Interface QueryExpressionValidator
All Known Implementing Classes: DefaultQueryExpressionValidator
TaskQuery.taskAssigneeLikeExpression(java.lang.String))
before they are evaluated by the expression engine.
Validation happens before evaluation, as a separate step that
runs regardless of which ExpressionManager
is configured.
The default implementation,
DefaultQueryExpressionValidator,
parses expression text using JUEL's AST and blocks any function call, method
invocation, dot-notation property access, or bean reference that is not on the
configured allow-list. Bracket-notation indexing (e.g. ${map['key']},
${list[0]}) is allowed and its sub-expressions are inspected
recursively. It is aligned with
JuelExpressionManager and its
subclass SpringExpressionManager, which are the two ExpressionManagers
shipped with the engine. If you replace the ExpressionManager with one that
evaluates a different EL dialect (e.g. SpEL), you should also provide a
matching QueryExpressionValidator that understands that dialect.
A custom implementation can be registered via
ProcessEngineConfigurationImpl.setQueryExpressionValidator(org.camunda.bpm.engine.query.QueryExpressionValidator).
Implementations must throw BadUserRequestException
(or a subtype) when validation fails so that callers receive a clear,
actionable error.
Method Summary
Modifier and Type | Method | Description
void | validateExpression(String expressionText) | Validates the given expression string before it is evaluated.

Method Details

validateExpression
void validateExpression(String expressionText)
Validates the given expression string before it is evaluated. Implementations should inspect the expression text for disallowed function calls, method invocations, dot-notation property accesses, or bean references and throw BadUserRequestException with a descriptive message when the expression must be rejected. Bracket-notation indexing (e.g. ${map['key']}, ${list[0]}) should generally be allowed so that callers can still filter against collection-typed query variables; the sub-expressions inside the brackets must still be inspected.
Parameters:
expressionText - the full expression string as supplied by the caller (e.g. "${currentUser()}")
Throws:
BadUserRequestException - when the expression references a disallowed function, method, property or bean
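The following custom validator is an added example that implements the contract described in the class description and in validateExpression; it is not the engine's DefaultQueryExpressionValidator and does not use the JUEL AST. The class name AllowListQueryExpressionValidator, the helpers blankStringLiterals and register, and the allow-list contents (currentUser, assignee, candidateGroups) are assumptions made for illustration; the imports of org.camunda.bpm.engine.BadUserRequestException and org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl are the standard Camunda types. It scans the expression text and rejects every function call and bare identifier that is not explicitly allowed, rejects dot-notation outright, and lets bracket indexing through while its contents are held to the same rules.

```java
import java.util.Set;

import org.camunda.bpm.engine.BadUserRequestException;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.query.QueryExpressionValidator;

/**
 * Illustrative allow-list validator (hypothetical class, not the engine's
 * DefaultQueryExpressionValidator). Every function call and every bare
 * identifier (bean reference) must be on an allow-list, dot-notation access is
 * rejected, and bracket indexing passes through with its contents scanned too.
 */
public class AllowListQueryExpressionValidator implements QueryExpressionValidator {

  /** EL keywords and word operators that are neither functions nor bean names. */
  private static final Set<String> KEYWORDS = Set.of(
      "true", "false", "null", "empty", "and", "or", "not",
      "div", "mod", "eq", "ne", "lt", "gt", "le", "ge", "instanceof");

  private final Set<String> allowedFunctions;
  private final Set<String> allowedIdentifiers;

  public AllowListQueryExpressionValidator(Set<String> allowedFunctions,
                                           Set<String> allowedIdentifiers) {
    this.allowedFunctions = Set.copyOf(allowedFunctions);
    this.allowedIdentifiers = Set.copyOf(allowedIdentifiers);
  }

  @Override
  public void validateExpression(String expressionText) {
    if (expressionText == null || expressionText.isEmpty()) {
      throw new BadUserRequestException("Query expression must not be empty");
    }
    String body = blankStringLiterals(expressionText);
    int n = body.length();
    int i = 0;
    while (i < n) {
      char c = body.charAt(i);
      if ((c == '$' || c == '#') && i + 1 < n && body.charAt(i + 1) == '{') {
        i += 2;                                  // skip the ${ / #{ delimiter
      } else if (Character.isJavaIdentifierStart(c)) {
        int start = i;
        while (i < n && Character.isJavaIdentifierPart(body.charAt(i))) i++;
        String ident = body.substring(start, i);
        int j = i;
        while (j < n && Character.isWhitespace(body.charAt(j))) j++;
        if (j < n && body.charAt(j) == '(') {    // identifier followed by '(' is a call
          if (!allowedFunctions.contains(ident)) {
            throw new BadUserRequestException(
                "Query expression rejected: function '" + ident + "()' is not allowed");
          }
        } else if (!KEYWORDS.contains(ident) && !allowedIdentifiers.contains(ident)) {
          throw new BadUserRequestException(
              "Query expression rejected: reference to '" + ident + "' is not allowed");
        }
      } else if (c == '.') {
        // A dot is tolerated only inside a decimal literal such as 1.5; anywhere
        // else it is property access or a method invocation and is rejected.
        boolean decimal = i > 0 && i + 1 < n
            && Character.isDigit(body.charAt(i - 1)) && Character.isDigit(body.charAt(i + 1));
        if (!decimal) {
          throw new BadUserRequestException(
              "Query expression rejected: dot-notation access is not allowed (position " + i + ")");
        }
        i++;
      } else {
        i++;  // digits, operators, brackets, quotes, braces, whitespace: nothing to check
      }
    }
  }

  /** Empties the contents of string literals so quoted text cannot masquerade as
   *  identifiers, calls or dots; an unterminated literal is rejected. */
  static String blankStringLiterals(String s) {
    StringBuilder out = new StringBuilder();
    int i = 0;
    while (i < s.length()) {
      char c = s.charAt(i);
      if (c == '\'' || c == '"') {
        int end = i + 1;
        while (end < s.length() && s.charAt(end) != c) {
          if (s.charAt(end) == '\\') end++;    // skip the escaped character
          end++;
        }
        if (end >= s.length()) {
          throw new BadUserRequestException("Query expression rejected: unterminated string literal");
        }
        out.append(c).append(c);               // keep an empty literal as a placeholder
        i = end + 1;
      } else {
        out.append(c);
        i++;
      }
    }
    return out.toString();
  }

  /** Registers the validator on the engine configuration, as the page describes. */
  public static void register(ProcessEngineConfigurationImpl configuration) {
    configuration.setQueryExpressionValidator(new AllowListQueryExpressionValidator(
        Set.of("currentUser"),                     // allowed functions (illustrative)
        Set.of("assignee", "candidateGroups")));   // allowed query variables (illustrative)
  }
}
```

With the allow-list above, "${currentUser()}", "${not empty assignee}" and "${candidateGroups[0]}" pass, while "${currentUser().name}", "${runtimeService.createProcessInstanceQuery()}" and "${sneaky()}" are rejected before any ExpressionManager sees them. The character scan is deliberately stricter than the AST-based default (namespaced prefix:fn(...) calls and exponent literals such as 1e5 are rejected too), and the accepted-set of a scanner is never identical to what the real parser accepts; for production use, validate with a parser for the same dialect the configured ExpressionManager evaluates, which is the point the class description makes about swapping in SpEL.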