Commons BeanUtils
Most Java developers are used to creating Java classes that conform to the
JavaBeans naming patterns for property getters and setters. It is natural to
then access these methods directly, using calls to the corresponding
getXxx and setXxx methods. However, there are some
occasions where dynamic access to Java object properties (without compiled-in
knowledge of the property getter and setter methods to be called) is needed.
Example use cases include:
- Building scripting languages that interact with the Java object model
(such as the Bean Scripting Framework).
- Building template language processors for web presentation and similar
uses (such as JSP or Velocity).
- Building custom tag libraries for JSP and XSP environments (such as Jakarta
Taglibs, Struts, Cocoon).
- Consuming XML-based configuration resources (such as Ant build scripts, web application deployment descriptors, Tomcat's server.xml file).
The Java language provides Reflection and Introspection
APIs (see the java.lang.reflect and java.beans
packages in the JDK Javadocs). However, these APIs can be quite complex to
understand and utilize. The BeanUtils component provides
easy-to-use wrappers around these capabilities.
BeanUtils Core And Modules
The 1.7.x and 1.8.x releases of BeanUtils distributed three jars:
- commons-beanutils.jar - contains everything
- commons-beanutils-core.jar - excludes Bean Collections classes
- commons-beanutils-bean-collections.jar - only Bean Collections classes
The main commons-beanutils.jar has an optional dependency on Commons Collections.
Version 1.9.0 reverts this split for reasons outlined at BEANUTILS-379. There is now only one jar for the BeanUtils library.
Version 2.0.0 updates the dependency on Apache Commons Collections from version 3 to 4. Apache Commons Collections 4 moved its packages from org.apache.commons.collections to org.apache.commons.collections4. Since some Commons BeanUtils APIs expose Commons Collections types, Commons BeanUtils 2 likewise moves its packages from org.apache.commons.beanutils to org.apache.commons.beanutils2, so existing callers must update their imports when migrating.
Bean Collections
Bean Collections is a library combining BeanUtils with Commons Collections to provide services for collections of beans. One class (BeanComparator) was previously released; the rest are new. This distribution strategy should allow this sub-component to evolve naturally without the concerns about size and scope that might otherwise arise.
Bean Collections has an additional dependency on Commons Collections.
Releases
2.0.x releases
BeanUtils 2.0.x releases are not binary compatible (but easy to port) with version 1.x.x and require a minimum of Java 8.
The latest BeanUtils release is available to download here.
1.9.x releases
The latest BeanUtils release is available to download here.
1.9.4
CVE-2019-10086. Apache Commons BeanUtils does not suppress the class property in bean introspection by default.
Severity. Medium
Vendor. The Apache Software Foundation
Versions Affected. All versions commons-beanutils-1.9.3 and before.
Description. In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default in PropertyUtilsBean. Any code that resolves property names taken from untrusted input (request parameters, configuration files) is therefore exposed on those versions.
Mitigation. Upgrade to commons-beanutils-1.9.4. If you must stay on 1.9.2 or 1.9.3, register SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS with the PropertyUtilsBean you use.
Credit. This was discovered by Melloware (https://melloware.com/).
Example. (Both methods are fragments of a JUnit 4 test class; the package is org.apache.commons.beanutils on 1.9.x and org.apache.commons.beanutils2 on 2.x. AlphaBean is a plain JavaBean from the BeanUtils test sources; any bean will do.)
    import static org.junit.Assert.assertEquals;
    import static org.junit.Assert.fail;

    import org.apache.commons.beanutils2.BeanUtilsBean;
    import org.apache.commons.beanutils2.SuppressPropertiesBeanIntrospector;

    /**
     * Example usage after 1.9.4: "class" is suppressed by default, so resolving it
     * fails instead of returning the java.lang.Class (and, through it, the ClassLoader).
     */
    public void testSuppressClassPropertyByDefault() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        final AlphaBean bean = new AlphaBean();
        try {
            bub.getProperty(bean, "class");
            fail("Could access class property!");
        } catch (final NoSuchMethodException ex) {
            // ok: the property is no longer visible to introspection
        }
    }

    /**
     * Example usage to restore 1.9.3 behavior. Only do this when every property
     * name passed to BeanUtils is fully trusted.
     */
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        final AlphaBean bean = new AlphaBean();
        final String result = bub.getProperty(bean, "class");
        assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
    }
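The advisory above describes the gap (an introspector existed from 1.9.2 but was not registered by default), and the opening section describes feeding property names from untrusted sources such as request parameters and configuration files into BeanUtils. The following is an added example, not code from the Commons BeanUtils project, showing how a caller on 1.9.2 or 1.9.3 can close the gap itself and how an allow-list keeps hostile nested names away from BeanUtils altogether. It assumes the 1.x package org.apache.commons.beanutils (substitute org.apache.commons.beanutils2 on 2.x); UserForm, hardenedInstance, populate, classPropertyHidden and the sample parameter map are constructed for this example, and the extra suppressed names classLoader and protectionDomain are this example's choice, not a library default.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class HardenedBeanPopulation {

    /** Form-backing bean, constructed for this example. */
    public static class UserForm {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(final String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(final int age) { this.age = age; }
        @Override public String toString() { return "UserForm{name=" + name + ", age=" + age + "}"; }
    }

    /**
     * Builds a BeanUtilsBean that hides "class" from introspection regardless of the library
     * default (1.9.4+ registers SUPPRESS_CLASS already; 1.9.2 and 1.9.3 do not). Registering it
     * twice on 1.9.4+ is harmless. A second introspector hides further reflective names that
     * this example (not the library) chooses to treat as unsafe.
     */
    public static BeanUtilsBean hardenedInstance() {
        final BeanUtilsBean bub = new BeanUtilsBean();
        final PropertyUtilsBean pub = bub.getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(
                new HashSet<>(Arrays.asList("classLoader", "protectionDomain"))));
        return bub;
    }

    /**
     * Copies untrusted name/value pairs onto a fresh UserForm. Names are checked against an
     * explicit allow-list before BeanUtils sees them, so a nested path such as
     * "class.classLoader.foo" is dropped up front; the introspector is the second line of defence.
     */
    public static UserForm populate(final Map<String, String> untrusted, final Set<String> allowed)
            throws IllegalAccessException, InvocationTargetException {
        final BeanUtilsBean bub = hardenedInstance();
        final UserForm form = new UserForm();
        for (final Map.Entry<String, String> e : untrusted.entrySet()) {
            if (!allowed.contains(e.getKey())) {
                continue; // not on the allow-list: never handed to BeanUtils
            }
            // setProperty converts the String to the setter's parameter type (int for age).
            bub.setProperty(form, e.getKey(), e.getValue());
        }
        return form;
    }

    /** True when this BeanUtilsBean refuses to resolve "class" on the given bean. */
    public static boolean classPropertyHidden(final BeanUtilsBean bub, final Object bean)
            throws IllegalAccessException, InvocationTargetException {
        try {
            bub.getProperty(bean, "class");
            return false;
        } catch (final NoSuchMethodException ex) {
            return true;
        }
    }

    public static void main(final String[] args) throws Exception {
        // Constructed request parameters: two legitimate fields plus a hostile nested path.
        final Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("age", "30");
        params.put("class.classLoader.foo", "bar");

        final Set<String> allowed = new HashSet<>(Arrays.asList("name", "age"));
        final UserForm form = populate(params, allowed);
        System.out.println(form);

        System.out.println("hardened instance hides class: " + classPropertyHidden(hardenedInstance(), form));
        // On 1.9.4+ the stock instance hides it too; on 1.9.2/1.9.3 this line reports false.
        System.out.println("stock instance hides class:    " + classPropertyHidden(new BeanUtilsBean(), form));
    }
}
```

The allow-list is the primary control and the introspector the backstop, because BeanUtilsBean.setProperty silently ignores a nested name it cannot resolve: the absence of an exception is not evidence that a hostile name was rejected, so relying on exceptions to detect abuse would miss it.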
BeanUtils 1.9.x releases are binary compatible (with a minor exception described in the release notes) with version 1.8.3 and require a minimum of JDK 1.5.
The latest BeanUtils release is available to download