This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch WW-5627-cookie-authorization in repository https://gitbox.apache.org/repos/asf/struts.git
commit ee23865e6a545d76e9d9a67954788243ab2c36dc Author: Lukasz Lenart <[email protected]> AuthorDate: Sat May 9 19:16:19 2026 +0200 WW-5627 docs(cookie): document new 5-arg extension hook and deprecation --- .../org/apache/struts2/interceptor/CookieInterceptor.java | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java index 7a3d7fa29..78cc84597 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java @@ -101,8 +101,16 @@ import java.util.Set; * * <ul> * <li> - * populateCookieValueIntoStack - this method will decide if this cookie value is qualified - * to be populated into the value stack (hence into the action itself) + * populateCookieValueIntoStack(name, value, map, stack, action) - the preferred extension point + * since 7.2.0. The default implementation gates the cookie write through + * {@link org.apache.struts2.interceptor.parameter.ParameterAuthorizer} and primes the OGNL allowlist via + * {@link org.apache.struts2.interceptor.parameter.ParameterAllowlister} before delegating to the legacy + * 4-arg {@code populateCookieValueIntoStack}. Override here to customize the authorization behavior itself. + * </li> + * <li> + * populateCookieValueIntoStack(name, value, map, stack) - <em>deprecated since 7.2.0</em>. The legacy + * hook that performs the actual {@code stack.setValue}. Existing overrides continue to work and + * automatically receive only authorized cookies via the 5-arg default. * </li> * <li> * injectIntoCookiesAwareAction - this method will inject selected cookies (as a java.util.Map)
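Review bot: In the new first `<li>` (the 5-arg `populateCookieValueIntoStack(name, value, map, stack, action)` entry), the closing sentence "Override here to customize the authorization behavior itself" does not say that an override which never calls the default implementation also drops the `ParameterAuthorizer` gate and the `ParameterAllowlister` priming that the same paragraph attributes to that default. Suggest stating this explicitly, for example "Overrides that do not delegate to the default implementation are responsible for authorizing the cookie themselves", and adding what happens to a cookie that is not authorized, since the second `<li>` only says that 4-arg overrides "automatically receive only authorized cookies". On style, both list entries give the method signature as plain text while the 4-arg reference inside the first entry uses `{@code populateCookieValueIntoStack}`; wrapping the two signatures in `{@code}` would be consistent. This hunk only touches the class-level Javadoc, so it is worth confirming that the 4-arg method itself carries a matching `@deprecated` tag that points at the 5-arg overload.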
