Make the class access evaluation mechanism of ExpressionUtils configurable #960
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR outsources the public methods of ExpressionUtils to a dedicated class
StandardExpressionClassAccessEvaluator
that implements a new interfaceIStandardExpressionClassAccessEvaluator
.Thus it now becomes possible for a user to provide a custom implementation of
IExpressionClassAccessEvaluator
that can be supplied to the actingTemplateEngine
e.g. likeBy default (= when the user not explicitly sets a different
IExpressionClassAccessEvaluator
for the actingTemplateEngine
) the implementationStandardExpressionClassAccessEvaluator
with sensible defaults will be used that most likely fits most use-cases and provides the current behavior.But for cases where more control over this behavior is needed e.g.
java.util.concurrent.atomic.AtomicBoolean
that might be used in a template because it is deemed safe for the used context ormy.custom.example.*
the mechanism introduced in this PR can be leveraged by a user of Thymeleaf.
Fixes #829
Alternatives
An alternative is to introduce a method on the templating engine to specifially set packages and classes to allow or deny e.g. something like
to disallow everything from
java
and its subpackages except everything fromjava.time
, Boolean, Byte and all implementations of Collection and Stream, disallow PotentiallyDangerous and disallow DangerousSuperclass and all descendents of it.However in the current behavior
ExpressionUtils
contains perfomance fixes, that would have to be removed in order to make this work. To give users the ability to provide their own performance fixes,IExpressionClassAccessEvaluator
was chosen as an approach for this PR to make the allowed and denied classes configurable.