This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch docs/struts-7.2.0-documentation-updates in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit c1eae4da810732ddc0addecf5af85eac8997f090 Author: Lukasz Lenart <[email protected]> AuthorDate: Tue Feb 17 07:36:12 2026 +0100 docs: add documentation for Struts 7.2.0 new features and changes - Checkbox hidden field prefix constant (WW-3429) - Spring autowire alwaysRespect default change to true (WW-3647) - Spring bean names support in type converters (WW-4291) - Preparable.prepare() default method (WW-5588) - Dynamic file upload validation parameters (WW-5585) - @Validations annotation fix for doubleRange/shortRange (WW-5579) - JSP direct access security warning (WW-5294) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --- .../core-developers/action-file-upload-interceptor.md | 19 ++++++++++++++++++- source/core-developers/prepare-interceptor.md | 6 +++++- source/core-developers/type-conversion.md | 11 +++++++++-- source/plugins/spring/index.md | 15 ++++++++++++++- source/security/index.md | 9 ++++++--- source/tag-developers/checkbox-tag.md | 18 ++++++++++++++++++ 6 files changed, 70 insertions(+), 8 deletions(-) diff --git a/source/core-developers/action-file-upload-interceptor.md b/source/core-developers/action-file-upload-interceptor.md index 06a67c55d..52e489e8b 100644 --- a/source/core-developers/action-file-upload-interceptor.md +++ b/source/core-developers/action-file-upload-interceptor.md 
@@ -37,13 +37,30 @@ You can override the text of these messages by providing text for the following ## Parameters - `maximumSize` (optional) - the maximum size (in bytes) that the interceptor will allow a file reference to be set - on the action. Note, this is <b>not</b> related to the various properties found in struts.properties. + on the action. Note, this is <b>not</b> related to the various properties found in struts.properties. Default to approximately 2MB. - `allowedTypes` (optional) - a comma separated list of content types (ie: `text/html`) that the interceptor will allow a file reference to be set on the action. If none is specified allow all types to be uploaded. - `allowedExtensions` (optional) - a comma separated list of file extensions (ie: `.html`) that the interceptor will allow a file reference to be set on the action. If none is specified allow all extensions to be uploaded. +### Dynamic Parameter Evaluation + +> Since Struts 7.2.0 + +The `allowedTypes`, `allowedExtensions`, and `maximumSize` parameters support `${...}` expression evaluation, +enabling per-request dynamic validation. This is available when used with `WithLazyParams`. + +```xml +<interceptor-ref name="actionFileUpload"> + <param name="allowedTypes">${allowedContentTypes}</param> + <param name="maximumSize">${maxFileSize}</param> +</interceptor-ref> +``` + +The expressions are evaluated against the ValueStack at the time of the upload, allowing your action to provide +dynamic values based on the current request context. + ## Extending the Interceptor You can extend this interceptor and override the acceptFile method to provide more control over which files are supported diff --git a/source/core-developers/prepare-interceptor.md b/source/core-developers/prepare-interceptor.md index c2e97c94e..fdc735fcf 100644 --- a/source/core-developers/prepare-interceptor.md +++ b/source/core-developers/prepare-interceptor.md 
@@ -29,9 +29,13 @@ on the actual object loaded from the database. See the example for more info. In `PrepareInterceptor` applies only when action implements `Preparable` 1. if the action class have `prepare<MethodName>()`, it will be invoked 2. else if the action class have `prepareDo<MethodName>()`, it will be invoked - 3. no matter if 1] or 2] is performed, if `alwaysInvokePrepare` property of the interceptor is `true` (which is by + 3. no matter if 1] or 2] is performed, if `alwaysInvokePrepare` property of the interceptor is `true` (which is by default `true`), `prepare()` will be invoked. +> Since Struts 7.2.0: The `Preparable.prepare()` method is now a `default` method with an empty implementation. +> Actions that only use per-method variants (e.g., `prepareEdit()`, `prepareSave()`) no longer need to provide +> an empty `prepare()` override. + ## Parameters - `alwaysInvokePrepare` - Default to true. If true, prepare will always be invoked, otherwise it will not. diff --git a/source/core-developers/type-conversion.md b/source/core-developers/type-conversion.md index 85b16bac2..e946b393e 100644 --- a/source/core-developers/type-conversion.md +++ b/source/core-developers/type-conversion.md 
@@ -114,14 +114,21 @@ amount=com.acme.converters.MyCustomBigDecimalConverter ## Applying a Type Converter for an application -Application-wide converters can be specified in a file called `struts-conversion.properties` or `xwork-conversion.properties` (deprecated) +Application-wide converters can be specified in a file called `struts-conversion.properties` or `xwork-conversion.properties` (deprecated) located in the root of the classpath. ``` # syntax: <type> = <converterClassName> -java.math.BigDecimal = com.acme.MyBigDecimalConverter +java.math.BigDecimal = com.acme.MyBigDecimalConverter ``` +> Since Struts 7.2.0: When the Spring plugin is active, you can use Spring bean names in addition to fully qualified +> class names as converter values in `struts-conversion.properties`. For example, if you have a Spring bean named +> `myBigDecimalConverter`, you can reference it directly: +> ``` +> java.math.BigDecimal = myBigDecimalConverter +> ``` + ## A Simple Example Type conversion is great for situations where you need to turn a String in to a more complex object. Because the web diff --git a/source/plugins/spring/index.md b/source/plugins/spring/index.md index 3203a681d..e35f76934 100644 --- a/source/plugins/spring/index.md +++ b/source/plugins/spring/index.md 
@@ -228,6 +228,19 @@ so only actions are handled by it. This constant supports a comma separated list > This feature is experimental, and **should never** be used in production > systems. +## Migration Note: autowire alwaysRespect default change (7.2.0) + +Starting with Struts 7.2.0, the `struts.objectFactory.spring.autoWire.alwaysRespect` constant defaults to `true` +(previously `false`). This means the configured autowire strategy is now always applied consistently, which fixes issues +such as broken redirect URLs when Spring String beans are involved. +{:.alert .alert-warning} + +If you experience unexpected behavior after upgrading to 7.2.0, you can restore the previous behavior by setting: + +```xml +<constant name="struts.objectFactory.spring.autoWire.alwaysRespect" value="false" /> +``` + ## Settings The following settings can be customized. See the [developer guide](/core-developers/configuration-files). 
@@ -235,7 +248,7 @@ The following settings can be customized. See the [developer guide](/core-develo |Setting|Description|Default|Possible Values| |-------|-----------|-------|---------------| |struts.objectFactory.spring.autoWire|The autowire strategy|name|name,type,auto, or constructor| -|struts.objectFactory.spring.autoWire.alwaysRespect|Whether the autowire strategy should always be used, or if the framework should try to guess the best strategy based on the situation|false for backwards-compatibility|true or false| +|struts.objectFactory.spring.autoWire.alwaysRespect|Whether the autowire strategy should always be used, or if the framework should try to guess the best strategy based on the situation|true (changed from false in 7.2.0)|true or false| |struts.objectFactory.spring.useClassCache|Whether to have Spring use its class cache or not|true|true or false| |struts.class.reloading.watchList|List of jar files or directories to watch for changes|null|Comma separated list of absolute or relative paths to jars or directories| |struts.class.reloading.acceptClasses|List of regular expressions of accepted class names|null|Comma separated list of regular expressions of classes that will be loaded by the reloading class loader(we suggest to add regular expressions so only action classes are handled by the reloading class loader)| diff --git a/source/security/index.md b/source/security/index.md index 19eff51bd..0ef428c60 100644 --- a/source/security/index.md +++ b/source/security/index.md 
@@ -40,11 +40,14 @@ by security level. ### Never expose JSP files directly -You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads -to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the `WEB-INF` folder -- most of the JEE containers restrict access to files placed under the `WEB-INF` folder. Second option is to add security +You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads +to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the `WEB-INF` folder +- most of the JEE containers restrict access to files placed under the `WEB-INF` folder. Second option is to add security constraint to the `web.xml` file: +> Since Struts 7.2.0: The framework now logs a security warning when JSP tags are accessed directly outside of +> an action scope. This helps identify JSP files that are inadvertently exposed without action protection. + ```xml <!-- Restricts access to pure JSP files - access available only via Struts action --> <security-constraint> diff --git a/source/tag-developers/checkbox-tag.md b/source/tag-developers/checkbox-tag.md index 38426f42d..58f0b6ffa 100644 --- a/source/tag-developers/checkbox-tag.md +++ b/source/tag-developers/checkbox-tag.md 
@@ -39,3 +39,21 @@ Renders an HTML input element of type checkbox, populated by the specified prope ```html <input type="checkbox" name="checkboxField1" value="true" checked="checked" /> ``` + +## Hidden Field Prefix + +> Since Struts 7.2.0 + +The checkbox tag generates a companion hidden field to ensure that unchecked values are still submitted with the form. +By default, this hidden field uses the prefix `__checkbox_` (e.g., `__checkbox_checkboxField1`). + +For HTML5 compliance, you can change the prefix to `struts_checkbox_` using the `struts.ui.checkbox.hiddenPrefix` constant: + +```xml +<constant name="struts.ui.checkbox.hiddenPrefix" value="struts_checkbox_" /> +``` + +| Prefix | Example Hidden Field Name | Notes | +|--------|--------------------------|-------| +| `__checkbox_` | `__checkbox_checkboxField1` | Default, backward-compatible | +| `struts_checkbox_` | `struts_checkbox_checkboxField1` | HTML5-compliant alternative |
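
Review bot: In the "Dynamic Parameter Evaluation" section added to action-file-upload-interceptor.md, nothing says what happens when `${allowedContentTypes}` or `${maxFileSize}` evaluates to null or an empty string. The parameter list just above states that when no `allowedTypes` or `allowedExtensions` is specified, all types and extensions are accepted, so a reader cannot tell whether an unresolved expression fails open. Please document that case, and add a sentence saying the values exposed on the ValueStack should come from server-side action state rather than from request input. Two smaller points: "This is available when used with `WithLazyParams`" does not tell the reader whether they have to do anything to enable it, and "Default to approximately 2MB" would read better as "Defaults to" followed by the exact byte value.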
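
Review bot: The "Since Struts 7.2.0" note added to type-conversion.md says a converter value in `struts-conversion.properties` may be a Spring bean name or a fully qualified class name, but it does not say how a value is resolved when it could be read as either, or what happens when no bean with that name exists. Please state the lookup order and the failure behaviour so that a typo in `java.math.BigDecimal = myBigDecimalConverter` has a documented outcome.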
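
Review bot: The migration note added to plugins/spring/index.md tells readers to set `struts.objectFactory.spring.autoWire.alwaysRespect` back to `false` "if you experience unexpected behavior", which is too vague to act on. Please describe what changes in injection once the configured strategy is always applied instead of guessed, and link WW-3647 (named in the commit message) for the background. Also, `{:.alert .alert-warning}` is attached to the first paragraph only, so the revert instruction and the XML snippet will render outside the alert box; check that this is intended.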
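
Review bot: In security/index.md the new "Since Struts 7.2.0" blockquote is inserted between the sentence ending "constraint to the `web.xml` file:" and the `xml` block that sentence introduces, so the colon now leads into the note instead of the example. Move the note after the `security-constraint` example, or above the paragraph. It would also help operators if the note named the log level and logger of the warning, so it can be found and alerted on, and if it said whether the request is still served after the warning is logged.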
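
Review bot: The "Hidden Field Prefix" section added to checkbox-tag.md gives "HTML5 compliance" as the reason to switch to `struts_checkbox_` without saying what is non-compliant about `__checkbox_`, so readers cannot judge whether they need the change. Please add one sentence on the actual problem. Since the section says the hidden field exists so that unchecked values are still submitted, also state whether the server-side handling of that field follows `struts.ui.checkbox.hiddenPrefix` automatically, and whether custom scripts or tests that reference the old field names must be updated when the constant is changed.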
