Author: lukaszlenart
Date: Thu Sep 24 18:29:30 2015
New Revision: 966663
Log:
Updates production
Added:
websites/production/struts/content/docs/s2-026.html
websites/production/struts/content/docs/version-notes-23241.html
Modified:
websites/production/struts/content/announce.html
websites/production/struts/content/archetype-catalog.xml
websites/production/struts/content/docs/action-configuration.html
websites/production/struts/content/docs/migration-guide.html
websites/production/struts/content/docs/rest-plugin.html
websites/production/struts/content/docs/security-bulletins.html
websites/production/struts/content/docs/struts-next.html
websites/production/struts/content/docs/webxml.html
websites/production/struts/content/download.html
websites/production/struts/content/downloads.html
websites/production/struts/content/index.html
Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Thu Sep 24 18:29:30 2015
@@ -124,6 +124,30 @@
Skip to: <a href="announce-2014.html">Announcements - 2014</a>
</p>
+<h4 id="a20150924">24 September 2015 - Struts 2.3.24.1 General Availability
with Security Fix Release</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.3.24.1 is
available as a âGeneral Availabilityâ
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from
building, to deploying,
+to maintaining applications over time.</p>
+
+<p>One medium security issue was solved with this release:</p>
+
+<ul>
+ <li><a href="/docs/s2-026.html">S2-026</a>
+Special <code>top</code> object can be used to access Strutsâ internals</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
+<p>The 2.3.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.</p>
+
+<p>Should any issues arise with your use of any version of the Struts
framework,
+please post your comments to the user list, and, if appropriate, file a
tracking ticket.</p>
+
<h4 id="a20150826">26 August 2015 - Security Bulletin S2-025</h4>
<p>The Apache Struts group is pleased to announce that a new security bulletin
was published -
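Review bot: the added announcement text at `âGeneral Availabilityâ` and `Strutsâ internals` contains mis-encoded characters; the curly quotes and apostrophe were written as UTF-8 into a page that is interpreted with a different charset, so they render as `â` plus invisible control bytes. Use plain ASCII quotes (`"General Availability"`, `Struts' internals`) or HTML entities (`&ldquo;`, `&rdquo;`, `&rsquo;`), and check the other pages in this commit for the same problem. Also, `All developers are strongly advised to perform this action.` never says what the action is; name it explicitly (upgrade to Struts 2.3.24.1), since that sentence is the one advisory readers act on.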
Modified: websites/production/struts/content/archetype-catalog.xml
==============================================================================
Binary files - no diff available.
Modified: websites/production/struts/content/docs/action-configuration.html
==============================================================================
--- websites/production/struts/content/docs/action-configuration.html (original)
+++ websites/production/struts/content/docs/action-configuration.html Thu Sep
24 18:29:30 2015
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The action mappings are the basic
"unit-of-work" in the framework. Essentially, the action maps an identifier to
a handler class. When a request matches the action's name, the framework uses
the mapping to determine how to process the request.</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1440488847319 {padding: 0px;}
-div.rbtoc1440488847319 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1440488847319 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1443119320931 {padding: 0px;}
+div.rbtoc1443119320931 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1443119320931 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1440488847319">
+/*]]>*/</style></p><div class="toc-macro rbtoc1443119320931">
<ul class="toc-indentation"><li><a shape="rect"
href="#ActionConfiguration-ActionMappings">Action Mappings</a></li><li><a
shape="rect" href="#ActionConfiguration-ActionNames">Action
Names</a></li><li><a shape="rect"
href="#ActionConfiguration-ActionMethods">Action Methods</a></li><li><a
shape="rect" href="#ActionConfiguration-WildcardMethod">Wildcard
Method</a></li><li><a shape="rect"
href="#ActionConfiguration-DynamicMethodInvocation">Dynamic Method
Invocation</a></li><li><a shape="rect"
href="#ActionConfiguration-ActionSupportDefault">ActionSupport
Default</a></li><li><a shape="rect"
href="#ActionConfiguration-Post-BackDefault">Post-Back Default</a></li><li><a
shape="rect" href="#ActionConfiguration-ActionDefault">Action Default</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#ActionConfiguration-WildcardDefault">Wildcard Default</a></li></ul>
</li><li><a shape="rect" href="#ActionConfiguration-Next:">Next: Wildcard
Mappings</a></li></ul>
@@ -151,9 +151,17 @@ div.rbtoc1440488847319 li {margin-left:
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><action name="Logon" class="tutorial.Logon">
<result type="redirectAction">Menu</result>
<result name="input">/Logon.jsp</result>
-</action>
-</pre>
-</div></div><h2 id="ActionConfiguration-ActionNames">Action Names</h2><p>In a
web application, the <code>name</code> attribute is matched as part of the
location requested by a browser (or other HTTP client). The framework will drop
the host and application name and the extension and match what's in the middle:
the action name. So, a request for <code><a shape="rect" class="external-link"
href="http://www.planetstruts.org/struts2-mailreader/Welcome.action"
rel="nofollow">http://www.planetstruts.org/struts2-mailreader/Welcome.action</a></code>
will map to the <code>Welcome</code> action.</p><p>Within an application a
link to an action is usually generated by a Struts Tag. The tag can specify the
action by name, and the framework will render the default extension and
anything else that is needed. Forms may also submit directly to a Struts Action
name (rather than a "raw" URI).</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="bord
er-bottom-width: 1px;"><b>A Hello Form</b></div><div class="codeContent
panelContent pdl">
+</action> </pre>
+</div></div><p> </p><p>When using <a shape="rect"
href="convention-plugin.html">Convention Plugin</a> the action mapping can be
configured with annotations:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;"><b>A Logon Action with
annotations</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">package tutorial
+
+@Action("Logon") // actually that is not necessary as it is added by convention
+@Results(
+ @Result(type="redirectAction", location="Menu"),
+ @Result(name="input", location="/Logon.jsp")
+)
+public class Logon {</pre>
+</div></div><p> </p><h2 id="ActionConfiguration-ActionNames">Action
Names</h2><p>In a web application, the <code>name</code> attribute is matched
as part of the location requested by a browser (or other HTTP client). The
framework will drop the host and application name and the extension and match
what's in the middle: the action name. So, a request for <code><a shape="rect"
class="external-link"
href="http://www.planetstruts.org/struts2-mailreader/Welcome.action"
rel="nofollow">http://www.planetstruts.org/struts2-mailreader/Welcome.action</a></code>
will map to the <code>Welcome</code> action.</p><p>Within an application a
link to an action is usually generated by a Struts Tag. The tag can specify the
action by name, and the framework will render the default extension and
anything else that is needed. Forms may also submit directly to a Struts Action
name (rather than a "raw" URI).</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeHeader panelHeader pdl
" style="border-bottom-width: 1px;"><b>A Hello Form</b></div><div
class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><s:form action="Hello">
<s:textfield label="Please enter your name" name="name"/>
<s:submit/>
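Review bot: the new `A Logon Action with annotations` snippet does not compile as shown: `package tutorial` is missing its trailing semicolon, the class body opened by `public class Logon {` is never closed, and the imports for `@Action`, `@Results` and `@Result` are omitted. Either complete it to a minimal compilable class or mark the elision with `...` the way the other snippets on this page do. Also, `</action> </pre>` now puts the closing XML tag and `</pre>` on one line with a stray space, which renders as trailing whitespace inside the XML block; keep them on separate lines as before.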
@@ -168,14 +176,22 @@ div.rbtoc1440488847319 li {margin-left:
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><action name="delete" class="example.CrudAction"
method="delete">
...
</pre>
-</div></div><p><img class="emoticon emoticon-warning"
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png"
data-emoticon-name="warning" alt="(warning)"> If there is no
<code>execute</code> method and no other method specified in the configuration
the framework will throw an exception.</p><h2
id="ActionConfiguration-WildcardMethod">Wildcard Method</h2><p>Many times, a
set of action mappings will share a common pattern. For example, all your
<code>edit</code> actions might start with the word "edit", and call the
<code>edit</code> method on the Action class. The <code>delete</code> actions
might use the same pattern, but call the <code>delete</code> method
instead.</p><p>Rather than code a separate mapping for each action class that
uses this pattern, you can write it once as a wildcard mapping.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+</div></div><p><img class="emoticon emoticon-warning"
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png"
data-emoticon-name="warning" alt="(warning)"> If there is no
<code>execute</code> method and no other method specified in the configuration
the framework will throw an exception.</p><p> </p><p><a shape="rect"
href="convention-plugin.html">Convention Plugin</a> allows that by annotating
methods:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>Annotated action method</b></div><div class="codeContent panelContent
pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">@Action("crud")
+public class CrudAction {
+ @Action("delete")
+ public String delete() {
+ ...
+
+</pre>
+</div></div><p> </p><h2 id="ActionConfiguration-WildcardMethod">Wildcard
Method</h2><p>Many times, a set of action mappings will share a common pattern.
For example, all your <code>edit</code> actions might start with the word
"edit", and call the <code>edit</code> method on the Action class. The
<code>delete</code> actions might use the same pattern, but call the
<code>delete</code> method instead.</p><p>Rather than code a separate mapping
for each action class that uses this pattern, you can write it once as a
wildcard mapping.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><action name="*Crud" class="example.Crud"
method="{1}">
...
</pre>
</div></div><p>Here, a reference to "editCrud" will call the <code>edit</code>
method on an instance of the Crud Action class. Likewise, a reference to
"deleteCrud" will call the <code>delete</code> method instead.</p><p>Another
common approach is to postfix the method name and set it off with an
exclamation point (aka "bang"), underscore, or other special
character.</p><ul><li>"action=Crud_input"</li><li>"action=Crud_delete"</li></ul><p>To
use a postfix wildcard, just move the asterisk and add an underscore.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><action name="Crud_*" class="example.Crud"
method="{1}">
</pre>
-</div></div><p>From the framework's perspective, a wildcard mapping creates a
new "virtual" mapping with all the same attributes as a conventional, static
mapping. As a result, you can use the expanded wildcard name as the name of
validation, type conversion, and message resource files, just as if it were an
Action name (which it
is!).</p><ul><li><code>Crud_input-validation.xml</code></li><li><code>Crud_delete-conversion.xml</code></li></ul><div
class="confluence-information-macro
confluence-information-macro-warning"><span class="aui-icon aui-icon-small
aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>If Wildcard Method mapping uses a
"!" in the action name, the Wildcard Method will overlap with another flexible
approach to mapping, <a shape="rect" href="action-configuration.html">Dynamic
Method Invocation</a>. To use action names that include the "!" character, set
<code>struts.enable.DynamicMethodInvocation</code> to <
code>FALSE</code> in the application configuration.</p></div></div><h2
id="ActionConfiguration-DynamicMethodInvocation">Dynamic Method
Invocation</h2><p>There's a feature embedded in WebWork 2 that lets the "!"
(bang) character invoke a method other than <code>execute</code>. In WebWork,
it doesn't really have a name. During the S2 discussions, we coined the term
"dynamic method invocation" to describe how WW/S2 use the bang
notation.</p><p>Dynamic Method Invocation (DMI) will use the string following a
"!" character in an action name as the name of a method to invoke (instead of
<code>execute</code>). A reference to "<code>Category!create.action</code>",
says to use the "Category" action mapping, but call the <code>create</code>
method instead.</p><p>For Struts 2, we added a switch to disable DMI for two
reasons. First, DMI can cause security issues if POJO actions are used. Second,
DMI overlaps with the Wildcard Method feature that we brought over from Struts
1 (and from Cocoon be
fore that). If you have security concerns, or would like to use the "!"
character with Wildcard Method actions, then set
<code>struts.enable.DynamicMethodInvocation</code> to <code>FALSE</code> in the
application configuration.</p><p>The framework does support DMI, just like
WebWork 2, but there are problems with way DMI is implemented. Essentially, the
code scans the action name for a "!" character, and finding one, tricks the
framework into invoking the other method instead of <code>execute</code>. The
other method is invoked, but it uses the same configuration as the
<code>execute</code> method, including validations. The framework "believes" it
is invoking the <code>Category</code> action with the <code>execute</code>
method.</p><p>The Wildcard Method feature is implemented differently. When a
Wildcard Method action is invoked, the framework acts as if the matching action
had been hardcoded in the configuration. The framework "believes" it's
executing the action <code>Category!c
reate</code> and "knows" it is executing the <code>create</code> method of the
corresponding Action class. Accordingly, we can add for a Wildcard Method
action mapping its own validations, message resources, and type converters,
just like a conventional action mapping. For this reason, the <a shape="rect"
href="action-configuration.html">Wildcard Method</a> is preferred.</p><p>In
Struts 2.3, an option was added to restrict the methods that DMI can invoke.
First, set the attribute <code>strict-method-invocation="true"</code> on your
<code><package></code> element. This tells Struts to reject any method
that is not explicitly allowed via either the <code>method</code> attribute
(including wildcards) or the <code><allowed-methods></code> tag. Then
specify <code><allowed-methods></code> as a comma-separated list of
method names in your <code><action></code>. (If you specify a
<code>method</code> attribute for your action, you do not need to list it in
<code><a
llowed-methods></code>.)</p><p>Note that you can specify
<code><allowed-methods></code> even without
<code>strict-method-invocation</code>. This restricts access only for the
specific actions that have <code><allowed-methods></code>.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;"><b>Example
struts.xml</b></div><div class="codeContent panelContent pdl">
+</div></div><p>From the framework's perspective, a wildcard mapping creates a
new "virtual" mapping with all the same attributes as a conventional, static
mapping. As a result, you can use the expanded wildcard name as the name of
validation, type conversion, and message resource files, just as if it were an
Action name (which it
is!).</p><ul><li><code>Crud_input-validation.xml</code></li><li><code>Crud_delete-conversion.xml</code></li></ul><div
class="confluence-information-macro
confluence-information-macro-warning"><span class="aui-icon aui-icon-small
aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>If Wildcard Method mapping uses a
"!" in the action name, the Wildcard Method will overlap with another flexible
approach to mapping, <a shape="rect" href="action-configuration.html">Dynamic
Method Invocation</a>. To use action names that include the "!" character, set
<code>struts.enable.DynamicMethodInvocation</code> to <
code>FALSE</code> in the application configuration.</p></div></div><h2
id="ActionConfiguration-DynamicMethodInvocation">Dynamic Method
Invocation</h2><p>There's a feature embedded in WebWork 2 that lets the "!"
(bang) character invoke a method other than <code>execute</code>. In WebWork,
it doesn't really have a name. During the S2 discussions, we coined the term
"dynamic method invocation" to describe how WW/S2 use the bang
notation.</p><p>Dynamic Method Invocation (DMI) will use the string following a
"!" character in an action name as the name of a method to invoke (instead of
<code>execute</code>). A reference to "<code>Category!create.action</code>",
says to use the "Category" action mapping, but call the <code>create</code>
method instead.</p><p>Another way to use DMI is to provide HTTP parameters
prefixed with "<code>method:</code>". For example in the URL it could be
"<code>Category.action?method:create=foo</code>", the parameter value is
ignored. In POST-Requests that can b
e used e.g. with a hidden parameter (<code><s:hidden name="method:create"
value="foo" /></code>) or along with a button (<code><s:submit
method="create" /></code>).</p><p> </p><p>For Struts 2, we added a
switch to disable DMI for two reasons. First, DMI can cause security issues if
POJO actions are used. Second, DMI overlaps with the Wildcard Method feature
that we brought over from Struts 1 (and from Cocoon before that). If you have
security concerns, or would like to use the "!" character with Wildcard Method
actions, then set <code>struts.enable.DynamicMethodInvocation</code> to
<code>FALSE</code> in the application configuration.</p><p>The framework does
support DMI, just like WebWork 2, but there are problems with way DMI is
implemented. Essentially, the code scans the action name for a "!" character,
and finding one, tricks the framework into invoking the other method instead of
<code>execute</code>. The other method is invoked, but it uses the same
configurat
ion as the <code>execute</code> method, including validations. The framework
"believes" it is invoking the <code>Category</code> action with the
<code>execute</code> method.</p><p>The Wildcard Method feature is implemented
differently. When a Wildcard Method action is invoked, the framework acts as if
the matching action had been hardcoded in the configuration. The framework
"believes" it's executing the action <code>Category!create</code> and "knows"
it is executing the <code>create</code> method of the corresponding Action
class. Accordingly, we can add for a Wildcard Method action mapping its own
validations, message resources, and type converters, just like a conventional
action mapping. For this reason, the <a shape="rect"
href="action-configuration.html">Wildcard Method</a> is preferred.</p><p>In
Struts 2.3, an option was added to restrict the methods that DMI can invoke.
First, set the attribute <code>strict-method-invocation="true"</code> on your
<code><package></code>
element. This tells Struts to reject any method that is not explicitly
allowed via either the <code>method</code> attribute (including wildcards) or
the <code><allowed-methods></code> tag. Then specify
<code><allowed-methods></code> as a comma-separated list of method names
in your <code><action></code>. (If you specify a <code>method</code>
attribute for your action, you do not need to list it in
<code><allowed-methods></code>.)</p><p>Note that you can specify
<code><allowed-methods></code> even without
<code>strict-method-invocation</code>. This restricts access only for the
specific actions that have <code><allowed-methods></code>.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;"><b>Example
struts.xml</b></div><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
Modified: websites/production/struts/content/docs/migration-guide.html
==============================================================================
--- websites/production/struts/content/docs/migration-guide.html (original)
+++ websites/production/struts/content/docs/migration-guide.html Thu Sep 24
18:29:30 2015
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><p>Getting here from there.</p><h3
id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a
shape="rect" href="version-notes-25.html">Version Notes 2.5</a></li></ul><h3
id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a
shape="rect" href="version-notes-2324.html">Version Notes 2.3.24</a></li><li><a
shape="rect" href="version-notes-23201.html">Version Notes
2.3.20.1</a></li><li><a shape="rect" href="version-notes-2320.html">Version
Notes 2.3.20</a></li><li><a shape="rect"
href="version-notes-23163.html">Version Notes 2.3.16.3</a></li><li><a
shape="rect" href="version-notes-23162.html">Version Notes
2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version
Notes 2.3.16.1</a></li><li><a shape="rect"
href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect"
href="version-notes-23153.html">Version Notes 2.3.15.3</a></li><li><a
shape="rect" href="version-notes-23152.html">
Version Notes 2.3.15.2</a></li><li><a shape="rect"
href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a
shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a
shape="rect" href="version-notes-23143.html">Version Notes
2.3.14.3</a></li><li><a shape="rect" href="version-notes-23142.html">Version
Notes 2.3.14.2</a></li><li><a shape="rect"
href="version-notes-23141.html">Version Notes 2.3.14.1</a></li><li><a
shape="rect" href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a
shape="rect" href="version-notes-23120.html">Version Notes
2.3.12.0</a></li><li><a shape="rect" href="version-notes-238.html">Version
Notes 2.3.8</a></li><li><a shape="rect" href="version-notes-237.html">Version
Notes 2.3.7</a></li><li><a shape="rect" href="version-notes-2341.html">Version
Notes 2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version
Notes 2.3.4</a></li><li><a shape="rect" href="version-notes-233.html">Version
Notes 2.3.3</a></l
i><li><a shape="rect" href="version-notes-2312.html">Version Notes
2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version
Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version
Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version
Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version
Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version
Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version
Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version
Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version
Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version
Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version
Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version
Notes 2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">
Version Notes 2.1.5</a></li><li><a shape="rect"
href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect"
href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect"
href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect"
href="version-notes-211.html">Version Notes 2.1.1</a></li><li><a shape="rect"
href="version-notes-210.html">Version Notes 2.1.0</a></li></ul><h3
id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a
shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a
shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a
shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a
shape="rect" href="release-notes-20112.html">Release Notes
2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release
Notes 2.0.11.1</a></li><li><a shape="rect"
href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a shape="rect
" href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a
shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a
shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a
shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a
shape="rect" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a
shape="rect" href="release-notes-205.html">Release Notes 2.0.5</a></li><li><a
shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a
shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a
shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a
shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a
shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3
id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" ro
wspan="1" class="confluenceTh"><p><a shape="rect"
href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2
alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1
Solutions</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Various issues (and hopefully their solutions!)
encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p><a shape="rect"
href="migration-strategies.html">Migration Strategies</a></p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies
for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
href="migration-tools.html">Migration Tools</a></p></th><td colspan="1"
rowspan="1" class="confluenceTd"
><p>Development tools to help aid the migration
>process.</p></td></tr></tbody></table></div><h4
>id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table
>class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
>class="confluenceTh"><p><a shape="rect" class="external-link"
>href="http://www.infoq.com/news/migrating-struts2" rel="nofollow">Migrating
>Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1"
>class="confluenceTd"><p>A three-part series by Ian Roughley (Sep
>2006)</p></td></tr></tbody></table></div><h4
>id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table
>class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
>class="confluenceTh"><p><a shape="rect" class="external-link"
>href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td
>colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts
>2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a
>shape="rect" class="extern
al-link"
href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html"
rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Don Brown's summary of
events</p></td></tr></tbody></table></div><h3
id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p><a shape="rect"
href="key-changes-from-webwork-2.html">Key Changes From WebWork
2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been
removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
href="webwork-2-migration-strategies.html">WebWork 2 Migration
Strategies</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2
applications to Struts 2.</p></td></tr></tbody></table></div><h2 id
="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect"
href="where-do-we-get-the-latest-version-the-framework.html">Where do we get
the latest version the framework</a>?</li><li><a shape="rect"
href="what-are-some-of-the-frameworks-best-features.html">What are some of the
framework's best features</a>?</li><li><a shape="rect"
href="what-is-the-actioncontext.html">What is the
ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect"
href="contributors-guide.html">Contributors Guide</a></h2></div>
+ <div id="ConfluenceContent"><p>Getting here from there.</p><h3
id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a
shape="rect" href="version-notes-25.html">Version Notes 2.5</a></li></ul><h3
id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a
shape="rect" href="version-notes-23241.html">Version Notes
2.3.24.1</a></li><li><a shape="rect" href="version-notes-2324.html">Version
Notes 2.3.24</a></li><li><a shape="rect"
href="version-notes-23201.html">Version Notes 2.3.20.1</a></li><li><a
shape="rect" href="version-notes-2320.html">Version Notes 2.3.20</a></li><li><a
shape="rect" href="version-notes-23163.html">Version Notes
2.3.16.3</a></li><li><a shape="rect" href="version-notes-23162.html">Version
Notes 2.3.16.2</a></li><li><a shape="rect"
href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a
shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a
shape="rect" href="version-notes-23153.html">
Version Notes 2.3.15.3</a></li><li><a shape="rect"
href="version-notes-23152.html">Version Notes 2.3.15.2</a></li><li><a
shape="rect" href="version-notes-23151.html">Version Notes
2.3.15.1</a></li><li><a shape="rect" href="version-notes-2315.html">Version
Notes 2.3.15</a></li><li><a shape="rect"
href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a
shape="rect" href="version-notes-23142.html">Version Notes
2.3.14.2</a></li><li><a shape="rect" href="version-notes-23141.html">Version
Notes 2.3.14.1</a></li><li><a shape="rect"
href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect"
href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a
shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a
shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a
shape="rect" href="version-notes-2341.html">Version Notes
2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes
2.3.4</
a></li><li><a shape="rect" href="version-notes-233.html">Version Notes
2.3.3</a></li><li><a shape="rect" href="version-notes-2312.html">Version Notes
2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version
Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version
Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version
Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version
Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version
Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version
Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version
Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version
Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version
Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version
Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.h
tml">Version Notes 2.1.6</a></li><li><a shape="rect"
href="version-notes-215.html">Version Notes 2.1.5</a></li><li><a shape="rect"
href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect"
href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect"
href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect"
href="version-notes-211.html">Version Notes 2.1.1</a></li><li><a shape="rect"
href="version-notes-210.html">Version Notes 2.1.0</a></li></ul><h3
id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a
shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a
shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a
shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a
shape="rect" href="release-notes-20112.html">Release Notes
2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release
Notes 2.0.11.1</a></li><li><a shape="r
ect" href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a
shape="rect" href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a
shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a
shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a
shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a
shape="rect" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a
shape="rect" href="release-notes-205.html">Release Notes 2.0.5</a></li><li><a
shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a
shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a
shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a
shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a
shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3
id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><
div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2
alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1
Solutions</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Various issues (and hopefully their solutions!)
encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p><a shape="rect"
href="migration-strategies.html">Migration Strategies</a></p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies
for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
href="migration-tools
.html">Migration Tools</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Development tools to help aid the migration
process.</p></td></tr></tbody></table></div><h4
id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p><a shape="rect" class="external-link"
href="http://www.infoq.com/news/migrating-struts2" rel="nofollow">Migrating
Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>A three-part series by Ian Roughley (Sep
2006)</p></td></tr></tbody></table></div><h4
id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p><a shape="rect" class="external-link"
href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts
2?</p></td></tr><t
r><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
class="external-link"
href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html"
rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Don Brown's summary of
events</p></td></tr></tbody></table></div><h3
id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p><a shape="rect"
href="key-changes-from-webwork-2.html">Key Changes From WebWork
2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been
removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect"
href="webwork-2-migration-strategies.html">WebWork 2 Migration
Strategies</a></p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Steps and overall strategies for migr
ating WebWork 2 applications to Struts
2.</p></td></tr></tbody></table></div><h2
id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect"
href="where-do-we-get-the-latest-version-the-framework.html">Where do we get
the latest version the framework</a>?</li><li><a shape="rect"
href="what-are-some-of-the-frameworks-best-features.html">What are some of the
framework's best features</a>?</li><li><a shape="rect"
href="what-is-the-actioncontext.html">What is the
ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect"
href="contributors-guide.html">Contributors Guide</a></h2></div>
</div>
<div class="tabletitle">
@@ -140,6 +140,9 @@ under the License.
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
+ <span class="smalltext">(Apache Struts 2
Documentation)</span>
+ <br>
+ $page.link($child)
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
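Review bot: the three added lines repeat the literal template expression `$page.link($child)` together with its `<span class="smalltext">(Apache Struts 2 Documentation)</span>` and `<br>`, which the surrounding context already shows twice; the expression is reaching the published page as text rather than being rendered into a child-page link, and adding a third copy only repeats the unrendered placeholder. The page generator should render `$page.link($child)` into an anchor for each child page (or stop emitting the placeholder when it cannot), and the `tabletitle` block should be checked in the published output before this goes live.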
Modified: websites/production/struts/content/docs/rest-plugin.html
==============================================================================
--- websites/production/struts/content/docs/rest-plugin.html (original)
+++ websites/production/struts/content/docs/rest-plugin.html Thu Sep 24
18:29:30 2015
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><div
class="confluence-information-macro
confluence-information-macro-information"><span class="aui-icon aui-icon-small
aui-iconfont-info confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>This plugin is only available with
Struts 2.1.1 or later</p></div></div><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1440489225220 {padding: 0px;}
-div.rbtoc1440489225220 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1440489225220 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1443119322444 {padding: 0px;}
+div.rbtoc1443119322444 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1443119322444 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1440489225220">
+/*]]>*/</style></p><div class="toc-macro rbtoc1443119322444">
<ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a
shape="rect" href="#RESTPlugin-Overview">Overview</a>
<ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a
shape="rect" href="#RESTPlugin-Features">Features</a></li><li><span
class="TOCOutline">1.2</span> <a shape="rect"
href="#RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts
2 Actions</a>
<ul class="toc-indentation"><li><span class="TOCOutline">1.2.1</span> <a
shape="rect" href="#RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping
Logic</a></li></ul>
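Review bot: the only change in this hunk is the TOC class suffix, `rbtoc1440489225220` becoming `rbtoc1443119322444`, with the three CSS rules and the `toc-macro` div otherwise identical; because the suffix is regenerated on every export, each publish will churn these six lines and bury real edits in noise, so a stable class name (or stripping the numeric suffix at export time) would help reviewers. Also, the `<style>` element is emitted inside a paragraph (`<p><style type="text/css">/*<![CDATA[*/`), which is not valid placement in HTML 4.01 Transitional; moving it out of the `<p>` (or into `<head>`) would make the page validate.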
@@ -157,7 +157,7 @@ div.rbtoc1440489225220 li {margin-left:
</li><li><span class="TOCOutline">3</span> <a shape="rect"
href="#RESTPlugin-AdvancedTopics">Advanced Topics</a>
<ul class="toc-indentation"><li><span class="TOCOutline">3.1</span> <a
shape="rect" href="#RESTPlugin-CustomContentTypeHandlers">Custom
ContentTypeHandlers</a></li><li><span class="TOCOutline">3.2</span> <a
shape="rect" href="#RESTPlugin-UseJacksonframeworkasJSONContentTypeHandler">Use
Jackson framework as JSON ContentTypeHandler</a></li><li><span
class="TOCOutline">3.3</span> <a shape="rect"
href="#RESTPlugin-Settings">Settings</a></li></ul>
</li><li><span class="TOCOutline">4</span> <a shape="rect"
href="#RESTPlugin-Resources">Resources</a></li><li><span
class="TOCOutline">5</span> <a shape="rect"
href="#RESTPlugin-VersionHistory">Version History</a></li></ul>
-</div><h2 id="RESTPlugin-Overview">Overview</h2><p>The REST Pluginprovides
high level support for the implementation of RESTful resource based web
applicationsThe REST plugin can cooperate with the <a shape="rect"
href="convention-plugin.html">Convention Plugin</a> to support a zero
configuration approach to declaring your actions and results, but you can
always use the REST plugin with XML style configuration if you like.</p><p>If
you prefer to see a working code example, instead of reading through an
explanation, you can download the <a shape="rect" class="external-link"
href="http://struts.apache.org/2.x/index.html">struts2 sample apps</a> and
check out the <code>struts2-rest-showcase</code> application, a complete WAR
file, that demonstrates a simple REST web program.</p><h3
id="RESTPlugin-Features">Features</h3><ul><li>Ruby on Rails REST-style
URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in
serialization and deserialization support for XML and JSO
N</li><li>Automatic error handling</li><li>Type-safe configuration of the HTTP
response</li><li>Automatic conditional GET support</li></ul><h3
id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2
Actions</h3><p>The main functionality of the REST plugin lies in the
interpretation of incoming request URL's according the RESTful rules. In the
Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in
implementation of the <a shape="rect" class="external-link"
href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a>
interface. Out of the box, Struts 2 uses the <a shape="rect"
class="external-link"
href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a>
to map URL's to Actions via the logic you are probably already familiar
with.</p><div class="confluence-infor
mation-macro confluence-information-macro-note"><span class="aui-icon
aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p><em>Actions or Controllers</em>?
Most Struts 2 developers are familiar with the Action. They are the things that
get executed by the incoming requests. In the context of the REST plugin, just
to keep you on your toes, we'll adopt the RESTful lingo and refer to our
Actions as <em>Controllers</em>. Don't be confused; it's just a
name!</p></div></div><p>The REST plugin provides an alternative implementation,
<a shape="rect" class="external-link"
href="http://struts.apache.org/2.x/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>,
that provides the RESTful logic that maps a URL to a give action class ( aka
'controller' in RESTful terms ) and, more specifically, to the invocation of a
method on that controller class. Th
e following section, which comes from the Javadoc for the class, details this
logic.</p><h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping
Logic</h4><p>This Restful action mapper enforces Ruby-On-Rails REST-style
mappings. If the method is not specified (via '!' or 'method:' prefix), the
method is "guessed" at using REST-style conventions that examine the URL and
the HTTP method. Special care has been given to ensure this mapper works
correctly with the codebehind plugin so that XML configuration is
unnecessary.</p><p>This mapper supports the following parameters:</p><ul
style="list-style-type: square;"><li><span style="line-height:
1.4285715;"><code>struts.mapper.idParameterName</code> - If set, this value
will be the name</span><span style="line-height: 1.4285715;"> of the
parameter under which the id is stored. The id will then be removed</span><span
style="line-height: 1.4285715;"> from the action name. Whether or not the
method is specified, the
mapper will </span><span style="line-height: 1.4285715;"> try to
truncate the identifier from the url and store it as a
parameter.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.indexMethodName</code> - The method name to
call for a GET</span><span style="line-height: 1.4285715;"> request with
no id parameter. Defaults to <strong>index</strong>.</span></li><li><span
style="line-height: 1.4285715;"><code>struts.mapper.getMethodName</code> - The
method name to call for a GET</span><span style="line-height:
1.4285715;"> request with an id parameter. Defaults to
<strong>show</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.postMethodName</code> - The method name to call
for a POST</span><span style="line-height: 1.4285715;"> request with no id
parameter. Defaults to <strong>create</strong>.</span></li><li><span
style="line-height: 1.4285715;"><code>struts.mapper.putMethodName</code> - The
method name to
call for a PUT</span><span style="line-height: 1.4285715;"> request with
an id parameter. Defaults to <strong>update</strong>.</span></li><li><span
style="line-height: 1.4285715;"><code>struts.mapper.deleteMethodName</code> -
The method name to call for a DELETE</span><span style="line-height:
1.4285715;"> request with an id parameter. Defaults to
<strong>destroy</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.editMethodName</code> - The method name to call
for a GET</span><span style="line-height: 1.4285715;"> request with an id
parameter and the <strong>edit</strong> view specified. Defaults to
<strong>edit</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.newMethodName</code> - The method name to call
for a GET</span><span style="line-height: 1.4285715;"> request with no id
parameter and the <strong>new</strong> view specified. Defaults to
<strong>editNew</strong>.</span></li></ul><
p>The following URL's will invoke its methods:</p><ul style="list-style-type:
square;"><li><code>GET: /movies</code> =>
method=<strong>index</strong></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers</code> =>
method=<strong>show</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers;edit</code> =>
method=<strong>edit</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers/edit</code> =>
method=<strong>edit</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/new</code> =>
method=<strong>editNew</strong></span></li><li><span style="line-height:
1.4285715;"><code>POST: /movies</code> =>
method=<strong>create</strong></span></li><li><span style="line-height:
1.4285715;"><code>PUT: /movies/Thrillers</code> => method=<stron
g>update</strong>, id=<strong>Thrillers</strong></span></li><li><span
style="line-height: 1.4285715;"><code>DELETE:
/movies/Thrillers</code> => method=<strong>destroy</strong>,
id=<strong>Thrillers</strong></span></li></ul><div
class="confluence-information-macro confluence-information-macro-note"><span
class="aui-icon aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>To simulate the HTTP methods PUT
and DELETE, since they aren't supported by HTML, the HTTP parameter
"_method" will be used.</p></div></div><p>Or, expressed as a table:</p><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>HTTP method</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>URI</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Class.method</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>parameters</p></th></tr><tr><td cols
pan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.index</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>POST</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.create</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>PUT</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.update</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>DELETE</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Movie.destroy</p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.show</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers/edit</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Movie.edit</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>/movie/new</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Movie.editNew</p></td><td colspan="1"
rowspan="1" class="c
onfluenceTd"><p> </p></td></tr></tbody></table></div><h3
id="RESTPlugin-ContentTypes">Content Types</h3><p>In addition to providing
mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin
also provides the ability to produce multiple representations of the resource
data. By default, the plugin can return the resource in the following content
types:</p><ul style="list-style-type: square;"><li>HTML</li><li><span
style="line-height: 1.4285715;">XML </span></li><li><span
style="line-height: 1.4285715;">JSON</span></li></ul><p>There is nothing
configure here, just add the conent type extension to your RESTful URL. The
framework will take care of the rest. So, for instance, assuming a Controller
called Movies and a movie with the id of superman, the following URL's will all
hit the</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+</div><h2 id="RESTPlugin-Overview">Overview</h2><p>The REST Pluginprovides
high level support for the implementation of RESTful resource based web
applicationsThe REST plugin can cooperate with the <a shape="rect"
href="convention-plugin.html">Convention Plugin</a> to support a zero
configuration approach to declaring your actions and results, but you can
always use the REST plugin with XML style configuration if you like.</p><p>If
you prefer to see a working code example, instead of reading through an
explanation, you can download the <a shape="rect" class="external-link"
href="http://struts.apache.org/download.cgi#struts-ga">struts2 sample apps</a>
and check out the <code>struts2-rest-showcase</code> application, a complete
WAR file, that demonstrates a simple REST web program.</p><h3
id="RESTPlugin-Features">Features</h3><ul><li>Ruby on Rails REST-style
URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in
serialization and deserialization support for XML
and JSON</li><li>Automatic error handling</li><li>Type-safe configuration of
the HTTP response</li><li>Automatic conditional GET support</li></ul><h3
id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2
Actions</h3><p>The main functionality of the REST plugin lies in the
interpretation of incoming request URL's according the RESTful rules. In the
Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in
implementation of the <a shape="rect" class="external-link"
href="http://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a>
interface. Out of the box, Struts 2 uses the <a shape="rect"
class="external-link"
href="http://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a>
to map URL's to Actions via the logic you are probably already familiar
with.</p><div class="conf
luence-information-macro confluence-information-macro-note"><span
class="aui-icon aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p><em>Actions or Controllers</em>?
Most Struts 2 developers are familiar with the Action. They are the things that
get executed by the incoming requests. In the context of the REST plugin, just
to keep you on your toes, we'll adopt the RESTful lingo and refer to our
Actions as <em>Controllers</em>. Don't be confused; it's just a
name!</p></div></div><p>The REST plugin provides an alternative implementation,
<a shape="rect" class="external-link"
href="http://struts.apache.org/maven/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>,
that provides the RESTful logic that maps a URL to a give action class ( aka
'controller' in RESTful terms ) and, more specifically, to the invocation of a
method on that contro
ller class. The following section, which comes from the Javadoc for the class,
details this logic.</p><h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL
Mapping Logic</h4><p>This Restful action mapper enforces Ruby-On-Rails
REST-style mappings. If the method is not specified (via '!' or 'method:'
prefix), the method is "guessed" at using REST-style conventions that examine
the URL and the HTTP method. Special care has been given to ensure this
mapper works correctly with the codebehind plugin so that XML
configuration is unnecessary.</p><p>This mapper supports the following
parameters:</p><ul style="list-style-type: square;"><li><span
style="line-height: 1.4285715;"><code>struts.mapper.idParameterName</code> - If
set, this value will be the name</span><span style="line-height:
1.4285715;"> of the parameter under which the id is stored. The id will
then be removed</span><span style="line-height: 1.4285715;"> from the
action name. Whether or not the method is s
pecified, the mapper will </span><span style="line-height:
1.4285715;"> try to truncate the identifier from the url and store it as a
parameter.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.indexMethodName</code> - The method name to
call for a GET</span><span style="line-height: 1.4285715;"> request with
no id parameter. Defaults to <strong>index</strong>.</span></li><li><span
style="line-height: 1.4285715;"><code>struts.mapper.getMethodName</code> - The
method name to call for a GET</span><span style="line-height:
1.4285715;"> request with an id parameter. Defaults to
<strong>show</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.postMethodName</code> - The method name to call
for a POST</span><span style="line-height: 1.4285715;"> request with no id
parameter. Defaults to <strong>create</strong>.</span></li><li><span
style="line-height: 1.4285715;"><code>struts.mapper.putMethodName</code> - The
method name to call for a PUT</span><span style="line-height:
1.4285715;"> request with an id parameter. Defaults to
<strong>update</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.deleteMethodName</code> - The method name to
call for a DELETE</span><span style="line-height: 1.4285715;"> request
with an id parameter. Defaults to
<strong>destroy</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.editMethodName</code> - The method name to call
for a GET</span><span style="line-height: 1.4285715;"> request with an id
parameter and the <strong>edit</strong> view specified. Defaults to
<strong>edit</strong>.</span></li><li><span style="line-height:
1.4285715;"><code>struts.mapper.newMethodName</code> - The method name to call
for a GET</span><span style="line-height: 1.4285715;"> request with no id
parameter and the <strong>new</strong> view specified. Defaults to
<strong>editNew</strong>.</sp
an></li></ul><p>The following URL's will invoke its methods:</p><ul
style="list-style-type: square;"><li><code>GET: /movies</code> =>
method=<strong>index</strong></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers</code> =>
method=<strong>show</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers;edit</code> =>
method=<strong>edit</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/Thrillers/edit</code> =>
method=<strong>edit</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>GET: /movies/new</code> =>
method=<strong>editNew</strong></span></li><li><span style="line-height:
1.4285715;"><code>POST: /movies</code> =>
method=<strong>create</strong></span></li><li><span style="line-height:
1.4285715;"><code>PUT: /movies/Thrillers</code> =>
method=<strong>update</strong>,
id=<strong>Thrillers</strong></span></li><li><span style="line-height:
1.4285715;"><code>DELETE: /movies/Thrillers</code> =>
method=<strong>destroy</strong>,
id=<strong>Thrillers</strong></span></li></ul><div
class="confluence-information-macro confluence-information-macro-note"><span
class="aui-icon aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>To simulate the HTTP methods PUT
and DELETE, since they aren't supported by HTML, the HTTP parameter
"_method" will be used.</p></div></div><p>Or, expressed as a table:</p><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>HTTP method</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>URI</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Class.method</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>parameters</p></th></t
r><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Movie.index</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> </p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>POST</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.create</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>PUT</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.update</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>DELETE</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrille
rs</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.destroy</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Movie.show</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>/movie/Thrillers/edit</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Movie.edit</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>/movie/new</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Movie.editNew</p></td><td colspan="1" rowspa
n="1" class="confluenceTd"><p> </p></td></tr></tbody></table></div><h3
id="RESTPlugin-ContentTypes">Content Types</h3><p>In addition to providing
mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin
also provides the ability to produce multiple representations of the resource
data. By default, the plugin can return the resource in the following content
types:</p><ul style="list-style-type: square;"><li>HTML</li><li><span
style="line-height: 1.4285715;">XML </span></li><li><span
style="line-height: 1.4285715;">JSON</span></li></ul><p>There is nothing
configure here, just add the conent type extension to your RESTful URL. The
framework will take care of the rest. So, for instance, assuming a Controller
called Movies and a movie with the id of superman, the following URL's will all
hit the</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">http://my.company.com/myapp/movies/superman
http://my.company.com/myapp/movies/superman.xml
http://my.company.com/myapp/movies/superman.xhtml
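Review bot: the note `To simulate the HTTP methods PUT and DELETE, since they aren't supported by HTML, the HTTP parameter "_method" will be used` (unchanged between the old and new text) does not say which request methods accept the override, yet the table above it selects `Movie.update` and `Movie.destroy` by HTTP method; readers who key authorization or CSRF handling on the method need the paragraph to state that the override is applied before mapping and on which requests it is honoured. The hunk otherwise only swaps the `/2.x/` apidocs links for `/maven/` and the sample-apps link for `http://struts.apache.org/download.cgi#struts-ga`, and carries the source text's typos over unchanged: `REST Pluginprovides`, `applicationsThe REST plugin`, `according the RESTful rules`, `handled by in implementation`, `a give action class`, `There is nothing configure here` and `conent type`; fix those in the wiki source so the next export picks them up rather than patching the generated HTML.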
Added: websites/production/struts/content/docs/s2-026.html
==============================================================================
--- websites/production/struts/content/docs/s2-026.html (added)
+++ websites/production/struts/content/docs/s2-026.html Thu Sep 24 18:29:30 2015
@@ -0,0 +1,154 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet"
href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image:
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css'
rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css'
rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js'
type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-026</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a
href="security-bulletins.html">Security Bulletins</a> > <a
href="s2-026.html">S2-026</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search"
method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the
logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left;
margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts
2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-026</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px;
margin: 0px;">
+ <a
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61317915">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Edit Page"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61317915">Edit
Page</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Browse Space"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse
Space</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61317915">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Add Page"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61317915">Add
Page</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61317915">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Add News"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61317915">Add
News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2
id="S2-026-Summary">Summary</h2>Special <code>top</code> object can be used to
access Struts' internals<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Manipulation of Struts' internals, altering
of user session</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Update regex used to excluded vulnerable
incoming parameters. An upgrade to <a shape="rect" class="ext
ernal-link" href="http://struts.apache.org/download.cgi#struts23241">Struts
2.3.24.1</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.24</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span style="line-height: 1.42857;">rskvp93
at gmail dot com from </span>Viettel Information Security
Center</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE
Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span
style="color: rgb(34,34,34);"><a shape="rect" class="external-link"
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5209"
rel="nofollow">CVE-2015-5209</a></span></p></td></tr></tbody></table></div><h2
id="S2-026-Problem">Problem</h2><p>ValueStack defines s
pecial <code>top</code> object which represents root of execution context. It
can be used to manipulate Struts' internals or can be used to affect
container's settings</p><h2 id="S2-026-Solution">Solution</h2><p>Applying
better regex which includes pattern to exclude request parameters trying to
use <code>top</code> object. We recommend upgrading to Struts
2.3.24.1.</p><div class="confluence-information-macro
confluence-information-macro-warning"><span class="aui-icon aui-icon-small
aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Support for expression using
<code>top</code> will be dropped in upcoming Struts version
2.5!</p></div></div><h2 id="S2-026-Backwardcompatibility">Backward
compatibility</h2><p>If an application is using parameter named
<code>top</code> to access action's properties, it won't be set on the
action. In other case no backward compatibility problems are
expected.</p><h2 id="S2-02
6-Workaround">Workaround</h2><p>Applying the below patterns will solve the
problem as well:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
+"^(action|method):.*"</pre>
+</div></div></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
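Review bot: the Workaround section gives the two patterns but never says where they go or in what form. They are printed as Java string literals (quoted, doubled backslashes such as `\\.` and `\\[`, comma separated), which is the form used in Java source, not what a user pastes into struts.xml as an `excludeParams` value, where the backslashes are single; state which form is meant and show the struts.xml form as well. Since the S2-024 entry on the bulletins index warns that an `excludeParams` setting overrides the defaults, the text should also say that these patterns are to be added alongside the existing exclusions rather than set as the only ones, otherwise a reader following this workaround can silently drop the earlier protections. Smaller points in the same hunk: the Affected Software cell reads "Struts 2.0.0 - Struts Struts 2.3.24" (duplicated word); the Recommendation cell should read "Update the regex used to exclude vulnerable incoming parameters"; the Problem section should name which interceptor consumes the patterns so readers know which configuration is affected.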
Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Thu Sep 24
18:29:30 2015
@@ -126,7 +126,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The following security bulletins
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a>
— <span class="smalltext">Remote code exploit on form validation
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> —
<span class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</span></li><li><a shape="rect"
href="s2-003.html">S2-003</a> — <span class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a
shape="rect" href="s2-004.html">S2-004</a> — <span
class="smalltext">Directory traversal vulnerability while serving static
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> —
<span class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a>
— <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork
generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> —
<span class="smalltext">Multiple critical vulnerabilities in
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> —
<span class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a>
— <span class="smalltext">When using Struts 2 token mechanism for CSRF
protection, token check may be bypassed by misusing known session
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> —
<span class="smalltext">Long request parameter names might significantly
promote the effectiveness of DOS attacks</span></li><li><a shape="rect"
href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app
vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span
class="smalltext">A vulnerability, present in the includeParams attribute of
the URL and Anchor Tag, allows remote command execution</span></li><li><a
shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A
vulnerability introduced by forcing parameter inclusion in the URL and Anchor
Tag allows remote command execution, session access and manipulation and XSS
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> —
<span class="smalltext">A vulnerability introduced by wildcard matching
mechanism or double evaluation of OGNL Expression allows remote command
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> —
<span class="smalltext">A vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> —
<span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a
shape="rect" href="s2-018.html">S2-018</a> — <span
class="smalltext">Broken Access Control Vulnerability in Apache
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> —
<span class="smalltext">Dynamic Method Invocation disabled by
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> —
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid
ClassLoader manipulation)</span></li><li><a shape="rect"
href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a>
— <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a
shape="rect" href="s2-023.html">S2-023</a> — <span
class="smalltext">Generated value of token can be predictable</span></li><li><a
shape="rect" href="s2-024.html">S2-024</a> — <span
class="smalltext">Wrong excludeParams overrides those defined in
DefaultExcludedPatternsChecker</span></li><li><a shape="rect"
href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site
Scripting Vulnerability in Debug Mode</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a>
— <span class="smalltext">Remote code exploit on form validation
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> —
<span class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</span></li><li><a shape="rect"
href="s2-003.html">S2-003</a> — <span class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a
shape="rect" href="s2-004.html">S2-004</a> — <span
class="smalltext">Directory traversal vulnerability while serving static
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> —
<span class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a>
— <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork
generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> —
<span class="smalltext">Multiple critical vulnerabilities in
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> —
<span class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a>
— <span class="smalltext">When using Struts 2 token mechanism for CSRF
protection, token check may be bypassed by misusing known session
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> —
<span class="smalltext">Long request parameter names might significantly
promote the effectiveness of DOS attacks</span></li><li><a shape="rect"
href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app
vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span
class="smalltext">A vulnerability, present in the includeParams attribute of
the URL and Anchor Tag, allows remote command execution</span></li><li><a
shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A
vulnerability introduced by forcing parameter inclusion in the URL and Anchor
Tag allows remote command execution, session access and manipulation and XSS
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> —
<span class="smalltext">A vulnerability introduced by wildcard matching
mechanism or double evaluation of OGNL Expression allows remote command
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> —
<span class="smalltext">A vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> —
<span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a
shape="rect" href="s2-018.html">S2-018</a> — <span
class="smalltext">Broken Access Control Vulnerability in Apache
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> —
<span class="smalltext">Dynamic Method Invocation disabled by
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> —
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid
ClassLoader manipulation)</span></li><li><a shape="rect"
href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a>
— <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a
shape="rect" href="s2-023.html">S2-023</a> — <span
class="smalltext">Generated value of token can be predictable</span></li><li><a
shape="rect" href="s2-024.html">S2-024</a> — <span
class="smalltext">Wrong excludeParams overrides those defined in
DefaultExcludedPatternsChecker</span></li><li><a shape="rect"
href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site
Scripting Vulnerability in Debug Mode and in exposed JSP
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> —
<span class="smalltext">Special top object can be used to access Struts'
internals</span></li></ul></div>
</div>
<div class="tabletitle">
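Review bot: besides adding the S2-026 entry, the replaced line also rewords the S2-025 summary from "Cross-Site Scripting Vulnerability in Debug Mode" to "Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files"; that is a content change to an earlier bulletin and should be called out in the commit, with s2-025.html kept consistent, rather than slipped into an entry-addition hunk. Style: the entire `<ul class="childpages-macro">` is emitted as one line, so every new bulletin produces a whole-list delete/add that hides the actual change; if the exporter allows it, one `<li>` per line would keep future diffs reviewable.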
@@ -141,6 +141,9 @@ under the License.
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
+ <span class="smalltext">(Apache Struts 2
Documentation)</span>
+ <br>
+ $page.link($child)
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
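Review bot: unrendered Velocity template text is being committed to the production page. `$page.link($child)` followed by "(Apache Struts 2 Documentation)" is a template expression the exporter failed to evaluate, and this hunk adds a third literal copy of it; each new child page will append one more line of raw `$page.link($child)` to the published HTML. Fix the exporter so the child loop renders (or drop the tabletitle block) instead of committing the unexpanded variable.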