[ https://issues.apache.org/jira/browse/WW-5352?focusedWorklogId=897838&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-897838 ]
ASF GitHub Bot logged work on WW-5352:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Jan/24 11:25
            Start Date: 03/Jan/24 11:25
    Worklog Time Spent: 10m
      Work Description: kusalk opened a new pull request, #832:
URL: https://github.com/apache/struts/pull/832

   WW-5352

   -- WIP! --

   The final piece of the Struts 6.4 security overhaul. When this capability is enabled alongside the OGNL allowlist, security is greatly heightened with no additional complex configuration.

   The only code change required by applications is to annotate all Action class parameters with this new annotation. This can be scripted for large codebases by scanning for public members on classes which implement the Action interface.

   In addition to assisting OGNL allowlist configuration, the primary benefit of this new annotation is that it prevents inexperienced Struts developers from inadvertently introducing parameter injection points as they often do not realise any public members on an Action class are parameter injectable.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 897838)
    Time Spent: 2.5h  (was: 2h 20m)

> Implement annotation mechanism for injectable fields via parameters
> -------------------------------------------------------------------
>
>                 Key: WW-5352
>                 URL: https://issues.apache.org/jira/browse/WW-5352
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core, Core Interceptors
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.4.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> struts.parameters.requireAnnotations
>
> Require an explicit annotation '@StrutsParameter' on one of:
> Getter/Setter/Field/ReturnType for injecting parameters.
>
> This mechanism is intended to be a more usable replacement for
> 'ParameterNameAware'

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
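The codebase scan mentioned in the pull request description, as an added example (not code from the Struts project or from the pull request): a line-based heuristic that lists public fields and getter/setter methods lacking `@StrutsParameter` in a Java source file that declares an Action class. The function name `unannotated_members`, the regular expressions, the treatment of `extends ActionSupport` as an Action class, and the sample source are all assumptions made for this example.

```python
import re

# Heuristic: a class that implements Action directly or extends ActionSupport.
ACTION_CLASS = re.compile(
    r"\bclass\s+\w+[^{]*?(?:\bimplements\b[^{]*\bAction\b|\bextends\s+ActionSupport\b)")
# A public, non-static field (ends in ';' or '=') or method (ends in '('),
# with optional same-line annotations captured in group 1.
MEMBER = re.compile(
    r"^\s*((?:@\w+(?:\([^)]*\))?\s*)*)public\s+(?!static\b)"
    r"[\w<>\[\],.? ]+?\s+(\w+)\s*([(;=])")
ACCESSOR = re.compile(r"^(?:set|get|is)[A-Z]")
ANNOTATED = re.compile(r"@StrutsParameter\b")


def unannotated_members(java_source):
    """Return (line_no, name) of public fields/accessors lacking @StrutsParameter."""
    if not ACTION_CLASS.search(java_source):
        return []
    findings, pending = [], ""
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("@") and "public" not in stripped.split():
            pending += " " + stripped  # annotation on its own line
            continue
        m = MEMBER.match(line)
        if m and (m[3] in ";=" or ACCESSOR.match(m[2])):
            if not ANNOTATED.search(pending + " " + m[1]):
                findings.append((line_no, m[2]))
        pending = ""  # annotations apply only to the next declaration
    return findings


# Constructed sample input, not taken from any real application.
SAMPLE = """\
public class TransferAction extends ActionSupport {
    public String note;
    @StrutsParameter
    public void setAmount(long amount) { this.amount = amount; }
    public void setAccountId(String id) { this.accountId = id; }
    @StrutsParameter public Account getAccount() { return account; }
    public boolean admin = false;
    private long amount;
    public String execute() { return SUCCESS; }
}
"""

if __name__ == "__main__":
    print(unannotated_members(SAMPLE))
```

Because the match is textual, members inherited from a superclass and declarations split across several lines are not seen; the output is a review list, not proof of coverage.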