struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: Not calling ParameterNameAware.acceptableParameterName when implemented - since xwork 2.3.7
Date Tue, 16 Jul 2013 09:57:39 GMT
2013/7/13 Przemysław Celej <>:
> Hi,
> Recently we had to update Struts2 to the most recent version due to security
> issues. After the update we've noticed some strange behaviour. In my
> application every action implements the ParameterNameAware interface. Until
> yesterday I thought that the interface's method acceptableParameterName() is
> called _every time_ Struts tries to set a parameter, and that was the
> case till Struts 2.3.7 came out. I found that now the method is called
> _only_ if the parameter's name is not allowed by Struts' configuration (see
> ParametersInterceptor class comparison: [1] [2]). This behaviour allows
> manipulating internal action's properties whose names match the configuration
> patterns - in practice, in most applications this allows accessing the business
> logic layer that shouldn't be accessed by users in any way. What is worse,
> there is no mention in the version notes for 2.3.7 [3] about this change.

This was already pointed out and resolved in [1] and the description of
ParametersInterceptor was also extended [2]. You can always return to
the old behaviour by overriding isAcceptableParameter() in

I'm wondering if changing the order of execution (i.e. return
(parameterNameAware != null &&
parameterNameAware.acceptableParameterName(name) ||
acceptableName(name));) would be better? Or maybe revert to the old


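The three orderings discussed in this thread, modelled as an added stand-alone example (not code from Struts/XWork or from either poster). `acceptableName` and the action predicate are stand-ins for the framework check and for `ParameterNameAware.acceptableParameterName()`; the pattern, the allow-list and the parameter names are constructed assumptions.

```java
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class ParamCheckOrder {
    // Stand-in for the configuration-level name filter (hypothetical pattern, not Struts' real one).
    static final Pattern CONFIG_ALLOWED = Pattern.compile("[\\w.]+");

    static boolean acceptableName(String name) {
        return CONFIG_ALLOWED.matcher(name).matches();
    }

    // Stand-in for an action's acceptableParameterName(): a per-action allow-list (constructed).
    static final Predicate<String> ACTION = List.of("username", "email")::contains;

    // Strict model: the action is consulted for every parameter and can veto it.
    static boolean strict(String n, Predicate<String> aware) {
        return acceptableName(n) && (aware == null || aware.test(n));
    }

    // Behaviour reported in the first post: the action is asked only when the config check fails.
    static boolean configFirst(String n, Predicate<String> aware) {
        return acceptableName(n) || (aware != null && aware.test(n));
    }

    // Ordering proposed in the reply: the action is asked first, but the result is still an OR.
    static boolean awareFirst(String n, Predicate<String> aware) {
        return aware != null && aware.test(n) || acceptableName(n);
    }

    public static void main(String[] args) {
        // Constructed parameter names; "orderService.discount" is a hypothetical internal property.
        for (String n : List.of("username", "orderService.discount", "bad name!")) {
            System.out.printf("%-24s strict=%-5b configFirst=%-5b awareFirst=%b%n",
                    n, strict(n, ACTION), configFirst(n, ACTION), awareFirst(n, ACTION));
        }
    }
}
```

Only the strict form lets the action veto a name that the configuration pattern accepts; the two OR forms accept the same set of names and differ only in which check runs first.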