Search code examples
regexparametersconfigurationstruts2struts2-interceptors

WARN: Parameter didn't match accepted pattern in Struts 2

I'm using Struts2.3.28. When I submit a form which uses the submit tag with the method attribute, I'm getting this warning:

WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
     warn- Parameter [method:save] didn't match accepted 
     pattern [[\w+((\.\w+)|(\[\d+\])|(\(\d+\))|
     (\['(\w|[\u4e00-\u9fa5])+'\])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!

I have struts.enable.DynamicMethodInvocation set to true.

I think this acceptParamNames property for the Parameters Interceptor (sort of a whitelist, it seems) was added in some recent version... The docs only says (basically)

"don't touch this" .

Great! So, what am I supposed to do if I still want to use the method attribute of submit tag?

Further: it's not clear for me the implications of this warning. If the pattern does not match neither the whitelist acceptParamNames nor the blacklist excludeParams (ah, the consistency), what is supposed to happen?

Solution

  • It's a developer notification that is invoked from the method

     protected boolean isAccepted(String paramName) {
        AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
        if (result.isAccepted()) {
            return true;
        }
        notifyDeveloper("Parameter [#0] didn't match accepted pattern [#1]!", paramName, result.getAcceptedPattern());
        return false;
    }

    it means that if the parameter name matches the list of accepted patterns, then it's passed by this interceptor (after checks for name length, and if it's not excluded).

    New interceptor also checks the acceptance of the parameter value.

    The whitelist and blacklist of parameters are managed by the ParameterNameAware action separately.

    Note:

    Using ParameterNameAware could be dangerous as ParameterNameAware#acceptableParameterName(String) takes precedence over ParametersInterceptor which means if ParametersInterceptor excluded given parameter name you can accept it with ParameterNameAware#acceptableParameterName(String).

    The default list of patterns are settled during initialization (it's hardcoded using default constant value), so if you didn't use a parameter acceptParamNames in the interceptor configuration, Struts will use its default pattern list. But you can override the parameter value by specifying this parameter to the parameters interceptor.

    Note: The method notifyDeveloper should only print in devMode, otherwise it prints only in DEBUG mode of the logger. You can also trace massages by changing a logger level to TRACE.

    To use a method attribute of the submit tag you should:

    1. Enable DMI:
        <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

    2. Override the list of excluded patterns. the default list of exluded patterns contains a pattern that excludes method: parameter (and action: too). That is also mentioned by AleksandrM in the comment.

    For more information see documentation for params interceptor.