lukaszlenart opened a new pull request, #1719: URL: https://github.com/apache/struts/pull/1719
## Summary

Adds an opt-in flag `struts.chaining.requireAnnotations` (default `false`) that makes `ChainingInterceptor` only copy a property to the target action when that property's target member is authorized by `@StrutsParameter`, reusing the shared `ParameterAuthorizer`.

- `@StrutsParameter` gates the HTTP-request-parameter channel via `ParametersInterceptor`; action chaining is a separate, developer-configured channel that copies properties between actions regardless of annotations. Some applications would prefer chaining to respect the same annotation boundary.
- When the flag is `false` (default), behaviour and cost are unchanged — fully backward compatible.
- When `true`, unauthorized target properties are skipped and logged at WARN. Enforcement reuses `ParameterAuthorizer`, so `requireAnnotations`, `transitionMode` and `depth` semantics stay consistent with `ParametersInterceptor`.
- **Fail-closed:** if the target action cannot be introspected, nothing is copied for that object.
- Global constant only (no per-interceptor-ref override).

Targets `main` (7.2.0).

Fixes [WW-5631](https://issues.apache.org/jira/browse/WW-5631)

## Changes

- New constant `StrutsConstants.STRUTS_CHAINING_REQUIRE_ANNOTATIONS` and `default.properties` entry (default `false`).
- `ChainingInterceptor` enforces `@StrutsParameter` on the target when enabled (excludes-based gating, so `includes` still works).
- Updated `ChainingInterceptor` JavaDoc.

## Test Plan

- [x] `mvn test -DskipAssembly -pl core -Dtest=ChainingInterceptorTest` — 14/14 pass
- [x] `mvn test -DskipAssembly -pl core -Dtest='ChainingInterceptor*,ParametersInterceptorTest'` — 49/49 pass
- Covered: flag off (legacy copy), flag on + annotated target (copied), flag on + unannotated target (skipped + WARN), transition mode (depth-0 copied), global `requireAnnotations=false` (no-op), `includes` interaction, proxied target class resolution, fail-closed on introspection failure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
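
The gating described in the pull request, modelled with the JDK alone as an added example; it is not code from the pull request or from Struts. `Allowed` is a hypothetical stand-in for `@StrutsParameter`, the class names are invented, and the `transitionMode` and `depth` handling of `ParameterAuthorizer` is left out.

```java
import java.beans.*;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
public class ChainCopyModel {
    // Hypothetical stand-in for @StrutsParameter (an assumption, not the Struts type).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Allowed {}
    public static class SourceAction {            // constructed sample data
        public String getName() { return "alice"; }
        public String getRole() { return "admin"; }
    }
    public static class TargetAction {
        private String name, role = "user";
        @Allowed public void setName(String n) { name = n; }
        public void setRole(String r) { role = r; }   // deliberately not annotated
        public String getRole() { return role; }
    }
    // Copies same-named properties from src to dst and returns the names copied.
    static List<String> copy(Object src, Object dst, boolean requireAnnotations) throws Exception {
        PropertyDescriptor[] from, to;
        try {   // introspect both sides before touching dst
            from = Introspector.getBeanInfo(src.getClass(), Object.class).getPropertyDescriptors();
            to = Introspector.getBeanInfo(dst.getClass(), Object.class).getPropertyDescriptors();
        } catch (IntrospectionException e) {
            return List.of();   // fail closed: nothing is copied for this object
        }
        Map<String, Method> getters = new HashMap<>();
        for (PropertyDescriptor p : from)
            if (p.getReadMethod() != null) getters.put(p.getName(), p.getReadMethod());
        List<String> copied = new ArrayList<>();
        for (PropertyDescriptor p : to) {
            Method set = p.getWriteMethod(), get = getters.get(p.getName());
            if (set == null || get == null) continue;
            if (requireAnnotations && !set.isAnnotationPresent(Allowed.class)) {
                System.err.println("WARN skipped unauthorized chained property: " + p.getName());
                continue;
            }
            set.invoke(dst, get.invoke(src));
            copied.add(p.getName());
        }
        return copied;
    }
    public static void main(String[] args) throws Exception {
        TargetAction legacy = new TargetAction(), gated = new TargetAction();
        System.out.println(copy(new SourceAction(), legacy, false) + " role=" + legacy.getRole());
        System.out.println(copy(new SourceAction(), gated, true) + " role=" + gated.getRole());
    }
}
```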
