.org/jira/browse/WW-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14952714#comment-14952714
]
zhouyanming commented on WW-4540:
-
I don't use xml for action, I am using one xml for base package, then use my
own PackageProvider scan action classes, those package extends base package in
xml which already strict-method-invocation="false", and
pkgConfig.strictMethodInvocation(false) in java.
> Enable Strict DMI by default
>
>
> Key: WW-4540
> URL: https://issues.apache.org/jira/browse/WW-4540
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
> Fix For: 2.5
>
>
> Struts 2 already supports {{Strict DMI}} but it's disabled by default.
> {{Strict DMI}} should be always enable to allow access only specific methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4540) Enable Strict DMI by default
[
https://issues.apache.org/jira/browse/WW-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954128#comment-14954128
]
zhouyanming commented on WW-4540:
-
It works with actionConfig.addAllowedMethod(ActionConfig.REGEX_WILDCARD) and
strict DMI needn't be false.
I doubt this is useful, normally we have many methods in action to be invoked,
methods shouldn't be invoked can marked as protected or private, what's the
value of strict DMI?
It will bring two problem:
* It breaked compatibility, application with old version cannot upgrade
smoothly, I wish one constant in struts.xml can disable strict DMI globally not
per package.
* It will bring a little overhead for checking strict DMI.
> Enable Strict DMI by default
>
>
> Key: WW-4540
> URL: https://issues.apache.org/jira/browse/WW-4540
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
> Fix For: 2.5
>
>
> Struts 2 already supports {{Strict DMI}} but it's disabled by default.
> {{Strict DMI}} should be always enable to allow access only specific methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4540) Enable Strict DMI by default
[
https://issues.apache.org/jira/browse/WW-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954375#comment-14954375
]
zhouyanming edited comment on WW-4540 at 10/13/15 5:03 AM:
---
setter/getter must be designed to ensure safety, getter method is readonly will
not change server state, setter method can always invoked by queryString,
setter can not invoked by DMI, action method should be {code:java}public String
method( ){code}, only String getter can be invoked.
was (Author: quaff):
setter/getter must be designed to ensure safety, getter method is readonly will
not change server state, setter method can always invoked by queryString.
> Enable Strict DMI by default
>
>
> Key: WW-4540
> URL: https://issues.apache.org/jira/browse/WW-4540
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
> Fix For: 2.5
>
>
> Struts 2 already supports {{Strict DMI}} but it's disabled by default.
> {{Strict DMI}} should be always enable to allow access only specific methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4540) Enable Strict DMI by default
[
https://issues.apache.org/jira/browse/WW-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954375#comment-14954375
]
zhouyanming commented on WW-4540:
-
setter/getter must be designed to ensure safety, getter method is readonly will
not change server state, setter method can always invoked by queryString.
> Enable Strict DMI by default
>
>
> Key: WW-4540
> URL: https://issues.apache.org/jira/browse/WW-4540
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
> Fix For: 2.5
>
>
> Struts 2 already supports {{Strict DMI}} but it's disabled by default.
> {{Strict DMI}} should be always enable to allow access only specific methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4540) Enable Strict DMI by default
[
https://issues.apache.org/jira/browse/WW-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14952622#comment-14952622
]
zhouyanming commented on WW-4540:
-
Test failed with both
{code:xml}
{code}
and
{code:java}
pkgConfig = new PackageConfig.Builder(packageName);
pkgConfig.strictMethodInvocation(false);
{code}
It throw exception
{quote}
This method: input for action setting is not allowed! - [unknown location]
at
com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:200)
at
org.apache.struts2.factory.StrutsActionProxy.prepare(StrutsActionProxy.java:63)
at
org.apache.struts2.factory.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:37)
at
com.opensymphony.xwork2.DefaultActionProxyFactory.createActionProxy(DefaultActionProxyFactory.java:58)
at
org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:543)
at
org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:81)
at
org.apache.struts2.dispatcher.filter.StrutsExecuteFilter.doFilter(StrutsExecuteFilter.java:88)
{quote}
> Enable Strict DMI by default
>
>
> Key: WW-4540
> URL: https://issues.apache.org/jira/browse/WW-4540
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
> Fix For: 2.5
>
>
> Struts 2 already supports {{Strict DMI}} but it's disabled by default.
> {{Strict DMI}} should be always enable to allow access only specific methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (WW-4544) Improve ContainUtil for uniform comparison
zhouyanming created WW-4544: --- Summary: Improve ContainUtil for uniform comparison Key: WW-4544 URL: https://issues.apache.org/jira/browse/WW-4544 Project: Struts 2 Issue Type: Improvement Reporter: zhouyanming https://github.com/apache/struts/pull/48 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4520) Add prefix for CSS classes
[ https://issues.apache.org/jira/browse/WW-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14614451#comment-14614451 ] zhouyanming commented on WW-4520: - Other templates can reuse struts css classes for consistency, and js are manipulate dom via those classes, also possible in java code for dynamic generating templates. I said UI refactor is not simple as you think, there is no compiler validation, you are likely to miss something. Add prefix for CSS classes -- Key: WW-4520 URL: https://issues.apache.org/jira/browse/WW-4520 Project: Struts 2 Issue Type: Improvement Reporter: Aleksandr Mashchenko Priority: Minor Fix For: 2.5 Add prefix for CSS classes used in Struts to minimize collisions with other frameworks/user defined CSS classes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4520) Add prefix for CSS classes
[ https://issues.apache.org/jira/browse/WW-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14612983#comment-14612983 ] zhouyanming commented on WW-4520: - vote for new html5 theme. Add prefix for CSS classes -- Key: WW-4520 URL: https://issues.apache.org/jira/browse/WW-4520 Project: Struts 2 Issue Type: Improvement Reporter: Aleksandr Mashchenko Priority: Minor Fix For: 2.5 Add prefix for CSS classes used in Struts to minimize collisions with other frameworks/user defined CSS classes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4520) Add prefix for CSS classes
[ https://issues.apache.org/jira/browse/WW-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14612708#comment-14612708 ] zhouyanming commented on WW-4520: - I custom my own css not template. for new app-s, best choice is create a new theme, please do NOT change behavior of default xhtml. Add prefix for CSS classes -- Key: WW-4520 URL: https://issues.apache.org/jira/browse/WW-4520 Project: Struts 2 Issue Type: Improvement Reporter: Aleksandr Mashchenko Priority: Minor Fix For: 2.5 Add prefix for CSS classes used in Struts to minimize collisions with other frameworks/user defined CSS classes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4520) Add prefix for CSS classes
[ https://issues.apache.org/jira/browse/WW-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14611219#comment-14611219 ] zhouyanming commented on WW-4520: - It's trivial and not worthy breaking compatibility, css class is scattering in ftl | jsp | html | css | js , maybe other filetype. It's difficult to rename all. In opposite, your collisions requirement is a lot easier. breaking compatibility is very bad idea, spring do well with keeping compatibility, many developer will upgrade new version to keep up to date, bootstrap 3 breaked compatibility, many developer is stick to bootstrap 2.3, UI refactor is more intractability than you think. Add prefix for CSS classes -- Key: WW-4520 URL: https://issues.apache.org/jira/browse/WW-4520 Project: Struts 2 Issue Type: Improvement Reporter: Aleksandr Mashchenko Priority: Minor Fix For: 2.5 Add prefix for CSS classes used in Struts to minimize collisions with other frameworks/user defined CSS classes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4520) Add prefix for CSS classes
[ https://issues.apache.org/jira/browse/WW-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14609287#comment-14609287 ] zhouyanming commented on WW-4520: - It will break compatibility, web ui migration is hard. Add prefix for CSS classes -- Key: WW-4520 URL: https://issues.apache.org/jira/browse/WW-4520 Project: Struts 2 Issue Type: Improvement Reporter: Aleksandr Mashchenko Priority: Minor Fix For: 2.5 Add prefix for CSS classes used in Struts to minimize collisions with other frameworks/user defined CSS classes. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4499) s:radio and s:checkbox tag doesn't accept readonly attribute
[ https://issues.apache.org/jira/browse/WW-4499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14547605#comment-14547605 ] zhouyanming commented on WW-4499: - Those tags don't have readonly attribute, you should use disabled combine hidden tag. s:radio and s:checkbox tag doesn't accept readonly attribute -- Key: WW-4499 URL: https://issues.apache.org/jira/browse/WW-4499 Project: Struts 2 Issue Type: Bug Components: Plugin - Tags Affects Versions: 2.3.20 Environment: Struts-2.3.20 Tomcat 7.0.47 JDK 1.8.0 (Windows x64) Reporter: Iwasa Kazmi s:radio and s:checkbox tag in JSP doesn't accept readonly attribute. On Tomcat, org.apache.jasper.JasperException is thrown and it says unable to find the setter method. In org.apache.struts2.components package, 5 classes have setReadonly() method. Checkbox CheckboxList Radio TextArea TextField In org.apache.struts2.views.jsp.ui package, only two classes have setReadonly() method. TextareaTag TextFieldTag RadioTag class, CheckboxTag class, and CheckboxListTag class need setReadonly() method ? According to the struts-tags.tld and tag reference on the web site, these three tags should accept readonly attribute. If readonly attribute is not supported on these tags, struts-tags.tld and reference pages should be corrected. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4493) Still can't pass parameters with dashes to tags
[
https://issues.apache.org/jira/browse/WW-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14508547#comment-14508547
]
zhouyanming commented on WW-4493:
-
struts2 create Configuration with new Configuration() not new
Configuration(Configuration.VERSION_2_3_22) in FreemarkerManager.java, It
doesn't activate new feature, you should patch FreemarkerManager
Still can't pass parameters with dashes to tags
---
Key: WW-4493
URL: https://issues.apache.org/jira/browse/WW-4493
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.23
Reporter: Jasper Rosenberg
Priority: Minor
Labels: freemarker, tags
The latest freemarker now supports dashes in attribute names, so I can write
something like:
{code:xml}
@s.form name=sendToPhone data\-ajax=false
/@s.form
{code}
Unfortunately, the parameters are set using ognl internally, so it blows up
with an error like:
{noformat}
Caused by: ognl.InappropriateExpressionException: Inappropriate OGNL
expression: data - ajax
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:287)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:282)
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:340)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:282)
{noformat}
I think there is a simple solution, which is to send any parameters with an
dash directly to the parameters map like so:
{code:title=Component.java|borderStyle=solid}
/**
* Pushes this component's parameter Map as well as the component itself
on to the stack
* and then copies the supplied parameters over. Because the component's
parameter Map is
* pushed before the component itself, any key-value pair that can't be
assigned to component
* will be set in the parameters Map.
