Adds constant to control proxy member access

Author: yasserzamani

Diff for: plugins/spring/src/main/resources/struts-plugin.xml

@@ -34,6 +34,7 @@
     <constant name="struts.class.reloading.watchList" value="" />
     <constant name="struts.class.reloading.acceptClasses" value="" />
     <constant name="struts.class.reloading.reloadConfig" value="false" />
+    <constant name="xwork.disallowProxyMemberAccess" value="true" />
 
     <package name="spring-default">
         <interceptors>

Diff for: xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java

@@ -28,4 +28,5 @@ public final class XWorkConstants {
     public static final String OVERRIDE_EXCLUDED_PATTERNS = "overrideExcludedPatterns";
     public static final String OVERRIDE_ACCEPTED_PATTERNS = "overrideAcceptedPatterns";
 
+    public static final String XWORK_DISALLOW_PROXY_MEMBER_ACCESS = "xwork.disallowProxyMemberAccess";
 }

Diff for: xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

@@ -72,6 +72,7 @@ public class OgnlUtil {
 
     private Container container;
     private boolean allowStaticMethodAccess;
+    private boolean disallowProxyMemberAccess;
 
     @Inject
     public void setXWorkConverter(XWorkConverter conv) {
@@ -144,6 +145,15 @@ public void setAllowStaticMethodAccess(String allowStaticMethodAccess) {
         this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess);
     }
 
+    @Inject(value = XWorkConstants.XWORK_DISALLOW_PROXY_MEMBER_ACCESS, required = false)
+    public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) {
+        this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess);
+    }
+
+    public boolean isDisallowProxyMemberAccess() {
+        return disallowProxyMemberAccess;
+    }
+
     /**
      * Sets the object's properties using the default type converter, defaulting to not throw
      * exceptions for problems setting the properties.
@@ -654,6 +664,7 @@ protected Map createDefaultContext(Object root, ClassResolver classResolver) {
         memberAccess.setExcludedClasses(excludedClasses);
         memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
         memberAccess.setExcludedPackageNames(excludedPackageNames);
+        memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess);
 
         return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess);
     }

Diff for: xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java

@@ -83,6 +83,7 @@ public void setOgnlUtil(OgnlUtil ognlUtil) {
         securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
         securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
         securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames());
+        securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess());
     }
 
     protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot,

Diff for: xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

@@ -42,6 +42,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
     private Set<Class<?>> excludedClasses = Collections.emptySet();
     private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet();
     private Set<String> excludedPackageNames = Collections.emptySet();
+    private boolean disallowProxyMemberAccess;
 
     public SecurityMemberAccess(boolean method) {
         super(false);
@@ -94,7 +95,7 @@ public boolean isAccessible(Map context, Object target, Member member, String pr
             return false;
         }
 
-        if (ProxyUtil.isProxyMember(member, target)) {
+        if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) {
             LOG.warn("Access to proxy [#0] is blocked!", member);
             return false;
         }
@@ -222,4 +223,8 @@ public void setExcludedPackageNamePatterns(Set<Pattern> excludedPackageNamePatte
     public void setExcludedPackageNames(Set<String> excludedPackageNames) {
         this.excludedPackageNames = excludedPackageNames;
     }
+
+    public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) {
+        this.disallowProxyMemberAccess = disallowProxyMemberAccess;
+    }
 }

Diff for: xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java

@@ -0,0 +1,49 @@
+package com.opensymphony.xwork2.ognl;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+
+public class SecurityMemberAccessProxyTest extends XWorkTestCase {
+    private Map<String, Object> context;
+
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+
+        context = new HashMap<String, Object>();
+        // Set up XWork
+        XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml");
+        container.inject(provider);
+        loadConfigurationProviders(provider);
+    }
+
+    public void testProxyAccessIsBlocked() throws Exception {
+        ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+                "paramsAwareProxiedAction", null, context);
+
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setDisallowProxyMemberAccess(true);
+
+        Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+        boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+        assertFalse(accessible);
+    }
+
+    public void testProxyAccessIsAccessible() throws Exception {
+        ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+                "paramsAwareProxiedAction", null, context);
+
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+        boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+        assertTrue(accessible);
+    }
+}

Diff for: xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml

@@ -2,6 +2,7 @@
 <xwork>
 	<bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" />
 	<constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" />
+    <constant name="xwork.disallowProxyMemberAccess" value="true" />
     <package name="default">
         <result-types>
             <result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/>