feat(proxy): WW-5514 add StrutsProxyService for proxy detection and resolution

Introduces a configurable ProxyService interface and StrutsProxyService
implementation for detecting and resolving Spring AOP/Hibernate proxies.

Key changes:
- Add ProxyService interface with isProxy, ultimateTargetClass, and
  resolveTargetMember methods
- Add StrutsProxyService implementation using configurable caches
- Add ProxyCacheFactory and StrutsProxyCacheFactory for cache management
- Integrate ProxyService into ChainingInterceptor, ParametersInterceptor,
  and SecurityMemberAccess
- Add integration test with Spring AOP proxied action chaining
- Add configuration constants for proxy cache type and size

The StrutsProxyService correctly handles:
- Spring CGLIB proxies (class-based)
- Spring JDK dynamic proxies (interface-based)
- Hibernate entity proxies
- Member resolution for allowlist checking

Fixes WW-5514

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: lukaszlenart

apps/showcase/src/main/java/org/apache/struts2/showcase/proxy/LoggingInterceptor.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.showcase.proxy;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+/**
+ * Simple AOP interceptor that wraps actions in a Spring proxy.
+ * Used to test that Struts correctly handles Spring AOP proxied actions
+ * in action chaining scenarios (WW-5514).
+ */
+public class LoggingInterceptor implements MethodInterceptor {
+
+    private static final Logger LOG = LogManager.getLogger(LoggingInterceptor.class);
+
+    @Override
+    public Object invoke(MethodInvocation invocation) throws Throwable {
+        LOG.debug("Invoking method: {} on target: {}",
+                invocation.getMethod().getName(),
+                invocation.getThis().getClass().getName());
+        return invocation.proceed();
+    }
+}

apps/showcase/src/main/resources/struts-actionchaining.xml

@@ -20,21 +20,26 @@
  */
 -->
 <!DOCTYPE struts PUBLIC
-	"-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
-	"https://struts.apache.org/dtds/struts-6.0.dtd">
+        "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+        "https://struts.apache.org/dtds/struts-6.0.dtd">
 
 <struts>
-	<package name="actionchaining" extends="struts-default" namespace="/actionchaining">
-		<action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
-			<result type="chain">actionChain2</result>
-		</action>
-		<action name="actionChain2" class="org.apache.struts2.showcase.actionchaining.ActionChain2">
-			<result type="chain">actionChain3</result>
-		</action>
-		<action name="actionChain3" class="org.apache.struts2.showcase.actionchaining.ActionChain3">
-			<result>/WEB-INF/actionchaining/actionChainingResult.jsp</result>
-		</action>
-	</package>
+    <package name="actionchaining" extends="struts-default" namespace="/actionchaining">
+        <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
+            <result type="chain">actionChain2</result>
+        </action>
+        <action name="actionChain2" class="org.apache.struts2.showcase.actionchaining.ActionChain2">
+            <result type="chain">actionChain3</result>
+        </action>
+        <action name="actionChain3" class="org.apache.struts2.showcase.actionchaining.ActionChain3">
+            <result>/WEB-INF/actionchaining/actionChainingResult.jsp</result>
+        </action>
+
+        <!-- Spring AOP Proxied Action Chain Test (WW-5514) -->
+        <action name="proxiedActionChain1" class="proxiedActionChain1">
+            <result type="chain">actionChain2</result>
+        </action>
+    </package>
 </struts>
 
 

apps/showcase/src/main/resources/struts.xml

@@ -20,83 +20,88 @@
  */
 -->
 <!DOCTYPE struts PUBLIC
-	"-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
-	"https://struts.apache.org/dtds/struts-6.0.dtd">
+        "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+        "https://struts.apache.org/dtds/struts-6.0.dtd">
 
