Modified: websites/production/struts/content/docs/processing-forms.html ============================================================================== --- websites/production/struts/content/docs/processing-forms.html (original) +++ websites/production/struts/content/docs/processing-forms.html Fri Mar 11 11:02:24 2016 
@@ -138,7 +138,7 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> - <div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This tutorial assumes you've completed the <a shape="rect" class="unresolved" href="#">Coding Struts 2 Actons</a> tutorial and have a working coding_actions project. The example code for this tutorial, form_processing, is available for checkout from the Struts 2 GitHub subversion repository: <a shape="rect" class="external-link" href="https://github.com/apache/struts-examples"; rel="nofollow">https://github.com/apache/struts-examples</a>.</p></div></div><h3 id="ProcessingForms-Introduction">Introduction</h3><p>In this tutorial we'll explore using Struts 2 to do more involved processing of a form submission. We'll cover how to use a Java model class to store the form input and how to create the Struts 2 form to match up with that model class.</p><p>The code provided in this tutorial may be added to the <a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> example or you can download this complete example from Google Code - <a shape="rect" class="external-link" href="http://code.google.com/p/struts2-examples/downloads/list"; rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</a>.</p><div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The <a shape="rect" class="external-link" href="http://struts.apache.org/mail.html";>Struts 2 user mailing list</a> is an excellent place to get help. If you are having a problem getting the tutorial example applications to work search the Struts 2 mailing list. 
If you don't find an answer to your problem, post a question on the mailing list.</p></div></d iv><h3 id="ProcessingForms-FormsandAJavaModelClass">Forms and A Java Model Class</h3><p>For this tutorial let's say we need to provide a form that a user may submit to register for a prize drawing. Our business rules state the user must provide his/her first name, last name, email address, and age.</p><p>To encapsulate this data, we'll use a simple Java class that follows the basic Java Bean specifications (public set/get methods for each instance field). If you're following along add this class to package org.apache.struts.register.model in the <a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> example.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Person.java</b></div><div class="codeContent panelContent pdl"> + <div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This tutorial assumes you've completed the <a shape="rect" class="createlink" href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=Coding+Struts+2+Actons&linkCreation=true&fromPageId=14811889";>Coding Struts 2 Actons</a> tutorial and have a working coding_actions project. The example code for this tutorial, form_processing, is available for checkout from the Struts 2 GitHub subversion repository: <a shape="rect" class="external-link" href="https://github.com/apache/struts-examples"; rel="nofollow">https://github.com/apache/struts-examples</a>.</p></div></div><h3 id="ProcessingForms-Introduction">Introduction</h3><p>In this tutorial we'll explore using Struts 2 to do more involv ed processing of a form submission. 
We'll cover how to use a Java model class to store the form input and how to create the Struts 2 form to match up with that model class.</p><p>The code provided in this tutorial may be added to the <a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> example or you can download this complete example from Google Code - <a shape="rect" class="external-link" href="http://code.google.com/p/struts2-examples/downloads/list"; rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</a>.</p><div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The <a shape="rect" class="external-link" href="http://struts.apache.org/mail.html";>Struts 2 user mailing list</a> is an excellent place to get help. If you are having a problem getting the tutorial example applications to work search the Struts 2 mailing list. If you don't find an answer to your problem, post a question on the mailing list.</p></div></div><h3 id="ProcessingForms-FormsandAJavaModelClass">Forms and A Java Model Class</h3><p>For this tutorial let's say we need to provide a form that a user may submit to register for a prize drawing. Our business rules state the user must provide his/her first name, last name, email address, and age.</p><p>To encapsulate this data, we'll use a simple Java class that follows the basic Java Bean specifications (public set/get methods for each instance field). 
If you're following along add this class to package org.apache.struts.register.model in the <a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> example.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Person.java</b></div><div class="codeContent panelContent pdl"> <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public class Person { private String firstName;
Modified: websites/production/struts/content/docs/release-notes-202.html ============================================================================== --- websites/production/struts/content/docs/release-notes-202.html (original) +++ websites/production/struts/content/docs/release-notes-202.html Fri Mar 11 11:02:24 2016 
@@ -172,7 +172,7 @@ under the License. <h2 id="ReleaseNotes2.0.2-NewFeaturesandPlugins">New Features and Plugins</h2> -<ul><li>Plugins are now documented in the <a shape="rect" class="unresolved" href="#">Apache Struts 2 Plugin Registry</a>.</li><li><a shape="rect" href="annotations.html">Annotations</a>: @Result annotation now supports parameters (WW-1575).</li><li><a shape="rect" href="ajax-tags.html">Ajax Tags</a>: The Autocompleter AJAX tag wraps Dojo's ComboBox and supports remote, static, and JSON content.</li><li><a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33274";>Spring Plugin</a>: Integrate Spring with your application using a plugin (WW-1499). Or, if you prefer, use the <a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33365";>Plexus Plugin</a> instead.</li><li><a shape="rect" href="file-upload-interceptor.html">File Uploading</a> Explore multiple file uploading through our new Showcase example (WW-1479).</li><li><a shape="rect" href="action.html">Action tag</a>: Eliminate unwanted exceptions with the new <code>f lush</code> attribute (WW-1472).</li><li><a shape="rect" href="checkboxlist.html">Checkboxlist</a> tag: Use Maps with CheckboxList (WW-1471).</li><li><a shape="rect" href="roles-interceptor.html">Roles Interceptor</a>: Integrate JAAS with a new interceptor - now on the default stack (WW-1469).</li><li><a shape="rect" href="textfield.html">Localized Links</a>: Use the new <code>key</code> attribute to streamline link markup (WW-1458).</li><li><a shape="rect" href="constant-configuration.html">Constant Configuration</a>: Override factory default settings from any XML configurtion document, including <code>web.xml</code>! 