*
* @param params the parameters to copy.
*/
public void copyParams(Map params) {
stack.push(parameters);
stack.push(this);
try {
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if (key.indexOf('-') = 0) {
// UI component attributes may contain hypens (e.g.
data-ajax), but ognl
// can't handle that, and there can't be a component
property with a hypen
// so into the parameters map it goes.
parameters.put(key, entry.getValue());
} else {
stack.setValue(key, entry.getValue());
}
}
} finally {
stack.pop();
stack.pop();
}
}
{code}
Hoping this can make it into 2.3.24, thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (WW-4494) Improve FreemarkerManager to activate new freemarker feature
zhouyanming created WW-4494: --- Summary: Improve FreemarkerManager to activate new freemarker feature Key: WW-4494 URL: https://issues.apache.org/jira/browse/WW-4494 Project: Struts 2 Issue Type: Improvement Affects Versions: 2.3.23 Reporter: zhouyanming Fix For: 2.3.24 http://freemarker.org/docs/pgui_config_incompatible_improvements.html#pgui_config_incompatible_improvements_how_to_set use new Configuration(Configuration.VERSION_2_3_22) instead of new Configuration( ) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4493) Still can't pass parameters with dashes to tags
[
https://issues.apache.org/jira/browse/WW-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14508764#comment-14508764
]
zhouyanming commented on WW-4493:
-
It works for me.
Still can't pass parameters with dashes to tags
---
Key: WW-4493
URL: https://issues.apache.org/jira/browse/WW-4493
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.23
Reporter: Jasper Rosenberg
Priority: Minor
Labels: freemarker, tags
Fix For: 2.3.24
The latest freemarker now supports dashes in attribute names, so I can write
something like:
{code:xml}
@s.form name=sendToPhone data\-ajax=false
/@s.form
{code}
Unfortunately, the parameters are set using ognl internally, so it blows up
with an error like:
{noformat}
Caused by: ognl.InappropriateExpressionException: Inappropriate OGNL
expression: data - ajax
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:287)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:282)
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:340)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:282)
{noformat}
I think there is a simple solution, which is to send any parameters with an
dash directly to the parameters map like so:
{code:title=Component.java|borderStyle=solid}
/**
* Pushes this component's parameter Map as well as the component itself
on to the stack
* and then copies the supplied parameters over. Because the component's
parameter Map is
* pushed before the component itself, any key-value pair that can't be
assigned to component
* will be set in the parameters Map.
*
* @param params the parameters to copy.
*/
public void copyParams(Map params) {
stack.push(parameters);
stack.push(this);
try {
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if (key.indexOf('-') = 0) {
// UI component attributes may contain hypens (e.g.
data-ajax), but ognl
// can't handle that, and there can't be a component
property with a hypen
// so into the parameters map it goes.
parameters.put(key, entry.getValue());
} else {
stack.setValue(key, entry.getValue());
}
}
} finally {
stack.pop();
stack.pop();
}
}
{code}
Hoping this can make it into 2.3.24, thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4493) Still can't pass parameters with dashes to tags
[
https://issues.apache.org/jira/browse/WW-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14508764#comment-14508764
]
zhouyanming edited comment on WW-4493 at 4/23/15 10:02 AM:
---
It works for me, I am using 2.3.20.
was (Author: quaff):
It works for me.
Still can't pass parameters with dashes to tags
---
Key: WW-4493
URL: https://issues.apache.org/jira/browse/WW-4493
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.23
Reporter: Jasper Rosenberg
Priority: Minor
Labels: freemarker, tags
Fix For: 2.3.24
The latest freemarker now supports dashes in attribute names, so I can write
something like:
{code:xml}
@s.form name=sendToPhone data\-ajax=false
/@s.form
{code}
Unfortunately, the parameters are set using ognl internally, so it blows up
with an error like:
{noformat}
Caused by: ognl.InappropriateExpressionException: Inappropriate OGNL
expression: data - ajax
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:287)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:282)
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:340)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:282)
{noformat}
I think there is a simple solution, which is to send any parameters with an
dash directly to the parameters map like so:
{code:title=Component.java|borderStyle=solid}
/**
* Pushes this component's parameter Map as well as the component itself
on to the stack
* and then copies the supplied parameters over. Because the component's
parameter Map is
* pushed before the component itself, any key-value pair that can't be
assigned to component
* will be set in the parameters Map.
*
* @param params the parameters to copy.
*/
public void copyParams(Map params) {
stack.push(parameters);
stack.push(this);
try {
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if (key.indexOf('-') = 0) {
// UI component attributes may contain hypens (e.g.
data-ajax), but ognl
// can't handle that, and there can't be a component
property with a hypen
// so into the parameters map it goes.
parameters.put(key, entry.getValue());
} else {
stack.setValue(key, entry.getValue());
}
}
} finally {
stack.pop();
stack.pop();
}
}
{code}
Hoping this can make it into 2.3.24, thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4493) Still can't pass parameters with dashes to tags
[
https://issues.apache.org/jira/browse/WW-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14510125#comment-14510125
]
zhouyanming commented on WW-4493:
-
It works with latest snapshot build
https://builds.apache.org/job/Struts-JDK7-develop/lastSuccessfulBuild/
can you create a simplest project on github ? I will try to fix this problem.
Still can't pass parameters with dashes to tags
---
Key: WW-4493
URL: https://issues.apache.org/jira/browse/WW-4493
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.23
Reporter: Jasper Rosenberg
Priority: Minor
Labels: freemarker, tags
Fix For: 2.3.24
The latest freemarker now supports dashes in attribute names, so I can write
something like:
{code:xml}
@s.form name=sendToPhone data\-ajax=false
/@s.form
{code}
Unfortunately, the parameters are set using ognl internally, so it blows up
with an error like:
{noformat}
Caused by: ognl.InappropriateExpressionException: Inappropriate OGNL
expression: data - ajax
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:287)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:282)
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:340)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:282)
{noformat}
I think there is a simple solution, which is to send any parameters with an
dash directly to the parameters map like so:
{code:title=Component.java|borderStyle=solid}
/**
* Pushes this component's parameter Map as well as the component itself
on to the stack
* and then copies the supplied parameters over. Because the component's
parameter Map is
* pushed before the component itself, any key-value pair that can't be
assigned to component
* will be set in the parameters Map.
*
* @param params the parameters to copy.
*/
public void copyParams(Map params) {
stack.push(parameters);
stack.push(this);
try {
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if (key.indexOf('-') = 0) {
// UI component attributes may contain hypens (e.g.
data-ajax), but ognl
// can't handle that, and there can't be a component
property with a hypen
// so into the parameters map it goes.
parameters.put(key, entry.getValue());
} else {
stack.setValue(key, entry.getValue());
}
}
} finally {
stack.pop();
stack.pop();
}
}
{code}
Hoping this can make it into 2.3.24, thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4493) Still can't pass parameters with dashes to tags
[
https://issues.apache.org/jira/browse/WW-4493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14506168#comment-14506168
]
zhouyanming commented on WW-4493:
-
works with freemarker-2.3.22.jar new
Configuration(Configuration.VERSION_2_3_22)
Still can't pass parameters with dashes to tags
---
Key: WW-4493
URL: https://issues.apache.org/jira/browse/WW-4493
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.23
Reporter: Jasper Rosenberg
Priority: Minor
Labels: freemarker, tags
The latest freemarker now supports dashes in attribute names, so I can write
something like:
{code:xml}
@s.form name=sendToPhone data\-ajax=false
/@s.form
{code}
Unfortunately, the parameters are set using ognl internally, so it blows up
with an error like:
{noformat}
Caused by: ognl.InappropriateExpressionException: Inappropriate OGNL
expression: data - ajax
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:287)
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:282)
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:340)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:282)
{noformat}
I think there is a simple solution, which is to send any parameters with an
dash directly to the parameters map like so:
{code:title=Component.java|borderStyle=solid}
/**
* Pushes this component's parameter Map as well as the component itself
on to the stack
* and then copies the supplied parameters over. Because the component's
parameter Map is
* pushed before the component itself, any key-value pair that can't be
assigned to component
* will be set in the parameters Map.
