[
https://issues.apache.org/jira/browse/WW-5631?focusedWorklogId=1022326&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1022326
]
ASF GitHub Bot logged work on WW-5631:
--------------------------------------
Author: ASF GitHub Bot
Created on: 27/May/26 06:50
Start Date: 27/May/26 06:50
Worklog Time Spent: 10m
Work Description: sonarqubecloud[bot] commented on PR #1719:
URL: https://github.com/apache/struts/pull/1719#issuecomment-4552129981
## [](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=1719)
**Quality Gate passed**
Issues
 [3 New
issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1719&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [0 Accepted
issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1719&issueStatuses=ACCEPTED)
Measures
 [0 Security
Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=1719&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [93.9% Coverage on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1719&metric=new_coverage&view=list)
 [0.0% Duplication on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1719&metric=new_duplicated_lines_density&view=list)
<!
Issue Time Tracking
-------------------
Worklog Id: (was: 1022326)
Time Spent: 20m (was: 10m)
> Add opt-in @StrutsParameter enforcement to ChainingInterceptor
> --------------------------------------------------------------
>
> Key: WW-5631
> URL: https://issues.apache.org/jira/browse/WW-5631
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Reporter: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> h2. Summary
> Add an opt-in option to make {{ChainingInterceptor}} honour the
> {{@StrutsParameter}} annotation on the target action when copying properties
> during action chaining.
> h2. Background
> {{@StrutsParameter}} currently gates a single channel: binding of HTTP
> request parameters to action properties via {{ParametersInterceptor}}. Action
> chaining is a separate, developer-configured channel —
> {{ChainingInterceptor}} copies all eligible properties between actions
> regardless of annotations. This is by design, but some applications would
> prefer chaining to respect the same annotation boundary as parameter
> injection.
> h2. Proposal
>
> Introduce a new constant {{struts.chaining.requireAnnotations}} (default
> {{false}}):
> * When {{false}} (default), behaviour is unchanged — no overhead, fully
> backward compatible.
> * When {{true}}, {{ChainingInterceptor}} only copies a property if the target
> action member is authorized by {{@StrutsParameter}}, reusing the existing
> {{ParameterAuthorizer}} service so {{requireAnnotations}}, {{transitionMode}}
> and {{depth}} semantics stay consistent with {{ParametersInterceptor}}.
> h2. Behaviour notes
> * Rejected properties are skipped and logged at {{WARN}}.
> * Fail-closed: if the target action cannot be introspected, nothing is copied
> for that object.
> * Global constant only (no per-interceptor-ref override).
>
> h2. Acceptance criteria
>
> * New {{struts.chaining.requireAnnotations}} constant and
> {{default.properties}} entry (default {{false}}).
> * {{ChainingInterceptor}} enforces {{@StrutsParameter}} on the target when
> enabled.
> * Unit tests cover: flag off, flag on with annotated/unannotated target,
> transition mode, proxied target, and fail-closed introspection.
> * Updated {{ChainingInterceptor}} JavaDoc.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
