Merge pull request #615 from apache/WW-2815-xstream

[WW-2815] Refactors XStreamHandler to allow to provide a custom configuration

Author: lukaszlenart

plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java

@@ -21,20 +21,23 @@
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.ModelDriven;
 import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.StaxDriver;
 import com.thoughtworks.xstream.security.ArrayTypePermission;
 import com.thoughtworks.xstream.security.ExplicitTypePermission;
-import com.thoughtworks.xstream.security.NoTypePermission;
 import com.thoughtworks.xstream.security.NullPermission;
 import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import com.thoughtworks.xstream.security.TypePermission;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.rest.handler.xstream.XStreamAllowedClassNames;
+import org.apache.struts2.rest.handler.xstream.XStreamAllowedClasses;
+import org.apache.struts2.rest.handler.xstream.XStreamPermissionProvider;
+import org.apache.struts2.rest.handler.xstream.XStreamProvider;
 
 import java.io.IOException;
 import java.io.Reader;
 import java.io.Writer;
 import java.util.Collection;
-import java.util.Date;
 import java.util.Map;
 import java.util.Set;
 
@@ -58,19 +61,15 @@ public void toObject(ActionInvocation invocation, Reader in, Object target) {
         xstream.fromXML(in, target);
     }
 
-    /**
-     * @deprecated use version with {@link ActionInvocation}
-     */
-    @Deprecated
-    protected XStream createXStream() {
-        LOG.warn("You are using a deprecated API!");
-        return new XStream();
-    }
-
     protected XStream createXStream(ActionInvocation invocation) {
-        XStream stream = new XStream();
-        LOG.debug("Clears existing permissions");
-        stream.addPermission(NoTypePermission.NONE);
+        XStream stream;
+        if (invocation.getAction() instanceof XStreamProvider) {
+            LOG.debug("Using provider {} to create instance of XStream", invocation.getAction().getClass().getSimpleName());
+            stream = ((XStreamProvider) invocation.getAction()).createXStream();
+        } else {
+            LOG.debug("Creating default XStream instance using Stax driver: {}", StaxDriver.class.getSimpleName());
+            stream = new XStream(new StaxDriver());
+        }
 
         LOG.debug("Adds per action permissions");
         addPerActionPermission(invocation, stream);
@@ -82,13 +81,13 @@ protected XStream createXStream(ActionInvocation invocation) {
 
     private void addPerActionPermission(ActionInvocation invocation, XStream stream) {
         Object action = invocation.getAction();
-        if (action instanceof AllowedClasses) {
-            Set<Class<?>> allowedClasses = ((AllowedClasses) action).allowedClasses();
-            stream.addPermission(new ExplicitTypePermission(allowedClasses.toArray(new Class[allowedClasses.size()])));
+        if (action instanceof XStreamAllowedClasses) {
+            Set<Class<?>> allowedClasses = ((XStreamAllowedClasses) action).allowedClasses();
+            stream.addPermission(new ExplicitTypePermission(allowedClasses.toArray(new Class[0])));
         }
-        if (action instanceof AllowedClassNames) {
-            Set<String> allowedClassNames = ((AllowedClassNames) action).allowedClassNames();
-            stream.addPermission(new ExplicitTypePermission(allowedClassNames.toArray(new String[allowedClassNames.size()])));
+        if (action instanceof XStreamAllowedClassNames) {
+            Set<String> allowedClassNames = ((XStreamAllowedClassNames) action).allowedClassNames();
+            stream.addPermission(new ExplicitTypePermission(allowedClassNames.toArray(new String[0])));
         }
         if (action instanceof XStreamPermissionProvider) {
             Collection<TypePermission> permissions = ((XStreamPermissionProvider) action).getTypePermissions();
@@ -101,13 +100,13 @@ private void addPerActionPermission(ActionInvocation invocation, XStream stream)
     protected void addDefaultPermissions(ActionInvocation invocation, XStream stream) {
         stream.addPermission(new ExplicitTypePermission(new Class[]{invocation.getAction().getClass()}));
         if (invocation.getAction() instanceof ModelDriven) {
-            stream.addPermission(new ExplicitTypePermission(new Class[]{((ModelDriven) invocation.getAction()).getModel().getClass()}));
+            stream.addPermission(new ExplicitTypePermission(new Class[]{((ModelDriven<?>) invocation.getAction()).getModel().getClass()}));
         }
         stream.addPermission(NullPermission.NULL);
+        stream.addPermission(new ExplicitTypePermission(new Class[]{String.class}));
         stream.addPermission(PrimitiveTypePermission.PRIMITIVES);
         stream.addPermission(ArrayTypePermission.ARRAYS);
         stream.addPermission(CollectionTypePermission.COLLECTIONS);
-        stream.addPermission(new ExplicitTypePermission(new Class[]{Date.class}));
     }
 
