Thanks, that is a good documentation, except that

@StrutsParameter(depth = 1)  was not sufficant

for the case

    @StrutsParameter(depth = 1)
    public List<User> getUsers() {
        return users;
    }

in my example, I needed

@StrutsParameter(depth = 2)
public List<MyObject> getContents() {
    return contents;
    }

despite that MyObject contains only flat primitives like

private String title;

and the corresponding getter/setters (also annotated).

Best regards
Markus


Am 30.06.26 um 18:52 schrieb Łukasz Lenart:
wt., 30 cze 2026 o 18:[email protected] <[email protected]>
napisał(a):
If you have an Action extends ActionSupport that returns Json (using Gson 
here), it is not sufficient to annotate the setter

@StrutsParameter(depth = 2) public void setContents(final List<MyObject> 
contents) { this.contents = contents; }


2026-06-30 17:47:40 WARN org.apache.struts2.json.JSONInterceptor - JSON body 
parameter [contents[0].title] rejected by @StrutsParameter authorization on [org
.your.NameOfTheAction]

You need also to annotate the getter

@StrutsParameter(depth = 2) public List<MyObject> getContents() { return 
contents; }

Because the new security mechanism first seems to use getContents to check, if there 
is permission to setContents. Also note that depth = 1 is not sufficent, despite that 
MyObject is a flat POJO. Not sure why that is, probably because it is a 
List<MyObject>.

Maybe the documentation should be updated to make this clear. It does not seem 
obvious at least to me, which admittedly doesn't mean much. ;-)
Is it your case?
https://struts.apache.org/core-developers/struts-parameter-annotation#populating-properties-of-objects-within-a-collection


Cheers
Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]

Reply via email to