This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 1249738b0 Automatic Site Publish by Buildbot
1249738b0 is described below
commit 1249738b03e662b6913f6160be60b39ea781786b
Author: buildbot <us...@infra.apache.org>
AuthorDate: Fri Feb 2 06:26:24 2024 +0000
Automatic Site Publish by Buildbot
---
output/core-developers/basic-validation.html | 3 +
output/core-developers/client-validation.html | 3 +
output/core-developers/conversion-validator.html | 3 +-
.../core-developers/file-upload-interceptor.html | 3 +
output/core-developers/file-upload.html | 9 ++
.../type-conversion-annotation.html | 4 +
output/core-developers/type-conversion.html | 2 +
.../using-non-field-validators.html | 3 +
.../using-visitor-field-validator.html | 1 +
output/core-developers/validation-annotation.html | 1 +
output/core-developers/validation.html | 1 +
output/core-developers/wildcard-mappings.html | 2 +
output/getting-started/coding-actions.html | 4 +-
output/getting-started/processing-forms.html | 32 +++++--
output/plugins/junit/index.html | 1 +
.../plugins/portlet/struts-2-portlet-tutorial.html | 10 +-
output/security/index.html | 102 ++++++++++++++++++---
17 files changed, 158 insertions(+), 26 deletions(-)
diff --git a/output/core-developers/basic-validation.html
b/output/core-developers/basic-validation.html
index 8df18d572..1da220948 100644
--- a/output/core-developers/basic-validation.html
+++ b/output/core-developers/basic-validation.html
@@ -215,6 +215,7 @@
<span class="k">return</span> <span class="n">name</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
@@ -223,6 +224,7 @@
<span class="k">return</span> <span class="n">age</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setAge</span><span class="o">(</span><span class="kt">int</span>
<span class="n">age</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">age</span> <span class="o">=</span> <span class="n">age</span><span
class="o">;</span>
<span class="o">}</span>
@@ -231,6 +233,7 @@
<span class="k">return</span> <span
class="n">answer</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setAnswer</span><span class="o">(</span><span
class="nc">String</span> <span class="n">answer</span><span class="o">)</span>
<span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">answer</span> <span class="o">=</span> <span
class="n">answer</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/client-validation.html
b/output/core-developers/client-validation.html
index c922bc167..6b770499f 100644
--- a/output/core-developers/client-validation.html
+++ b/output/core-developers/client-validation.html
@@ -212,6 +212,7 @@
<span class="k">return</span> <span class="n">name</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
@@ -220,6 +221,7 @@
<span class="k">return</span> <span class="n">age</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setAge</span><span class="o">(</span><span class="kt">int</span>
<span class="n">age</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">age</span> <span class="o">=</span> <span class="n">age</span><span
class="o">;</span>
<span class="o">}</span>
@@ -228,6 +230,7 @@
<span class="k">return</span> <span
class="n">answer</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setAnswer</span><span class="o">(</span><span
class="nc">String</span> <span class="n">answer</span><span class="o">)</span>
<span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">answer</span> <span class="o">=</span> <span
class="n">answer</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/conversion-validator.html
b/output/core-developers/conversion-validator.html
index 2769f41f2..3c07fa73d 100644
--- a/output/core-developers/conversion-validator.html
+++ b/output/core-developers/conversion-validator.html
@@ -228,7 +228,8 @@ property set to true, it will, meaning the textfield will
have ‘one’ as its
<span class="kd">public</span> <span class="nc">Integer</span> <span
class="nf">getMyIntegerField</span><span class="o">()</span> <span
class="o">{</span>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">myIntegerField</span><span
class="o">;</span>
<span class="o">}</span>
-
+
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setMyIntegerField</span><span class="o">(</span><span
class="nc">Integer</span> <span class="n">myIntegerField</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">myIntegerField</span> <span class="o">=</span> <span
class="n">myIntegerField</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/file-upload-interceptor.html
b/output/core-developers/file-upload-interceptor.html
index 514c6ede1..7aa55be6a 100644
--- a/output/core-developers/file-upload-interceptor.html
+++ b/output/core-developers/file-upload-interceptor.html
@@ -239,14 +239,17 @@ and which are not.</p>
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">contentType</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">filename</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUpload</span><span class="o">(</span><span class="nc">File</span>
<span class="n">file</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">file</span> <span class="o">=</span> <span
class="n">file</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadContentType</span><span class="o">(</span><span
class="nc">String</span> <span class="n">contentType</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">contentType</span> <span class="o">=</span> <span
class="n">contentType</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadFileName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">filename</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">filename</span> <span class="o">=</span> <span
class="n">filename</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/file-upload.html
b/output/core-developers/file-upload.html
index c9d2e8274..124b60edf 100644
--- a/output/core-developers/file-upload.html
+++ b/output/core-developers/file-upload.html
@@ -264,14 +264,17 @@ class. For a form field named <code
class="language-plaintext highlighter-rouge"