 <!-- START SNIPPET: xworkSample -->
 <struts>
 
     <!-- Some or all of these can be flipped to true for debugging -->
-    <constant name="struts.i18n.reload" value="false" />
-    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
-    <constant name="struts.devMode" value="false" />
-    <constant name="struts.configuration.xml.reload" value="false" />
-    <constant name="struts.custom.i18n.resources" value="globalMessages" />
-    <constant name="struts.action.extension" value="action,," />
-
-    <constant name="struts.allowlist.enable" value="true" />
-    <constant name="struts.parameters.requireAnnotations" value="true" />
+    <constant name="struts.i18n.reload" value="false"/>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
+    <constant name="struts.devMode" value="false"/>
+    <constant name="struts.configuration.xml.reload" value="false"/>
+    <constant name="struts.custom.i18n.resources" value="globalMessages"/>
+    <constant name="struts.action.extension" value="action,,"/>
+
+    <constant name="struts.allowlist.enable" value="true"/>
+    <constant name="struts.parameters.requireAnnotations" value="true"/>
     <constant name="struts.allowlist.packageNames" value="org.apache.struts2.showcase"/>
 
-    <constant name="struts.convention.package.locators.basePackage" value="org.apache.struts2.showcase" />
-    <constant name="struts.convention.result.path" value="/WEB-INF" />
+    <!-- Enable Spring AOP proxy support for action chaining test (WW-5514) -->
+    <constant name="struts.disallowProxyObjectAccess" value="false"/>
+
+    <constant name="struts.convention.package.locators.basePackage" value="org.apache.struts2.showcase"/>
+    <constant name="struts.convention.result.path" value="/WEB-INF"/>
 
     <!-- Necessary for Showcase because default includes org.apache.struts2.* -->
-    <constant name="struts.convention.exclude.packages" value="org.apache.struts.*,org.springframework.web.struts.*,org.springframework.web.struts2.*,org.hibernate.*"/>
+    <constant name="struts.convention.exclude.packages"
+              value="org.apache.struts.*,org.springframework.web.struts.*,org.springframework.web.struts2.*,org.hibernate.*"/>
 
-    <constant name="struts.freemarker.manager.classname" value="customFreemarkerManager" />
-    <constant name="struts.serve.static" value="true" />
-    <constant name="struts.serve.static.browserCache" value="false" />
+    <constant name="struts.freemarker.manager.classname" value="customFreemarkerManager"/>
+    <constant name="struts.serve.static" value="true"/>
+    <constant name="struts.serve.static.browserCache" value="false"/>
 
-    <constant name="struts.action.excludePattern" value=".*/images/.*\.gif,.*/img/.*\.gif,.*/styles/.*\.css,.*/js/.*\.js,/testServlet/.*"/>
+    <constant name="struts.action.excludePattern"
+              value=".*/images/.*\.gif,.*/img/.*\.gif,.*/styles/.*\.css,.*/js/.*\.js,/testServlet/.*"/>
 
-    <include file="struts-interactive.xml" />
+    <include file="struts-interactive.xml"/>
 
-    <include file="struts-hangman.xml" />
+    <include file="struts-hangman.xml"/>
 
     <include file="struts-tags.xml"/>
 
-    <include file="struts-validation.xml" />
+    <include file="struts-validation.xml"/>
 
-    <include file="struts-actionchaining.xml" />
+    <include file="struts-actionchaining.xml"/>
 
-    <include file="struts-fileupload.xml" />
+    <include file="struts-fileupload.xml"/>
 
-    <include file="struts-person.xml" />
+    <include file="struts-person.xml"/>
 
-    <include file="struts-wait.xml" />
+    <include file="struts-wait.xml"/>
 
-    <include file="struts-token.xml" />
+    <include file="struts-token.xml"/>
 
-    <include file="struts-model-driven.xml" />
+    <include file="struts-model-driven.xml"/>
 
-    <include file="struts-filedownload.xml" />
+    <include file="struts-filedownload.xml"/>
 
-    <include file="struts-conversion.xml" />
+    <include file="struts-conversion.xml"/>
 
-    <include file="struts-freemarker.xml" />
+    <include file="struts-freemarker.xml"/>
 
-    <include file="struts-tiles.xml" />
+    <include file="struts-tiles.xml"/>
 
-    <include file="struts-xslt.xml" />
+    <include file="struts-xslt.xml"/>
 
-    <include file="struts-async.xml" />
+    <include file="struts-async.xml"/>
 
-    <include file="struts-dispatcher.xml" />
+    <include file="struts-dispatcher.xml"/>
 
-    <include file="struts-params-annotation.xml" />
+    <include file="struts-params-annotation.xml"/>
 
