Reply To: security related issue
Nice to hear that you are addicted to Rewrite the same way as we are. 🙂
Yeah, we really should find a way to address this issue. As I said before, I think we should modify the ExpressionLanguageProvider SPI to behave like this.
- Throw an UnsupportedOperationException if the provider cannot perform the task for some reason. The SpringExpressionLanguageProvider would for example throw this exception if the Spring ApplicationContext cannot be found. This is already part of the API. No change is required here.
- Throw an ExpressionLanguageException (or find some other name) if the provider isn’t able to perform the EL invocation. If the expression is myBean.foo for example and foo doesn’t exist, the provider should throw this exception. This exception should be caught and wrapped by Rewrite as this is usually a problem with the user’s Rewrite configuration.
- If the code of the invoked bean method (for example myBean.foo) throws a runtime exception, it should simply be thrown and not be caught or wrapped by Rewrite. I think this makes sense because these exceptions aren’t related to Rewrite at all and are usually bugs in the user’s code or something like that. Rewrite should do anything in this case.
Does this make sense to you?
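
A sketch of the three rules proposed in the post above, as an added example that is not part of the original post and not Rewrite's own code. The Provider interface, the invoke helper, the use of IllegalStateException as the wrapper and the fall-through to the next provider are assumptions made for illustration.

```java
import java.util.List;

// Hypothetical stand-ins for the SPI discussed in the post; not Rewrite's real types.
public class ElExceptionPolicyDemo {

    /** Name proposed in the post: the expression itself cannot be evaluated. */
    static class ExpressionLanguageException extends RuntimeException {
        ExpressionLanguageException(String msg) { super(msg); }
    }

    /** Simplified provider contract (assumed shape). */
    interface Provider {
        Object evaluate(String expression);
    }

    /** Framework side: applies the three rules from the post. */
    static Object invoke(List<Provider> providers, String expression) {
        for (Provider p : providers) {
            try {
                return p.evaluate(expression);
            } catch (UnsupportedOperationException e) {
                // Rule 1: provider cannot do the job at all (assumption: try the next one).
                continue;
            } catch (ExpressionLanguageException e) {
                // Rule 2: caught and wrapped, pointing the user at the configuration.
                throw new IllegalStateException(
                    "Invalid expression in rule configuration: " + expression, e);
            }
            // Rule 3: any other RuntimeException from the bean propagates untouched.
        }
        throw new IllegalStateException("No provider could evaluate: " + expression);
    }

    public static void main(String[] args) {
        // Constructed providers: one without a context, one with a fake bean.
        Provider noContext = expr -> { throw new UnsupportedOperationException("no ApplicationContext"); };
        Provider beans = expr -> {
            switch (expr) {
                case "myBean.ok":  return "value";
                case "myBean.foo": throw new ExpressionLanguageException("foo does not exist");
                default:           throw new IllegalArgumentException("bug inside bean method");
            }
        };
        List<Provider> chain = List.of(noContext, beans);
        System.out.println(invoke(chain, "myBean.ok"));
        for (String expr : new String[] {"myBean.foo", "myBean.boom"}) {
            try { invoke(chain, expr); }
            catch (RuntimeException e) { System.out.println(expr + " -> " + e.getClass().getSimpleName()); }
        }
    }
}
```

Because UnsupportedOperationException is itself a runtime exception, a bean method that throws it would be indistinguishable from rule 1 in this sketch; a real implementation would need the provider to separate the two cases.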