I'm using Struts 2.3.28. When I submit a form that uses the submit tag with the method attribute, I'm getting this warning:

WARN com.opensymphony.xwork2.interceptor.ParametersInterceptor warn- Parameter [method:save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'\])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!

I have struts.enable.DynamicMethodInvocation set to true.

I think the acceptParamNames property of ParametersInterceptor (sort of a whitelist, it seems) was added in a recent version... The docs say (basically) "don't touch this".

Great! So, what am I supposed to do if I still want to use the method attribute of the submit tag?

Further: it's not clear to me what the implications of this warning are. If the pattern matches neither the whitelist (acceptParamNames) nor the blacklist (excludeParams) (ah, the consistency), what is supposed to happen?

It's a developer notification invoked by this method:

    protected boolean isAccepted(String paramName) {
        AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
        if (result.isAccepted()) {
            return true;
        }
        // Name matched no accepted pattern: notify the developer and reject it.
        notifyDeveloper("Parameter [#0] didn't match accepted pattern [#1]!", paramName, result.getAcceptedPattern());
        return false;
    }

It means that if the parameter name matches the list of accepted patterns, it's passed by the interceptor (after it checks the name length, and if it's not excluded).

The new interceptor checks acceptance of the parameter value.

The whitelist and blacklist of parameters can be managed by a ParameterNameAware action separately.

Note: Using ParameterNameAware could be dangerous as ParameterNameAware#acceptableParameterName(String) takes precedence over ParametersInterceptor, which means that if ParametersInterceptor excluded a given parameter name, you can accept it with ParameterNameAware#acceptableParameterName(String).

The default list of patterns is settled during initialization (it's hardcoded using a default constant value), so if you didn't use the parameter acceptParamNames in the interceptor configuration, Struts uses the default pattern list. You can override this parameter value by specifying the parameter on the parameters interceptor.

Note: the method notifyDeveloper should print in devMode, otherwise it prints in debug mode of the logger. You can trace messages by changing the logger level to trace.

To use the method attribute of the submit tag you should:

1. Enable DMI:

    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

2. Override the list of excluded patterns. The default list of excluded patterns contains a pattern that excludes the method: parameter (and action: too), as mentioned by AleksandrM in a comment.

For more information see the documentation for the params interceptor.
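
The name checks discussed in the question and answer, replayed on constructed parameter names. This is an added example, not code from the original post or from Struts: the accepted pattern is copied from the warning above, while the class name, the `^(action|method):.*` exclude pattern, full-match semantics and the 100-character limit are assumptions.

```java
import java.util.regex.Pattern;

// Added illustration, not Struts source code. Class and method names are hypothetical.
public class ParamNameCheckDemo {
    // Accepted pattern, copied from the warning quoted in the question.
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))"
        + "|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");
    // Assumption: an exclude pattern for the "method:" and "action:" prefixes the answer mentions.
    static final Pattern EXCLUDED = Pattern.compile("^(action|method):.*");
    // Assumption: a name length limit of 100 characters.
    static final int MAX_NAME_LENGTH = 100;

    static boolean isAccepted(String name) { return ACCEPTED.matcher(name).matches(); }
    static boolean isExcluded(String name) { return EXCLUDED.matcher(name).matches(); }

    // Order following the answer's description: length, then excluded, then accepted.
    static String verdict(String name) {
        if (name.length() > MAX_NAME_LENGTH) return "dropped: name too long";
        if (isExcluded(name)) return "dropped: matches exclude pattern";
        if (!isAccepted(name)) return "dropped: no accepted pattern matched";
        return "set on the action";
    }

    public static void main(String[] args) {
        // Constructed sample parameter names.
        String[] samples = {
            "method:save", "action:list", "user.name",
            "items[0].price", "map['key']", "user name"
        };
        for (String s : samples) {
            System.out.printf("%-16s accepted=%-5b excluded=%-5b -> %s%n",
                s, isAccepted(s), isExcluded(s), verdict(s));
        }
    }
}
```

`method:save` fails the accepted pattern because `\w` does not match the colon, which is the mismatch the warning reports.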