*
* @param params the parameters to copy.
*/
public void copyParams(Map params) {
stack.push(parameters);
stack.push(this);
try {
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if (key.indexOf('-') = 0) {
// UI component attributes may contain hypens (e.g.
data-ajax), but ognl
// can't handle that, and there can't be a component
property with a hypen
// so into the parameters map it goes.
parameters.put(key, entry.getValue());
} else {
stack.setValue(key, entry.getValue());
}
}
} finally {
stack.pop();
stack.pop();
}
}
{code}
Hoping this can make it into 2.3.24, thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4381) upgrade to jasperreports 6.0
[ https://issues.apache.org/jira/browse/WW-4381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14321826#comment-14321826 ] zhouyanming commented on WW-4381: - proposal steps: 1. update pom to net.sf.jasperreports:jasperreports:6.0.3 2. replace JRLoader.loadObject(systemId) with JRLoader.loadObject(new File(systemId)) at line 325 in JasperReportsResult.java upgrade to jasperreports 6.0 Key: WW-4381 URL: https://issues.apache.org/jira/browse/WW-4381 Project: Struts 2 Issue Type: Improvement Components: Plugin - JasperReports Reporter: zhouyanming Fix For: 2.5 JasperReportsResult.java is not compatible with jasperreports 6.0 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WW-4464) Improve LocalizedTextUtil defend NPE
zhouyanming created WW-4464: --- Summary: Improve LocalizedTextUtil defend NPE Key: WW-4464 URL: https://issues.apache.org/jira/browse/WW-4464 Project: Struts 2 Issue Type: Improvement Affects Versions: 2.3.20 Reporter: zhouyanming https://github.com/apache/struts/pull/35 there is a typo in commit comment, depend should be defend -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (WW-4381) upgrade to jasperreports 6.0
[ https://issues.apache.org/jira/browse/WW-4381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zhouyanming updated WW-4381: Description: JasperReportsResult.java is not compatible with jasperreports 6.0 (was: JasperReportsResult.java is not compatible with jasperreports 5.6.0.) Summary: upgrade to jasperreports 6.0 (was: upgrade to jasperreports 5.6.0) upgrade to jasperreports 6.0 Key: WW-4381 URL: https://issues.apache.org/jira/browse/WW-4381 Project: Struts 2 Issue Type: Improvement Components: Plugin - JasperReports Reporter: zhouyanming Fix For: 2.5 JasperReportsResult.java is not compatible with jasperreports 6.0 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WW-4419) Defend for NPE when performing async request
zhouyanming created WW-4419: --- Summary: Defend for NPE when performing async request Key: WW-4419 URL: https://issues.apache.org/jira/browse/WW-4419 Project: Struts 2 Issue Type: Bug Components: Plugin - SiteMesh Reporter: zhouyanming https://github.com/apache/struts/pull/30 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WW-4416) LocalizedTextUtil should suppress exception with tomcat8
zhouyanming created WW-4416:
---
Summary: LocalizedTextUtil should suppress exception with tomcat8
Key: WW-4416
URL: https://issues.apache.org/jira/browse/WW-4416
Project: Struts 2
Issue Type: Improvement
Reporter: zhouyanming
running struts2 with tomcat-8.0.14 will throw exception.
{code:java}
couldn't clear tomcat cache
java.lang.NoSuchFieldException: resourceEntries
at java.lang.Class.getDeclaredField(Class.java:1953)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.clearMap(LocalizedTextUtil.java:859)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.clearTomcatCache(LocalizedTextUtil.java:842)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.reloadBundles(LocalizedTextUtil.java:821)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.reloadBundles(LocalizedTextUtil.java:797)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findDefaultText(LocalizedTextUtil.java:214)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.getDefaultMessage(LocalizedTextUtil.java:666)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:542)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:370)
at
com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
at
com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4416) LocalizedTextUtil should suppress exception with tomcat8
[
https://issues.apache.org/jira/browse/WW-4416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195940#comment-14195940
]
zhouyanming commented on WW-4416:
-
tomcat8 introduce super class WebappClassLoaderBase and moved field
resourceEntries to it, so
WebappClassLoader.class.getDeclaredField(resourceEntries) will throw
NoSuchFieldException.
LocalizedTextUtil should suppress exception with tomcat8
Key: WW-4416
URL: https://issues.apache.org/jira/browse/WW-4416
Project: Struts 2
Issue Type: Improvement
Reporter: zhouyanming
running struts2 with tomcat-8.0.14 will throw exception.
{code:java}
couldn't clear tomcat cache
java.lang.NoSuchFieldException: resourceEntries
at java.lang.Class.getDeclaredField(Class.java:1953)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.clearMap(LocalizedTextUtil.java:859)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.clearTomcatCache(LocalizedTextUtil.java:842)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.reloadBundles(LocalizedTextUtil.java:821)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.reloadBundles(LocalizedTextUtil.java:797)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findDefaultText(LocalizedTextUtil.java:214)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.getDefaultMessage(LocalizedTextUtil.java:666)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:542)
at
com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:370)
at
com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
at
com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (WW-4391) FreemarkerResult should respect response.getCharacterEncoding()
zhouyanming created WW-4391: --- Summary: FreemarkerResult should respect response.getCharacterEncoding() Key: WW-4391 URL: https://issues.apache.org/jira/browse/WW-4391 Project: Struts 2 Issue Type: Improvement Components: Core Actions Reporter: zhouyanming response.getCharacterEncoding() should override template.getEncoding() if exists. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (WW-4391) FreemarkerResult should respect response.getCharacterEncoding()
[ https://issues.apache.org/jira/browse/WW-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zhouyanming updated WW-4391: Attachment: WW-4391.patch here is patch FreemarkerResult should respect response.getCharacterEncoding() --- Key: WW-4391 URL: https://issues.apache.org/jira/browse/WW-4391 Project: Struts 2 Issue Type: Improvement Components: Core Actions Reporter: zhouyanming Attachments: WW-4391.patch response.getCharacterEncoding() should override template.getEncoding() if exists. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (WW-4388) Parameters are not injected when upload file
zhouyanming created WW-4388:
---
Summary: Parameters are not injected when upload file
Key: WW-4388
URL: https://issues.apache.org/jira/browse/WW-4388
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 2.3.18
Reporter: zhouyanming
Priority: Blocker
{code:java}
import java.io.File;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionSupport;
public class UploadAction extends ActionSupport {
private static final long serialVersionUID = 625509291613761721L;
private File[] file;
private String[] fileFileName;
private String folder;
private boolean autorename;
public boolean isAutorename() {
return autorename;
}
public void setAutorename(boolean autorename) {
this.autorename = autorename;
}
public void setFolder(String folder) {
this.folder = folder;
}
public String getFolder() {
return folder;
}
public void setFile(File[] file) {
this.file = file;
}
public void setFileFileName(String[] fileFileName) {
this.fileFileName = fileFileName;
}
@Override
public String execute() {
System.out.println(file); // not null
System.out.println(fileFileName); // not null
System.out.println(folder); // always null
System.out.println(autorename); // always false
// workaround for struts2 bug
folder =
ServletActionContext.getRequest().getParameter(folder);
autorename = true.equals(ServletActionContext.getRequest()
.getParameter(autorename));
System.out.println(folder); // not null
System.out.println(autorename); // true
return SUCCESS;
}
}
{code}
It works fine with 2.3.16.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4388) Parameters are not injected when upload file
[
https://issues.apache.org/jira/browse/WW-4388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14101679#comment-14101679
]
zhouyanming commented on WW-4388:
-
cause by this commit
https://github.com/apache/struts/commit/8aa4fe860693d29e5ef94026bf2a7532ed74b9ea
Parameters are not injected when upload file
-
Key: WW-4388
URL: https://issues.apache.org/jira/browse/WW-4388
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 2.3.18
Reporter: zhouyanming
Priority: Blocker
{code:java}
import java.io.File;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionSupport;
public class UploadAction extends ActionSupport {
private static final long serialVersionUID = 625509291613761721L;
private File[] file;
private String[] fileFileName;
private String folder;
private boolean autorename;
public boolean isAutorename() {
return autorename;
}
public void setAutorename(boolean autorename) {
this.autorename = autorename;
}
public void setFolder(String folder) {
this.folder = folder;
}
public String getFolder() {
return folder;
}
public void setFile(File[] file) {
this.file = file;
}
