WW-5631 Add opt-in @StrutsParameter enforcement to ChainingInterceptor #1719
Open
lukaszlenart wants to merge 9 commits into
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…leanUtils Use BooleanUtils.toBoolean for the chaining requireAnnotations flag so it accepts the same values (yes/on/1) as the sibling struts.parameters.requireAnnotations switch, and unify the enforcement WARN message prefix. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…et==action Add a test asserting nothing is copied when the target action cannot be introspected (fail-closed), and document why isAuthorized is called with target == action for chaining (no ModelDriven exemption). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
a1740a4 to ab5b25f



Summary

Adds an opt-in flag struts.chaining.requireAnnotations (default false) that makes ChainingInterceptor only copy a property to the target action when that property's target member is authorized by @StrutsParameter, reusing the shared ParameterAuthorizer.

- @StrutsParameter gates the HTTP-request-parameter channel via ParametersInterceptor; action chaining is a separate, developer-configured channel that copies properties between actions regardless of annotations. Some applications would prefer chaining to respect the same annotation boundary.
- false (default), behaviour and cost are unchanged — fully backward compatible.
- true, unauthorized target properties are skipped and logged at WARN. Enforcement reuses ParameterAuthorizer, so requireAnnotations, transitionMode and depth semantics stay consistent with ParametersInterceptor.
- main (7.2.0).

Fixes WW-5631

Changes

- StrutsConstants.STRUTS_CHAINING_REQUIRE_ANNOTATIONS and default.properties entry (default false).
- ChainingInterceptor enforces @StrutsParameter on the target when enabled (excludes-based gating, so includes still works).
- ChainingInterceptor JavaDoc.

Test Plan

- mvn test -DskipAssembly -pl core -Dtest=ChainingInterceptorTest — 14/14 pass
- mvn test -DskipAssembly -pl core -Dtest='ChainingInterceptor*,ParametersInterceptorTest' — 49/49 pass
- requireAnnotations=false (no-op), includes interaction, proxied target class resolution, fail-closed on introspection failure.

🤖 Generated with Claude Code
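A stand-alone model of the gating described in the summary, added here as an example and not code from this PR or from Struts. The nested StrutsParameter annotation, ChainGateDemo, SourceAction, TargetAction and copy() are hypothetical stand-ins, and the setter-level check is a simplification of ParameterAuthorizer (no includes/excludes, depth or transitionMode handling).

```java
import java.beans.*;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class ChainGateDemo {
    // Local stand-in for Struts' @StrutsParameter so the demo compiles without Struts.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface StrutsParameter {}

    public static class SourceAction {          // constructed sample: earlier action in the chain
        public String getName() { return "alice"; }
        public boolean isAdmin() { return true; }
    }
    public static class TargetAction {          // constructed sample: chained-to action
        String name; boolean admin;
        @StrutsParameter public void setName(String n) { name = n; }
        public void setAdmin(boolean a) { admin = a; }   // deliberately not annotated
    }

    /** Copies source properties onto the target; returns the property names that were skipped. */
    static List<String> copy(Object src, Object dst, boolean requireAnnotations) throws Exception {
        List<String> skipped = new ArrayList<>();
        Map<String, Method> setters = new HashMap<>();
        try {
            for (PropertyDescriptor pd : Introspector.getBeanInfo(dst.getClass(), Object.class).getPropertyDescriptors())
                if (pd.getWriteMethod() != null) setters.put(pd.getName(), pd.getWriteMethod());
        } catch (IntrospectionException e) {
            return skipped;                     // fail closed: target not introspectable, copy nothing
        }
        for (PropertyDescriptor pd : Introspector.getBeanInfo(src.getClass(), Object.class).getPropertyDescriptors()) {
            Method get = pd.getReadMethod(), set = setters.get(pd.getName());
            if (get == null || set == null) continue;
            if (requireAnnotations && !set.isAnnotationPresent(StrutsParameter.class)) {
                skipped.add(pd.getName());      // the PR logs such properties at WARN
                continue;
            }
            set.invoke(dst, get.invoke(src));
        }
        return skipped;
    }

    public static void main(String[] args) throws Exception {
        TargetAction off = new TargetAction(), on = new TargetAction();
        copy(new SourceAction(), off, false);   // models requireAnnotations=false
        List<String> skipped = copy(new SourceAction(), on, true);
        System.out.println("flag=false name=" + off.name + " admin=" + off.admin);
        System.out.println("flag=true  name=" + on.name + " admin=" + on.admin + " skipped=" + skipped);
    }
}
```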