The Apache Struts 7.2.1 test build is available. This release contains
a few minor breaking changes plus some bug fixes. Also a lot of
dependencies have been updated:

Breaking changes

- JSON and REST request bodies are now authorized per property during
deserialization, so action/model properties without @StrutsParameter
are no longer populated when struts.parameters.requireAnnotations is
enabled (the default) [WW-5626], [WW-5624].
- CookieInterceptor  now applies @StrutsParameter  authorization to
cookie values and deprecates the 4-arg
populateCookieValueIntoStack(...)  in favor of a new 5-arg overload
taking the action, so un-annotated setters stop receiving cookies and
subclass overrides must migrate [WW-5627].
- Apache Commons FileUpload was upgraded to 2.0.0-M5, whose renamed
methods break custom upload code or FileUploadInterceptor  subclasses
calling its API directly [WW-5615], [WW-5632].
- OGNL was upgraded from 3.3.5 to 3.4.11, which may affect code or
configuration relying on OGNL expression, method-access, or security
semantics [WW-5536], [WW-5613].
- StreamResult  now honors an explicitly empty contentCharSet  by
clearing the response character encoding, changing the emitted
Content-Type for that configuration [WW-5602].
- ChainingInterceptor  adds the opt-in
struts.chaining.requireAnnotations  constant (default false) that,
when enabled, skips properties without @StrutsParameter  during action
chaining [WW-5631].

Bug
[WW-2963] - default-action-ref fails to find wildcard named actions
[WW-3429] - <input> tag generated by <s:checkbox> produce HTML warning
in validators
[WW-3647] - Adding a jndi-lookup Spring bean breaks ServletActionRedirectResult
[WW-4421] - Duplicate @Action value annotation check skipped
[WW-4428] - Add support for new Java 8 LocalDate and LocalDateTime to
the JSON plugin
[WW-5294] - Tag <s:textfield/> is not showing the warning when exposed
directly via JSP
[WW-5368] - Access warning when get resource bundle which its name
starts with "label"
[WW-5514] - Allow configuration of ProxyUtil for cache types
[WW-5519] - Plugin not compatible with latest version of IDEA
[WW-5535] - HttpMethodInterceptor does not work with action names
using wildcards
[WW-5537] - Memory Leak
[WW-5549] - i18n interceptor param supportedLocale (when set) disables
request_locale param functionality
[WW-5578] - Bad interceptor configuration is masked
[WW-5586] - WithLazyParams interceptors cannot be configured within
interceptor stacks
[WW-5587] - WithLazyParams interceptors lose parameters in stack configurations
[WW-5592] - Textfield tag not allowing white space
[WW-5593] - Convention plugin fails with NoClassDefFoundError when
scanning classes with missing dependencies
[WW-5594] - Convention plugin exclusion pattern org.apache.struts2.*
doesn't match root package classes
[WW-5602] - Can't specify empty charset on StreamResult
[WW-5614] - Excessive memory usage in apps with large short-lived objects
[WW-5623] - Harden output encoding of the form action attribute in
PostbackResult
[WW-5624] - Request body population bypasses @StrutsParameter contract
outside ParametersInterceptor
[WW-5630] - Performance Issue SecurityMemberAccess
[WW-5636] - ServletRedirectResult writes unescaped URL to response
body for non-302 status codes

New Feature
[WW-5444] - Implement a new html5 theme
[WW-5631] - Add opt-in @StrutsParameter enforcement to ChainingInterceptor
[WW-5632] - Harden commons-fileupload2 dependency against milestone
binary-incompatibility

Improvement
[WW-4291] - Can't use Spring bean name for type convertor
[WW-5256] - Reduce size of generate html out of freemarker tag templates
[WW-5560] - Support IntelliJ Platform 2024.2
[WW-5563] - Support IntelliJ Platform 2025.3
[WW-5576] - In Java 25: the use of the three-letter time zone IDs is deprecated
[WW-5585] - Allow dynamically set "allowedTypes" and
"allowedExtensions" for file upload validation
[WW-5588] - Allow Preparable interface to work with only per-method
prepare*() implementations
[WW-5589] - Convert remaining UIBean protected fields to private to
prevent OGNL warnings
[WW-5603] - xwork-default.xml is shown as framework config file
[WW-5613] - Add proper support for OGNL 3.4.10
[WW-5617] - Use System.err.println() instead of printStackTrace()
[WW-5618] - Make JSON plugin more configurable
[WW-5621] - Harden XML parsers against Entity Expansion (Billion Laughs) attacks
[WW-5622] - Optimize Hibernate proxy detection to avoid repeated
exception overhead when Hibernate is absent
[WW-5626] - Refactor JSON/REST @StrutsParameter enforcement to
per-property authorization
[WW-5627] - CookieInterceptor bypasses @StrutsParameter authorization
[WW-5635] - TokenHelper.validToken() includes session token in WARN log output

Task
[WW-5615] - Adapt to renamed methods in Apache Commons FileUpload 2.0.0-M5

Dependency
[WW-5536] - Bump ognl:ognl from 3.3.5 to 3.4.8
[WW-5579] - @DoubleRangeFieldValidator and @ShortRangeFieldValidator
missing from @Validations container annotation
[WW-5582] - Bump asm.version from 9.8 to 9.9
[WW-5583] - Bump commons-validator:commons-validator from 1.9.0 to 1.10.0
[WW-5595] - Bump org.apache.commons:commons-text from 1.14.0 to 1.15.0
[WW-5596] - Bump byte-buddy.version from 1.17.7 to 1.18.2
[WW-5598] - Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.20.1
[WW-5601] - Bump commons-io:commons-io from 2.20.0 to 2.21.0
[WW-5605] - Bump org.apache.juneau:juneau-marshall from 8.1.3 to 9.2.0
[WW-5607] - Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.21.0
[WW-5625] - Bump commons-io:commons-io from 2.21.0 to 2.22.0
[WW-5628] - bump asm.version from 9.9.1 to 9.10
[WW-5629] - bump log4j2.version from 2.25.4 to 2.26.0
[WW-5633] - Bumps com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0.
[WW-5634] - Bumps org.htmlunit:htmlunit from 4.21.0 to 5.1.0.

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.2.1

Github release
* https://github.com/apache/struts/releases/tag/STRUTS_7_2_1

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/7.2.1/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 72 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.

On behalf of the Apache Struts project
Ɓukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to