Thanks, that is a good documentation, except that
@StrutsParameter(depth = 1) was not sufficant
for the case
@StrutsParameter(depth = 1)
public List<User> getUsers() {
return users;
}
in my example, I needed
@StrutsParameter(depth = 2)
public List<MyObject> getContents() {
return contents;
}
despite that MyObject contains only flat primitives like
private String title;
and the corresponding getter/setters (also annotated).
Best regards
Markus
Am 30.06.26 um 18:52 schrieb Łukasz Lenart:
wt., 30 cze 2026 o 18:[email protected] <[email protected]>
napisał(a):
If you have an Action extends ActionSupport that returns Json (using Gson
here), it is not sufficient to annotate the setter
@StrutsParameter(depth = 2) public void setContents(final List<MyObject>
contents) { this.contents = contents; }
2026-06-30 17:47:40 WARN org.apache.struts2.json.JSONInterceptor - JSON body
parameter [contents[0].title] rejected by @StrutsParameter authorization on [org
.your.NameOfTheAction]
You need also to annotate the getter
@StrutsParameter(depth = 2) public List<MyObject> getContents() { return
contents; }
Because the new security mechanism first seems to use getContents to check, if there
is permission to setContents. Also note that depth = 1 is not sufficent, despite that
MyObject is a flat POJO. Not sure why that is, probably because it is a
List<MyObject>.
Maybe the documentation should be updated to make this clear. It does not seem
obvious at least to me, which admittedly doesn't mean much. ;-)
Is it your case?
https://struts.apache.org/core-developers/struts-parameter-annotation#populating-properties-of-objects-within-a-collection
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]