Lukasz Lenart created WW-5631:
---------------------------------
Summary: Add opt-in @StrutsParameter enforcement to
ChainingInterceptor
Key: WW-5631
URL: https://issues.apache.org/jira/browse/WW-5631
Project: Struts 2
Issue Type: New Feature
Components: Core Interceptors
Reporter: Lukasz Lenart
Fix For: 7.2.0
h2. Summary
Add an opt-in option to make {{ChainingInterceptor}} honour the
{{@StrutsParameter}} annotation on the target action when copying properties
during action chaining.
h2. Background
{{@StrutsParameter}} currently gates a single channel: binding of HTTP request
parameters to action properties via {{ParametersInterceptor}}. Action chaining
is a separate, developer-configured channel — {{ChainingInterceptor}} copies
all eligible properties between actions regardless of annotations. This is by
design, but some applications would prefer chaining to respect the same
annotation boundary as parameter injection.
h2. Proposal
Introduce a new constant {{struts.chaining.requireAnnotations}} (default
{{false}}):
* When {{false}} (default), behaviour is unchanged — no overhead, fully
backward compatible.
* When {{true}}, {{ChainingInterceptor}} only copies a property if the target
action member is authorized by {{@StrutsParameter}}, reusing the existing
{{ParameterAuthorizer}} service so {{requireAnnotations}}, {{transitionMode}}
and {{depth}} semantics stay consistent with {{ParametersInterceptor}}.
h2. Behaviour notes
* Rejected properties are skipped and logged at {{WARN}}.
* Fail-closed: if the target action cannot be introspected, nothing is copied
for that object.
* Global constant only (no per-interceptor-ref override).
h2. Acceptance criteria
* New {{struts.chaining.requireAnnotations}} constant and
{{default.properties}} entry (default {{false}}).
* {{ChainingInterceptor}} enforces {{@StrutsParameter}} on the target when
enabled.
* Unit tests cover: flag off, flag on with annotated/unannotated target,
transition mode, proxied target, and fail-closed introspection.
* Updated {{ChainingInterceptor}} JavaDoc.
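
A minimal model of the proposed gate, as an added example that is not part of the issue and is not Struts code: {{AllowedParam}} stands in for {{@StrutsParameter}}, a {{Map}} stands in for the properties of the previous action in the chain, and {{copy}}, {{TargetAction}} and {{ChainCopySketch}} are hypothetical names. It covers only the flag on/off, skip-and-warn and fail-closed behaviour; {{transitionMode}} and {{depth}} are not modelled.

```java
import java.beans.*;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class ChainCopySketch {
    // Stand-in for @StrutsParameter so the sketch compiles without Struts (assumption).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AllowedParam {}

    // Constructed target action: only "name" is opted in; "admin" is not.
    public static class TargetAction {
        private String name; private boolean admin;
        @AllowedParam public void setName(String n) { name = n; }
        public void setAdmin(boolean a) { admin = a; }
        public String getName() { return name; }
        public boolean isAdmin() { return admin; }
    }

    /** Copies source values onto target and returns the property names actually copied. */
    static List<String> copy(Map<String, Object> source, Object target, boolean requireAnnotations) {
        List<String> copied = new ArrayList<>();
        PropertyDescriptor[] props;
        try {
            props = Introspector.getBeanInfo(target.getClass(), Object.class).getPropertyDescriptors();
        } catch (IntrospectionException e) {
            return copied; // fail closed: nothing is copied for this object
        }
        for (PropertyDescriptor pd : props) {
            Method setter = pd.getWriteMethod();
            if (setter == null || !source.containsKey(pd.getName())) continue;
            // With the flag on, the target member must carry the annotation.
            if (requireAnnotations && !setter.isAnnotationPresent(AllowedParam.class)) {
                System.err.println("WARN: skipping unannotated chained property '" + pd.getName() + "'");
                continue;
            }
            try {
                setter.invoke(target, source.get(pd.getName()));
                copied.add(pd.getName());
            } catch (ReflectiveOperationException e) {
                System.err.println("WARN: could not set '" + pd.getName() + "'");
            }
        }
        return copied;
    }

    public static void main(String[] args) {
        // Constructed values exposed by the previous action in the chain.
        Map<String, Object> fromPreviousAction = Map.of("name", "alice", "admin", true);
        System.out.println("flag off: " + copy(fromPreviousAction, new TargetAction(), false));
        System.out.println("flag on:  " + copy(fromPreviousAction, new TargetAction(), true));
    }
}
```

With the flag off both properties reach the target, which is the current behaviour; with it on, only the annotated setter is invoked and {{admin}} keeps its default.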