Modified: websites/production/struts/content/downloads.html
==============================================================================
--- websites/production/struts/content/downloads.html (original)
+++ websites/production/struts/content/downloads.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
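Review bot: The Plugin registry entry kept as context at the top of this hunk still links to `http://cwiki.apache.org/S2PLUGINS/home.html` in cleartext, while the Wiki entry in the same menu already uses `https://cwiki.apache.org/...`. A request over plain HTTP can be intercepted or redirected in transit, which matters for a link people follow to find plugins to install. Since this menu is being edited anyway, I would change it to `<a href="https://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a>`, after confirming the path resolves over HTTPS. The identical line appears in the second hunk of every other file in this commit, so the fix presumably belongs in the shared header template rather than in each page. The enclosing `<ul>` starts outside the hunk.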
Modified: websites/production/struts/content/getting-started/annotations.html
==============================================================================
--- websites/production/struts/content/getting-started/annotations.html
(original)
+++ websites/production/struts/content/getting-started/annotations.html Fri Jun
16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/coding-actions.html
==============================================================================
--- websites/production/struts/content/getting-started/coding-actions.html
(original)
+++ websites/production/struts/content/getting-started/coding-actions.html Fri
Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/control-tags.html
==============================================================================
--- websites/production/struts/content/getting-started/control-tags.html
(original)
+++ websites/production/struts/content/getting-started/control-tags.html Fri
Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/debugging-struts.html
==============================================================================
--- websites/production/struts/content/getting-started/debugging-struts.html
(original)
+++ websites/production/struts/content/getting-started/debugging-struts.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/exception-handling.html
==============================================================================
--- websites/production/struts/content/getting-started/exception-handling.html
(original)
+++ websites/production/struts/content/getting-started/exception-handling.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/exclude-parameters.html
==============================================================================
--- websites/production/struts/content/getting-started/exclude-parameters.html
(original)
+++ websites/production/struts/content/getting-started/exclude-parameters.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/form-tags.html
==============================================================================
--- websites/production/struts/content/getting-started/form-tags.html (original)
+++ websites/production/struts/content/getting-started/form-tags.html Fri Jun
16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/form-validation-using-xml.html
==============================================================================
---
websites/production/struts/content/getting-started/form-validation-using-xml.html
(original)
+++
websites/production/struts/content/getting-started/form-validation-using-xml.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/form-validation.html
==============================================================================
--- websites/production/struts/content/getting-started/form-validation.html
(original)
+++ websites/production/struts/content/getting-started/form-validation.html Fri
Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/hello-world-using-struts2.html
==============================================================================
---
websites/production/struts/content/getting-started/hello-world-using-struts2.html
(original)
+++
websites/production/struts/content/getting-started/hello-world-using-struts2.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/how-to-create-a-struts2-web-application.html
==============================================================================
---
websites/production/struts/content/getting-started/how-to-create-a-struts2-web-application.html
(original)
+++
websites/production/struts/content/getting-started/how-to-create-a-struts2-web-application.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/http-session.html
==============================================================================
--- websites/production/struts/content/getting-started/http-session.html
(original)
+++ websites/production/struts/content/getting-started/http-session.html Fri
Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/index.html
==============================================================================
--- websites/production/struts/content/getting-started/index.html (original)
+++ websites/production/struts/content/getting-started/index.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/introducing-interceptors.html
==============================================================================
---
websites/production/struts/content/getting-started/introducing-interceptors.html
(original)
+++
websites/production/struts/content/getting-started/introducing-interceptors.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/message-resource-files.html
==============================================================================
---
websites/production/struts/content/getting-started/message-resource-files.html
(original)
+++
websites/production/struts/content/getting-started/message-resource-files.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/preperable-interface.html
==============================================================================
---
websites/production/struts/content/getting-started/preperable-interface.html
(original)
+++
websites/production/struts/content/getting-started/preperable-interface.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/processing-forms.html
==============================================================================
--- websites/production/struts/content/getting-started/processing-forms.html
(original)
+++ websites/production/struts/content/getting-started/processing-forms.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/spring.html
==============================================================================
--- websites/production/struts/content/getting-started/spring.html (original)
+++ websites/production/struts/content/getting-started/spring.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/themes.html
==============================================================================
--- websites/production/struts/content/getting-started/themes.html (original)
+++ websites/production/struts/content/getting-started/themes.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/unit-testing.html
==============================================================================
--- websites/production/struts/content/getting-started/unit-testing.html
(original)
+++ websites/production/struts/content/getting-started/unit-testing.html Fri
Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/getting-started/using-tags.html
==============================================================================
--- websites/production/struts/content/getting-started/using-tags.html
(original)
+++ websites/production/struts/content/getting-started/using-tags.html Fri Jun
16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified:
websites/production/struts/content/getting-started/wildcard-method-selection.html
==============================================================================
---
websites/production/struts/content/getting-started/wildcard-method-selection.html
(original)
+++
websites/production/struts/content/getting-started/wildcard-method-selection.html
Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/helping.html
==============================================================================
--- websites/production/struts/content/helping.html (original)
+++ websites/production/struts/content/helping.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/index.html
==============================================================================
--- websites/production/struts/content/index.html (original)
+++ websites/production/struts/content/index.html Fri Jun 16 07:52:55 2017
@@ -77,6 +77,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -85,8 +86,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/kickstart.html
==============================================================================
--- websites/production/struts/content/kickstart.html (original)
+++ websites/production/struts/content/kickstart.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/mail.html
==============================================================================
--- websites/production/struts/content/mail.html (original)
+++ websites/production/struts/content/mail.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/primer.html
==============================================================================
--- websites/production/struts/content/primer.html (original)
+++ websites/production/struts/content/primer.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/releases.html
==============================================================================
--- websites/production/struts/content/releases.html (original)
+++ websites/production/struts/content/releases.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/security.html
==============================================================================
--- websites/production/struts/content/security.html (original)
+++ websites/production/struts/content/security.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/security/index.html
==============================================================================
--- websites/production/struts/content/security/index.html (original)
+++ websites/production/struts/content/security/index.html Fri Jun 16 07:52:55
2017
@@ -7,7 +7,7 @@
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
- <title>Security (WIP)</title>
+ <title>Security</title>
<link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
<link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
@@ -122,120 +122,90 @@
<article class="container">
<section class="col-md-12">
- <h1 id="security">Security</h1>
+ <h1 class="no_toc" id="security">Security</h1>
+
+<ul id="markdown-toc">
+ <li><a href="#security-tips" id="markdown-toc-security-tips">Security
tips</a> <ul>
+ <li><a href="#restrict-access-to-the-config-browser-plugin"
id="markdown-toc-restrict-access-to-the-config-browser-plugin">Restrict access
to the Config Browser Plugin</a></li>
+ <li><a href="#dont-mix-different-access-levels-in-the-same-namespace"
id="markdown-toc-dont-mix-different-access-levels-in-the-same-namespace">Donât
mix different access levels in the same namespace</a></li>
+ <li><a href="#never-expose-jsp-files-directly"
id="markdown-toc-never-expose-jsp-files-directly">Never expose JSP files
directly</a></li>
+ <li><a href="#disable-devmode" id="markdown-toc-disable-devmode">Disable
devMode</a></li>
+ <li><a href="#reduce-logging-level"
id="markdown-toc-reduce-logging-level">Reduce logging level</a></li>
+ <li><a href="#use-utf-8-encoding"
id="markdown-toc-use-utf-8-encoding">Use UTF-8 encoding</a></li>
+ <li><a href="#do-not-define-setters-when-not-needed"
id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters
when not needed</a></li>
+ <li><a
href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do
not use incoming values as an input for localisation logic</a></li>
+ </ul>
+ </li>
+ <li><a href="#internal-security-mechanism"
id="markdown-toc-internal-security-mechanism">Internal security mechanism</a>
<ul>
+ <li><a href="#accessing-static-methods"
id="markdown-toc-accessing-static-methods">Accessing static methods</a></li>
+ <li><a href="#ognl-is-used-to-call-actions-methods"
id="markdown-toc-ognl-is-used-to-call-actions-methods">OGNL is used to call
actionâs methods</a></li>
+ <li><a href="#accepted--excluded-patterns"
id="markdown-toc-accepted--excluded-patterns">Accepted / Excluded
patterns</a></li>
+ <li><a href="#strict-method-invocation"
id="markdown-toc-strict-method-invocation">Strict Method Invocation</a></li>
+ </ul>
+ </li>
+</ul>
-<p>#####Security tips#####</p>
+<h3 id="security-tips">Security tips</h3>
<p>The Apache Struts 2 doesnât provide any security mechanism - it is just a
pure web framework. Below are few tips you should consider during application
development with the Apache Struts 2.</p>
-<p><strong>Restrict access to the Config Browser</strong></p>
+<h4 id="restrict-access-to-the-config-browser-plugin">Restrict access to the
Config Browser Plugin</h4>
-<p><em>Config Browser Plugin</em> Â exposes internal configuration and should
be used only during development phase. If you must use it on production site,
we strictly recommend restricting access to it - you can use  Basic
Authentication or any other security mechanism (e.g. <a
href="http://shiro\.apache\.org/">Apache
Shiro</a>^[http://shiro.apache.org/])</p>
+<p><a href="https://struts.apache.org/docs/config-browser-plugin.html">Config
Browser Plugin</a> exposes internal configuration and should be used only
during development phase. If you must use it on production site, we strictly
recommend restricting access to it - you can use  Basic Authentication or any
other security mechanism (e.g. <a href="https://shiro.apache.org/">Apache
Shiro</a>)</p>
-<p><strong>Donât mix different access levels in the same
namespace</strong></p>
+<h4 id="dont-mix-different-access-levels-in-the-same-namespace">Donât mix
different access levels in the same namespace</h4>
<p>Very often access to different resources is controlled based on URL
patterns, see snippet below. Because of that you cannot mix actions with
different security levels in the same namespace. Always group actions in one
namespace by security level.</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>
<security-constraint>
- <web-resource-collection>
- <web-resource-name>admin</web-resource-name>
- <url-pattern>/secure/*</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>admin</role-name>
- </auth-constraint>
- </security-constraint>
-
-</code></pre>
-</div>
-
-<p><strong>Never expose JSP files directly</strong></p>
-
-<p>You must always hide JSP file behind an action, you cannot allow for direct
access to the JSP files as this can leads to unpredictable security
vulnerabilities. You can achieve this by putting all your JSP files under theÂ
</p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>WEB-INF
-</code></pre>
-</div>
-<p>folder - most of the JEE containers restrict access to files placed under
the </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>WEB-INF
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><security-constraint></span>
+ <span class="nt"><web-resource-collection></span>
+ <span class="nt"><web-resource-name></span>admin<span
class="nt"></web-resource-name></span>
+ <span class="nt"><url-pattern></span>/secure/*<span
class="nt"></url-pattern></span>
+ <span class="nt"></web-resource-collection></span>
+ <span class="nt"><auth-constraint></span>
+ <span class="nt"><role-name></span>admin<span
class="nt"></role-name></span>
+ <span class="nt"></auth-constraint></span>
+<span class="nt"></security-constraint></span>
</code></pre>
</div>
-<p>folder. Second option is to add security constraint to the</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>web.xml
-</code></pre>
-</div>
-<p>Â file:</p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code><!-- Restricts
access to pure JSP files - access available only via Struts action -->
-<security-constraint>
- <display-name>No direct JSP access</display-name>
- <web-resource-collection>
- <web-resource-name>No-JSP</web-resource-name>
- <url-pattern>*.jsp</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>no-users</role-name>
- </auth-constraint>
-</security-constraint>
-
-<security-role>
- <description>Don't assign users to this role</description>
- <role-name>no-users</role-name>
-</security-role>
+<h4 id="never-expose-jsp-files-directly">Never expose JSP files directly</h4>
+
+<p>You must always hide JSP file behind an action, you cannot allow for direct
access to the JSP files as this can leads to unpredictable security
vulnerabilities. You can achieve this by putting all your JSP files under theÂ
<code class="highlighter-rouge">WEB-INF</code> folder - most of the JEE
containers restrict access to files placed under the <code
class="highlighter-rouge">WEB-INF</code> folder. Second option is to add
security constraint to the <code class="highlighter-rouge">web.xml</code>Â
file:</p>
+
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="c"><!-- Restricts access to pure JSP files - access available only
via Struts action --></span>
+<span class="nt"><security-constraint></span>
+ <span class="nt"><display-name></span>No direct JSP access<span
class="nt"></display-name></span>
+ <span class="nt"><web-resource-collection></span>
+ <span class="nt"><web-resource-name></span>No-JSP<span
class="nt"></web-resource-name></span>
+ <span class="nt"><url-pattern></span>*.jsp<span
class="nt"></url-pattern></span>
+ <span class="nt"></web-resource-collection></span>
+ <span class="nt"><auth-constraint></span>
+ <span class="nt"><role-name></span>no-users<span
class="nt"></role-name></span>
+ <span class="nt"></auth-constraint></span>
+<span class="nt"></security-constraint></span>
+
+<span class="nt"><security-role></span>
+ <span class="nt"><description></span>Don't assign users to this
role<span class="nt"></description></span>
+ <span class="nt"><role-name></span>no-users<span
class="nt"></role-name></span>
+<span class="nt"></security-role></span>
</code></pre>
</div>
<p>The best approach is to used the both solutions.</p>
-<p><strong>Disable devMode</strong></p>
-
-<p>The </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>devMode
-</code></pre>
-</div>
-<p>is a very useful option during development time, allowing for deep
introspection and debugging into you app.</p>
-
-<p>However, in production it exposes your application to be presenting too
many informations on applicationâs internals or to evaluating risky parameter
expressions. Please **always disable </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>devMode
-</code></pre>
-</div>
-<p>**Â before deploying your application to a production environment. While it
is disabled by default, your</p>
+<h4 id="disable-devmode">Disable devMode</h4>
-<div class="highlighter-rouge"><pre class="highlight"><code>struts.xml
-</code></pre>
-</div>
-<p>Â might include a line setting it to</p>
+<p>The <code class="highlighter-rouge">devMode</code> is a very useful option
during development time, allowing for deep introspection and debugging into you
app.</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>true
-</code></pre>
-</div>
-<p>. The best way is to ensure the following setting is applied to our</p>
+<p>However, in production it exposes your application to be presenting too
many informations on applicationâs internals or to evaluating risky parameter
expressions. Please <strong>always disable</strong> <code
class="highlighter-rouge">devMode</code>Â before deploying your application to
a production environment. While it is disabled by default, your
+<code class="highlighter-rouge">struts.xml</code>Â might include a line
setting it to <code class="highlighter-rouge">true</code>. The best way is to
ensure the following setting is applied to our <code
class="highlighter-rouge">struts.xml</code>Â for production deployment:</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>struts.xml
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><constant</span> <span class="na">name =</span><span
class="s">"struts.devMode"</span> <span class="na">value=</span><span
class="s">"false"</span> <span class="nt">/></span>
</code></pre>
</div>
-<p>Â for production deployment:</p>
-
-<table>
- <tbody>
- <tr>
- <td>< constant name =âstruts.devModeâ value=âfalseâ /></td>
- </tr>
- </tbody>
-</table>
-
-<table>
- <tbody>
- <tr>
- </tr>
- </tbody>
-</table>
-<p><strong>Reduce logging level</strong></p>
+<h4 id="reduce-logging-level">Reduce logging level</h4>
<p>Itâs a good practice to reduce logging level from <strong>DEBUG</strong>
to <strong>INFO</strong> or less. Frameworkâs classes can produce a lot of
logging entries which will pollute the log file. You can even set logging level
to <strong>WARN</strong> for classes that belongs to the framework, see example
Log4j2 configuration:</p>
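Review bot: The `No-JSP` constraint in the "Never expose JSP files directly" sample matches only `*.jsp`, so it does not cover other extensions a container may route to its JSP servlet; Tomcat's default configuration, for example, also maps `*.jspx`. The paragraph before the sample should say that the pattern list has to match the container's JSP mappings, and the sample could carry a second entry, `<url-pattern>*.jspx</url-pattern>`, in the same `web-resource-collection`. Separately, the new headings go from `<h1 class="no_toc" id="security">` straight to `<h3 id="security-tips">`, skipping `<h2>`. The two section headings would be better as `<h2>` with the tips as `<h3>`.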
@@ -257,124 +227,60 @@
</code></pre>
</div>
-<p><strong>Use UTF-8 encoding</strong></p>
+<h4 id="use-utf-8-encoding">Use UTF-8 encoding</h4>
-<p>Always use </p>
+<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when
building an application with the Apache Struts 2, when using JSPs please add
the following header to each JSP file</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>UTF-8
+<pre><code class="language-jsp"><%@ page contentType="text/html;
charset=UTF-8" %>
</code></pre>
-</div>
-<p>encoding when building an application with the Apache Struts 2, when using
JSPs please add the following header to each JSP file</p>
-<div class="highlighter-rouge"><pre class="highlight"><code><%@ page
contentType="text/html; charset=UTF-8" %>
-</code></pre>
-</div>
+<h4 id="do-not-define-setters-when-not-needed">Do not define setters when not
needed</h4>
-<p><strong>Do not define setters when not needed</strong></p>
+<p>You should carefully design your actions without exposing anything via
setters and getters, thus can leads to potential security vulnerabilities. Any
actionâs setter can be used to set incoming untrusted userâs value which
can contain suspicious expression. Some Struts <code
class="highlighter-rouge">Result</code>s automatically populate params based on
values inÂ
+<code class="highlighter-rouge">ValueStack</code> (action in most cases is the
root) which means incoming value will be evaluated as an expression during this
process.</p>
-<p>You should carefully design your actions without exposing anything via
setters and getters, thus can leads to potential security vulnerabilities. Any
actionâs setter can be used to set incoming untrusted userâs value which
can contain suspicious expression. Some Struts </p>
+<h4 id="do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not
use incoming values as an input for localisation logic</h4>
-<div class="highlighter-rouge"><pre class="highlight"><code>Result
-</code></pre>
-</div>
-<p>s automatically populate params based on values in </p>
+<p>All <code class="highlighter-rouge">TextProvider</code>âs <code
class="highlighter-rouge">getText(...)</code> methods (e.g. in<code
class="highlighter-rouge">ActionSupport</code>) perform evaluation of
parameters included in a message to properly localize the text. This means
using incoming request parameters with <code
class="highlighter-rouge">getText(...)</code> methods is potentially dangerous
and should be avoided. See example below, assuming that an action implements
getter and setter for property <code class="highlighter-rouge">message</code>,
the below code allows inject an OGNL expression:</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>ValueStack
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="kd">public</span> <span class="n">String</span> <span
class="nf">execute</span><span class="p">(</span><span class="o">)</span> <span
class="kd">throws</span> <span class="n">Exception</span> <span
class="o">{</span>
+ <span class="n">setMessage</span><span class="o">(</span><span
class="n">getText</span><span class="o">(</span><span
class="n">getMessage</span><span class="o">()));</span>
+ <span class="k">return</span> <span class="n">SUCCESS</span><span
class="o">;</span>
+<span class="o">}</span>
</code></pre>
</div>
-<p>(action in most cases is the root) which means incoming value will be
evaluated as an expression during this process.</p>
-<p><strong>Do not use incoming values as an input for localisation
logic</strong></p>
+<p>Never use value of incoming request parameter as part of your localization
logic.</p>
-<p>All </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>TextProvider
-</code></pre>
-</div>
-<p>âs</p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>getText(...)Â
-</code></pre>
-</div>
-<p>methods (e.g in </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>ActionSupport
-</code></pre>
-</div>
-<p>) perform evaluation of parameters included in a message to properly
localize the text. This means using incoming request parameters with </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>getText(...)
-</code></pre>
-</div>
-<p>methods is potentially dangerous and should be avoided. See example below,
assuming that an action implements getter and setter for property </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>message
-</code></pre>
-</div>
-<p>, the below code allows inject an OGNL expression:</p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>public String
execute() throws Exception {
- setMessage(getText(getMessage()));
- return SUCCESS;
-}
-</code></pre>
-</div>
-
-<p>Never use value of incoming request parameter as part of your localisation
logic.</p>
-
-<p>#####Internal security mechanism#####</p>
+<h3 id="internal-security-mechanism">Internal security mechanism</h3>
<p>The Apache Struts 2 contains internal security manager which blocks access
to particular classes and Java packages - itâs a OGNL-wide mechanism which
means it affects any aspect of the framework ie. incoming parameters,
expressions used in JSPs, etc.</p>
<p>There are three options that can be used to configure excluded packages and
classes:</p>
<ul>
- <li></li>
+ <li>
+ <p><code class="highlighter-rouge">struts.excludedClasses</code> -
comma-separated list of excluded classes</p>
+ </li>
+ <li>
+ <p><code
class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns
used to exclude packages based on RegEx - this option is slower than simple
string comparison but itâs more flexible</p>
+ </li>
+ <li>
+ <p><code class="highlighter-rouge">struts.excludedPackageNames</code> -
comma-separated list of excluded packages, it is used with simple string
comparison via <code class="highlighter-rouge">startWith</code> and <code
class="highlighter-rouge">equals</code></p>
+ </li>
</ul>
-<div class="highlighter-rouge"><pre
class="highlight"><code>struts.excludedClasses
-</code></pre>
-</div>
-<p>- comma-separated list of excluded classes</p>
-
-<ul>
- <li></li>
-</ul>
-
-<div class="highlighter-rouge"><pre
class="highlight"><code>struts.excludedPackageNamePatterns
-</code></pre>
-</div>
-<p>- patterns used to exclude packages based on RegEx - this option is slower
than simple string comparison but itâs more flexible</p>
-
-<ul>
- <li></li>
-</ul>
-
-<div class="highlighter-rouge"><pre
class="highlight"><code>struts.excludedPackageNames
-</code></pre>
-</div>
-<p>- comma-separated list of excluded packages, it is used with simple string
comparison via </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>startWith
-</code></pre>
-</div>
-<p>and </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>equals
-</code></pre>
-</div>
-
<p>The defaults are as follow:</p>
-<div class="highlighter-rouge"><pre class="highlight"><code><constant
name="struts.excludedClasses"
- value="com.opensymphony.xwork2.ActionContext" />
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><constant</span> <span class="na">name=</span><span
class="s">"struts.excludedClasses"</span>
+ <span class="na">value=</span><span
class="s">"com.opensymphony.xwork2.ActionContext"</span> <span
class="nt">/></span>
-<!-- this must be valid regex, each '.' in package name must be escaped!
-->
-<!-- it's more flexible but slower than simple string comparison -->
-<!-- constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
+<span class="c"><!-- this must be valid regex, each '.' in package name
must be escaped! --></span>
+<span class="c"><!-- it's more flexible but slower than simple string
comparison --></span>
+<span class="c"><!-- constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" /
--></span>
-<!-- this is simpler version of the above used with string comparison -->
-<constant name="struts.excludedPackageNames" value="java.lang,ognl,javax"
/>
+<span class="c"><!-- this is simpler version of the above used with string
comparison --></span>
+<span class="nt"><constant</span> <span class="na">name=</span><span
class="s">"struts.excludedPackageNames"</span> <span
class="na">value=</span><span class="s">"java.lang,ognl,javax"</span> <span
class="nt">/></span>
</code></pre>
</div>
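Review bot: The `execute()` sample under "Do not use incoming values as an input for localisation logic" is the unsafe pattern, but nothing inside the highlighted block marks it as such, so a reader who copies only the block gets the vulnerable code without the warning. A first line such as `// UNSAFE: message is request-controlled and getText() evaluates it as an expression` would keep the warning attached to the code. In the paragraph above it the new markup reads `(e.g. in<code class="highlighter-rouge">ActionSupport</code>)`, which renders as "inActionSupport" because a space is missing before `<code`. The `struts.excludedPackageNames` item names `startWith`, which presumably should be `startsWith`.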
@@ -384,93 +290,48 @@
</code></pre>
</div>
-<p>In that case </p>
+<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used
to create a new instance of class (inside JSP) - itâs blocked because <code
class="highlighter-rouge">target</code> of such expression is evaluated toÂ
<code class="highlighter-rouge">java.lang.Class</code></p>
-<div class="highlighter-rouge"><pre class="highlight"><code>new MyBean()
-</code></pre>
-</div>
-<p>was used to create a new instance of class (inside JSP) - itâs blocked
because </p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>target
-</code></pre>
-</div>
-<p>of such expression is evaluated to </p>
+<p>It is possible to redefine the above constants in struts.xml but try to
avoid this and rather change design of your application!</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>java.lang.Class
-</code></pre>
-</div>
+<h4 id="accessing-static-methods">Accessing static methods</h4>
-<p>It is possible to redefine the above constants in struts.xml but try to
avoid this and rather change design of your application!</p>
+<p>Support for accessing static methods from expression will be disabled soon,
please consider re-factoring your application to avoid further problems! Please
check <a href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p>
-<table>
- <tbody>
- <tr>
- </tr>
- </tbody>
-</table>
-
-<p><strong>Accessing static methods</strong></p>
-
-<p>Support for accessing static methods from expression will be disabled soon,
please consider re-factoring your application to avoid further problems! Please
check <a
href="https://issues\.apache\.org/jira/browse/WW\-4348">WW-4348</a>^[https://issues.apache.org/jira/browse/WW-4348].</p>
-
-<blockquote>
-
-</blockquote>
-
-<p><strong>OGNL is used to call actionâs methods</strong></p>
-
-<p>This can impact actions which have large inheritance hierarchy and use the
same methodâs name throughout the hierarchy, this was reported as an issue <a
href="https://issues\.apache\.org/jira/browse/WW\-4405">WW-4405</a>^[https://issues.apache.org/jira/browse/WW-4405].
See the example below:</p>
-
-<div class="highlighter-rouge"><pre class="highlight"><code>public class
RealAction extends BaseAction {
- @Action("save")
- public String save() throws Exception {
- super.save();
- return SUCCESS;
- }
-}
-Â
-public class BaseAction extends AbstractAction {
- public String save() throws Exception {
- save(Double.MAX_VALUE);
- return SUCCESS;
- }
-}
-Â
-public abstract class AbstractAction extends ActionSupport {
- protected void save(Double val) {
- // some logic
- }
-}
-</code></pre>
-</div>
+<h4 id="ognl-is-used-to-call-actions-methods">OGNL is used to call actionâs
methods</h4>
-<p>In such case OGNL cannot properly map which method to call when request is
coming. This is do the OGNL limitation. To solve the problem donât use the
same methodâs names through the hierarchy, you can simply change the
actionâs method from </p>
+<p>This can impact actions which have large inheritance hierarchy and use the
same methodâs name throughout the hierarchy, this was reported as an issue <a
href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. See the
example below:</p>
-<div class="highlighter-rouge"><pre class="highlight"><code>save()
-</code></pre>
-</div>
-<p>to </p>
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="kd">public</span> <span class="kd">class</span> <span
class="nc">RealAction</span> <span class="kd">extends</span> <span
class="n">BaseAction</span> <span class="o">{</span>
+ <span class="nd">@Action</span><span class="o">(</span><span
class="s">"save"</span><span class="o">)</span>
+ <span class="kd">public</span> <span class="n">String</span> <span
class="n">save</span><span class="o">()</span> <span class="kd">throws</span>
<span class="n">Exception</span> <span class="o">{</span>
+ <span class="kd">super</span><span class="o">.</span><span
class="na">save</span><span class="o">();</span>
+ <span class="k">return</span> <span class="n">SUCCESS</span><span
class="o">;</span>
+ <span class="o">}</span>
+<span class="o">}</span>
-<div class="highlighter-rouge"><pre class="highlight"><code>saveAction()
-</code></pre>
-</div>
-<p> and leaving annotation as is to allow call this action via </p>
+<span class="kd">public</span> <span class="kd">class</span> <span
class="nc">BaseAction</span> <span class="kd">extends</span> <span
class="n">AbstractAction</span> <span class="o">{</span>
+ <span class="kd">public</span> <span class="n">String</span> <span
class="n">save</span><span class="o">()</span> <span class="kd">throws</span>
<span class="n">Exception</span> <span class="o">{</span>
+ <span class="n">save</span><span class="o">(</span><span
class="n">Double</span><span class="o">.</span><span
class="na">MAX_VALUE</span><span class="o">);</span>
+ <span class="k">return</span> <span class="n">SUCCESS</span><span
class="o">;</span>
+ <span class="o">}</span>
+<span class="o">}</span>
-<div class="highlighter-rouge"><pre class="highlight"><code>/save.action
+<span class="kd">public</span> <span class="kd">abstract</span> <span
class="kd">class</span> <span class="nc">AbstractAction</span> <span
class="kd">extends</span> <span class="n">ActionSupport</span> <span
class="o">{</span>
+ <span class="kd">protected</span> <span class="kt">void</span> <span
class="n">save</span><span class="o">(</span><span class="n">Double</span>
<span class="n">val</span><span class="o">)</span> <span class="o">{</span>
+ <span class="c1">// some logic</span>
+ <span class="o">}</span>
+<span class="o">}</span>
</code></pre>
</div>
-<p>request.</p>
-<p><strong>Accepted / Excluded patterns</strong></p>
+<p>In such case OGNL cannot properly map which method to call when request is
coming. This is do the OGNL limitation. To solve the problem donât use the
same methodâs names through the hierarchy, you can simply change the
actionâs method from <code class="highlighter-rouge">save()</code> to <code
class="highlighter-rouge">saveAction()</code>Â and leaving annotation as is to
allow call this action via <code
class="highlighter-rouge">/save.action</code> request.</p>
-<p>As from version 2.3.20 the framework provides two new interfaces which are
used to accept / exclude param names and values -Â <a
href="http://struts\.apache\.org/maven/struts2\-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker\.html">AcceptedPatternsChecker</a>^[http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html]
and <a
href="http://struts\.apache\.org/maven/struts2\-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker\.html">ExcludedPatternsChecker</a>^[http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html]
with default implementations. These two interfaces are used by <a
href="../core-developers/parameters-interceptor.html">Parameters
Interceptor</a> and <a
href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a> to
check if param can be accepted or must be excluded. If you were using </p>
+<h4 id="accepted--excluded-patterns">Accepted / Excluded patterns</h4>
-<div class="highlighter-rouge"><pre class="highlight"><code>excludeParams
-</code></pre>
-</div>
-<p>previously please compare patterns used by you with these provided by the
framework in default implementation.</p>
+<p>As from version 2.3.20 the framework provides two new interfaces which are
used to accept / exclude param names and values -Â <a
href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a>
and <a
href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>
with default implementations. These two interfaces are used by <a
href="../core-developers/parameters-interceptor.html">Parameters
Interceptor</a> and <a
href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a> to
check if param can be accepted or must be excluded. If you were using <code
class="highlighter-rouge">excludeParams</code> previously please compare
patterns used by you with these provided by the framework in default
implementation.</p>
-<p><strong>Strict Method Invocation</strong></p>
+<h4 id="strict-method-invocation">Strict Method Invocation</h4>
<p>This mechanism was introduced in version 2.5. It allows control what
methods can be accessed with the bang â!â operator via <a
href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic
Method Invocation</a>. Please read more in Strict Method Invocation section
of <a href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
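Review bot: The "Accessing static methods" paragraph says support "will be disabled soon" but gives the reader nothing to check in a deployment today. It should name the switch, for instance `Keep <code class="highlighter-rouge">struts.ognl.allowStaticMethodAccess</code> set to <code class="highlighter-rouge">false</code>.` The sentence before it, on redefining the excluded classes and packages in struts.xml, would also be stronger with its reason stated: shortening those lists widens what OGNL expressions can reach. In the WW-4405 paragraph, "This is do the OGNL limitation" should read "This is due to an OGNL limitation".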
Modified: websites/production/struts/content/struts1eol-announcement.html
==============================================================================
--- websites/production/struts/content/struts1eol-announcement.html (original)
+++ websites/production/struts/content/struts1eol-announcement.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
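Review bot: The Plugin registry entry kept as context just above the moved divider still links to `http://cwiki.apache.org/S2PLUGINS/home.html` over plain HTTP, while the Wiki entry in the same menu already uses `https://cwiki.apache.org/...`. Since this menu is being edited anyway, I would change it to `<li><a href="https://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>`, after confirming the path resolves over HTTPS, so the navigation does not send readers through a cleartext hop. The same context line appears in the matching `@@ -87,8 +88,7 @@` hunks for struts1eol-press.html, submitting-patches.html, volunteers.html and youatstruts.html. That repetition suggests these pages are generated from a shared template, in which case the fix belongs in the template source rather than in these files. The enclosing `<ul>` starts outside the hunk.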
Modified: websites/production/struts/content/struts1eol-press.html
==============================================================================
--- websites/production/struts/content/struts1eol-press.html (original)
+++ websites/production/struts/content/struts1eol-press.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/submitting-patches.html
==============================================================================
--- websites/production/struts/content/submitting-patches.html (original)
+++ websites/production/struts/content/submitting-patches.html Fri Jun 16
07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/volunteers.html
==============================================================================
--- websites/production/struts/content/volunteers.html (original)
+++ websites/production/struts/content/volunteers.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>
Modified: websites/production/struts/content/youatstruts.html
==============================================================================
--- websites/production/struts/content/youatstruts.html (original)
+++ websites/production/struts/content/youatstruts.html Fri Jun 16 07:52:55 2017
@@ -79,6 +79,7 @@
<li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
<li><a href="/docs/tutorials.html">Tutorials</a></li>
<li><a href="/docs/faqs.html">FAQs</a></li>
<li><a href="/docs/guides.html">Guides</a></li>
@@ -87,8 +88,7 @@
<li><a href="/docs/plugins.html">Plugin APIs</a></li>
<li><a href="/docs/tag-reference.html">Tag reference</a></li>
<li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
- <li class="divider"></li>
- <li><a href="/security/">Security Guide (WIP)</a></li>
+ <li class="divider"></li>
<li><a href="/core-developers/">Core Developers Guide
(WIP)</a></li>
</ul>
</li>