public void setFileFileName(String[] fileFileName) {
this.fileFileName = fileFileName;
}
@Override
public String execute() {
System.out.println(file); // not null
System.out.println(fileFileName); // not null
System.out.println(folder); // always null
System.out.println(autorename); // always false
// workaround for struts2 bug
folder =
ServletActionContext.getRequest().getParameter(folder);
autorename = true.equals(ServletActionContext.getRequest()
.getParameter(autorename));
System.out.println(folder); // not null
System.out.println(autorename); // true
return SUCCESS;
}
}
{code}
It works fine with 2.3.16.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[ https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14087379#comment-14087379 ] zhouyanming commented on WW-4166: - I mean other maintained branch which supported dynamic attributes, a tiny change to allow class and style. also It should be put into trunk for more reasonable and safety. Allow class attribute on Struts tags -- Key: WW-4166 URL: https://issues.apache.org/jira/browse/WW-4166 Project: Struts 2 Issue Type: Improvement Components: Other Reporter: Eric Lentz Assignee: Lukasz Lenart Priority: Trivial Fix For: 2.3.18 In building a JSP, and working on web related things outside of the Java environment, there are lots of tags which all receive the class attribute. The Struts developer must _remember_ to call the attribute cssClass instead. Typing muscle memory drives me to half of the time typing class instead, which leads to HTML which reads, 'class=class java.util.HashMap' Why not just allow class like the rest of the HTML world? Why do we need to be different? I have a billion things to remember when web developing, this shouldn't be one of them. We don't even have to to deprecate or obsolete cssClass, just also allow class... please! -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[ https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14087467#comment-14087467 ] zhouyanming commented on WW-4166: - map[param] will try map.getParam() first then map.get(param), so map[class] will always call map.getClass(). Allow class attribute on Struts tags -- Key: WW-4166 URL: https://issues.apache.org/jira/browse/WW-4166 Project: Struts 2 Issue Type: Improvement Components: Other Reporter: Eric Lentz Assignee: Lukasz Lenart Priority: Trivial Fix For: 2.3.18 In building a JSP, and working on web related things outside of the Java environment, there are lots of tags which all receive the class attribute. The Struts developer must _remember_ to call the attribute cssClass instead. Typing muscle memory drives me to half of the time typing class instead, which leads to HTML which reads, 'class=class java.util.HashMap' Why not just allow class like the rest of the HTML world? Why do we need to be different? I have a billion things to remember when web developing, this shouldn't be one of them. We don't even have to to deprecate or obsolete cssClass, just also allow class... please! -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[ https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14087198#comment-14087198 ] zhouyanming commented on WW-4166: - I found a tiny change could support such feature before this patch. class and style will be treat as dynamic attributes,but dynamicAttributes.[class] will render class=class java.util.HashMap replace dynamicAttributes.[aKey] with dynamicAttributes.get(aKey) in dynamic-attributes.ftl is more safe, I think this change should be necessary, please apply this patch to all version especially version before 2.3.18. Allow class attribute on Struts tags -- Key: WW-4166 URL: https://issues.apache.org/jira/browse/WW-4166 Project: Struts 2 Issue Type: Improvement Components: Other Reporter: Eric Lentz Assignee: Lukasz Lenart Priority: Trivial Fix For: 2.3.18 In building a JSP, and working on web related things outside of the Java environment, there are lots of tags which all receive the class attribute. The Struts developer must _remember_ to call the attribute cssClass instead. Typing muscle memory drives me to half of the time typing class instead, which leads to HTML which reads, 'class=class java.util.HashMap' Why not just allow class like the rest of the HTML world? Why do we need to be different? I have a billion things to remember when web developing, this shouldn't be one of them. We don't even have to to deprecate or obsolete cssClass, just also allow class... please! -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[
https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14084555#comment-14084555
]
zhouyanming commented on WW-4166:
-
cache will improve 100x performance, and I rewrited your code, please check it.
Component.java
{code:java}
/**
* Checks if provided name is a valid tag's attribute
*
* @param attrName String name of attribute
* @return true if attribute with the same name was already defined
*/
public boolean isValidTagAttribute(String attrName) {
return getStandardAttributes().contains(attrName);
}
/**
* If needed caches all methods annotated by given annotation to avoid
further scans
*/
protected ListString getStandardAttributes() {
Class clz = getClass();
ListString standardAttributes = standardAttributesMap.get(clz);
if (standardAttributes == null) {
CollectionMethod methods =
AnnotationUtils.getAnnotatedMethods(clz, StrutsTagAttribute.class);
standardAttributes = new ArrayListString(methods.size());
for(Method m : methods)
standardAttributes.add(StringUtils.uncapitalize(m.getName().substring(3)));
standardAttributesMap.putIfAbsent(clz, standardAttributes);
}
return standardAttributes;
}
private static ConcurrentHashMapClass, ListString standardAttributesMap
= new ConcurrentHashMapClass, ListString();
{code}
Allow class attribute on Struts tags
--
Key: WW-4166
URL: https://issues.apache.org/jira/browse/WW-4166
Project: Struts 2
Issue Type: Improvement
Components: Other
Reporter: Eric Lentz
Assignee: Lukasz Lenart
Priority: Trivial
Fix For: 2.3.18
In building a JSP, and working on web related things outside of the Java
environment, there are lots of tags which all receive the class attribute.
The Struts developer must _remember_ to call the attribute cssClass instead.
Typing muscle memory drives me to half of the time typing class instead,
which leads to HTML which reads, 'class=class java.util.HashMap'
Why not just allow class like the rest of the HTML world? Why do we need to
be different? I have a billion things to remember when web developing, this
shouldn't be one of them.
We don't even have to to deprecate or obsolete cssClass, just also allow
class... please!
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4374) access enum values via ognl blocked by SecurityMemberAccess
[
https://issues.apache.org/jira/browse/WW-4374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14084178#comment-14084178
]
zhouyanming commented on WW-4374:
-
It works fine with latest snapshot, thanks.
access enum values via ognl blocked by SecurityMemberAccess
---
Key: WW-4374
URL: https://issues.apache.org/jira/browse/WW-4374
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.18
Reporter: zhouyanming
Assignee: Lukasz Lenart
Priority: Blocker
Fix For: 2.3.18
{code:html}
@s.select list=@test.EnumType@values()
{code}
doesn't works anymore,it breaked compatibility.
SecurityMemberAccess.isAccessible(Map context, Object target, Member member,
String propertyName)
solution is check enum access first then check others.
{code:java}
int modifiers = member.getModifiers();
if (Modifier.isStatic(modifiers)) {
if (member instanceof Method !getAllowStaticMethodAccess()) {
if (target instanceof Class) {
Class clazz = (Class) target;
Method method = (Method) member;
if (Enum.class.isAssignableFrom(clazz)
method.getName().equals(values))
return true;
}
}
}
if (isPackageExcluded(target.getClass().getPackage(),
member.getDeclaringClass().getPackage())) {
if (LOG.isWarnEnabled()) {
LOG.warn(Package of target [#0] or package of member [#1]
are excluded!, target, member);
}
return false;
}
if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
if (LOG.isWarnEnabled()) {
LOG.warn(Target class [#0] or declaring class of member type
[#1] are excluded!, target, member);
}
return false;
}
{code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[
https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14084180#comment-14084180
]
zhouyanming commented on WW-4166:
-
class and style should exclude from dynamic attributes.
{code:xml}
@s.textfield label=%{getText('username')} name=username class=required
span2 style=width:150px;/
{code}
will render
{code:xml}
input type=text name=username id=username class=required span2
style=width:150px; style=width:150px; class=class java.util.HashMap/
{code}
Allow class attribute on Struts tags
--
Key: WW-4166
URL: https://issues.apache.org/jira/browse/WW-4166
Project: Struts 2
Issue Type: Improvement
Components: Other
Reporter: Eric Lentz
Assignee: Lukasz Lenart
Priority: Trivial
Fix For: 2.3.18
In building a JSP, and working on web related things outside of the Java
environment, there are lots of tags which all receive the class attribute.
The Struts developer must _remember_ to call the attribute cssClass instead.
Typing muscle memory drives me to half of the time typing class instead,
which leads to HTML which reads, 'class=class java.util.HashMap'
Why not just allow class like the rest of the HTML world? Why do we need to
be different? I have a billion things to remember when web developing, this
shouldn't be one of them.
We don't even have to to deprecate or obsolete cssClass, just also allow
class... please!
