struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Allowing user to inject his/her specific utility class into OGNL scopes?
Date Fri, 15 Sep 2017 06:04:31 GMT
As I don't fully grasp the idea behind it, you can always use the
#application scope (which is basically a ServletContext wrapper).
There is also the ApplicationAware interface to allow actions to deal with
it.

Another thing would be an implementation of ConfigurationProvider which
can deal with the ServletContext, and you can use
ServletContextAwareConfigurationProvider in this case.

You can register your custom ConfigurationProvider as below:

  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
    <init-param>
      <param-name>configProviders</param-name>
      <param-value>com.company.MyConfigurationProvider</param-value>
    </init-param>
  </filter>

The flow is as follows:
- in your ServletContextAwareConfigurationProvider you use
ServletContext#setAttribute to inject whatever tool you need
- in actions implementing ApplicationAware you can inject
action-specific tools/values into the #application scope
- in JSPs you can call #application['myTool'].doStuff


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-09-08 23:49 GMT+02:00 Yasser Zamani <yasser.zamani@live.com>:
> Good morning,
>
> If we suppose "is this OGNL access an attack?" as our test, adding
> packages to exclusions may have false positives (test is positive but
> it's not an attack). Some issues occur in these false positives.
>
> I spotted such issues for 5 users [1], [2], [3], [4] and myself.
>
> I'll research a cleaner solution, but for now, what's your idea about
> importing something like [5] to Struts2, i.e. allowing the user to inject
> his/her specific utility class into OGNL scopes when his/her primitive
> info (e.g. a simple String) is not accessible because of our exclusions?
>
> I can work on that and the required documentation on the site.
>
> [1] https://issues.apache.org/jira/browse/WW-4852
> [2]
> https://stackoverflow.com/questions/44291034/struts2-5-10-1-core-jar-missing-xwork2-dispatcher-package
> [3] https://www.mail-archive.com/dev@struts.apache.org/msg43017.html
> [4] https://www.mail-archive.com/dev@struts.apache.org/msg42277.html
> [5]
> https://mail-archives.apache.org/mod_mbox/struts-dev/201707.mbox/%3CDB5PR08MB1062D3E6D3D0C002F87442AE92A50%40DB5PR08MB1062.eurprd08.prod.outlook.com%3E
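
The first step of the flow described in the reply above, written out as an added example; it is not code from the original message or from the Struts project. It assumes the Struts 2.5 `ServletContextAwareConfigurationProvider` interface with its `initWithContext(ServletContext)` callback, and `MyTool` is a hypothetical class; `com.company.MyConfigurationProvider`, `myTool` and `doStuff` are the names used in the message.

```java
// Added example, file com/company/MyConfigurationProvider.java (registered via the
// configProviders init-param shown in the message).
package com.company;

import javax.servlet.ServletContext;

import org.apache.struts2.config.ServletContextAwareConfigurationProvider;

import com.opensymphony.xwork2.config.Configuration;
import com.opensymphony.xwork2.config.ConfigurationException;
import com.opensymphony.xwork2.inject.ContainerBuilder;
import com.opensymphony.xwork2.util.location.LocatableProperties;

public class MyConfigurationProvider implements ServletContextAwareConfigurationProvider {

    /**
     * Hypothetical tool. Anything stored in application scope is reachable from
     * every OGNL expression in the application, so it is kept immutable and only
     * hands out a plain String instead of the underlying container object.
     */
    public static final class MyTool {
        private final String contextPath;

        MyTool(String contextPath) {
            this.contextPath = contextPath;
        }

        public String doStuff() {
            return contextPath;
        }
    }

    // Assumed callback: invoked by the dispatcher with the ServletContext at startup.
    @Override
    public void initWithContext(ServletContext servletContext) {
        // Publish the tool; OGNL then sees it as #application['myTool'].
        servletContext.setAttribute("myTool", new MyTool(servletContext.getContextPath()));
    }

    // This provider contributes no beans, constants or packages of its own.
    @Override public void init(Configuration configuration) throws ConfigurationException { }
    @Override public void register(ContainerBuilder builder, LocatableProperties props)
            throws ConfigurationException { }
    @Override public void loadPackages() throws ConfigurationException { }
    @Override public boolean needsReload() { return false; }
    @Override public void destroy() { }
}
```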
