This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 61d4c5638 Updates stage by Jenkins
61d4c5638 is described below
commit 61d4c5638300f1eb8e2ec21928725e0bbb4c3712
Author: jenkins <[email protected]>
AuthorDate: Sun Jun 14 17:58:29 2026 +0000
Updates stage by Jenkins
---
content/core-developers/chaining-interceptor.html | 22 ++++++++
content/core-developers/cookie-interceptor.html | 14 ++++++
content/core-developers/default-properties.html | 5 ++
.../struts-parameter-annotation.html | 15 ++++++
content/plugins/json/index.html | 58 ++++++++++++++++++++++
content/plugins/rest/index.html | 7 +++
6 files changed, 121 insertions(+)
diff --git a/content/core-developers/chaining-interceptor.html
b/content/core-developers/chaining-interceptor.html
index 7d933eb64..01682f93c 100644
--- a/content/core-developers/chaining-interceptor.html
+++ b/content/core-developers/chaining-interceptor.html
@@ -188,6 +188,28 @@ the below three constants in struts.properties or
struts.xml:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span
class="s">"struts.xwork.chaining.copyErrors"</span> <span
class="na">value=</span><span class="s">"true"</span><span
class="nt">/></span>
</code></pre></div></div>
+<h2 id="parameter-authorization">Parameter Authorization</h2>
+
+<p>By default the Chaining Interceptor copies <strong>all</strong> properties
of the objects on
+the value stack into the target action, regardless of any <code
class="language-plaintext highlighter-rouge">@StrutsParameter</code>
+annotation. To restrict copying to annotated properties only, set the global
+constant:</p>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span
class="s">"struts.chaining.requireAnnotations"</span> <span
class="na">value=</span><span class="s">"true"</span><span
class="nt">/></span>
+</code></pre></div></div>
+
+<p>When enabled (default is <code class="language-plaintext
highlighter-rouge">false</code>):</p>
+
+<ul>
+ <li>Only properties whose target setters carry <a
href="struts-parameter-annotation.html"><code class="language-plaintext
highlighter-rouge">@StrutsParameter</code></a>
+are copied; rejected properties are skipped and logged at <code
class="language-plaintext highlighter-rouge">WARN</code>.</li>
+ <li>Authorization uses the same <code class="language-plaintext
highlighter-rouge">ParameterAuthorizer</code> service as the
+<a href="parameters-interceptor.html">Parameters Interceptor</a>, keeping
semantics consistent.</li>
+ <li>The behaviour is <strong>fail-closed</strong>: if the target action
cannot be introspected,
+no properties are copied.</li>
+ <li>This is a <strong>global</strong> constant only — there is no
per-interceptor override.</li>
+</ul>
+
<h2 id="parameters">Parameters</h2>
<ul>
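Review bot: the new Parameter Authorization section presents `struts.chaining.requireAnnotations` as a standalone opt-in, but the default-properties.html hunk in this same push says it "Only has effect when struts.parameters.requireAnnotations is also enabled"; that precondition belongs here as well, next to "When enabled (default is false)", otherwise a reader who sets only the chaining constant will expect rejections that never happen. The section should also carry the "As of Struts 7.2.0" version note the other new sections in this push use, and say whether `struts.parameters.requireAnnotations.transitionMode` (shown directly above the new constant in default-properties.html) relaxes chaining the same way it is meant to relax request-parameter enforcement.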
diff --git a/content/core-developers/cookie-interceptor.html
b/content/core-developers/cookie-interceptor.html
index 565cc00af..70bb6d47a 100644
--- a/content/core-developers/cookie-interceptor.html
+++ b/content/core-developers/cookie-interceptor.html
@@ -169,6 +169,20 @@ into Struts’ action.</p>
<p>The action could implement <code class="language-plaintext
highlighter-rouge">CookiesAware</code> in order to have a <code
class="language-plaintext highlighter-rouge">Map</code> of filtered cookies set
into it.</p>
+<h2 id="parameter-authorization">Parameter Authorization</h2>
+
+<p>Cookie values are injected through the same <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code> authorization path
+as the <a href="parameters-interceptor.html">Parameters Interceptor</a>
(previously the
+interceptor wrote directly to the value stack and bypassed authorization).</p>
+
+<blockquote class="alert alert-warning">
+ <p><strong>Behaviour change in 7.2.0:</strong> when annotation enforcement
is active (the
+default <code class="language-plaintext
highlighter-rouge">struts.parameters.requireAnnotations=true</code>), cookies
will only populate
+setters marked with <a href="struts-parameter-annotation.html"><code
class="language-plaintext highlighter-rouge">@StrutsParameter</code></a>.
+Applications that relied on cookies populating un-annotated setters must either
+add the annotation to those setters or stop using <code
class="language-plaintext highlighter-rouge">cookiesName=*</code>.</p>
+</blockquote>
+
<h2 id="parameters">Parameters</h2>
<ul>
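Review bot: the second remedy in the alert, "stop using cookiesName=*", does not restore population of un-annotated setters under enforcement; a specifically named cookie still goes through the same `@StrutsParameter` authorization path the paragraph above describes, so it is rejected just the same. Either reword it as "or stop relying on cookie injection for those properties" or explain what narrowing `cookiesName` actually buys. It would also help to state whether rejected cookie values are logged, as the chaining section says rejected properties are ("skipped and logged at WARN"), since that is how operators will notice the 7.2.0 behaviour change after upgrading.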
diff --git a/content/core-developers/default-properties.html
b/content/core-developers/default-properties.html
index 6afacc395..302bdfb72 100644
--- a/content/core-developers/default-properties.html
+++ b/content/core-developers/default-properties.html
@@ -425,6 +425,11 @@ struts.parameters.requireAnnotations=true
### Useful for transitioning legacy applications, but highly recommended to
set to false as soon as possible!
struts.parameters.requireAnnotations.transitionMode=false
+### Whether ChainingInterceptor enforces @StrutsParameter on the target action
when copying properties.
+### Opt-in hardening; default false preserves legacy chaining behaviour. Only
has effect when
+### struts.parameters.requireAnnotations is also enabled.
+struts.chaining.requireAnnotations=false
+
### Whether to throw a RuntimeException when a property is not found
### in an expression, or when the expression evaluation fails
struts.el.throwExceptionOnFailure=false
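Review bot: the comment says the constant "Only has effect when struts.parameters.requireAnnotations is also enabled" but is silent on `struts.parameters.requireAnnotations.transitionMode`, which sits immediately above it; with requireAnnotations=true and transitionMode=true it is unclear whether chaining still rejects un-annotated target setters. One more `###` line stating whether transition mode applies to chaining would settle it. The chaining-interceptor.html hunk in this push also describes the enabled mode as fail-closed (no properties copied when the target cannot be introspected); repeating that here would keep the two descriptions of the same switch aligned.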
diff --git a/content/core-developers/struts-parameter-annotation.html
b/content/core-developers/struts-parameter-annotation.html
index 4567c8dc9..6edf15f73 100644
--- a/content/core-developers/struts-parameter-annotation.html
+++ b/content/core-developers/struts-parameter-annotation.html
@@ -158,6 +158,21 @@
<p>Why it matters: by default (when annotations are required), Struts will
only inject request parameters into fields or setter methods that have this
annotation. This prevents attackers from setting values on fields you didn’t
intend to expose.</p>
+<h2 id="where-authorization-applies">Where authorization applies</h2>
+
+<p>As of Struts 7.2.0 the <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code> authorization is enforced across
every
+channel that can populate an action from request data:</p>
+
+<ul>
+ <li><a href="parameters-interceptor.html">Parameters Interceptor</a> —
request parameters
+(default, governed by <code class="language-plaintext
highlighter-rouge">struts.parameters.requireAnnotations</code>).</li>
+ <li><a href="chaining-interceptor.html">Chaining Interceptor</a> —
value-stack copying during
+action chaining (opt-in via <code class="language-plaintext
highlighter-rouge">struts.chaining.requireAnnotations</code>).</li>
+ <li><a href="cookie-interceptor.html">Cookie Interceptor</a> — cookie
values.</li>
+ <li><a href="../../plugins/json">JSON</a> and <a
href="../../plugins/rest">REST</a> plugins — per-property
+authorization performed during deserialization, so unauthorized fields are
never set.</li>
+</ul>
+
<h2 id="usage">Usage</h2>
<p>The placement of the <code class="language-plaintext
highlighter-rouge">@StrutsParameter</code> annotation is crucial and depends on
how you want to populate your action properties.</p>
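Review bot: "enforced across every channel" overstates what the list itself says: the Chaining Interceptor entry is "opt-in via struts.chaining.requireAnnotations", which the default-properties.html hunk defaults to false, so chaining is not enforced unless the operator turns it on. Suggest "can be enforced across every channel" or move the opt-in caveat into the lead sentence so a reader does not assume chaining is covered out of the box. Minor: the JSON and REST links use `../../plugins/json` and `../../plugins/rest`, one level deeper than this page's location under core-developers/ (the sibling entries link bare filenames such as `chaining-interceptor.html`); they only resolve because browsers clamp `..` at the site root.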
diff --git a/content/plugins/json/index.html b/content/plugins/json/index.html
index 37356997b..43f07cc62 100644
--- a/content/plugins/json/index.html
+++ b/content/plugins/json/index.html
@@ -181,6 +181,8 @@
<li><a href="#write-the-mapping-for-the-action"
id="markdown-toc-write-the-mapping-for-the-action">Write the mapping for the
action</a></li>
<li><a href="#json-example-output"
id="markdown-toc-json-example-output">JSON example output</a></li>
<li><a href="#accepting-json" id="markdown-toc-accepting-json">Accepting
JSON</a></li>
+ <li><a href="#deserialization-limits"
id="markdown-toc-deserialization-limits">Deserialization limits</a></li>
+ <li><a href="#parameter-authorization"
id="markdown-toc-parameter-authorization">Parameter authorization</a></li>
</ul>
</li>
<li><a href="#json-rpc" id="markdown-toc-json-rpc">JSON RPC</a></li>
@@ -758,6 +760,62 @@ and <code class="language-plaintext
highlighter-rouge">jsonRpcContentType</code>
<p>Please be aware that those are scoped params per stack, which means, once
set it will be used by actions in scope of this stack.</p>
+<h3 id="deserialization-limits">Deserialization limits</h3>
+
+<p>To guard against malicious or oversized payloads, JSON deserialization
enforces
+the following limits. Each can be set globally as a constant or
per-interceptor as
+a <code class="language-plaintext highlighter-rouge"><param></code>
(following the same pattern as the fileUpload interceptor):</p>
+
+<table>
+ <thead>
+ <tr>
+ <th>Constant</th>
+ <th>Default</th>
+ <th>Controls</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><code class="language-plaintext
highlighter-rouge">struts.json.maxElements</code></td>
+ <td><code class="language-plaintext highlighter-rouge">10000</code></td>
+ <td>Maximum number of elements in a single JSON array or object</td>
+ </tr>
+ <tr>
+ <td><code class="language-plaintext
highlighter-rouge">struts.json.maxDepth</code></td>
+ <td><code class="language-plaintext highlighter-rouge">64</code></td>
+ <td>Maximum nesting depth of the JSON structure</td>
+ </tr>
+ <tr>
+ <td><code class="language-plaintext
highlighter-rouge">struts.json.maxLength</code></td>
+ <td><code class="language-plaintext highlighter-rouge">2097152</code> (2
MB)</td>
+ <td>Maximum length of the JSON input</td>
+ </tr>
+ <tr>
+ <td><code class="language-plaintext
highlighter-rouge">struts.json.maxStringLength</code></td>
+ <td><code class="language-plaintext highlighter-rouge">262144</code>
(256 KB)</td>
+ <td>Maximum length of an individual JSON string value</td>
+ </tr>
+ <tr>
+ <td><code class="language-plaintext
highlighter-rouge">struts.json.maxKeyLength</code></td>
+ <td><code class="language-plaintext highlighter-rouge">512</code></td>
+ <td>Maximum length of a JSON object key</td>
+ </tr>
+ </tbody>
+</table>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span class="s">"struts.json.maxLength"</span> <span
class="na">value=</span><span class="s">"1048576"</span><span
class="nt">/></span>
+</code></pre></div></div>
+
+<p>The reader and writer implementations are also pluggable via
+<code class="language-plaintext highlighter-rouge">struts.json.reader</code>
and <code class="language-plaintext
highlighter-rouge">struts.json.writer</code> (both default to <code
class="language-plaintext highlighter-rouge">struts</code>).</p>
+
+<h3 id="parameter-authorization">Parameter authorization</h3>
+
+<p>JSON deserialization enforces the <a
href="../../core-developers/struts-parameter-annotation.html"><code
class="language-plaintext highlighter-rouge">@StrutsParameter</code></a>
+annotation <strong>per property, during deserialization</strong> —
unauthorized fields are
+never set on the target object. Annotate the action properties that may be
+populated from the JSON request body.</p>
+
<h2 id="json-rpc">JSON RPC</h2>
<p>The json plugin can be used to execute action methods from javascript and
return the output. This feature was developed
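Review bot: the limits table says each limit can also be set "per-interceptor as a <param> (following the same pattern as the fileUpload interceptor)" but never gives the param names, and the only example is the global `<constant>` form; add one `<param>` example so readers do not have to guess whether the name is `maxLength` or `struts.json.maxLength`. The section also does not say what happens when a limit is exceeded (is the request rejected, is the action still invoked, is anything logged?), which is the first thing anyone lowering `struts.json.maxLength` from 2097152 to 1048576, as in the example, needs to know. Finally, `struts.json.reader` and `struts.json.writer` "both default to struts" without naming any alternative value or the interface a replacement must implement, so the pluggability sentence is not actionable as written.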
diff --git a/content/plugins/rest/index.html b/content/plugins/rest/index.html
index 888cff0bd..1c09de631 100644
--- a/content/plugins/rest/index.html
+++ b/content/plugins/rest/index.html
@@ -538,6 +538,13 @@ look like this:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><constant</span> <span
class="na">name=</span><span class="s">"struts.rest.handlerOverride.xml"</span>
<span class="na">value=</span><span class="s">"myXml"</span><span
class="nt">/></span>
</code></pre></div></div>
+<p>As of Struts 7.2.0 the built-in content type handlers enforce the
+<a href="../../core-developers/struts-parameter-annotation.html"><code
class="language-plaintext highlighter-rouge">@StrutsParameter</code></a>
+annotation per property during deserialization. Custom handlers that need the
+same property-level authorization should implement
+<code class="language-plaintext
highlighter-rouge">AuthorizationAwareContentTypeHandler</code> (which extends
<code class="language-plaintext highlighter-rouge">ContentTypeHandler</code>
with
+authorization callbacks) instead of <code class="language-plaintext
highlighter-rouge">ContentTypeHandler</code> directly.</p>
+
<h3 id="settings">Settings</h3>
<p>The following settings can be customized. See the <a
href="/core-developers/configuration-files">developer guide</a>.
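Review bot: the paragraph should spell out the consequence it only implies: a custom handler registered through `struts.rest.handlerOverride.*` that implements plain `ContentTypeHandler` gets none of the per-property `@StrutsParameter` checks the built-in handlers now perform, so an override silently reopens the channel the built-in handlers just closed. Stating that explicitly, rather than only "should implement AuthorizationAwareContentTypeHandler", turns the advice into the warning it needs to be. It would also help to name the "authorization callbacks" the interface adds, or link its Javadoc, since "extends ContentTypeHandler with authorization callbacks" gives an implementer nothing concrete to implement against.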