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[
https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14084186#comment-14084186
]
zhouyanming commented on WW-4166:
-
solution:
UIBean.java
1. remove method getStandardAttributes()
2.refactor method copyParams() using isValidTagAttribute()
{code:java}
public void copyParams(Map params) {
super.copyParams(params);
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String key = (String) entry.getKey();
if(!isValidTagAttribute(key) !key.equals(dynamicAttributes))
dynamicAttributes.put(key, entry.getValue());
}
}
{code}
Allow class attribute on Struts tags
--
Key: WW-4166
URL: https://issues.apache.org/jira/browse/WW-4166
Project: Struts 2
Issue Type: Improvement
Components: Other
Reporter: Eric Lentz
Assignee: Lukasz Lenart
Priority: Trivial
Fix For: 2.3.18
In building a JSP, and working on web related things outside of the Java
environment, there are lots of tags which all receive the class attribute.
The Struts developer must _remember_ to call the attribute cssClass instead.
Typing muscle memory drives me to half of the time typing class instead,
which leads to HTML which reads, 'class=class java.util.HashMap'
Why not just allow class like the rest of the HTML world? Why do we need to
be different? I have a billion things to remember when web developing, this
shouldn't be one of them.
We don't even have to to deprecate or obsolete cssClass, just also allow
class... please!
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (WW-4381) upgrade to jasperreports 5.6.0
zhouyanming created WW-4381: --- Summary: upgrade to jasperreports 5.6.0 Key: WW-4381 URL: https://issues.apache.org/jira/browse/WW-4381 Project: Struts 2 Issue Type: Improvement Components: Plugin - JasperReports Reporter: zhouyanming JasperReportsResult.java is not compatible with jasperreports 5.6.0. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (WW-4374) access enum values via ognl blocked by SecurityMemberAccess
zhouyanming created WW-4374:
---
Summary: access enum values via ognl blocked by
SecurityMemberAccess
Key: WW-4374
URL: https://issues.apache.org/jira/browse/WW-4374
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.18
Reporter: zhouyanming
Priority: Blocker
{code:html}
@s.select list=@test.EnumType@values()
{code}
doesn't works anymore,it breaked compatibility.
SecurityMemberAccess.isAccessible(Map context, Object target, Member member,
String propertyName)
solution is check enum access first then check others.
{code:java}
int modifiers = member.getModifiers();
if (Modifier.isStatic(modifiers)) {
if (member instanceof Method !getAllowStaticMethodAccess()) {
if (target instanceof Class) {
Class clazz = (Class) target;
Method method = (Method) member;
if (Enum.class.isAssignableFrom(clazz)
method.getName().equals(values))
return true;
}
}
}
if (isPackageExcluded(target.getClass().getPackage(),
member.getDeclaringClass().getPackage())) {
if (LOG.isWarnEnabled()) {
LOG.warn(Package of target [#0] or package of member [#1] are
excluded!, target, member);
}
return false;
}
if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
if (LOG.isWarnEnabled()) {
LOG.warn(Target class [#0] or declaring class of member type
[#1] are excluded!, target, member);
}
return false;
}
{code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (WW-4375) improve security check performance
zhouyanming created WW-4375: --- Summary: improve security check performance Key: WW-4375 URL: https://issues.apache.org/jira/browse/WW-4375 Project: Struts 2 Issue Type: Improvement Affects Versions: 2.3.18 Reporter: zhouyanming currently struts is a little low performance because we must do much security check,I think struts should provide two ways for security check,One for client inputs and the other for non-inputs.client inputs must use the most strict check.and server side expressions could skip most check,it will improve performance because most of access is from server side. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (WW-3698) jasperreports plugin's ValueStackDataSource converts field values in ValueStackDataSource even when it's not wanted
[
https://issues.apache.org/jira/browse/WW-3698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14040324#comment-14040324
]
zhouyanming commented on WW-3698:
-
agree, but wrapField should be true default for backward compatibility.
jasperreports plugin's ValueStackDataSource converts field values in
ValueStackDataSource even when it's not wanted
---
Key: WW-3698
URL: https://issues.apache.org/jira/browse/WW-3698
Project: Struts 2
Issue Type: Bug
Components: Plugin - JasperReports
Affects Versions: 2.2.3.1
Environment: Tomcat 7 application server, Jasperreports 4.1.1
Reporter: Dario Tortola
Assignee: Lukasz Lenart
Priority: Minor
Labels: patch
Fix For: 2.3.18
Original Estimate: 20m
Remaining Estimate: 20m
Report A with Subreport B
Subreport B's datasource is a java.util.List field of Report A's datasource's
elements
org.apache.struts2.views.jasperreports.ValueStackDataSource.getFieldValue,
after locating the value, if
org.apache.struts2.util.MakeIterator.isIterable(value) instead of value a new
ValueStackDataSource over value is returned.
Since ValueStackDataSource is not a java.util.List, a
javax.servlet.ServletException is thrown when the returned
ValueStackDataSource fails to be cast to List
To avoid such unwanted conversion it's enough to change this code on
ValueStackDataSource.getFieldValue
{code:java}
if (MakeIterator.isIterable(value)) {
return new ValueStackDataSource(this.valueStack, expression);
} else {
return value;
}
{code}
replace (MakeIterator.isIterable(value)) with
(!field.getValueClass().isInstance(value) MakeIterator.isIterable(value))
for the new ValueStackDataSource to be returned only if the value is not
already what the field asks for
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
[
https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13988456#comment-13988456
]
zhouyanming commented on WW-4333:
-
should be
{code:java}
public class ExcludedPatterns {
public static final String CLASS_ACCESS_PATTERN1 =
(.*\\.|^)class(\\.|\\[).*;
public static final String CLASS_ACCESS_PATTERN2 =
.*\\['class'\\](\\.|\\[).*;
public static final String CLASS_ACCESS_PATTERN3 =
.*\\[\class\\\](\\.|\\[).*;
public static final String[] EXCLUDED_PATTERNS = {
CLASS_ACCESS_PATTERN1,
CLASS_ACCESS_PATTERN2,
CLASS_ACCESS_PATTERN3,
^dojo\\..*,
^struts\\..*,
^session\\..*,
^request\\..*,
^application\\..*,
^servlet(Request|Response)\\..*,
^parameters\\..*
};
}
{code}
again,I think use regex to block parameterName is not safe way,we should do
something with valuestack or ognl.
ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
Key: WW-4333
URL: https://issues.apache.org/jira/browse/WW-4333
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.16.2
Reporter: Michael Hintenaus
Priority: Critical
Fix For: 2.3.18
it's not possible to set values on nested properties if the parent property
ends with class, for example firstClass.value
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
zhouyanming created WW-4332:
---
Summary: refine excludeParams of ParametersInterceptor to improve
security
Key: WW-4332
URL: https://issues.apache.org/jira/browse/WW-4332
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Priority: Critical
{code}
(.*\.|^)class\..*
{code}
should be
{code}
(.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\[class\](\.|\[).*
{code}
it will block such as
{code}class['classLoader'] , model['class'].classLoader ,
model[class].classLoader {code}
I think use regex to block parameterName is not best solution,It must be done
in ValueStack, seperate entry point , one for serverside, one for client
side,client side should add more restriction and security checks.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (WW-4327) Improve form tags
zhouyanming created WW-4327: --- Summary: Improve form tags Key: WW-4327 URL: https://issues.apache.org/jira/browse/WW-4327 Project: Struts 2 Issue Type: Improvement Components: Core Actions Reporter: zhouyanming 1. make checkbox checkboxlist radio supports readonly. 2. refine template replace ' ?? ' or ' ?if_exists!= ' with ' ?has_content ' -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (WW-4327) Improve form tags
[ https://issues.apache.org/jira/browse/WW-4327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zhouyanming updated WW-4327: Attachment: WW-4327.patch here is the patch Improve form tags - Key: WW-4327 URL: https://issues.apache.org/jira/browse/WW-4327 Project: Struts 2 Issue Type: Improvement Components: Core Actions Reporter: zhouyanming Attachments: WW-4327.patch 1. make checkbox checkboxlist radio supports readonly. 2. refine template replace ' ?? ' or ' ?if_exists!= ' with ' ?has_content ' -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[
https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13949042#comment-13949042
]
zhouyanming commented on WW-4250:
-
it's quoted by single quotes,and can not contains single quote,I think it's
safe.
Make ParametersInterceptor supports chinese in hash key by default
--
Key: WW-4250
URL: https://issues.apache.org/jira/browse/WW-4250
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Assignee: Lukasz Lenart
Fix For: 2.3.17
Attachments: 4250.patch
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[
https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13949059#comment-13949059
]
zhouyanming commented on WW-4250:
-
I think spaces should be supported too.
{code}
(\\w|\\s|[^x00-xff])
{code}
Make ParametersInterceptor supports chinese in hash key by default
--
Key: WW-4250
URL: https://issues.apache.org/jira/browse/WW-4250
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Assignee: Lukasz Lenart
Fix For: 2.3.17
Attachments: 4250.patch
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[
https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13949077#comment-13949077
]
zhouyanming commented on WW-4250:
-
the old version did'nt have \\s.
