This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch docs/struts-7.3.0-json-param-filtering in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit ebe740e63cab6850fe93aafe11a7591ad09977ca Author: Lukasz Lenart <[email protected]> AuthorDate: Tue Jul 14 14:42:36 2026 +0200 docs: document JSON input parameter filtering (Struts 7.3.0) JSON population now applies the same name/value acceptability controls as the Parameters Interceptor (WW-4858, apache/struts#1773): - Always-on: framework-wide accepted/excluded name patterns, param-name max length (paramNameMaxLength, default 100), ParameterNameAware / ParameterValueAware callbacks, @StrutsParameter authorization. - Opt-in: acceptedValuePatterns / excludedValuePatterns and applyPropertyFiltersToInput (reuse excludeProperties/includeProperties on input). Co-Authored-By: Claude Opus 4.8 <[email protected]> --- source/plugins/json/index.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/source/plugins/json/index.md b/source/plugins/json/index.md index cfa7cff04..9be23a5ad 100644 --- a/source/plugins/json/index.md +++ b/source/plugins/json/index.md @@ -590,6 +590,48 @@ annotation **per property, during deserialization** — unauthorized fields are never set on the target object. Annotate the action properties that may be populated from the JSON request body. +### Input parameter filtering + +Since Struts 7.3.0, populating an action from a JSON request body applies the +same name/value acceptability controls that the +[Parameters Interceptor](../../core-developers/parameters-interceptor.html) +applies to ordinary HTTP request parameters. Filtering uses the same +dotted/indexed key paths as form parameters (`address.city`, `items[0].name`), +so the shared pattern checkers behave identically on JSON and form input. +Population itself stays pure reflection over bean setters — no OGNL name +evaluation is introduced on the JSON path. + +The following controls are **always on**: + +- **Excluded and accepted name patterns** — the same framework-wide + accepted/excluded parameter-name patterns the Parameters Interceptor uses. A + JSON key whose full dotted/indexed path matches an excluded pattern, or fails + to match any accepted pattern, is not populated. +- **Maximum key-path length** — set with the `paramNameMaxLength` interceptor + param (default `100`). JSON keys whose full dotted path is longer are rejected. +- **`ParameterNameAware` / `ParameterValueAware`** action callbacks — honored for + JSON input exactly as for form parameters. +- **`@StrutsParameter` authorization** — see + [Parameter authorization](#parameter-authorization) above. + +The following controls are **opt-in** — disabled by default to preserve existing +behavior for permissive JSON apps: + +| Interceptor param | Default | Effect | +|-------------------|---------|--------| +| `acceptedValuePatterns` | *(none)* | Comma-delimited regular expressions; when set, only JSON leaf **values** matching one of them are accepted (matching is case-insensitive). | +| `excludedValuePatterns` | *(none)* | Comma-delimited regular expressions; JSON leaf **values** matching any of them are removed (matching is case-insensitive). | +| `applyPropertyFiltersToInput` | `false` | When `true`, the interceptor's own `excludeProperties` / `includeProperties` patterns — otherwise used only for serialization output — also gate which JSON keys are populated on **input**. | + +```xml +<interceptor-ref name="json"> + <param name="paramNameMaxLength">120</param> + <param name="acceptedValuePatterns">[\w\s.@-]+</param> + <param name="applyPropertyFiltersToInput">true</param> + <param name="excludeProperties">login.password</param> +</interceptor-ref> +``` + ## JSON RPC The json plugin can be used to execute action methods from javascript and return the output. This feature was developed
