当struts.ognl.allowStaticMethodAccess为false时,Struts 2调用静态方法 [英] Struts 2 calling static method when struts.ognl.allowStaticMethodAccess is false
问题描述
出于安全考虑,支柱2将struts.ognl.allowStaticMethodAccess设置为false.静态方法调用在某些情况下可能有用,例如在处理基于表达式的基础验证器时
The struts 2 set the struts.ognl.allowStaticMethodAccess to false, for security issues. The static method invocation may be useful in some cases for example when dealing with expression base validators Struts 2 using StringUtils in validator expersions.
解决此问题的一种方法是在操作中定义一个辅助方法,例如,如果我们要使用Math类,则应在下面添加:
One way to solve this problem is to define a helper method in the action, for example, if we want to use Math class we should add below:
public double randomMath(){
return Math.random();
}
public double asinMath(double a){
return Math.asin(a);
}
....
并将其用作${randomMath}或${asinMath(1)}
如您所见,对于Math类中的每个方法,我们都需要在操作中定义一个具有相同签名的public方法.
As you can see for every method in Math class we need to define a public method in our action, with same signature.
有没有更好的方法来避免这些样板吸气剂?!
Is there a better way to avoid these boilerplate getters?!
推荐答案
OGNL允许执行方法,但是默认情况下禁用静态访问,因此您不能在表达式中使用静态方法.但是,您可以教OGNL哪些类需要访问静态方法.
OGNL allows execution of methods, but the static access is disabled by default, so you cannot use static method in expressions. However, you can teach OGNL which classes needs to access the static methods.
OGNL开发人员指南:方法访问器
方法调用是OGNL需要基于动态信息对方法进行查找的另一个领域.
MethodAccessor接口提供了有关OGNL如何调用方法的信息.当请求静态或实例方法时,将调用此接口的实现者以实际执行该方法.
OGNL developer guide: Method Accessors
Method calls are another area where OGNL needs to do lookups for methods based on dynamic information. The
MethodAccessorinterface provides a hook into how OGNL calls a method. When a static or instance method is requested the implementor of this interface is called to actually execute the method.
public interface MethodAccessor
{
Object callStaticMethod( Map context, Class targetClass, String methodName, List args )
throws MethodFailedException;
Object callMethod( Map context, Object target, String methodName, List args )
throws MethodFailedException;
}
您可以使用OgnlRuntime.setMethodAccessor()逐个类地设置方法访问器.是Object的默认方法访问器(它只是根据方法名称和参数类型找到合适的方法,并使用反射来调用该方法).
You can set a method accessor on a class-by-class basis using OgnlRuntime.setMethodAccessor(). The is a default method accessor for Object (which simply finds an appropriate method based on method name and argument types and uses reflection to call the method).
您可以编写一些东西
You can code something
public class StringUtil extends StringUtils implements MethodAccessor {
//implement above methods
}
动作类
public static final String MESSAGE = "hello.message";
/**
* Field for Message property.
*/
private String message;
/**
* Return Message property.
*
* @return Message property
*/
public String getMessage() {
return message;
}
private StringUtil stringUtil = new StringUtil();
public StringUtil getStringUtil() {
return stringUtil;
}
public String execute() throws Exception {
setMessage(getText(MESSAGE));
OgnlRuntime.setMethodAccessor(StringUtil.class, stringUtil);
return SUCCESS;
}
在JSP中
<s:if test="!stringUtil.isEmpty(message)">
<h2><s:property value="message"/></h2>
</s:if>
这篇关于当struts.ognl.allowStaticMethodAccess为false时,Struts 2调用静态方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