Make ParametersInterceptor supports chinese in hash key by default
--
Key: WW-4250
URL: https://issues.apache.org/jira/browse/WW-4250
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Assignee: Lukasz Lenart
Fix For: 2.3.17
Attachments: 4250.patch
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[
https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13949222#comment-13949222
]
zhouyanming commented on WW-4250:
-
sorry,please revert this patch,the correct version is {{[\u4e00-\u9fa5]}},I
think it should be customized in struts.xml not in ParametersInterceptor.java
Make ParametersInterceptor supports chinese in hash key by default
--
Key: WW-4250
URL: https://issues.apache.org/jira/browse/WW-4250
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Assignee: Lukasz Lenart
Fix For: 2.3.17
Attachments: 4250.patch
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
zhouyanming created WW-4250: --- Summary: Make ParametersInterceptor supports chinese in hash key by default Key: WW-4250 URL: https://issues.apache.org/jira/browse/WW-4250 Project: Struts 2 Issue Type: Improvement Components: Core Interceptors Reporter: zhouyanming changes: \\w - (\\w|[^x00-xff]) between single quotes. now it can accepts paramName like paramMap['名字'] -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[ https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zhouyanming updated WW-4250: Attachment: 4250.patch and support other language like korean Japanese Make ParametersInterceptor supports chinese in hash key by default -- Key: WW-4250 URL: https://issues.apache.org/jira/browse/WW-4250 Project: Struts 2 Issue Type: Improvement Components: Core Interceptors Reporter: zhouyanming Attachments: 4250.patch changes: \\w - (\\w|[^x00-xff]) between single quotes. now it can accepts paramName like paramMap['名字'] -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (WW-4250) Make ParametersInterceptor supports chinese in hash key by default
[
https://issues.apache.org/jira/browse/WW-4250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhouyanming updated WW-4250:
Description:
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
was:
changes: \\w - (\\w|[^x00-xff]) between single quotes.
now it can accepts paramName like paramMap['名字']
Make ParametersInterceptor supports chinese in hash key by default
--
Key: WW-4250
URL: https://issues.apache.org/jira/browse/WW-4250
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Attachments: 4250.patch
changes: {noformat} \\w - (\\w|[^x00-xff]) {noformat} between single
quotes.
now it can accepts paramName like paramMap['名字']
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (WW-3698) jasperreports plugin's ValueStackDataSource converts field values in ValueStackDataSource even when it's not wanted
[
https://issues.apache.org/jira/browse/WW-3698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13788759#comment-13788759
]
zhouyanming commented on WW-3698:
-
[~broncace] see WW-4064
jasperreports plugin's ValueStackDataSource converts field values in
ValueStackDataSource even when it's not wanted
---
Key: WW-3698
URL: https://issues.apache.org/jira/browse/WW-3698
Project: Struts 2
Issue Type: Bug
Components: Plugin - JasperReports
Affects Versions: 2.2.3.1
Environment: Tomcat 7 application server, Jasperreports 4.1.1
Reporter: Dario Tortola
Assignee: Lukasz Lenart
Priority: Minor
Labels: patch
Fix For: 2.3.12
Original Estimate: 20m
Remaining Estimate: 20m
Report A with Subreport B
Subreport B's datasource is a java.util.List field of Report A's datasource's
elements
org.apache.struts2.views.jasperreports.ValueStackDataSource.getFieldValue,
after locating the value, if
org.apache.struts2.util.MakeIterator.isIterable(value) instead of value a new
ValueStackDataSource over value is returned.
Since ValueStackDataSource is not a java.util.List, a
javax.servlet.ServletException is thrown when the returned
ValueStackDataSource fails to be cast to List
To avoid such unwanted conversion it's enough to change this code on
ValueStackDataSource.getFieldValue
{code:java}
if (MakeIterator.isIterable(value)) {
return new ValueStackDataSource(this.valueStack, expression);
} else {
return value;
}
{code}
replace (MakeIterator.isIterable(value)) with
(!field.getValueClass().isInstance(value) MakeIterator.isIterable(value))
for the new ValueStackDataSource to be returned only if the value is not
already what the field asks for
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (WW-4064) WW-3698 cause ClassCastException
[
https://issues.apache.org/jira/browse/WW-4064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13788909#comment-13788909
]
zhouyanming commented on WW-4064:
-
yes
WW-3698 cause ClassCastException
Key: WW-4064
URL: https://issues.apache.org/jira/browse/WW-4064
Project: Struts 2
Issue Type: Bug
Components: Plugin - JasperReports
Affects Versions: 2.3.14
Reporter: zhouyanming
Priority: Blocker
Fix For: 2.3.16
Attachments: application-error.log
my application works fine before commit 1439171,when I upgrade to 2.3.14,it
raise a ClassCastException
{noformat}
Caused by: java.lang.ClassCastException:
org.hibernate.collection.internal.PersistentList cannot be cast to
net.sf.jasperreports.engine.JRDataSource
at order_1283128512214_277101.evaluate(order_1283128512214_277101:275)
at
net.sf.jasperreports.engine.fill.JREvaluator.evaluate(JREvaluator.java:190)
... 120 more
{noformat}
{code:java}
class Order{
ListOrderItem items;
}
{code}
items in subreport should be JRDataSource but List
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (WW-4064) WW-3698 cause ClassCastException
[
https://issues.apache.org/jira/browse/WW-4064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13770504#comment-13770504
]
zhouyanming commented on WW-4064:
-
adding !field.getValueClass().isInstance(value) cause the problem
WW-3698 cause ClassCastException
Key: WW-4064
URL: https://issues.apache.org/jira/browse/WW-4064
Project: Struts 2
Issue Type: Bug
Components: Plugin - JasperReports
Affects Versions: 2.3.14
Reporter: zhouyanming
Priority: Blocker
Fix For: 2.3.17
Attachments: application-error.log
my application works fine before commit 1439171,when I upgrade to 2.3.14,it
raise a ClassCastException
{noformat}
Caused by: java.lang.ClassCastException:
org.hibernate.collection.internal.PersistentList cannot be cast to
net.sf.jasperreports.engine.JRDataSource
at order_1283128512214_277101.evaluate(order_1283128512214_277101:275)
at
net.sf.jasperreports.engine.fill.JREvaluator.evaluate(JREvaluator.java:190)
... 120 more
{noformat}
{code:java}
class Order{
ListOrderItem items;
}
{code}
items in subreport should be JRDataSource but List
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4113) Wrong cache key generated in OGNL 3.0.5/3.0.6
[ https://issues.apache.org/jira/browse/WW-4113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13765001#comment-13765001 ] zhouyanming commented on WW-4113: - where is ognl-3.0.7.jar Wrong cache key generated in OGNL 3.0.5/3.0.6 - Key: WW-4113 URL: https://issues.apache.org/jira/browse/WW-4113 Project: Struts 2 Issue Type: Bug Components: Expression Language Affects Versions: 2.3.4, 2.3.4.1, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15 Reporter: Kevin Su Assignee: Lukasz Lenart Labels: patch Fix For: 2.3.17 Struts since 2.3.4 (maybe earlier as well) has dependency on ognl.OgnlRuntime 3.0.5 / 3.0.6. OgnlRuntime 3.0.5/3.0.6 has a bug in the cache implementation to look up the getter and setter methods. The hashCode of the action class (in combination to the hashCode for the name of the property) is used as a unique key into the cache of getter and setters. Since hashCode can not be relied on to be unique, setting the property on the target action class may fail because the wrong method from another action is returned. The latest implemenation of OgnlRuntime in Apache commons has the proper implementation. We are currently using our own patched version of 3.0.6 to work around the issue. However, we'll like to see this resolved so we don't need to maintain our own private version of Ognl. Is there a plan to migrate the dependency to the Apache commons distribution of Ognl? If not, we'll be happy to share our fix. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4166) Allow class attribute on Struts tags
[ https://issues.apache.org/jira/browse/WW-4166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13729029#comment-13729029 ] zhouyanming commented on WW-4166: - maybe should rename cssStyle to style? Allow class attribute on Struts tags -- Key: WW-4166 URL: https://issues.apache.org/jira/browse/WW-4166 Project: Struts 2 Issue Type: Improvement Components: Other Reporter: Eric Lentz Priority: Trivial Fix For: 2.3.17 In building a JSP, and working on web related things outside of the Java environment, there are lots of tags which all receive the class attribute. The Struts developer must _remember_ to call the attribute cssClass instead. Typing muscle memory drives me to half of the time typing class instead, which leads to HTML which reads, 'class=class java.util.HashMap' Why not just allow class like the rest of the HTML world? Why do we need to be different? I have a billion things to remember when web developing, this shouldn't be one of them. We don't even have to to deprecate or obsolete cssClass, just also allow class... please! -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4150) Support attributes with hyphens in tag dynamic attributes
[
https://issues.apache.org/jira/browse/WW-4150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13724655#comment-13724655
]
zhouyanming commented on WW-4150:
-
thanks,patch of dynamic attributes for freemarker template was submitted by me.
