当 struts.ognl.allowStaticMethodAccess 为 false 时,Struts 2 调用静态方法

2022-01-16 00:00:00 reflection java struts2 ognl valuestack

为了安全问题,struts 2 将 struts.ognl.allowStaticMethodAccess 设置为 false.静态方法调用在某些情况下可能很有用,例如在处理表达式基础验证器时 Struts 2 在验证器实验中使用 StringUtils.

The struts 2 set the struts.ognl.allowStaticMethodAccess to false, for security issues. The static method invocation may be useful in some cases for example when dealing with expression base validators Struts 2 using StringUtils in validator expersions.

解决这个问题的一种方法是在动作中定义一个辅助方法,例如,如果我们想使用 Math 类,我们应该在下面添加:

One way to solve this problem is to define a helper method in the action, for example, if we want to use Math class we should add below:

public double randomMath(){
  return Math.random();
}


public double asinMath(double a){
  return Math.asin(a);
}

....

并将其用作 ${randomMath}${asinMath(1)}

正如您所见,对于 Math 类中的每个方法,我们需要在我们的操作中定义一个具有相同签名的 public 方法.

As you can see for every method in Math class we need to define a public method in our action, with same signature.

有没有更好的方法来避免这些样板吸气剂?!

Is there a better way to avoid these boilerplate getters?!

推荐答案

OGNL 允许执行方法,但默认禁用静态访​​问,因此不能在表达式中使用静态方法.但是,您可以教 OGNL 哪些类需要访问静态方法.

OGNL allows execution of methods, but the static access is disabled by default, so you cannot use static method in expressions. However, you can teach OGNL which classes needs to access the static methods.

方法调用是 OGNL 需要根据动态信息查找方法的另一个领域.MethodAccessor 接口提供了一个挂钩来了解 OGNL 如何调用方法.当请求静态或实例方法时,调用此接口的实现者以实际执行该方法.

OGNL developer guide: Method Accessors

Method calls are another area where OGNL needs to do lookups for methods based on dynamic information. The MethodAccessor interface provides a hook into how OGNL calls a method. When a static or instance method is requested the implementor of this interface is called to actually execute the method.

public interface MethodAccessor
{

    Object callStaticMethod( Map context, Class targetClass, String methodName, List args )
        throws MethodFailedException;

    Object callMethod( Map context, Object target, String methodName, List args )
        throws MethodFailedException;

}

您可以使用 OgnlRuntime.setMethodAccessor() 逐个类设置方法访问器.是 Object 的默认方法访问器(它只是根据方法名称和参数类型找到合适的方法,并使用反射来调用该方法).

You can set a method accessor on a class-by-class basis using OgnlRuntime.setMethodAccessor(). The is a default method accessor for Object (which simply finds an appropriate method based on method name and argument types and uses reflection to call the method).

<小时>

你可以编码一些东西


You can code something

public class StringUtil extends StringUtils implements MethodAccessor {
  //implement above methods
}  

<小时>

动作类

public static final String MESSAGE = "hello.message";

/**
 * Field for Message property.
 */
private String message;

/**
 * Return Message property.
 *
 * @return Message property
 */
public String getMessage() {
    return message;
}
private StringUtil stringUtil = new StringUtil();

public StringUtil getStringUtil() {
  return stringUtil;
}

public String execute() throws Exception {
    setMessage(getText(MESSAGE));
    OgnlRuntime.setMethodAccessor(StringUtil.class, stringUtil);
    return SUCCESS;
}

<小时>

在 JSP 中

<s:if test="!stringUtil.isEmpty(message)">
  <h2><s:property value="message"/></h2>
</s:if>

相关文章