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">contentType</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">filename</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUpload</span><span class="o">(</span><span class="nc">File</span>
<span class="n">file</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">file</span> <span class="o">=</span> <span
class="n">file</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadContentType</span><span class="o">(</span><span
class="nc">String</span> <span class="n">contentType</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">contentType</span> <span class="o">=</span> <span
class="n">contentType</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadFileName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">filename</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">filename</span> <span class="o">=</span> <span
class="n">filename</span><span class="o">;</span>
<span class="o">}</span>
@@ -363,6 +366,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploads</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUpload</span><span class="o">(</span><span
class="nc">File</span><span class="o">[]</span> <span
class="n">upload</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploads</span> <span class="o">=</span> <span
class="n">upload</span><span class="o">;</span>
<span class="o">}</span>
@@ -371,6 +375,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploadFileNames</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadFileName</span><span class="o">(</span><span
class="nc">String</span><span class="o">[]</span> <span
class="n">uploadFileName</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploadFileNames</span> <span class="o">=</span> <span
class="n">uploadFileName</span><span class="o">;</span>
<span class="o">}</span>
@@ -379,6 +384,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploadContentTypes</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadContentType</span><span class="o">(</span><span
class="nc">String</span><span class="o">[]</span> <span
class="n">uploadContentType</span><span class="o">)</span> <span
class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploadContentTypes</span> <span class="o">=</span> <span
class="n">uploadContentType</span><span class="o">;</span>
<span class="o">}</span>
@@ -408,6 +414,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploads</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUpload</span><span class="o">(</span><span
class="nc">List</span><span class="o"><</span><span
class="nc">File</span><span class="o">></span> <span
class="n">uploads</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploads</span> <span class="o">=</span> <span
class="n">uploads</span><span class="o">;</span>
<span class="o">}</span>
@@ -416,6 +423,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploadFileNames</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadFileName</span><span class="o">(</span><span
class="nc">List</span><span class="o"><</span><span
class="nc">String</span><span class="o">></span> <span
class="n">uploadFileNames</span><span class="o">)</span> <span
class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploadFileNames</span> <span class="o">=</span> <span
class="n">uploadFileNames</span><span class="o">;</span>
<span class="o">}</span>
@@ -424,6 +432,7 @@ follow the below example.</p>
<span class="k">return</span> <span class="k">this</span><span
class="o">.</span><span class="na">uploadContentTypes</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUploadContentType</span><span class="o">(</span><span
class="nc">List</span><span class="o"><</span><span
class="nc">String</span><span class="o">></span> <span
class="n">contentTypes</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">uploadContentTypes</span> <span class="o">=</span> <span
class="n">contentTypes</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/type-conversion-annotation.html
b/output/core-developers/type-conversion-annotation.html
index 544e1b424..84c959fe0 100644
--- a/output/core-developers/type-conversion-annotation.html
+++ b/output/core-developers/type-conversion-annotation.html
@@ -240,21 +240,25 @@ file within the classpath root. Set type to: <code
class="language-plaintext hig
<span class="kd">private</span> <span class="nc">HashMap</span> <span
class="n">keyValues</span> <span class="o">=</span> <span
class="kc">null</span><span class="o">;</span>
<span class="nd">@TypeConversion</span><span class="o">(</span><span
class="n">type</span> <span class="o">=</span> <span
class="nc">ConversionType</span><span class="o">.</span><span
class="na">APPLICATION</span><span class="o">)</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setConvertInt</span><span class="o">(</span> <span
class="nc">String</span> <span class="n">convertInt</span> <span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">convertInt</span> <span class="o">=</span> <span
class="n">convertInt</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@TypeConversion</span><span class="o">(</span><span
class="n">converterClass</span> <span class="o">=</span> <span
class="nc">XWorkBasicConverter</span><span class="o">.</span><span
class="na">class</span><span class="o">)</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setConvertDouble</span><span class="o">(</span> <span
class="nc">String</span> <span class="n">convertDouble</span> <span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">convertDouble</span> <span class="o">=</span> <span
class="n">convertDouble</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@TypeConversion</span><span class="o">(</span><span
class="n">rule</span> <span class="o">=</span> <span
class="nc">ConversionRule</span><span class="o">.</span><span
class="na">COLLECTION</span><span class="o">,</span> <span
class="n">converterClass</span> <span class="o">=</span> <span
class="nc">String</span><span class="o">.</span><span
class="na">class</span><span class="o">)</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUsers</span><span class="o">(</span> <span class="nc">List</span>