Support attributes with hyphens in tag dynamic attributes
-
Key: WW-4150
URL: https://issues.apache.org/jira/browse/WW-4150
Project: Struts 2
Issue Type: Improvement
Components: Other
Affects Versions: 2.3.15.1
Reporter: Jasper Rosenberg
Priority: Minor
Fix For: 2.3.17
A lot of CSS/JS frameworks look for attributes on html elements that include
a hyphen to do their magic (JQuery Mobile, Bootstrap, etc).
For example, in my JQuery Mobile app, I'd like to be able to say:
{code}
@s.form ... data-ajax=false
/@s.form
{code}
Unfortunately, this doesn't work because Freemarker doesn't allow hyphens in
macro parameter names. I entered an enhancement request for this here:
https://sourceforge.net/p/freemarker/bugs/395/
I'm not sure when or if that might be fixed, so perhaps a work around would
be to allow explicit dynamic attributes through some kind of parameter
convention.
{code}
@s.form ...
@s.param name=dyn:data-ajax value=false/
/@s.form
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4146) cache attack at OgnlUtil.expressions
[
https://issues.apache.org/jira/browse/WW-4146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13719380#comment-13719380
]
zhouyanming commented on WW-4146:
-
I mean cache expression for map has no sense
when foo.bar is a map,cache foo.bar['a'] will not reused normally,it will be
foo.bar['b'] or other uncertain expression next time.
cache attack at OgnlUtil.expressions
-
Key: WW-4146
URL: https://issues.apache.org/jira/browse/WW-4146
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.15.1
Reporter: bruce liu
Fix For: 2.3.17
Attachments: WW-4146.patch
in class com.opensymphony.xwork2.ognl.OgnlUtil, code :
{code:java}
tree = expressions.get(expression);
if (tree == null) {
tree = Ognl.parseExpression(expression);
expressions.putIfAbsent(expression, tree);
}
{code}
every parameter in the request cached in field expressions which is an
instances of ConcurrentMapString, Object, use parameterName as key. so i
construct huge different parameters that has different name (like abc[123],
abc[124] ), they all cached in expressions, this cause outofmemory error,
and let map acted like a list .
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4146) cache attack at OgnlUtil.expressions
[
https://issues.apache.org/jira/browse/WW-4146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13719062#comment-13719062
]
zhouyanming commented on WW-4146:
-
{quote}
Unfortunately my patch does not totally cover all the cases (you can still
inject foo[1],foo[2], ...,foo[N], when foo is a valid parameter name)
{quote}
can you determine foo if it is a hash,a hash should not be cached,it is no
sense.
cache attack at OgnlUtil.expressions
-
Key: WW-4146
URL: https://issues.apache.org/jira/browse/WW-4146
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.15.1
Reporter: bruce liu
Fix For: 2.3.17
Attachments: WW-4146.patch
in class com.opensymphony.xwork2.ognl.OgnlUtil, code :
{code:java}
tree = expressions.get(expression);
if (tree == null) {
tree = Ognl.parseExpression(expression);
expressions.putIfAbsent(expression, tree);
}
{code}
every parameter in the request cached in field expressions which is an
instances of ConcurrentMapString, Object, use parameterName as key. so i
construct huge different parameters that has different name (like abc[123],
abc[124] ), they all cached in expressions, this cause outofmemory error,
and let map acted like a list .
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4150) Support attributes with hyphens in tag dynamic attributes
[
https://issues.apache.org/jira/browse/WW-4150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13717806#comment-13717806
]
zhouyanming commented on WW-4150:
-
workaround
@s.form dynamicAttributes={'data-ajax':'false'}
...
/@s.form
Support attributes with hyphens in tag dynamic attributes
-
Key: WW-4150
URL: https://issues.apache.org/jira/browse/WW-4150
Project: Struts 2
Issue Type: Improvement
Components: Other
Affects Versions: 2.3.15.1
Reporter: Jasper Rosenberg
Priority: Minor
Fix For: 2.3.17
A lot of CSS/JS frameworks look for attributes on html elements that include
a hyphen to do their magic (JQuery Mobile, Bootstrap, etc).
For example, in my JQuery Mobile app, I'd like to be able to say:
{code}
@s.form ... data-ajax=false
/@s.form
{code}
Unfortunately, this doesn't work because Freemarker doesn't allow hyphens in
macro parameter names. I entered an enhancement request for this here:
https://sourceforge.net/p/freemarker/bugs/395/
I'm not sure when or if that might be fixed, so perhaps a work around would
be to allow explicit dynamic attributes through some kind of parameter
convention.
{code}
@s.form ...
@s.param name=dyn:data-ajax value=false/
/@s.form
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Comment Edited] (WW-4150) Support attributes with hyphens in tag dynamic attributes
[
https://issues.apache.org/jira/browse/WW-4150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13717806#comment-13717806
]
zhouyanming edited comment on WW-4150 at 7/24/13 12:12 AM:
---
workaround
{code:html}
@s.form dynamicAttributes={'data-ajax':'false'}
...
/@s.form
{code}
was (Author: quaff):
workaround
@s.form dynamicAttributes={'data-ajax':'false'}
...
/@s.form
Support attributes with hyphens in tag dynamic attributes
-
Key: WW-4150
URL: https://issues.apache.org/jira/browse/WW-4150
Project: Struts 2
Issue Type: Improvement
Components: Other
Affects Versions: 2.3.15.1
Reporter: Jasper Rosenberg
Priority: Minor
Fix For: 2.3.17
A lot of CSS/JS frameworks look for attributes on html elements that include
a hyphen to do their magic (JQuery Mobile, Bootstrap, etc).
For example, in my JQuery Mobile app, I'd like to be able to say:
{code}
@s.form ... data-ajax=false
/@s.form
{code}
Unfortunately, this doesn't work because Freemarker doesn't allow hyphens in
macro parameter names. I entered an enhancement request for this here:
https://sourceforge.net/p/freemarker/bugs/395/
I'm not sure when or if that might be fixed, so perhaps a work around would
be to allow explicit dynamic attributes through some kind of parameter
convention.
{code}
@s.form ...
@s.param name=dyn:data-ajax value=false/
/@s.form
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4140) Security Improvement
[ https://issues.apache.org/jira/browse/WW-4140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13717818#comment-13717818 ] zhouyanming commented on WW-4140: - Struts2 disaster in china,many systems were hijacked. I think you guys should restrict ognl to access Runtime Process ProcessBuilder and so on,maby all java.lang.* and java.net.*,it's very critical. Security Improvement Key: WW-4140 URL: https://issues.apache.org/jira/browse/WW-4140 Project: Struts 2 Issue Type: Bug Components: Core Actions Affects Versions: 2.3.15 Reporter: Rene Gielen Assignee: Rene Gielen Labels: security Fix For: 2.3.15.1, 2.3.16 CVE-2013-2248 CVE-2013-2251 -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Created] (WW-4151) add getter methods for org.apache.struts2.components.Form
zhouyanming created WW-4151:
---
Summary: add getter methods for org.apache.struts2.components.Form
Key: WW-4151
URL: https://issues.apache.org/jira/browse/WW-4151
Project: Struts 2
Issue Type: Improvement
Reporter: zhouyanming
I'm trying implement my own org.apache.struts2.components.UrlRenderer to
replace default org.apache.struts2.components.ServletUrlRenderer
{code:java}
public void renderFormUrl(Form formComponent) {
String namespace = formComponent.determineNamespace(
formComponent.namespace,
formComponent.getStack(),
formComponent.request);
String action;
if (formComponent.action != null) {
action = formComponent.findString(formComponent.action);
} else {
// no action supplied? ok, then default to the current
request
// (action or general URL)
ActionInvocation ai = (ActionInvocation)
formComponent.getStack()
.getContext().get(ActionContext.ACTION_INVOCATION);
if (ai != null) {
action = ai.getProxy().getActionName();
namespace = ai.getProxy().getNamespace();
} else {
// hmm, ok, we need to just assume the current
URL cut down
String uri =
formComponent.request.getRequestURI();
action = uri.substring(uri.lastIndexOf('/'));
}
}
Map actionParams = null;
if (action != null action.indexOf(?) 0) {
String queryString =
action.substring(action.indexOf(?) + 1);
actionParams = urlHelper.parseQueryString(queryString,
false);
action = action.substring(0, action.indexOf(?));
}
ActionMapping nameMapping = actionMapper
.getMappingFromActionName(action);
String actionName = nameMapping.getName();
String actionMethod = nameMapping.getMethod();
final ActionConfig actionConfig = formComponent.configuration
.getRuntimeConfiguration().getActionConfig(namespace,
actionName);
if (actionConfig != null) {
ActionMapping mapping = new ActionMapping(actionName,
namespace,
actionMethod, formComponent.parameters);
String result = urlHelper
.buildUrl(formComponent.actionMapper
.getUriFromActionMapping(mapping),
formComponent.request,
formComponent.response,
actionParams, null,
formComponent.includeContext,
true);
formComponent.addParameter(action, result);
// let's try to get the actual action class and name
// this can be used for getting the list of validators
formComponent.addParameter(actionName, actionName);
try {
Class clazz = formComponent.objectFactory
.getClassInstance(actionConfig.getClassName());