     <package name="default" extends="struts-default">
         <interceptors>
             <interceptor-stack name="crudStack">
-                <interceptor-ref name="checkbox" />
-                <interceptor-ref name="params" />
-                <interceptor-ref name="staticParams" />
-                <interceptor-ref name="defaultStack" />
+                <interceptor-ref name="checkbox"/>
+                <interceptor-ref name="params"/>
+                <interceptor-ref name="staticParams"/>
+                <interceptor-ref name="defaultStack"/>
             </interceptor-stack>
         </interceptors>
 
-        <default-action-ref name="showcase" />
+        <default-action-ref name="showcase"/>
 
         <action name="showcase">
             <result>/WEB-INF/showcase.jsp</result>
@@ -125,7 +130,7 @@
         </action>
         <action name="edit" class="org.apache.struts2.showcase.action.SkillAction">
             <result>/WEB-INF/empmanager/editSkill.jsp</result>
-            <interceptor-ref name="params" />
+            <interceptor-ref name="params"/>
             <interceptor-ref name="basicStack"/>
         </action>
         <action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save">
@@ -146,9 +151,11 @@
             <interceptor-ref name="basicStack"/>
         </action>
         <action name="edit-*" class="org.apache.struts2.showcase.action.EmployeeAction">
-      		<param name="empId">{1}</param>
+            <param name="empId">{1}</param>
             <result>/WEB-INF/empmanager/editEmployee.jsp</result>
-            <interceptor-ref name="crudStack"><param name="validation.excludeMethods">execute</param></interceptor-ref>
+            <interceptor-ref name="crudStack">
+                <param name="validation.excludeMethods">execute</param>
+            </interceptor-ref>
         </action>
         <action name="save" class="org.apache.struts2.showcase.action.EmployeeAction" method="save">
             <result name="input">/WEB-INF/empmanager/editEmployee.jsp</result>
@@ -168,5 +175,5 @@
 
 </struts>
 
-<!-- END SNIPPET: xworkSample -->
+        <!-- END SNIPPET: xworkSample -->
 

apps/showcase/src/main/webapp/WEB-INF/applicationContext.xml

@@ -115,5 +115,25 @@
     <bean id="guessCharacterAction" class="org.apache.struts2.showcase.hangman.GuessCharacterAction" scope="prototype"/>
     <bean id="getUpdatedHangmanAction" class="org.apache.struts2.showcase.hangman.GetUpdatedHangmanAction"
           scope="prototype"/>
+
+
+    <!-- Spring AOP Proxy Configuration for Action Chaining Test (WW-5514) -->
+    <bean id="loggingInterceptor" class="org.apache.struts2.showcase.proxy.LoggingInterceptor"/>
+
+    <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
+        <property name="proxyTargetClass" value="true"/>
+        <property name="beanNames">
+            <list>
+                <value>proxiedActionChain1</value>
+            </list>
+        </property>
+        <property name="interceptorNames">
+            <list>
+                <value>loggingInterceptor</value>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="proxiedActionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1" scope="prototype"/>
 </beans>
 

apps/showcase/src/test/java/it/org/apache/struts2/showcase/SpringProxyActionChainingTest.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package it.org.apache.struts2.showcase;
+
+import org.htmlunit.WebClient;
+import org.htmlunit.html.HtmlPage;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Integration test verifying that Spring AOP proxied actions work correctly
+ * with action chaining. This tests the WW-5514 StrutsProxyService integration.
+ *
+ * <p>The test uses a Spring AOP proxied version of ActionChain1 (proxiedActionChain1)
+ * which is wrapped by {@link org.apache.struts2.showcase.proxy.LoggingInterceptor}.
+ * The ChainingInterceptor must correctly resolve the target class through
+ * StrutsProxyService to copy properties to the next action in the chain.</p>
+ */
+public class SpringProxyActionChainingTest {
+
+    /**
+     * Tests that action chaining works correctly when the first action is a Spring AOP proxy.
+     *
+     * <p>This verifies that:
+     * <ul>
+     *   <li>StrutsProxyService correctly identifies the Spring CGLIB proxy</li>
+     *   <li>ChainingInterceptor resolves the target class for property copying</li>
+     *   <li>Properties from the proxied ActionChain1 are correctly copied to ActionChain2</li>
+     * </ul>
+     * </p>
+     */
+    @Test
+    public void testProxiedActionChaining() throws Exception {
+        try (final WebClient webClient = new WebClient()) {
+            final HtmlPage page = webClient.getPage(
+                    ParameterUtils.getBaseUrl() + "/actionchaining/proxiedActionChain1!input"
+            );
+
+            final String pageAsText = page.asNormalizedText();
+
+            // Verify properties were chained correctly despite proxy
+            assertTrue("ActionChain1 property should be present",
+                    pageAsText.contains("Action Chain 1 Property 1: Property Set In Action Chain 1"));
+            assertTrue("ActionChain2 property should be present",
+                    pageAsText.contains("Action Chain 2 Property 1: Property Set in Action Chain 2"));
+            assertTrue("ActionChain3 property should be present",
+                    pageAsText.contains("Action Chain 3 Property 1: Property set in Action Chain 3"));
+        }
+    }
+}