(WW-1421).</li><li><a shape="rect" href="strutsxml-examples.html">Action Class Ref</a>: Configure a custom default Action for any package to use instead of ActionSupport (WW-1420).</li><li><a shape="rect" href="struts-maven-archetypes.html">Struts Maven Archetypes</a> The standard archetype includes sample code from the <a shape="rect" href="bootstrap.html">Bootstrap </a> tutorial {WW-1412).</li><li><a shape="rect" href="result-types.html">Direct Results</a>: Create a custom Result Type directly from an Action class (WW-1393).</li></ul> +<ul><li>Plugins are now documented in the <a shape="rect" class="createlink" href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=S2PLUGINS&title=Angosso";>Apache Struts 2 Plugin Registry</a>.</li><li><a shape="rect" href="annotations.html">Annotations</a>: @Result annotation now supports parameters (WW-1575).</li><li><a shape="rect" href="ajax-tags.html">Ajax Tags</a>: The Autocompleter AJAX tag wraps Dojo's ComboBox and supports remote, static, and JSON content.</li><li><a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33274";>Spring Plugin</a>: Integrate Spring with your application using a plugin (WW-1499). 
Or, if you prefer, use the <a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33365";>Plexus Plugin</a> instead.</li><li><a shape="rect" href="file-upload-interceptor.html">File Uploading</a> Explore multiple file uploading through our new Showcase example (WW-1479).</li><li><a sha pe="rect" href="action.html">Action tag</a>: Eliminate unwanted exceptions with the new <code>flush</code> attribute (WW-1472).</li><li><a shape="rect" href="checkboxlist.html">Checkboxlist</a> tag: Use Maps with CheckboxList (WW-1471).</li><li><a shape="rect" href="roles-interceptor.html">Roles Interceptor</a>: Integrate JAAS with a new interceptor - now on the default stack (WW-1469).</li><li><a shape="rect" href="textfield.html">Localized Links</a>: Use the new <code>key</code> attribute to streamline link markup (WW-1458).</li><li><a shape="rect" href="constant-configuration.html">Constant Configuration</a>: Override factory default settings from any XML configurtion document, including <code>web.xml</code>! 
(WW-1421).</li><li><a shape="rect" href="strutsxml-examples.html">Action Class Ref</a>: Configure a custom default Action for any package to use instead of ActionSupport (WW-1420).</li><li><a shape="rect" href="struts-maven-archetypes.html">Struts Maven Archetypes</a> The s tandard archetype includes sample code from the <a shape="rect" href="bootstrap.html">Bootstrap</a> tutorial {WW-1412).</li><li><a shape="rect" href="result-types.html">Direct Results</a>: Create a custom Result Type directly from an Action class (WW-1393).</li></ul> <h2 id="ReleaseNotes2.0.2-ExperimentalFeaturesandPlugins">Experimental Features and Plugins </h2> Modified: websites/production/struts/content/docs/release-plan-200.html ============================================================================== --- websites/production/struts/content/docs/release-plan-200.html (original) +++ websites/production/struts/content/docs/release-plan-200.html Fri Mar 11 11:02:24 2016 
@@ -224,7 +224,7 @@ under the License. <h2 id="ReleasePlan2.0.0-TestBuildDistributionChecklist(A)">Test Build Distribution Checklist (A)</h2> -<p>See also <a shape="rect" class="unresolved" href="#">Creating and Signing Releases</a></p> +<p>See also <a shape="rect" class="createlink" href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=Creating+and+Signing+Releases&linkCreation=true&fromPageId=19602";>Creating and Signing Releases</a></p> <div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p> # </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Description </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Completed </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A1. </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Setup new JIRA version level or update release on Roadmap </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png"; data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A2. </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Tag release in svn: ${STRUTS_2_0_0} </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emo ticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png"; data-emoticon-name="tick" alt="(tick)"> Done (r447072) </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A3. 