<span class="n">users</span> <span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">users</span> <span class="o">=</span> <span
class="n">users</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@TypeConversion</span><span class="o">(</span><span
class="n">rule</span> <span class="o">=</span> <span
class="nc">ConversionRule</span><span class="o">.</span><span
class="na">MAP</span><span class="o">,</span> <span
class="n">converterClass</span> <span class="o">=</span> <span
class="nc">BigInteger</span><span class="o">.</span><span
class="na">class</span><span class="o">)</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setKeyValues</span><span class="o">(</span> <span
class="nc">HashMap</span> <span class="n">keyValues</span> <span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">keyValues</span> <span class="o">=</span> <span
class="n">keyValues</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/type-conversion.html
b/output/core-developers/type-conversion.html
index 5fe66bb8c..4940162a8 100644
--- a/output/core-developers/type-conversion.html
+++ b/output/core-developers/type-conversion.html
@@ -494,6 +494,7 @@ property. Otherwise, one element of the null <code
class="language-plaintext hig
<span class="kd">private</span> <span class="nc">List</span> <span
class="n">beanList</span> <span class="o">=</span> <span class="k">new</span>
<span class="nc">ArrayList</span><span class="o">();</span>
<span class="kd">private</span> <span class="nc">Map</span> <span
class="n">beanMap</span> <span class="o">=</span> <span class="k">new</span>
<span class="nc">HashMap</span><span class="o">();</span>
+ <span class="nd">@StrutsParameter</span><span class="o">(</span><span
class="n">depth</span> <span class="o">=</span> <span class="mi">2</span><span
class="o">)</span>
<span class="kd">public</span> <span class="nc">List</span> <span
class="nf">getBeanList</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">beanList</span><span
class="o">;</span>
<span class="o">}</span>
@@ -502,6 +503,7 @@ property. Otherwise, one element of the null <code
class="language-plaintext hig
<span class="k">this</span><span class="o">.</span><span
class="na">beanList</span> <span class="o">=</span> <span
class="n">beanList</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span><span class="o">(</span><span
class="n">depth</span> <span class="o">=</span> <span class="mi">2</span><span
class="o">)</span>
<span class="kd">public</span> <span class="nc">Map</span> <span
class="nf">getBeanMap</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">beanMap</span><span
class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/using-non-field-validators.html
b/output/core-developers/using-non-field-validators.html
index 55d02ff56..bf4b3b761 100644
--- a/output/core-developers/using-non-field-validators.html
+++ b/output/core-developers/using-non-field-validators.html
@@ -187,6 +187,7 @@
<span class="k">return</span> <span class="n">someText</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setSomeText</span><span class="o">(</span><span
class="nc">String</span> <span class="n">someText</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">someText</span> <span class="o">=</span> <span
class="n">someText</span><span class="o">;</span>
<span class="o">}</span>
@@ -195,6 +196,7 @@
<span class="k">return</span> <span
class="n">someTextRetype</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setSomeTextRetype</span><span class="o">(</span><span
class="nc">String</span> <span class="n">someTextRetype</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">someTextRetype</span> <span class="o">=</span> <span
class="n">someTextRetype</span><span class="o">;</span>
<span class="o">}</span>
@@ -203,6 +205,7 @@
<span class="k">return</span> <span
class="n">someTextRetypeAgain</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setSomeTextRetypeAgain</span><span class="o">(</span><span
class="nc">String</span> <span class="n">someTextRetypeAgain</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">someTextRetypeAgain</span> <span class="o">=</span> <span
class="n">someTextRetypeAgain</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/using-visitor-field-validator.html
b/output/core-developers/using-visitor-field-validator.html
index 55c452ec9..bbcbfedef 100644
--- a/output/core-developers/using-visitor-field-validator.html
+++ b/output/core-developers/using-visitor-field-validator.html
@@ -187,6 +187,7 @@
<span class="kd">private</span> <span class="nc">User</span> <span
class="n">user</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span><span class="o">(</span><span
class="n">depth</span> <span class="o">=</span> <span class="mi">1</span><span
class="o">)</span>
<span class="kd">public</span> <span class="nc">User</span> <span
class="nf">getUser</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">user</span><span
class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/validation-annotation.html
b/output/core-developers/validation-annotation.html
index 22c443507..c88c45264 100644
--- a/output/core-developers/validation-annotation.html
+++ b/output/core-developers/validation-annotation.html
@@ -194,6 +194,7 @@ is no longer necessary.</p>
<span class="nd">@RequiredFieldValidator</span><span
class="o">(</span><span class="n">type</span> <span class="o">=</span> <span
class="nc">ValidatorType</span><span class="o">.</span><span
class="na">FIELD</span><span class="o">,</span> <span class="n">message</span>
<span class="o">=</span> <span class="s">"You must enter a value for
bar."</span><span class="o">)</span>
<span class="nd">@IntRangeFieldValidator</span><span
class="o">(</span><span class="n">type</span> <span class="o">=</span> <span
class="nc">ValidatorType</span><span class="o">.</span><span
class="na">FIELD</span><span class="o">,</span> <span class="n">min</span>
<span class="o">=</span> <span class="s">"6"</span><span class="o">,</span>
<span class="n">max</span> <span class="o">=</span> <span
class="s">"10"</span><span class="o">,</span> <span class="n">message</span>
<span clas [...]
