Good questions.

The log messages for these are at the debug level so you will need to enable logging at the debug level to see these. This was a deliberate decision as otherwise bad actors would be able to flood your application logs.

The annotations should only target Action class methods. If you are using a bean (also known as a form DTO), you only need to annotate the getter method on the Action class that returns that bean (and with an appropriate depth limit).

If you add `@StrutsParameter(depth = 99)` to every getter/setter method on every Action class, it is indeed equivalent to disabling the capability entirely.

So the annotation exists to prevent your application users from invoking any arbitrary getter/setter on your Action classes as they have been able to do in Struts 6 and earlier.

Also feel free to have a read of this section if you haven't had a chance to:
https://struts.apache.org/security/#defining-and-annotating-your-action-parameters

On Tue, Jun 18, 2024 at 5:22 PM Greg Huber <gregh3...@gmail.com> wrote:
>
> For the struts.parameters.requireAnnotations=true
>
> If I test my action, there are no log messages for these, i.e. missing
> @StrutsParameter.
>
> It also says Action class, what if I have a bean in the action class, do
> I need to do these also?
>
> If I add them to every field/bean is this the same as setting it false?
> i.e. what does @StrutsParameter do?
>
> On 18/06/2024 07:44, Kusal Kithul-Godage wrote:
> > I've fleshed out the Security section of the migration guide. Open to
> > any feedback on anything that is still unclear.
> > https://cwiki.apache.org/confluence/x/wYp3EQ
> >
> > On Mon, Jun 17, 2024 at 8:14 PM Kusal Kithul-Godage
> > <kusal.kithulgod...@gmail.com> wrote:
> >> Ah right - yep no objections here
> >>
> >> Based on the feedback in this thread, I'm working on a minor
> >> enhancement for the allowlisting capability which will allow it to
> >> continue working at a lesser strictness in environments where
> >> Hibernate entities are used. I'll target M8 for this as well as the
> >> updated documentation
> >>
> >> On Mon, Jun 17, 2024 at 8:07 PM Lukasz Lenart <lukaszlen...@apache.org>
> >> wrote:
> >>> Mon, 17 Jun 2024 at 11:00 Kusal Kithul-Godage
> >>> <kusal.kithulgod...@gmail.com> wrote:
> >>>> When you say release officially do you mean as the final Struts 7.0.0?
> >>> I meant release -> publish as M7 in the Maven Central - in such a case
> >>> we can spread testing to other users as they can use official
> >>> artifacts.
> >>>
> >>> Regards
> >>> Lukasz
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >>> For additional commands, e-mail: dev-h...@struts.apache.org
> >>>
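
An added illustration of the annotation placement described in the reply at the top of this message (not code from the thread or from the Struts project). The `RegisterAction`, `User` and `Address` classes and their properties are hypothetical, and the import assumes the annotation's package as shipped in Struts 6.4 and later.

```java
import org.apache.struts2.interceptor.parameter.StrutsParameter;

// Hypothetical action, deployed with struts.parameters.requireAnnotations=true.
public class RegisterAction {

    private final User user = new User(); // form bean (DTO)
    private String referrer;
    private boolean admin;

    // Annotated setter directly on the action (default depth 0):
    // the request parameter "referrer" is accepted.
    @StrutsParameter
    public void setReferrer(String referrer) { this.referrer = referrer; }

    // Only the action's getter that returns the bean is annotated; the bean's
    // own methods are left alone. depth = 1 accepts "user.name", while
    // "user.address.city" sits one level deeper and needs depth = 2.
    @StrutsParameter(depth = 1)
    public User getUser() { return user; }

    // No annotation: "admin=true" in a request is not applied to the action,
    // and the rejection is only logged at debug level.
    public void setAdmin(boolean admin) { this.admin = admin; }

    public String getReferrer() { return referrer; }
    public boolean isAdmin() { return admin; }

    public String execute() { return "success"; }

    public static class User {
        private String name;
        private final Address address = new Address();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
    }

    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }
}
```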