|
This interceptor sets all parameters on the value stack.
This interceptor gets all parameters from ActionContext#getParameters() and sets them on the value stack by
calling {@link OgnlValueStack#setValue(String, Object)}, typically resulting in the values submitted in a form
request being applied to an action in the value stack. Note that the parameter map must contain a String key and
often containers a String[] for the value.
Because parameter names are effectively OGNL statements, it is important that security be taken in to account.
This interceptor will not apply any values in the parameters map if the expression contains an assignment (=),
multiple expressions (,), or references any objects in the context (#). This is all done in the {@link
#acceptableName(String)} method. In addition to this method, if the action being invoked implements the {@link
ParameterNameAware} interface, the action will be consulted to determine if the parameter should be set.
In addition to these restrictions, a flag (XWorkMethodAccessor#DENY_METHOD_EXECUTION) is set such that
no methods are allowed to be invoked. That means that any expression such as person.doSomething() or
person.getName() will be explicitely forbidden. This is needed to make sure that your application is not
exposed to attacks by malicious users.
While this interceptor is being invoked, a flag (InstantiatingNullHandler#CREATE_NULL_OBJECTS) is turned
on to ensure that any null reference is automatically created - if possible. See the type conversion documentation
and the InstantiatingNullHandler javadocs for more information.
Finally, a third flag (XWorkConverter#REPORT_CONVERSION_ERRORS) is set that indicates any errors when
converting the the values to their final data type (String[] -> int) an unrecoverable error occured. With this
flag set, the type conversion errors will be reported in the action context. See the type conversion documentation
and the XWorkConverter javadocs for more information.
If you are looking for detailed logging information about your parameters, turn on DEBUG level logging for this
interceptor. A detailed log of all the parameter keys and values will be reported.
For more information on ways to restrict the parameter names allowed, see the ParameterNameAware javadocs:
This interface is implemented by actions that want to declare acceptable parameters. Works in conjunction with {@link
ParametersInterceptor}. For example, actions may want to create a whitelist of parameters they will accept or a
blacklist of paramters they will reject to prevent clients from setting other unexpected (and possibly dangerous)
parameters.
Parameters
Extending the Interceptor
The best way to add behavior to this interceptor is to utilize the ParameterNameAware interface in your
actions. However, if you wish to apply a global rule that isn't implemented in your action, then you could extend
this interceptor and override the #acceptableName(String) method.
Examples
<action name="someAction" class="com.examples.SomeAction">
<interceptor-ref name="params"/>
<result name="success">good_result.ftl</result>
</action>
|