Hi all, Atlassian is very excited to have shipped the Struts OGNL Allowlist and Parameter Annotation features in Confluence Data Center 8.8! We believe it to be one of the greatest uplifts in Struts' security posture since its inception, and one which will ensure Struts remains a viable option for web development.
Whilst we await Atlassian customer and plugin vendor feedback, we've additionally commissioned an audit of the design and implementation by an external security firm. However, we'd really love for all Struts developers to test and provide feedback on these new capabilities ahead of their default enablement in Struts 7.0.

To do so, please switch to the latest test build of Struts 6.4 or 7.0 and enable the following options:

- struts.parameters.requireAnnotations=true
- struts.allowlist.enable=true

Further information on configuring these capabilities can be found in the Struts Security doc <https://struts.apache.org/security/#defining-and-annotating-your-action-parameters> under the 'Defining and annotating your Action parameters' and 'Allowlist Capability' headings.

Best regards,

*KUSAL KITHUL-GODAGE*
Software Engineer
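An added example, not part of the original message or of Struts' own code: a sketch of an action written for the two options above, showing which members accept request parameters once annotations are required. The class, field and parameter names are hypothetical, and the annotation's package is assumed to be the one used in Struts 6.4.

```java
// Assumes both options from the message are enabled:
//   struts.parameters.requireAnnotations=true
//   struts.allowlist.enable=true
import org.apache.struts2.interceptor.parameter.StrutsParameter;

// Hypothetical action; all names here are illustrative only.
public class UpdateProfileAction {

    // Hypothetical nested bean reached through the action's getter.
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    private String displayName;
    private boolean admin;
    private final Address address = new Address();

    // Annotated setter: the request parameter "displayName" is injected.
    @StrutsParameter
    public void setDisplayName(String displayName) {
        this.displayName = displayName;
    }

    // No annotation: with requireAnnotations=true a request parameter
    // "admin=true" is not injected, so this flag can only be set by
    // server-side code.
    public void setAdmin(boolean admin) {
        this.admin = admin;
    }

    // Nested parameters such as "address.city" go through the getter,
    // so the getter carries the annotation; depth = 1 permits one level
    // below the returned object and nothing deeper.
    @StrutsParameter(depth = 1)
    public Address getAddress() {
        return address;
    }

    // Read-only accessors for the result page; getters for plain values
    // need no annotation.
    public String getDisplayName() { return displayName; }
    public boolean isAdmin() { return admin; }

    public String execute() {
        return "success";
    }
}
```

When testing an existing application with these options on, form fields that silently stop binding usually point at a setter or getter that still needs the annotation.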