BeanUtils – Commons

Commons BeanUtils

Most Java developers are used to creating Java classes that conform to the JavaBeans naming patterns for property getters and setters. It is natural to then access these methods directly, using calls to the corresponding getXxx and setXxx methods. However, there are some occasions where dynamic access to Java object properties (without compiled-in knowledge of the property getter and setter methods to be called) is needed. Example use cases include:

Building scripting languages that interact with the Java object model (such as the Bean Scripting Framework).
Building template language processors for web presentation and similar uses (such as JSP or Velocity).
Building custom tag libraries for JSP and XSP environments (such as Jakarta Taglibs, Struts, Cocoon).
Consuming XML-based configuration resources (such as Ant build scripts, web application deployment descriptors, Tomcat's server.xml file).

The Java language provides Reflection and Introspection APIs (see the java.lang.reflect and java.beans packages in the JDK Javadocs). However, these APIs can be quite complex to understand and utilize. The BeanUtils component provides easy-to-use wrappers around these capabilities.

BeanUtils Core And Modules

The 1.7.x and 1.8.x releases of BeanUtils distributed three jars:

commons-beanutils.jar - contains everything
commons-beanutils-core.jar - excludes Bean Collections classes
commons-beanutils-bean-collections.jar - only Bean Collections classes

The main commons-beanutils.jar has an optional dependency on Commons Collections

Version 1.9.0 reverts this split for reasons outlined at BEANUTILS-379. There is now only one jar for the BeanUtils library.

Version 2.0.0 updates the dependencies for Apache Commons Collection from version 3 to 4. Apache Commons Collection 4 changes packages from org.apache.commons.collections to org.apache.commons.collections4. Since some Commons BeanUtils APIs surface Commons Collection types, Commons BeanUtils 2 changes packages from org.apache.commons.beanutils to org.apache.commons.beanutils2.

Bean Collections

Bean collections is a library combining BeanUtils with Commons Collections to provide services for collections of beans. One class (BeanComparator) was previously released, the rest are new. This new distribution strategy should allow this sub-component to evolve naturally without the concerns about size and scope that might otherwise happen.

Bean Collections has an additional dependency on Commons Collections.

Releases

2.0.x releases

BeanUtils 2.0.x releases are not binary compatible (but easy to port) with version 1.x.x and require a minimum of JDK 1.7.

The latest BeanUtils release is available to download here.

2.0.0
- Release Notes
- Javadoc

1.9.x releases

The latest BeanUtils release is available to download here.
1.9.4

CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in bean introspection by default.

Severity. Medium

Vendor. The Apache Software Foundation

Versions Affected. All versions commons-beanutils-1.9.3 and before.

Description. In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Mitigation. Upgrade to commons-beanutils-1.9.4

Credit. This was discovered by Melloware (https://melloware.com/).

Example.

/**
* Example usage after 1.9.4
*/
public void testSuppressClassPropertyByDefault() throws Exception {
  final BeanUtilsBean bub = new BeanUtilsBean();
  final AlphaBean bean = new AlphaBean();
  try {
    bub.getProperty(bean, "class");
    fail("Could access class property!");
  } catch (final NoSuchMethodException ex) {
    // ok
  }
}

/**
* Example usage to restore 1.9.3 behavior
*/
public void testAllowAccessToClassProperty() throws Exception {
  final BeanUtilsBean bub = new BeanUtilsBean();
  bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
  final AlphaBean bean = new AlphaBean();
  String result = bub.getProperty(bean, "class");
  assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
}

BeanUtils 1.9.x releases are binary compatible (with a minor exception described in the release notes) with version 1.8.3 and require a minimum of JDK 1.5.

The latest BeanUtils release is available to download here.

1.8.x releases

BeanUtils 1.8.x releases are binary compatible with version 1.7.0 and require a minimum of JDK 1.3.

1.7.0

BeanUtils 1.7.0 is a service release which removes the dependency upon a specific commons-collection library version. It may be safely used together with either the 2.x or 3.x series of commons-collections releases. It also introduces a number of important enhancements. It is backward compatible with the 1.6 release.

This important service release is intended to help downstream applications solve dependency issues. The dependency on commons collections (which has become problematic now that there are two incompatible series of commons collections releases) has been factored into a separate optional sub-component plus a small number of stable and mature org.apache.commons.collections packaged classes (which are distributed with the BeanUtils core). This arrangement means that the BeanUtils core sub-component (which is the primary dependency for most downsteam applications) can now be safely included on the same classpath as commons collections 2.x, 3.x or indeed neither.

The distribution now contains alternative jar sets. The all-in-one jar contains all classes. The modular jar set consists of a core jar dependent only on commons logging and an optional bean collections jar (containing classes that provide easy and efficient ways to manage collections of beans) which depends on commons collections 3.

Older Releases (Not Mirrored)

Version 1.6.1 - 18 Feb 2003 binary and source
Version 1.6 - 21 Jan 2003 binary and source
Version 1.5 - 23 Oct 2002
Version 1.4.1 - 28 Aug 2002
Version 1.4 - 13 Aug 2002
Version 1.3 - 29 Apr 2002
Version 1.2 - 24 Dec 2001
Version 1.1 - 22 Sep 2001
Version 1.0 - 14 July 2001

Support

The commons mailing lists act as the main support forum. The user list is suitable for most library usage queries. The dev list is intended for the development discussion. Please remember that the lists are shared between all commons components, so prefix your email by [beanutils].

Issues may be reported via ASF JIRA.