I'm using Struts2.3.28. When I submit a form which uses the submit
tag with the method
attribute, I'm getting this warning:
WARN com.opensymphony.xwork2.interceptor.ParametersInterceptor
warn- Parameter [method:save] didn't match accepted
pattern [[\w+((\.\w+)|(\[\d+\])|(\(\d+\))|
(\['(\w|[\u4e00-\u9fa5])+'\])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
I have struts.enable.DynamicMethodInvocation
set to true
.
I think this acceptParamNames
property for the Parameters Interceptor (sort of a whitelist, it seems) was added in some recent version... The docs only says (basically)
"don't touch this" .
Great! So, what am I supposed to do if I still want to use the method
attribute of submit
tag?
Further: it's not clear for me the implications of this warning. If the pattern does not match neither the whitelist acceptParamNames
nor the blacklist excludeParams
(ah, the consistency), what is supposed to happen?
It's a developer notification that is invoked from the method
protected boolean isAccepted(String paramName) {
AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
if (result.isAccepted()) {
return true;
}
notifyDeveloper("Parameter [#0] didn't match accepted pattern [#1]!", paramName, result.getAcceptedPattern());
return false;
}
it means that if the parameter name matches the list of accepted patterns, then it's passed by this interceptor (after checks for name length, and if it's not excluded).
New interceptor also checks the acceptance of the parameter value.
The whitelist and blacklist of parameters are managed by the ParameterNameAware
action separately.
Note:
Using
ParameterNameAware
could be dangerous asParameterNameAware#acceptableParameterName(String)
takes precedence overParametersInterceptor
which means ifParametersInterceptor
excluded given parameter name you can accept it withParameterNameAware#acceptableParameterName(String)
.
The default list of patterns are settled during initialization (it's hardcoded using default constant value), so if you didn't use a parameter acceptParamNames
in the interceptor configuration, Struts will use its default pattern list. But you can override the parameter value by specifying this parameter to the parameters interceptor.
Note: The method notifyDeveloper
should only print in devMode
, otherwise it prints only in DEBUG
mode of the logger. You can also trace massages by changing a logger level to TRACE
.
To use a method
attribute of the submit tag you should:
<constant name="struts.enable.DynamicMethodInvocation" value="true"/>
2. Override the list of excluded patterns.
the default list of exluded patterns contains a pattern that excludes method:
parameter (and action:
too). That is also mentioned by AleksandrM in the comment.
For more information see documentation for params
interceptor.