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setBar</span><span class="o">(</span><span class="kt">int</span>
<span class="n">bar</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">bar</span> <span class="o">=</span> <span class="n">bar</span><span
class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/validation.html
b/output/core-developers/validation.html
index ab41e0128..2cf7f8ceb 100644
--- a/output/core-developers/validation.html
+++ b/output/core-developers/validation.html
@@ -505,6 +505,7 @@ order is important as this mechanism uses <code
class="language-plaintext highli
<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nd">@RequiredStringValidator</span><span
class="o">(</span><span class="n">key</span> <span class="o">=</span> <span
class="s">"errors.required"</span><span class="o">,</span> <span
class="n">messageParams</span> <span class="o">=</span> <span class="o">{</span>
<span class="s">"getText('username.field.name')"</span>
<span class="o">})</span>
+<span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUsername</span><span class="o">(</span><span
class="nc">String</span> <span class="n">username</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">username</span> <span class="o">=</span> <span
class="n">username</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/core-developers/wildcard-mappings.html
b/output/core-developers/wildcard-mappings.html
index fb66e87db..e94a1dadb 100644
--- a/output/core-developers/wildcard-mappings.html
+++ b/output/core-developers/wildcard-mappings.html
@@ -254,6 +254,8 @@ URL and extracted as parameters, for example:</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nd">@Namespace</span><span
class="o">{</span><span class="s">"/users/{userID}"</span><span
class="o">);</span>
<span class="kd">public</span> <span class="kd">class</span> <span
class="nc">DetailsAction</span> <span class="n">exends</span> <span
class="nc">ActionSupport</span> <span class="o">{</span>
<span class="kd">private</span> <span class="nc">Long</span> <span
class="n">userID</span><span class="o">;</span>
+
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUserID</span><span class="o">(</span><span class="nc">Long</span>
<span class="n">userID</span><span class="o">)</span> <span
class="o">{...}</span>
<span class="o">}</span>
</code></pre></div></div>
diff --git a/output/getting-started/coding-actions.html
b/output/getting-started/coding-actions.html
index 2e627299c..6e6776c11 100644
--- a/output/getting-started/coding-actions.html
+++ b/output/getting-started/coding-actions.html
@@ -252,6 +252,7 @@ those form field values provided it has a public set method
that matches the for
<span class="k">return</span> <span class="n">userName</span><span
class="o">;</span>
<span class="o">}</span>
+<span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUserName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">userName</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">userName</span> <span class="o">=</span> <span
class="n">userName</span><span class="o">;</span>
<span class="o">}</span>
@@ -274,7 +275,8 @@ You should see the following page.</p>
<p><img src="attachments/coding_actions_form_submit_result.png"
alt="coding_actions_form_submit_result.png" /></p>
<p>When the form is submitted, Struts will call any set methods of the
HelloWorldAction class that match the form field
-names. So in this example method <code class="language-plaintext
highlighter-rouge">setUserName</code> was called and passed the value the user
entered in the <code class="language-plaintext
highlighter-rouge">userName</code> form field.</p>
+names and are annotated with <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code>. So in this example method <code
class="language-plaintext highlighter-rouge">setUserName</code> was called and
passed the value
+the user entered in the <code class="language-plaintext
highlighter-rouge">userName</code> form field.</p>
<p>On the <code class="language-plaintext highlighter-rouge">index.jsp</code>
we also have a Struts 2 action link (see tutorial <a href="using-tags">Using
Struts 2 Tags</a>) that includes
a query string parameter: <code class="language-plaintext
highlighter-rouge">userName=Bruce+Phillips</code>. If you click on that link
you should see the following result:</p>
diff --git a/output/getting-started/processing-forms.html
b/output/getting-started/processing-forms.html
index 13af47e5c..51e121188 100644
--- a/output/getting-started/processing-forms.html
+++ b/output/getting-started/processing-forms.html
@@ -276,7 +276,7 @@ then discuss some key points. Create a view page named
<code class="language-pla
<p>Note the four Struts 2 textfield tags. Each tag has a name value that
includes an attribute of the <code class="language-plaintext
highlighter-rouge">Person</code> class
(e.g. <code class="language-plaintext highlighter-rouge">firstName</code>).
The name attribute’s value also has a reference to an object called <code
class="language-plaintext highlighter-rouge">personBean</code>. This object is
of type <code class="language-plaintext highlighter-rouge">Person</code>. When
we create the Action class that handles this form submission, we’ll have to
specify that object
-in that Action class (see below).</p>
+in that Action class and annotate it (see below).</p>
<p>The complete name value, <code class="language-plaintext
highlighter-rouge">personBean.firstName</code>, instructs Struts 2 to use the
input value for that textfield as
the argument to the personBean object’s <code class="language-plaintext
highlighter-rouge">setFirstName</code> method. So if the user types “Bruce” in
the textfield that has
@@ -313,7 +313,8 @@ the Struts 2 framework. We need an Action class to process
this form. If you rec
<span class="k">return</span> <span class="no">SUCCESS</span><span
class="o">;</span>
<span class="o">}</span>
-
+
+ <span class="nd">@StrutsParameter</span><span class="o">(</span><span
class="n">depth</span> <span class="o">=</span> <span class="mi">1</span><span
