| <hr /> |
| <p>layout: default |
| title: Parameter Filter Interceptor |
| parent: |
| title: Interceptors |
| url: interceptors.html |
| ——</p> |
| |
| <h1 id="parameter-filter-interceptor">Parameter Filter Interceptor</h1> |
| |
| <p>The Parameter Filter Interceptor blocks parameters from getting to the rest of the stack or your action. You can use |
| multiple parameter filter interceptors for a given action, so, for example, you could use one in your default stack |
| that filtered parameters you wanted blocked from every action and those you wanted blocked from an individual action |
| you could add an additional interceptor for each action.</p> |
| |
| <h2 id="parameters">Parameters</h2> |
| |
| <ul> |
| <li><code class="highlighter-rouge">allowed</code> - a comma delimited list of parameter prefixes that are allowed to pass to the action</li> |
| <li><code class="highlighter-rouge">blocked</code> - a comma delimited list of parameter prefixes that are not allowed to pass to the action</li> |
| <li><code class="highlighter-rouge">defaultBlock</code> - boolean (default to false) whether by default a given parameter is blocked. If true, |
| then a parameter must have a prefix in the allowed list in order to be able to pass to the action</li> |
| </ul> |
| |
| <p>The way parameters are filtered for the least configuration is that if a string is in the allowed or blocked lists, |
| then any parameter that is a member of the object represented by the parameter is allowed or blocked respectively.</p> |
| |
| <p>For example, if the parameters are:</p> |
| |
| <ul> |
| <li><code class="highlighter-rouge">blocked</code>: person,person.address.createDate,personDao</li> |
| <li><code class="highlighter-rouge">allowed</code>: person.address</li> |
| <li><code class="highlighter-rouge">defaultBlock</code>: false</li> |
| </ul> |
| |
| <p>The parameters <code class="highlighter-rouge">person.name</code>, <code class="highlighter-rouge">person.phoneNum</code> etc would be blocked because <code class="highlighter-rouge">person</code> is in the blocked list. However, |
| <code class="highlighter-rouge">person.address.street</code> and <code class="highlighter-rouge">person.address.city</code> would be allowed because <code class="highlighter-rouge">person.address</code> is in the allowed list |
| (the longer string determines permissions).</p> |
| |
| <h2 id="example">Example</h2> |
| |
| <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><interceptors></span> |
| ... |
| <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"parameterFilter"</span> <span class="na">class=</span><span class="s">"com.opensymphony.xwork2.interceptor.ParameterFilterInterceptor"</span><span class="nt">/></span> |
| ... |
| <span class="nt"></interceptors></span> |
| |
| <span class="nt"><action</span> <span class="err">....</span><span class="nt">></span> |
| ... |
| <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"parameterFilter"</span><span class="nt">></span> |
| <span class="nt"><param</span> <span class="na">name=</span><span class="s">"blocked"</span><span class="nt">></span>person,person.address.createDate,personDao<span class="nt"></param></span> |
| <span class="nt"></interceptor-ref></span> |
| ... |
| <span class="nt"></action></span> |
| </code></pre></div></div> |