     public String getContentType() {
@@ -124,8 +123,7 @@ private static class CollectionTypePermission implements TypePermission {
 
         @Override
         public boolean allows(Class type) {
-            return type != null && type.isInterface() &&
-                    (Collection.class.isAssignableFrom(type) || Map.class.isAssignableFrom(type));
+            return type != null && (Collection.class.isAssignableFrom(type) || Map.class.isAssignableFrom(type));
         }
 
     }

plugins/rest/src/main/java/org/apache/struts2/rest/handler/AllowedClassNames.java renamed to plugins/rest/src/main/java/org/apache/struts2/rest/handler/xstream/XStreamAllowedClassNames.java

@@ -16,10 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.struts2.rest.handler;
+package org.apache.struts2.rest.handler.xstream;
 
 import java.util.Set;
 
-public interface AllowedClassNames {
+public interface XStreamAllowedClassNames {
     Set<String> allowedClassNames();
 }

plugins/rest/src/main/java/org/apache/struts2/rest/handler/AllowedClasses.java renamed to plugins/rest/src/main/java/org/apache/struts2/rest/handler/xstream/XStreamAllowedClasses.java

@@ -16,10 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.struts2.rest.handler;
+package org.apache.struts2.rest.handler.xstream;
 
 import java.util.Set;
 
-public interface AllowedClasses {
+public interface XStreamAllowedClasses {
     Set<Class<?>> allowedClasses();
 }

plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamPermissionProvider.java renamed to plugins/rest/src/main/java/org/apache/struts2/rest/handler/xstream/XStreamPermissionProvider.java

@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.struts2.rest.handler;
+package org.apache.struts2.rest.handler.xstream;
 
 import com.thoughtworks.xstream.security.TypePermission;
 

plugins/rest/src/main/java/org/apache/struts2/rest/handler/xstream/XStreamProvider.java

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.rest.handler.xstream;
+
+import com.thoughtworks.xstream.XStream;
+
+/**
+ * An interface to be implemented by an action to create/provide an instance
+ * of XStream - it allows customisation per action
+ */
+public interface XStreamProvider {
+    XStream createXStream();
+}

plugins/rest/src/test/java/org/apache/struts2/rest/handler/XStreamHandlerTest.java