class="o">)</span>
<span class="kd">public</span> <span class="nc">Person</span> <span
class="nf">getPersonBean</span><span class="o">()</span> <span
class="o">{</span>
<span class="k">return</span> <span class="n">personBean</span><span
class="o">;</span>
<span class="o">}</span>
@@ -325,8 +326,18 @@ the Struts 2 framework. We need an Action class to process
this form. If you rec
<span class="o">}</span>
</code></pre></div></div>
-<p>In the <code class="language-plaintext highlighter-rouge">Register</code>
class note that we’ve declared an attribute named <code
class="language-plaintext highlighter-rouge">personBean</code> of type <code
class="language-plaintext highlighter-rouge">Person</code> and there is a
public
-get and set method for this object.</p>
+<p>In the <code class="language-plaintext highlighter-rouge">Register</code>
class, note that we’ve declared an attribute named <code
class="language-plaintext highlighter-rouge">personBean</code> of type <code
class="language-plaintext highlighter-rouge">Person</code>, there are public
+getter and setter methods for this object, and the getter is annotated with
<code class="language-plaintext highlighter-rouge">@StrutsParameter(depth =
1)</code>.</p>
+
+<p>In the previous <a href="coding-actions">Coding Struts 2 Actions</a>
tutorial, we annotated the username <strong>setter</strong>, which took a
+simple String as its parameter type, with <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code>. In this example, we are using a
“Bean” object (sometimes
+referred to as a DTO or model object) to encapsulate the form data. When we
choose to use a DTO instead of a primitive,
+String, or other TypeConverter supported object, we must annotate the
<strong>getter</strong> method instead, and also assign a depth
+corresponding to how deep the DTO graph is. In this case, the <code
class="language-plaintext highlighter-rouge">Person</code> object does not have
any further DTOs or
+collections within it, so a depth of 1 will suffice.</p>
+
+<p>For more information on these annotations and their security implications,
please refer
+to <a
href="../security/index#defining-and-annotating-your-action-parameters">Security</a>.</p>
<p>The <code class="language-plaintext highlighter-rouge">Register</code>
class also overrides the <code class="language-plaintext
highlighter-rouge">execute</code> method. The <code class="language-plaintext
highlighter-rouge">execute</code> method is the one we will specify in the
<code class="language-plaintext highlighter-rouge">struts.xml</code> to be
called in response to the register action. In this example, the <code
class="language-plaintext highlighter-rouge">execute</code> method just returns
@@ -334,12 +345,13 @@ the String constant <code class="language-plaintext
highlighter-rouge">SUCCESS</
method we would call upon other classes (Service objects) to perform the
business processing of the form, such as storing
the user’s input into a data repository.</p>
-<p>The <code class="language-plaintext highlighter-rouge">personBean</code>
object of type <code class="language-plaintext highlighter-rouge">Person</code>
declared in the Register Action class matches the <code
class="language-plaintext highlighter-rouge">personBean</code> name we used in
-the form’s textfields. When the form is submitted, the Struts 2 framework will
inspect the Action class and look for
-an object named <code class="language-plaintext
highlighter-rouge">personBean</code>. It will create that object using the
<code class="language-plaintext highlighter-rouge">Person</code> class’s
default constructor. Then for each
-form field that has a name value of personBean.someAttribute (e.g <code
class="language-plaintext highlighter-rouge">personBean.firstName</code>) it
will call the personBean’s
-public set method for that attribute and pass it the form field’s value (the
user input). This all happens before
-the execute method occurs.</p>
+<p>The <code class="language-plaintext highlighter-rouge">personBean</code>
getter of return type <code class="language-plaintext
highlighter-rouge">Person</code> declared in the Register Action class matches
the <code class="language-plaintext highlighter-rouge">personBean</code> name we
+used in the form’s textfields. When the form is submitted, the Struts 2
framework will inspect the Action class and look
+for a getter for <code class="language-plaintext
highlighter-rouge">personBean</code>. If it returns <code
class="language-plaintext highlighter-rouge">null</code> and a matching setter
exists, it will create that object using the
+<code class="language-plaintext highlighter-rouge">Person</code> class’s
default constructor and set it using the setter. Note that the setter can be
omitted if your Action
+initialises the field on construction. Then for each form field that has a
name value of personBean.someAttribute
+(e.g <code class="language-plaintext
highlighter-rouge">personBean.firstName</code>) it will call the personBean’s
public set method for that attribute and pass it the form
+field’s value (the user input). This all happens before the execute method
occurs.</p>
<p>When Struts 2 runs the <code class="language-plaintext
highlighter-rouge">execute</code> method of class <code
class="language-plaintext highlighter-rouge">Register</code>, the <code
class="language-plaintext highlighter-rouge">personBean</code> object in class
<code class="language-plaintext highlighter-rouge">Register</code> now has
values
for its instance fields that are equal to the values the user entered into the
corresponding form fields.</p>
diff --git a/output/plugins/junit/index.html b/output/plugins/junit/index.html
index 8d8344063..8ef2f2eef 100644
--- a/output/plugins/junit/index.html
+++ b/output/plugins/junit/index.html
@@ -192,6 +192,7 @@ an action:</p>
<span class="k">return</span> <span class="n">name</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/plugins/portlet/struts-2-portlet-tutorial.html
