[ https://issues.apache.org/jira/browse/WW-5631?focusedWorklogId=1022325&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1022325 ]

ASF GitHub Bot logged work on WW-5631:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/May/26 06:44
            Start Date: 27/May/26 06:44
    Worklog Time Spent: 10m 
      Work Description: lukaszlenart opened a new pull request, #1719:
URL: https://github.com/apache/struts/pull/1719

   ## Summary
   
   Adds an opt-in flag `struts.chaining.requireAnnotations` (default `false`) that makes `ChainingInterceptor` only copy a property to the target action when that property's target member is authorized by `@StrutsParameter`, reusing the shared `ParameterAuthorizer`.
   
   - `@StrutsParameter` gates the HTTP-request-parameter channel via `ParametersInterceptor`; action chaining is a separate, developer-configured channel that copies properties between actions regardless of annotations. Some applications would prefer chaining to respect the same annotation boundary.
   - When the flag is `false` (default), behaviour and cost are unchanged — fully backward compatible.
   - When `true`, unauthorized target properties are skipped and logged at WARN. Enforcement reuses `ParameterAuthorizer`, so `requireAnnotations`, `transitionMode` and `depth` semantics stay consistent with `ParametersInterceptor`.
   - **Fail-closed:** if the target action cannot be introspected, nothing is copied for that object.
   - Global constant only (no per-interceptor-ref override). Targets `main` (7.2.0).
   
   Fixes [WW-5631](https://issues.apache.org/jira/browse/WW-5631)
   
   ## Changes
   
   - New constant `StrutsConstants.STRUTS_CHAINING_REQUIRE_ANNOTATIONS` and `default.properties` entry (default `false`).
   - `ChainingInterceptor` enforces `@StrutsParameter` on the target when enabled (excludes-based gating, so `includes` still works).
   - Updated `ChainingInterceptor` JavaDoc.
   
   ## Test Plan
   
   - [x] `mvn test -DskipAssembly -pl core -Dtest=ChainingInterceptorTest` — 14/14 pass
   - [x] `mvn test -DskipAssembly -pl core -Dtest='ChainingInterceptor*,ParametersInterceptorTest'` — 49/49 pass
   - Covered: flag off (legacy copy), flag on + annotated target (copied), flag on + unannotated target (skipped + WARN), transition mode (depth-0 copied), global `requireAnnotations=false` (no-op), `includes` interaction, proxied target class resolution, fail-closed on introspection failure.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1022325)
    Remaining Estimate: 0h
            Time Spent: 10m

> Add opt-in @StrutsParameter enforcement to ChainingInterceptor
> --------------------------------------------------------------
>
>                 Key: WW-5631
>                 URL: https://issues.apache.org/jira/browse/WW-5631
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>            Reporter: Lukasz Lenart
>            Priority: Major
>             Fix For: 7.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h2. Summary
> Add an opt-in option to make {{ChainingInterceptor}} honour the 
> {{@StrutsParameter}} annotation on the target action when copying properties 
> during action chaining.
> h2. Background
> {{@StrutsParameter}} currently gates a single channel: binding of HTTP 
> request parameters to action properties via {{ParametersInterceptor}}. Action 
> chaining is a separate, developer-configured channel — 
> {{ChainingInterceptor}} copies all eligible properties between actions 
> regardless of annotations. This is by design, but some applications would 
> prefer chaining to respect the same annotation boundary as parameter 
> injection.
> h2. Proposal
>   
> Introduce a new constant {{struts.chaining.requireAnnotations}} (default 
> {{false}}):
> * When {{false}} (default), behaviour is unchanged — no overhead, fully 
> backward compatible.
> * When {{true}}, {{ChainingInterceptor}} only copies a property if the target 
> action member is authorized by {{@StrutsParameter}}, reusing the existing 
> {{ParameterAuthorizer}} service so {{requireAnnotations}}, {{transitionMode}} 
> and {{depth}} semantics stay consistent with {{ParametersInterceptor}}.
> h2. Behaviour notes
> * Rejected properties are skipped and logged at {{WARN}}.
> * Fail-closed: if the target action cannot be introspected, nothing is copied 
> for that object.
> * Global constant only (no per-interceptor-ref override).
>   
> h2. Acceptance criteria
>   
> * New {{struts.chaining.requireAnnotations}} constant and 
> {{default.properties}} entry (default {{false}}).
> * {{ChainingInterceptor}} enforces {{@StrutsParameter}} on the target when 
> enabled.
> * Unit tests cover: flag off, flag on with annotated/unannotated target, 
> transition mode, proxied target, and fail-closed introspection.
> * Updated {{ChainingInterceptor}} JavaDoc.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