core/src/main/java/org/apache/struts2/StrutsConstants.java

@@ -516,6 +516,35 @@ public final class StrutsConstants {
      */
     public static final String STRUTS_OGNL_EXPRESSION_CACHE_MAXSIZE = "struts.ognl.expressionCacheMaxSize";
 
+    /**
+     * Specifies the type of cache to use for proxy detection. Valid values defined in
+     * {@link org.apache.struts2.ognl.OgnlCacheFactory.CacheType}.
+     *
+     * @since 7.2.0
+     */
+    public static final String STRUTS_PROXY_CACHE_TYPE = "struts.proxy.cacheType";
+
+    /**
+     * Specifies the maximum cache size for proxy detection caches.
+     *
+     * @since 7.2.0
+     */
+    public static final String STRUTS_PROXY_CACHE_MAXSIZE = "struts.proxy.cacheMaxSize";
+
+    /**
+     * The {@link org.apache.struts2.ognl.ProxyCacheFactory} implementation class.
+     *
+     * @since 7.2.0
+     */
+    public static final String STRUTS_PROXY_CACHE_FACTORY = "struts.proxy.cacheFactory";
+
+    /**
+     * The {@link org.apache.struts2.util.ProxyService} implementation class.
+     *
+     * @since 7.2.0
+     */
+    public static final String STRUTS_PROXYSERVICE = "struts.proxyService";
+
     /**
      * Enables evaluation of OGNL expressions
      *

core/src/main/java/org/apache/struts2/config/StrutsBeanSelectionProvider.java

@@ -61,6 +61,7 @@
 import org.apache.struts2.ognl.BeanInfoCacheFactory;
 import org.apache.struts2.ognl.ExpressionCacheFactory;
 import org.apache.struts2.ognl.OgnlGuard;
+import org.apache.struts2.ognl.ProxyCacheFactory;
 import org.apache.struts2.ognl.SecurityMemberAccess;
 import org.apache.struts2.ognl.accessor.RootAccessor;
 import org.apache.struts2.security.AcceptedPatternsChecker;
@@ -72,6 +73,7 @@
 import org.apache.struts2.url.UrlEncoder;
 import org.apache.struts2.util.ContentTypeMatcher;
 import org.apache.struts2.util.PatternMatcher;
+import org.apache.struts2.util.ProxyService;
 import org.apache.struts2.util.TextParser;
 import org.apache.struts2.util.ValueStackFactory;
 import org.apache.struts2.util.location.LocatableProperties;
@@ -442,6 +444,8 @@ public void register(ContainerBuilder builder, LocatableProperties props) {
 
         alias(ExpressionCacheFactory.class, StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_FACTORY, builder, props, Scope.SINGLETON);
         alias(BeanInfoCacheFactory.class, StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_FACTORY, builder, props, Scope.SINGLETON);
+        alias(ProxyCacheFactory.class, StrutsConstants.STRUTS_PROXY_CACHE_FACTORY, builder, props, Scope.SINGLETON);
+        alias(ProxyService.class, StrutsConstants.STRUTS_PROXYSERVICE, builder, props, Scope.SINGLETON);
 
         alias(SecurityMemberAccess.class, StrutsConstants.STRUTS_MEMBER_ACCESS, builder, props, Scope.PROTOTYPE);
         alias(OgnlGuard.class, StrutsConstants.STRUTS_OGNL_GUARD, builder, props, Scope.SINGLETON);