content/core-developers/parameter-filter-interceptor.html - struts-site - Git at Google

 <hr />
 <p>layout: default
 title: Parameter Filter Interceptor
 parent:
     title: Interceptors
     url: interceptors.html
 ——</p>

 <h1 id="parameter-filter-interceptor">Parameter Filter Interceptor</h1>

 <p>The Parameter Filter Interceptor blocks parameters from getting to the rest of the stack or your action. You can use
 multiple parameter filter interceptors for a given action, so, for example, you could use one in your default stack
 that filtered parameters you wanted blocked from every action and those you wanted blocked from an individual action
 you could add an additional interceptor for each action.</p>

 <h2 id="parameters">Parameters</h2>

 <ul>
   <li><code class="highlighter-rouge">allowed</code> - a comma delimited list of parameter prefixes that are allowed to pass to the action</li>
   <li><code class="highlighter-rouge">blocked</code> - a comma delimited list of parameter prefixes that are not allowed to pass to the action</li>
   <li><code class="highlighter-rouge">defaultBlock</code> - boolean (default to false) whether by default a given parameter is blocked. If true,
 then a parameter must have a prefix in the allowed list in order to be able to pass to the action</li>
 </ul>

 <p>The way parameters are filtered for the least configuration is that if a string is in the allowed or blocked lists,
 then any parameter that is a member of the object represented by the parameter is allowed or blocked respectively.</p>

 <p>For example, if the parameters are:</p>

 <ul>
   <li><code class="highlighter-rouge">blocked</code>: person,person.address.createDate,personDao</li>
   <li><code class="highlighter-rouge">allowed</code>: person.address</li>
   <li><code class="highlighter-rouge">defaultBlock</code>: false</li>
 </ul>

 <p>The parameters <code class="highlighter-rouge">person.name</code>, <code class="highlighter-rouge">person.phoneNum</code> etc would be blocked because <code class="highlighter-rouge">person</code> is in the blocked list. However,
 <code class="highlighter-rouge">person.address.street</code> and <code class="highlighter-rouge">person.address.city</code> would be allowed because <code class="highlighter-rouge">person.address</code> is in the allowed list
 (the longer string determines permissions).</p>

 <h2 id="example">Example</h2>

 <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;interceptors&gt;</span>
     ...
     <span class="nt">&lt;interceptor</span> <span class="na">name=</span><span class="s">"parameterFilter"</span> <span class="na">class=</span><span class="s">"com.opensymphony.xwork2.interceptor.ParameterFilterInterceptor"</span><span class="nt">/&gt;</span>
     ...
 <span class="nt">&lt;/interceptors&gt;</span>

 <span class="nt">&lt;action</span> <span class="err">....</span><span class="nt">&gt;</span>
      ...
      <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span class="s">"parameterFilter"</span><span class="nt">&gt;</span>
           <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"blocked"</span><span class="nt">&gt;</span>person,person.address.createDate,personDao<span class="nt">&lt;/param&gt;</span>
      <span class="nt">&lt;/interceptor-ref&gt;</span>
      ...
 <span class="nt">&lt;/action&gt;</span>
 </code></pre></div></div>
	<hr />
	<p>layout: default
	title: Parameter Filter Interceptor
	parent:
	title: Interceptors
	url: interceptors.html
	——</p>

	<h1 id="parameter-filter-interceptor">Parameter Filter Interceptor</h1>

	<p>The Parameter Filter Interceptor blocks parameters from getting to the rest of the stack or your action. You can use
	multiple parameter filter interceptors for a given action, so, for example, you could use one in your default stack
	that filtered parameters you wanted blocked from every action and those you wanted blocked from an individual action
	you could add an additional interceptor for each action.</p>

	<h2 id="parameters">Parameters</h2>

	<ul>
	<li><code class="highlighter-rouge">allowed</code> - a comma delimited list of parameter prefixes that are allowed to pass to the action</li>
	<li><code class="highlighter-rouge">blocked</code> - a comma delimited list of parameter prefixes that are not allowed to pass to the action</li>
	<li><code class="highlighter-rouge">defaultBlock</code> - boolean (default to false) whether by default a given parameter is blocked. If true,
	then a parameter must have a prefix in the allowed list in order to be able to pass to the action</li>
	</ul>

	<p>The way parameters are filtered for the least configuration is that if a string is in the allowed or blocked lists,
	then any parameter that is a member of the object represented by the parameter is allowed or blocked respectively.</p>

	<p>For example, if the parameters are:</p>

	<ul>
	<li><code class="highlighter-rouge">blocked</code>: person,person.address.createDate,personDao</li>
	<li><code class="highlighter-rouge">allowed</code>: person.address</li>
	<li><code class="highlighter-rouge">defaultBlock</code>: false</li>
	</ul>

	<p>The parameters <code class="highlighter-rouge">person.name</code>, <code class="highlighter-rouge">person.phoneNum</code> etc would be blocked because <code class="highlighter-rouge">person</code> is in the blocked list. However,
	<code class="highlighter-rouge">person.address.street</code> and <code class="highlighter-rouge">person.address.city</code> would be allowed because <code class="highlighter-rouge">person.address</code> is in the allowed list
	(the longer string determines permissions).</p>

	<h2 id="example">Example</h2>

	<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><interceptors></span>
	...
	<span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"parameterFilter"</span> <span class="na">class=</span><span class="s">"com.opensymphony.xwork2.interceptor.ParameterFilterInterceptor"</span><span class="nt">/></span>
	...
	<span class="nt"></interceptors></span>

	<span class="nt"><action</span> <span class="err">....</span><span class="nt">></span>
	...
	<span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"parameterFilter"</span><span class="nt">></span>
	<span class="nt"><param</span> <span class="na">name=</span><span class="s">"blocked"</span><span class="nt">></span>person,person.address.createDate,personDao<span class="nt"></param></span>
	<span class="nt"></interceptor-ref></span>
	...
	<span class="nt"></action></span>
	</code></pre></div></div>