b/output/plugins/portlet/struts-2-portlet-tutorial.html
index 5cab55578..40d89205a 100644
--- a/output/plugins/portlet/struts-2-portlet-tutorial.html
+++ b/output/plugins/portlet/struts-2-portlet-tutorial.html
@@ -324,10 +324,12 @@ If you have not used Struts 2 before, please check out
some of the other Struts
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">name</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span
class="n">url</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUrl</span><span class="o">(</span><span class="nc">String</span>
<span class="n">url</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">url</span> <span class="o">=</span> <span class="n">url</span><span
class="o">;</span>
<span class="o">}</span>
@@ -390,10 +392,12 @@ If you have not used Struts 2 before, please check out
some of the other Struts
<span class="kd">private</span> <span class="nc">PortletPreferences</span>
<span class="n">portletPreferences</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUrl</span><span class="o">(</span><span class="nc">String</span>
<span class="n">url</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">url</span> <span class="o">=</span> <span class="n">url</span><span
class="o">;</span>
<span class="o">}</span>
@@ -599,6 +603,7 @@ If you have not used Struts 2 before, please check out some
of the other Struts
<span class="kd">private</span> <span class="nc">PortletPreferences</span>
<span class="n">portletPreferences</span><span class="o">;</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setBookmarkName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">bookmarkName</span><span
class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">bookmarkName</span> <span class="o">=</span> <span
class="n">bookmarkName</span><span class="o">;</span>
<span class="o">}</span>
@@ -672,7 +677,8 @@ If you have not used Struts 2 before, please check out some
of the other Struts
<span class="kd">public</span> <span class="nc">String</span> <span
class="nf">getOldName</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">oldName</span><span
class="o">;</span>
<span class="o">}</span>
-
+
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setOldName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">oldName</span><span class="o">)</span>
<span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">oldName</span> <span class="o">=</span> <span
class="n">oldName</span><span class="o">;</span>
<span class="o">}</span>
@@ -681,10 +687,12 @@ If you have not used Struts 2 before, please check out
some of the other Struts
<span class="k">return</span> <span class="n">url</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setUrl</span><span class="o">(</span><span class="nc">String</span>
<span class="n">url</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">url</span> <span class="o">=</span> <span class="n">url</span><span
class="o">;</span>
<span class="o">}</span>
+ <span class="nd">@StrutsParameter</span>
<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
<span class="o">}</span>
diff --git a/output/security/index.html b/output/security/index.html
index 998d4b1cc..a3c6bb9b2 100644
--- a/output/security/index.html
+++ b/output/security/index.html
@@ -158,6 +158,7 @@
<li><a href="#disable-devmode" id="markdown-toc-disable-devmode">Disable
devMode</a></li>
<li><a href="#reduce-logging-level"
id="markdown-toc-reduce-logging-level">Reduce logging level</a></li>
<li><a href="#use-utf-8-encoding"
id="markdown-toc-use-utf-8-encoding">Use UTF-8 encoding</a></li>
+ <li><a href="#defining-and-annotating-your-action-parameters"
id="markdown-toc-defining-and-annotating-your-action-parameters">Defining and
annotating your Action parameters</a></li>
<li><a href="#do-not-define-setters-when-not-needed"
id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters
when not needed</a></li>
<li><a
href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do
not use incoming values as an input for localisation logic</a></li>
<li><a
href="#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation"
id="markdown-toc-do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation">Do
not use incoming, untrusted user input in forced expression evaluation</a></li>
@@ -289,9 +290,80 @@ header to each JSP file</p>
<div class="language-jsp highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><%@ page </span><span
class="na">contentType=</span><span class="s">"text/html; charset=UTF-8"</span>
<span class="nt">%></span>
</code></pre></div></div>
+<h3 id="defining-and-annotating-your-action-parameters">Defining and
annotating your Action parameters</h3>
+
+<blockquote>
+ <p>Note: Since 6.4 using <code class="language-plaintext
highlighter-rouge">struts.parameters.requireAnnotations=true</code>. Or by
default from 7.0.</p>
+</blockquote>
+
+<p>Request parameters, such as those submitted by a form, can be stored on
your Struts Action class by defining getters and
+setters for them. For example, if you have a form with a field called <code
class="language-plaintext highlighter-rouge">name</code>, you can store the
value of that field by
+defining a <code class="language-plaintext highlighter-rouge">public void
setName(String name)</code> method on your Action class, and then importantly,
annotating this method
+with <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code>. The presence of this annotation
indicates that the method is intended for parameter injection
+and is safe to be invoked by any user who can view the Action.</p>
+
+<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="kd">private</span> <span
class="nc">String</span> <span class="n">name</span><span class="o">;</span>
+
+<span class="nd">@StrutsParameter</span>
+<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setName</span><span class="o">(</span><span class="nc">String</span>
<span class="n">name</span><span class="o">)</span> <span class="o">{</span>
+ <span class="k">this</span><span class="o">.</span><span
