Yeah, good call, I'll look into it.

On Tue, Jun 18, 2024 at 5:54 PM Greg Huber <gregh3...@gmail.com> wrote:
>
> OK thanks.
>
> Can the logging be the same as others - Developer Notification rather than
> changing the debug level?
>
> ie for a bad date I get
>
> 024-06-18 08:24:53,696 WARN org.apache.struts2.components.Date Date:end
> - Developer Notification (set struts.devMode to false to disable this
> message):
>
> Expression [bean.created] passed to <s:date/> tag which was evaluated to
> [null](null) isn't supported!
>
> On 18/06/2024 08:34, Kusal Kithul-Godage wrote:
> > Good questions
> >
> > The log messages for these are at the debug level so you will need to
> > enable logging at the debug level to see these. This was a deliberate
> > decision as otherwise bad actors would be able to flood your
> > application logs.
> >
> > The annotations should only target Action class methods. If you are
> > using a bean (also known as a form DTO), you only need to annotate the
> > getter method on the Action class that returns that bean (and with an
> > appropriate depth limit).
> >
> > If you add `@StrutsParameter(depth = 99)` to every getter/setter
> > method on every Action class, it is indeed equivalent to disabling the
> > capability entirely.
> >
> > So the annotation exists to prevent your application users from
> > invoking any arbitrary getter/setter on your Action classes as they
> > have been able to do in Struts 6 and earlier.
> >
> > Also feel free to have a read of this section if you haven't had a chance
> > to:
> > https://struts.apache.org/security/#defining-and-annotating-your-action-parameters
> >
> > On Tue, Jun 18, 2024 at 5:22 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> For the struts.parameters.requireAnnotations=true
> >>
> >> If I test my action, there are no log messages for these. ie missing
> >> @StrutsParameter.
> >>
> >> It also says Action class, what if I have a bean in the action class, do
> >> I need to do these also?
> >>
> >> If I add them to every field/bean is this the same as setting it false?
> >> ie what does @StrutsParameter do?
> >>
> >> On 18/06/2024 07:44, Kusal Kithul-Godage wrote:
> >>> I've fleshed out the Security section of the migration guide. Open to
> >>> any feedback on anything that is still unclear.
> >>> https://cwiki.apache.org/confluence/x/wYp3EQ
> >>>
> >>> On Mon, Jun 17, 2024 at 8:14 PM Kusal Kithul-Godage
> >>> <kusal.kithulgod...@gmail.com> wrote:
> >>>> Ah right - yep no objections here
> >>>>
> >>>> Based on the feedback in this thread, I'm working on a minor
> >>>> enhancement for the allowlisting capability which will allow it to
> >>>> continue working at a lesser strictness in environments where
> >>>> Hibernate entities are used. I'll target M8 for this as well as the
> >>>> updated documentation
> >>>>
> >>>> On Mon, Jun 17, 2024 at 8:07 PM Lukasz Lenart <lukaszlen...@apache.org>
> >>>> wrote:
> >>>>> On Mon, 17 Jun 2024 at 11:00, Kusal Kithul-Godage
> >>>>> <kusal.kithulgod...@gmail.com> wrote:
> >>>>>> When you say release officially do you mean as the final Struts 7.0.0?
> >>>>> I meant release -> publish as M7 in the Maven Central - in such a case
> >>>>> we can spread testing to other users as they can use official
> >>>>> artifacts.
> >>>>>
> >>>>> Regards
> >>>>> Lukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
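
The annotation rules discussed in the thread above, as an added example that is not part of the thread or of the Struts code base. `ProfileAction` and `ProfileForm` are hypothetical names; the example assumes `struts.parameters.requireAnnotations=true` and the annotation at `org.apache.struts2.interceptor.parameter.StrutsParameter`.

```java
// Added illustration; ProfileAction and ProfileForm are hypothetical names.
// Assumes struts.parameters.requireAnnotations=true and a Struts version
// that ships @StrutsParameter on the classpath.
import org.apache.struts2.interceptor.parameter.StrutsParameter;

public class ProfileAction {

    // Form DTO (bean). Its own getters and setters carry no annotation:
    // only methods on the Action class are annotated.
    public static class ProfileForm {
        private String displayName;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
    }

    private final ProfileForm form = new ProfileForm();
    private String returnUrl;
    private boolean admin;

    // Request parameter "returnUrl" is accepted: the Action setter is annotated.
    @StrutsParameter
    public void setReturnUrl(String returnUrl) { this.returnUrl = returnUrl; }

    // "form.displayName" is accepted: it sits one level below the Action,
    // so the getter that returns the bean is annotated with depth = 1.
    // A deeper path such as "form.a.b" would need a larger depth.
    @StrutsParameter(depth = 1)
    public ProfileForm getForm() { return form; }

    // No annotation: a request parameter "admin=true" is not applied here,
    // so internal state stays out of reach of request parameters.
    public void setAdmin(boolean admin) { this.admin = admin; }

    public boolean isAdmin() { return admin; }
    public String getReturnUrl() { return returnUrl; }

    public String execute() { return "success"; }
}
```

Keeping `depth` as small as each bean actually requires preserves the allowlist; a large blanket value on every method gives up the protection, as the thread notes.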