3

I'm using Struts2.3.28. When I submit a form which uses the submit tag with the method attribute, I'm getting this warning:

WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
     warn- Parameter [method:save] didn't match accepted 
     pattern [[\w+((\.\w+)|(\[\d+\])|(\(\d+\))|
     (\['(\w|[\u4e00-\u9fa5])+'\])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!

I have struts.enable.DynamicMethodInvocation set to true.

I think this acceptParamNames property for the Parameters Interceptor (sort of a whitelist, it seems) was added in some recent version... The docs only says (basically)

"don't touch this" .

Great! So, what am I supposed to do if I still want to use the method attribute of submit tag?

Further: it's not clear for me the implications of this warning. If the pattern does not match neither the whitelist acceptParamNames nor the blacklist excludeParams (ah, the consistency), what is supposed to happen?

Roman C
  • 49,761
  • 33
  • 66
  • 176
leonbloy
  • 73,180
  • 20
  • 142
  • 190
  • Are you sure that you use 2.3.28? Have you modified accepted or excluded patterns? Cannot reproduce your issue in my project. – Aleksandr M Mar 28 '16 at 08:16
  • Perhaps you need to set devmode ? https://struts.apache.org/docs/devmode.html – leonbloy Mar 28 '16 at 16:24
  • 1
    [Default exclude pattern](https://github.com/apache/struts/blob/support-2-3/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java#L21) excludes `method:` and `isExcluded` [comes before](https://github.com/apache/struts/blob/support-2-3/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java#L386) `isAccepted`. Have you modified exclude pattern? – Aleksandr M Mar 28 '16 at 18:37
  • @AleksandrM Yes, I've removed that restriction. – leonbloy Mar 28 '16 at 21:14
  • That answers why you are seeing exact this message. But DMI should still work, right? If not then it is hard to tell why w/o additional info. – Aleksandr M Mar 29 '16 at 08:56

1 Answers1

1

It's a developer notification that is invoked from the method

 protected boolean isAccepted(String paramName) {
        AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
        if (result.isAccepted()) {
            return true;
        }
        notifyDeveloper("Parameter [#0] didn't match accepted pattern [#1]!", paramName, result.getAcceptedPattern());
        return false;
    }

it means that if the parameter name matches the list of accepted patterns, then it's passed by this interceptor (after checks for name length, and if it's not excluded).

New interceptor also checks the acceptance of the parameter value.

The whitelist and blacklist of parameters are managed by the ParameterNameAware action separately.

Note:

Using ParameterNameAware could be dangerous as ParameterNameAware#acceptableParameterName(String) takes precedence over ParametersInterceptor which means if ParametersInterceptor excluded given parameter name you can accept it with ParameterNameAware#acceptableParameterName(String).

The default list of patterns are settled during initialization (it's hardcoded using default constant value), so if you didn't use a parameter acceptParamNames in the interceptor configuration, Struts will use its default pattern list. But you can override the parameter value by specifying this parameter to the parameters interceptor.

Note: The method notifyDeveloper should only print in devMode, otherwise it prints only in DEBUG mode of the logger. You can also trace massages by changing a logger level to TRACE.

To use a method attribute of the submit tag you should:

  1. Enable DMI:
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

2. Override the list of excluded patterns. the default list of exluded patterns contains a pattern that excludes method: parameter (and action: too). That is also mentioned by AleksandrM in the comment.

For more information see documentation for params interceptor.

Roman C
  • 49,761
  • 33
  • 66
  • 176
  • To use DMI there is no need to override excluded pattern. DMI happens before parameters mapping. – Aleksandr M Mar 29 '16 at 16:09
  • Updated for better understanding. – Roman C Mar 29 '16 at 16:13
  • There is some misunderstanding. DMI should work even if default pattern is used. The exclude pattern is for parameters not for DMI. – Aleksandr M Mar 29 '16 at 16:23
  • DMI it does but the submit tag generates URLs for default action mapper, which is using this parameter only if DMI is enabled. – Roman C Mar 29 '16 at 16:26
  • Correct, so I will remove part 2. – Roman C Mar 29 '16 at 16:31
  • 1
    I'm still not sure if we need to override the default accept pattern. The crucial point, I think, is not to confuse http parameters with struts params. If I'm using DMI, a (http) parameter like "method:save" is received. Now, it's (perhaps) ok that this is rejected by the struts parameter interceptor, because we don't want this to be treated like a "common" parameter (calling the setter in the action), but only to be processed by the struts url-to-action+method mapping intelligence (which happens before the parameters mapping). It this is true (I'm not sure), then point 2 shouldn't be needed. – leonbloy Mar 29 '16 at 17:40
  • yes, the default action mapper handles this parameters by setting action mapping properties before the params or any other interceptor is invoked, but parameters still remains in the request and should be rejected from this interceptor, while rejected it shows a warning but you can suppress it. You don't need to override it. – Roman C Mar 29 '16 at 17:51