class="na">name</span> <span class="o">=</span> <span
class="n">name</span><span class="o">;</span>
+<span class="o">}</span>
+</code></pre></div></div>
+
+<p>If you wish to populate a DTO (Data Transfer Object) instead of setting the
parameters directly on the Action class, you
+can define a getter for the DTO on your Action class instead. For example,
define a method <code class="language-plaintext highlighter-rouge">public MyDto
getFormData()</code>
+which is also annotated by <code class="language-plaintext
highlighter-rouge">@StrutsParameter(depth = 1)</code>. Then, a parameter with
name <code class="language-plaintext
highlighter-rouge">formData.fullName</code> will be mapped
+to the setter <code class="language-plaintext
highlighter-rouge">setFullName</code> on that DTO. Note that the <code
class="language-plaintext highlighter-rouge">@StrutsParameter</code> annotation
has a <code class="language-plaintext highlighter-rouge">depth</code> field
which dictates
+the depth to which parameter injection is permitted. The default value is 0,
which only allows setting parameters
+directly on the Action class as in the first example. A <code
class="language-plaintext highlighter-rouge">depth</code> of 1 indicates that
the immediate public properties of
+an object returned by the getter are permitted to be set. If you have further
nested objects, you can increase
+the <code class="language-plaintext highlighter-rouge">depth</code>
accordingly. Do not set this <code class="language-plaintext
highlighter-rouge">depth</code> field to a value greater than the minimum
required for your use case.</p>
+
+<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="kd">private</span> <span
class="nc">MyDto</span> <span class="n">formData</span> <span
class="o">=</span> <span class="k">new</span> <span
class="nc">MyDto</span><span class="o">();</span>
+
+<span class="nd">@StrutsParameter</span><span class="o">(</span><span
class="n">depth</span> <span class="o">=</span> <span class="mi">1</span><span
class="o">)</span>
+<span class="kd">public</span> <span class="nc">MyDto</span> <span
class="nf">getFormData</span><span class="o">()</span> <span class="o">{</span>
+ <span class="k">return</span> <span class="n">formData</span><span
class="o">;</span>
+<span class="o">}</span>
+
+<span class="kd">public</span> <span class="kd">static</span> <span
class="kd">class</span> <span class="nc">MyDto</span> <span class="o">{</span>
+ <span class="kd">private</span> <span class="nc">String</span> <span
class="n">fullName</span><span class="o">;</span>
+
+ <span class="kd">public</span> <span class="kt">void</span> <span
class="nf">setFullName</span><span class="o">(</span><span
class="nc">String</span> <span class="n">fullName</span><span
class="o">)</span> <span class="o">{</span>
+ <span class="k">this</span><span class="o">.</span><span
class="na">fullName</span> <span class="o">=</span> <span
class="n">fullName</span><span class="o">;</span>
+ <span class="o">}</span>
+<span class="o">}</span>
+</code></pre></div></div>
+
+<p>It is critical that any method you annotate with <code
class="language-plaintext highlighter-rouge">@StrutsParameter</code> is safe
for any user who can view that corresponding
+action to invoke (including any public methods on objects returned by that
method and so forth). Any getters you
+annotate should only ever return a DTO or a collection/hierarchy of DTOs. Do
NOT mix business logic or service
+references with your parameter injection methods and DTOs. Additionally, any
database DTOs should be entirely separate
+from request parameter/form DTOs.</p>
+
+<p>Do NOT, under any circumstance, annotate a method that returns one of the
following unsafe objects:</p>
+<ul>
+ <li>live Hibernate persistent objects</li>
+ <li>container or Spring-managed beans, or any other live
components/services</li>
+ <li>objects (or objects that contain references to objects) that contain
setter methods that are used for anything other
+than setting form parameter values</li>
+</ul>
+
+<p>If you are finding updating your application with this new annotation
time-consuming, you can temporarily combine the
+above option with <code class="language-plaintext
highlighter-rouge">struts.parameters.requireAnnotations.transitionMode=true</code>.
When this mode is enabled, only ‘nested’
+parameters, i.e. DTOs or Collections represented by public getters on Action
classes, will require annotations. This
+means public setters will still be exposed for parameter injection. Notably,
+the <a href="#allowlist-capability">auto-allowlisting capability</a>, which is
also supported by these annotations, is not degraded
+in any way, so it proves a useful transitioning option for applications that
wish to enable the OGNL allowlist as soon
+as possible.</p>
+
<h3 id="do-not-define-setters-when-not-needed">Do not define setters when not
needed</h3>
-<p>You should carefully design your actions without exposing anything via
setters and getters, thus can leads to potential
+<blockquote>
+ <p>Note: Only relevant if you are not using <code class="language-plaintext
highlighter-rouge">struts.parameters.requireAnnotations=true</code> as per the
previous section.</p>
+</blockquote>
+
+<p>You should carefully design your actions without exposing anything via
setters and getters, this can lead to potential
security vulnerabilities. Any action’s setter can be used to set incoming
untrusted user’s value which can contain
suspicious expression. Some Struts <code class="language-plaintext
highlighter-rouge">Result</code>s automatically populate params based on values
in
<code class="language-plaintext highlighter-rouge">ValueStack</code> (action
in most cases is the root) which means incoming value will be evaluated as an
expression during
@@ -484,12 +556,14 @@ to the ActionContext from OGNL expressions entirely.</p>
<p>Note that before disabling access to the ActionContext from OGNL
expressions, you should ensure that your application