formComponent.addParameter(actionClass,
clazz);
} catch (ClassNotFoundException e) {
// this is OK, we'll just move on
}
formComponent.addParameter(namespace, namespace);
// if the name isn't specified, use the action name
if (formComponent.name == null) {
formComponent.addParameter(name, actionName);
}
// if the id isn't specified, use the action name
if (formComponent.getId() == null actionName !=
null) {
formComponent.addParameter(id,
formComponent.escape(actionName));
}
} else if (action != null) {
// Since we can't find an action alias in the
configuration, we just
// assume the action attribute supplied is the path to
be used as
// the URI this form
[jira] [Updated] (WW-4151) add getter methods for org.apache.struts2.components.Form
[
https://issues.apache.org/jira/browse/WW-4151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhouyanming updated WW-4151:
Attachment: WW-4151.patch
here is patch
add getter methods for org.apache.struts2.components.Form
-
Key: WW-4151
URL: https://issues.apache.org/jira/browse/WW-4151
Project: Struts 2
Issue Type: Improvement
Reporter: zhouyanming
Attachments: WW-4151.patch
I'm trying implement my own org.apache.struts2.components.UrlRenderer to
replace default org.apache.struts2.components.ServletUrlRenderer
{code:java}
public void renderFormUrl(Form formComponent) {
String namespace = formComponent.determineNamespace(
formComponent.namespace,
formComponent.getStack(),
formComponent.request);
String action;
if (formComponent.action != null) {
action = formComponent.findString(formComponent.action);
} else {
// no action supplied? ok, then default to the current
request
// (action or general URL)
ActionInvocation ai = (ActionInvocation)
formComponent.getStack()
.getContext().get(ActionContext.ACTION_INVOCATION);
if (ai != null) {
action = ai.getProxy().getActionName();
namespace = ai.getProxy().getNamespace();
} else {
// hmm, ok, we need to just assume the current
URL cut down
String uri =
formComponent.request.getRequestURI();
action = uri.substring(uri.lastIndexOf('/'));
}
}
Map actionParams = null;
if (action != null action.indexOf(?) 0) {
String queryString =
action.substring(action.indexOf(?) + 1);
actionParams = urlHelper.parseQueryString(queryString,
false);
action = action.substring(0, action.indexOf(?));
}
ActionMapping nameMapping = actionMapper
.getMappingFromActionName(action);
String actionName = nameMapping.getName();
String actionMethod = nameMapping.getMethod();
final ActionConfig actionConfig = formComponent.configuration
.getRuntimeConfiguration().getActionConfig(namespace,
actionName);
if (actionConfig != null) {
ActionMapping mapping = new ActionMapping(actionName,
namespace,
actionMethod, formComponent.parameters);
String result = urlHelper
.buildUrl(formComponent.actionMapper
.getUriFromActionMapping(mapping),
formComponent.request,
formComponent.response,
actionParams, null,
formComponent.includeContext,
true);
formComponent.addParameter(action, result);
// let's try to get the actual action class and name
// this can be used for getting the list of validators
formComponent.addParameter(actionName, actionName);
try {
Class clazz = formComponent.objectFactory
.getClassInstance(actionConfig.getClassName());
formComponent.addParameter(actionClass,
clazz);
} catch (ClassNotFoundException e) {
// this is OK, we'll just move on
}
formComponent.addParameter(namespace, namespace);
// if the name isn't specified, use the action name
if (formComponent.name == null) {
formComponent.addParameter(name, actionName);
}
// if the id isn't specified, use the action name
if (formComponent.getId() == null actionName !=
null) {
formComponent.addParameter(id,
formComponent.escape(actionName));
}
} else if (action != null) {
//
[jira] [Commented] (WW-4146) cache attack at OgnlUtil.expressions
[
https://issues.apache.org/jira/browse/WW-4146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13718002#comment-13718002
]
zhouyanming commented on WW-4146:
-
agree with bruce liu
cache attack at OgnlUtil.expressions
-
Key: WW-4146
URL: https://issues.apache.org/jira/browse/WW-4146
Project: Struts 2
Issue Type: Bug
Components: Expression Language
Affects Versions: 2.3.15.1
Reporter: bruce liu
Fix For: 2.3.17
in class com.opensymphony.xwork2.ognl.OgnlUtil, code :
{code:java}
tree = expressions.get(expression);
if (tree == null) {
tree = Ognl.parseExpression(expression);
expressions.putIfAbsent(expression, tree);
}
{code}
every parameter in the request cached in field expressions which is an
instances of ConcurrentMapString, Object, use parameterName as key. so i
construct huge different parameters that has different name (like abc[123],
abc[124] ), they all cached in expressions, this cause outofmemory error,
and let map acted like a list .
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4135) It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag
[ https://issues.apache.org/jira/browse/WW-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13700486#comment-13700486 ] zhouyanming commented on WW-4135: - please paste generated html source It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag - Key: WW-4135 URL: https://issues.apache.org/jira/browse/WW-4135 Project: Struts 2 Issue Type: Bug Components: Core Actions Affects Versions: 2.3.15 Reporter: Lucy We are using s:submit rendering the action buttons. Today when I upgraded the struts2 version from 2.3.4.1 to 2.3.15, now it is showing some debugging text like: java.lang.Object@3fa472bf on the left side of the button. The button still functions fine. I just tested it with struts2-core-2.3.14.3, it didn't show the problem. So this is a regression bug. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4135) It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag
[ https://issues.apache.org/jira/browse/WW-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13700449#comment-13700449 ] zhouyanming commented on WW-4135: - are you using freemarker as template? maybe it cause by dynamic attributes,could you paste your s:submit ? It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag - Key: WW-4135 URL: https://issues.apache.org/jira/browse/WW-4135 Project: Struts 2 Issue Type: Bug Components: Core Actions Affects Versions: 2.3.15 Reporter: Lucy We are using s:submit rendering the action buttons. Today when I upgraded the struts2 version from 2.3.4.1 to 2.3.15, now it is showing some debugging text like: java.lang.Object@3fa472bf on the left side of the button. The button still functions fine. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-4135) It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag
[ https://issues.apache.org/jira/browse/WW-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13700459#comment-13700459 ] zhouyanming commented on WW-4135: - please remove action=cancelAction and test it. It is showing some debug text like java.lang.Object@3fa472bf next to the button generated by s:submit tag - Key: WW-4135 URL: https://issues.apache.org/jira/browse/WW-4135 Project: Struts 2 Issue Type: Bug Components: Core Actions Affects Versions: 2.3.15 Reporter: Lucy We are using s:submit rendering the action buttons. Today when I upgraded the struts2 version from 2.3.4.1 to 2.3.15, now it is showing some debugging text like: java.lang.Object@3fa472bf on the left side of the button. The button still functions fine. I just tested it with struts2-core-2.3.14.3, it didn't show the problem. So this is a regression bug. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-4064) WW-3698 cause ClassCastException
[
https://issues.apache.org/jira/browse/WW-4064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhouyanming updated WW-4064:
Attachment: application-error.log
here is my error log
WW-3698 cause ClassCastException
Key: WW-4064
URL: https://issues.apache.org/jira/browse/WW-4064
Project: Struts 2
Issue Type: Bug
Components: Plugin - JasperReports
Affects Versions: 2.3.14
Reporter: zhouyanming
Priority: Blocker
Fix For: 2.3.15
Attachments: application-error.log
my application works fine before commit 1439171,when I upgrade to 2.3.14,it
raise a ClassCastException
Caused by: java.lang.ClassCastException:
org.hibernate.collection.internal.PersistentList cannot be cast to
net.sf.jasperreports.engine.JRDataSource
at order_1283128512214_277101.evaluate(order_1283128512214_277101:275)
at
net.sf.jasperreports.engine.fill.JREvaluator.evaluate(JREvaluator.java:190)
... 120 more
class Order{
ListOrderItem items;
}
items in subreport should be JRDataSource but List
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Created] (WW-4064) WW-3698 cause ClassCastException
zhouyanming created WW-4064: --- Summary: WW-3698 cause ClassCastException Key: WW-4064 URL: https://issues.apache.org/jira/browse/WW-4064 Project: Struts 2 Issue Type: Bug Components: Plugin - JasperReports Affects Versions: 2.3.14 Reporter: zhouyanming Priority: Blocker my application works fine before commit 1439171,when I upgrade to 2.3.14,it raise a ClassCastException Caused by: java.lang.ClassCastException: org.hibernate.collection.internal.PersistentList cannot be cast to net.sf.jasperreports.engine.JRDataSource at order_1283128512214_277101.evaluate(order_1283128512214_277101:275) at net.sf.jasperreports.engine.fill.JREvaluator.evaluate(JREvaluator.java:190) ... 120 more -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