@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.rest.handler;
+
+import com.opensymphony.xwork2.ActionContext;
+import com.opensymphony.xwork2.ActionSupport;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.mock.MockActionInvocation;
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.StaxDriver;
+import com.thoughtworks.xstream.security.ExplicitTypePermission;
+import com.thoughtworks.xstream.security.TypePermission;
+import org.apache.struts2.rest.handler.xstream.XStreamAllowedClassNames;
+import org.apache.struts2.rest.handler.xstream.XStreamAllowedClasses;
+import org.apache.struts2.rest.handler.xstream.XStreamPermissionProvider;
+import org.apache.struts2.rest.handler.xstream.XStreamProvider;
+
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class XStreamHandlerTest extends XWorkTestCase {
+
+    private XStreamHandler handler;
+    private MockActionInvocation ai;
+
+    public void setUp() throws Exception {
+        super.setUp();
+        handler = new XStreamHandler();
+        ai = new MockActionInvocation();
+        ActionSupport action = new ActionSupport();
+        ActionContext context = ActionContext.of(new HashMap<>()).withLocale(Locale.US);
+        ai.setInvocationContext(context);
+        ai.setAction(action);
+    }
+
+    public void testObjectToXml() throws Exception {
+        // given
+        SimpleBean obj = new SimpleBean();
+        obj.setName("Jan");
+        obj.setAge(12L);
+        obj.setParents(Arrays.asList("Adam", "Ewa"));
+
+        // when
+        Writer stream = new StringWriter();
+        handler.fromObject(ai, obj, null, stream);
+
+        // then
+        stream.flush();
+        assertThat(stream.toString())
+            .contains("<org.apache.struts2.rest.handler.SimpleBean>")
+            .contains("<name>Jan</name>")
+            .contains("<age>12</age>")
+            .contains("<parents class=\"java.util.Arrays$ArrayList\">")
+            .contains("<string>Adam</string>")
+            .contains("<string>Ewa</string>")
+            .contains("</org.apache.struts2.rest.handler.SimpleBean>");
+    }
+
+    public void testXmlToObject() {
+        // given
+        String xml = "<?xml version='1.0' encoding='UTF-8'?><org.apache.struts2.rest.handler.SimpleBean><name>Jan</name><age>12</age><parents class=\"java.util.ArrayList\"><string>Adam</string><string>Ewa</string></parents></org.apache.struts2.rest.handler.SimpleBean>";
+
+        SimpleBean obj = new SimpleBean();
+        ai.setAction(new SimpleAction());
+
+        // when
+        Reader in = new StringReader(xml);
+        handler.toObject(ai, in, obj);
+
+        // then
+        assertNotNull(obj);
+        assertEquals("Jan", obj.getName());
+        assertEquals(12L, obj.getAge().longValue());
+        assertNotNull(obj.getParents());
+        assertThat(obj.getParents())
+            .hasSize(2)
+            .containsExactly("Adam", "Ewa");
+    }
+
+    public void testXmlToObjectWithAliases() {
+        // given
+        String xml = "<?xml version='1.0' encoding='UTF-8'?><data><name>Jan</name><age>12</age><parents><string>Adam</string><string>Ewa</string></parents></data>";
+
+        SimpleBean obj = new SimpleBean();
+        ai.setAction(new SimpleAliasAction());
+
+        // when
+        Reader in = new StringReader(xml);
+        handler.toObject(ai, in, obj);
+
+        // then
+        assertNotNull(obj);
+        assertEquals("Jan", obj.getName());
+        assertEquals(12L, obj.getAge().longValue());
+        assertNotNull(obj.getParents());
+        assertThat(obj.getParents())
+            .hasSize(2)
+            .containsExactly("Adam", "Ewa");
+    }
+
+    private static class SimpleAction implements XStreamAllowedClasses, XStreamAllowedClassNames, XStreamPermissionProvider {
+        @Override
+        public Set<Class<?>> allowedClasses() {
+            Set<Class<?>> classes = new HashSet<>();
+            classes.add(SimpleBean.class);
+            return classes;
+        }
+
+        @Override
+        public Set<String> allowedClassNames() {
+            return Collections.emptySet();
+        }
+
+        @Override
+        public Collection<TypePermission> getTypePermissions() {
+            return Collections.emptyList();
+        }
+    }
+
+    private static class SimpleAliasAction extends SimpleAction implements XStreamProvider {
+        @Override
+        public XStream createXStream() {
+            XStream stream = new XStream(new StaxDriver());
+            stream.alias("parents", ArrayList.class);
+            stream.alias("data", SimpleBean.class);
+            return stream;
+        }
+    }
+}