does not rely on this capability. OGNL expressions may access the context
directly using the <code class="language-plaintext highlighter-rouge">#</code>
operator, or indirectly
-using the OgnlValueStack’s fallback to context lookup capability. As of Struts
6.4.0, the Set and Action Struts
-components require ActionContext access from OGNL expressions.</p>
+using the OgnlValueStack’s fallback to context lookup capability. As of Struts
6.4.0, the Set, Iterator and Action
+Struts components require ActionContext access from OGNL expressions.</p>
<p>To disable access to the ActionContext from OGNL expressions, set the
following constants in your <code class="language-plaintext
highlighter-rouge">struts.xml</code> or
-<code class="language-plaintext highlighter-rouge">struts.properties</code>
file. Please also refer to the documentation below for further details on these
configuration
-options.</p>
+<code class="language-plaintext highlighter-rouge">struts.properties</code>
file. The option <code class="language-plaintext
highlighter-rouge">struts.ognl.excludedNodeTypes</code> is an <a
href="#Struts-OGNL-Guard">OGNL Guard</a> setting
+which completely forbids the context accessing syntax node. The <code
class="language-plaintext
highlighter-rouge">struts.ognl.valueStackFallbackToContext</code> option
+disables ValueStack behaviour which allows the context to be accessed
indirectly via a fallback behaviour triggered when
+an OGNL expression does not evaluate to a valid value.</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span
class="s">"struts.ognl.valueStackFallbackToContext"</span> <span
class="na">value=</span><span class="s">"false"</span><span
class="nt">/></span>
<span class="nt"><constant</span> <span class="na">name=</span><span
class="s">"struts.ognl.excludedNodeTypes"</span> <span
class="na">value=</span><span class="s">"
@@ -539,38 +613,40 @@ with other known dangerous classes or packages in your
application.</p>
<h4 id="additional-options">Additional Options</h4>
-<p>We additionally recommend enabling the following options and hope to enable
them by default in a future major version.</p>
+<p>We additionally recommend enabling the following options (enabled by
default in 7.0).</p>
<ul>
<li><code class="language-plaintext
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static
methods are always blocked, but static fields can also optionally be
blocked</li>
<li><code class="language-plaintext
highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow
proxied objects from being used in OGNL expressions as they may present a
security risk</li>
<li><code class="language-plaintext
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow
access to classes in the default package which should not be used in
production</li>
<li><code class="language-plaintext
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow
construction of custom OGNL maps which can be used to bypass the
SecurityMemberAccess policy</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.ognl.valueStackFallbackToContext=false</code> -
disable fallback to OGNL context lookup if expression does not evaluate to a
valid value</li>
</ul>
<h4 id="allowlist-capability">Allowlist Capability</h4>
<blockquote>
- <p>Note: since Struts 6.4.</p>
+ <p>Note: Since Struts 6.4. Or by default from 7.0.</p>
</blockquote>
-<p>For even more stringent OGNL protection, we recommend enabling the
allowlist capability with <code class="language-plaintext
highlighter-rouge">struts.allowlist.enable</code>.</p>
+<p>For the most stringent OGNL protection, we recommend enabling the allowlist
capability with <code class="language-plaintext
highlighter-rouge">struts.allowlist.enable</code>.</p>
<p>Now, in addition to enforcing the exclusion list, classes involved in OGNL
expression must also belong to a list of
allowlisted classes and packages. By default, all required Struts classes are
allowlisted as well as any classes that
are defined in your <code class="language-plaintext
highlighter-rouge">struts.xml</code> package configurations.</p>
+<p>We highly recommend enabling the <a
href="#defining-and-annotating-your-action-parameters">parameter annotation</a>
capability to
+ensure any necessary parameter injection types are allowlisted, in addition to
its other benefits.</p>
+
<p>You can add additional classes and packages to the allowlist with:</p>
<ul>
<li><code class="language-plaintext
highlighter-rouge">struts.allowlist.classes</code>: comma-separated list of
allowlisted classes.</li>
<li><code class="language-plaintext
highlighter-rouge">struts.allowlist.packages</code>: comma-separated list of
allowlisted packages, matched using string comparison via
-<code class="language-plaintext highlighter-rouge">startWith</code>. Note that
classes in subpackages are also allowlisted.</li>
+<code class="language-plaintext highlighter-rouge">startsWith</code>. Note
that classes in subpackages are also allowlisted.</li>
</ul>
-<p>Generally, the only additional classes or packages you will need to
configure are those model classes that you wish to
-be constructed/manipulated by Struts form submissions (i.e. parameter
injected).</p>
+<p>Depending on the functionality of your application, you may not need to
manually allowlist any classes. Please monitor
+your application logs for any warnings about blocked classes and add them to
the allowlist as necessary.</p>
<h4 id="extensibility">Extensibility</h4>
@@ -597,7 +673,7 @@ feature is disabled by default but can be enabled and
configured with <code clas
excluded node types. This will mitigate against a host of String concatenation
attacks.</p>
<p>For applications using a minimal number of Struts features, you may find
the following list a good starting point.
-Please be aware that this list WILL break certain Struts features:</p>
+Please be aware that this list WILL break certain Struts features.</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span class="s">"struts.ognl.excludedNodeTypes"</span>
<span class="na">value=</span><span class="s">"
