Struts2's Wrapping of OGNL: MemberAccess
OGNL extension points:
http://java12345678.iteye.com/blog/2031790
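The MemberAccess interface
It defines whether a Member (Constructor, Method, Field) may be accessed. OGNL's default implementation, DefaultMemberAccess, denies access to non-public Members.
Struts2 extends DefaultMemberAccess: on top of DefaultMemberAccess denying access to non-public Members, it adds rules for which public Members may or may not be accessed.
I. Parameters that decide which Members can be accessed
1. Whether static methods can be accessed: decided by a boolean constructor parameter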
public SecurityMemberAccess(boolean method) { allowStaticMethodAccess = method; }
2. Which public Members cannot be accessed: decided by the property Set<Pattern> excludeProperties
3. Which public Members can be accessed: Set<Pattern> acceptProperties
4. The PropertiesJudge propertiesJudge object decides whether a given Member can be accessed
The check in the code:
protected boolean isAcceptableProperty(String name) {
    if (name == null) {
        return true;
    }
    // The property name does not match excludeProperties
    // The property name matches acceptProperties
    // If a propertiesJudge exists, its acceptProperty returns true
    // Access is allowed only when all of these hold
    if ((!isExcluded(name)) && isAccepted(name)
            && (propertiesJudge == null || propertiesJudge.acceptProperty(name))) {
        return true;
    }
    return false;
}
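The following stand-alone model of this decision rule is an added example, not Struts2 source code; it shows how the exclude set, the accept set and the judge combine for several property names. The class name, the sample patterns, the Predicate standing in for PropertiesJudge, and the bodies of isExcluded and isAccepted (full-string regex match, an empty accept set accepts everything) are assumptions, since the page does not show them.

```java
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

// Stand-alone model of the rule; hypothetical class, not the Struts2 SecurityMemberAccess.
public class MemberAccessRuleDemo {
    // Constructed sample patterns (assumptions, not Struts2 defaults).
    static Set<Pattern> excludeProperties =
            Set.of(Pattern.compile("password"), Pattern.compile("internal.*"));
    static Set<Pattern> acceptProperties = Set.of(Pattern.compile("[a-zA-Z]+"));
    // Stand-in for PropertiesJudge; null would mean "no judge configured".
    static Predicate<String> propertiesJudge = name -> name.length() <= 16;

    static boolean matchesAny(Set<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) {   // full-string match (assumption)
                return true;
            }
        }
        return false;
    }

    static boolean isExcluded(String name) {
        return matchesAny(excludeProperties, name);
    }

    // Assumption: an empty accept set accepts every name.
    static boolean isAccepted(String name) {
        return acceptProperties.isEmpty() || matchesAny(acceptProperties, name);
    }

    // Same combination as isAcceptableProperty on the page: all three checks must pass.
    static boolean isAcceptableProperty(String name) {
        if (name == null) {
            return true;   // a null name is not filtered, as in the page's code
        }
        return !isExcluded(name) && isAccepted(name)
                && (propertiesJudge == null || propertiesJudge.test(name));
    }

    public static void main(String[] args) {
        // Constructed inputs: accepted, excluded, excluded by prefix,
        // rejected by the accept pattern, rejected by the judge, and null.
        String[] samples = {"userName", "password", "internalState",
                "user_name", "aVeryLongPropertyNameIndeed", null};
        for (String s : samples) {
            System.out.println(s + " -> " + isAcceptableProperty(s));
        }
    }
}
```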
II. Where the parameters come from: OgnlValueStack
public class OgnlValueStack {
    transient SecurityMemberAccess securityMemberAccess;

    protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor,
                           CompoundRoot compoundRoot, boolean allowStaticMethodAccess) {
        // Some code omitted
        this.securityMemberAccess = new SecurityMemberAccess(allowStaticMethodAccess);
        this.context = Ognl.createDefaultContext(this.root, accessor,
                new OgnlTypeConverterWrapper(xworkConverter), securityMemberAccess);
    }

    public void setAcceptProperties(Set<Pattern> acceptedProperties) {
        securityMemberAccess.setAcceptProperties(acceptedProperties);
    }

    public void setPropertiesJudge(PropertiesJudge judge) {
        securityMemberAccess.setPropertiesJudge(judge);
    }

    public void setExcludeProperties(Set<Pattern> excludeProperties) {
        securityMemberAccess.setExcludeProperties(excludeProperties);
    }
}
OgnlValueStack is built by OgnlValueStackFactory:
public class OgnlValueStackFactory implements ValueStackFactory {
    @Inject(value="allowStaticMethodAccess", required=false)
    public void setAllowStaticMethodAccess(String allowStaticMethodAccess) {
        this.allowStaticMethodAccess = "true".equalsIgnoreCase(allowStaticMethodAccess);
    }
}