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Update POM version level and run Distribution Target </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png"; data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A4. </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Create Sums and Sign Distributions </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb 3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A5. </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Upload Distribution to <code>people.apache.org/builds/struts/2.0.0/</code> </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png"; data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A6. 
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Deploy JAR to Apache Java-Repository </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticon s/check.png" data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>$ mvn deploy -P pre-assembly</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> A7. </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Post release-quality vote on dev@ lists </p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> ${STATUS} </p></th></tr></tbody></table></div> Modified: websites/production/struts/content/docs/rest-plugin.html ============================================================================== --- websites/production/struts/content/docs/rest-plugin.html (original) +++ websites/production/struts/content/docs/rest-plugin.html Fri Mar 11 11:02:24 2016 
@@ -139,11 +139,11 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> <div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This plugin is only available with Struts 2.1.1 or later</p></div></div><p><style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773665918 {padding: 0px;} -div.rbtoc1456773665918 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1456773665918 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1453884501969 {padding: 0px;} +div.rbtoc1453884501969 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1453884501969 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style></p><div class="toc-macro rbtoc1456773665918"> +/*]]>*/</style></p><div class="toc-macro rbtoc1453884501969"> <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#RESTPlugin-Overview">Overview</a> <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a shape="rect" href="#RESTPlugin-Features">Features</a></li><li><span class="TOCOutline">1.2</span> <a shape="rect" href="#RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</a> <ul class="toc-indentation"><li><span class="TOCOutline">1.2.1</span> <a shape="rect" href="#RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</a></li></ul> Modified: websites/production/struts/content/docs/result-configuration.html ============================================================================== --- websites/production/struts/content/docs/result-configuration.html (original) +++ websites/production/struts/content/docs/result-configuration.html Fri Mar 11 11:02:24 2016 
@@ -139,11 +139,11 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773353562 {padding: 0px;} -div.rbtoc1456773353562 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1456773353562 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1457693886833 {padding: 0px;} +div.rbtoc1457693886833 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1457693886833 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style></p><div class="toc-macro rbtoc1456773353562"> +/*]]>*/</style></p><div class="toc-macro rbtoc1457693886833"> <ul class="toc-indentation"><li><a shape="rect" href="#ResultConfiguration-ResultElements">Result Elements</a> <ul class="toc-indentation"><li><a shape="rect" href="#ResultConfiguration-IntelligentDefaults">Intelligent Defaults</a></li><li><a shape="rect" href="#ResultConfiguration-Multiplenames">Multiple names</a></li></ul> </li><li><a shape="rect" href="#ResultConfiguration-GlobalResults">Global Results</a></li><li><a shape="rect" href="#ResultConfiguration-DynamicResults">Dynamic Results</a></li><li><a shape="rect" href="#ResultConfiguration-ReturningResultObjects">Returning Result Objects</a></li></ul> Modified: websites/production/struts/content/docs/result-types.html ============================================================================== --- websites/production/struts/content/docs/result-types.html (original) +++ websites/production/struts/content/docs/result-types.html Fri Mar 11 11:02:24 2016 
@@ -138,7 +138,7 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> - <div id="ConfluenceContent"><p>Most use cases can be divided into two phases. First, we need to change or query the application's state, and then we need to present an updated view of the application. The Action class manages the application's state, and the Result Type manages the view.</p><h2 id="ResultTypes-PredefinedResultTypes">Predefined Result Types</h2><p>The framework provides several implementations of the <code>com.opensymphony.xwork2.Result</code> interface, ready to use in your own applications.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="chain-result.html">Chain Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="action-chaining.html">Action Chaining</a></p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="dispatcher-result.html">Dispatcher Result</a></p></td><td colspan="1 " rowspan="1" class="confluenceTd"><p>Used for web resource integration, including <a shape="rect" href="jsp.html">JSP</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="freemarker-result.html">FreeMarker Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="freemarker.html">FreeMarker</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="httpheader-result.html">HttpHeader Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to control special HTTP behaviors</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="redirect-result.html">Redirect Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to redirect to another URL (web resource)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" href="redirect-action-result. html">Redirect Action Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to redirect to another action mapping</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="stream-result.html">Stream Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to stream an InputStream back to the browser (usually for file downloads)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="velocity-result.html">Velocity Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="velocity.html">Velocity</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="xsl-result.html">XSL Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for XML/XSLT integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="plaintext-result.html">Pl ainText Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to display the raw content of a particular page (i.e jsp, HTML)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="tiles-plugin.html">Tiles 2 Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to provide Tiles 2 integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="tiles-3-plugin.html">Tiles 3 Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to provide Tiles 3 integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="postback-result.html">Postback Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to postback request parameters as a form to the specified destination</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><a shape="rect" href="json-plugin.html">JSON Result</a></td><td colspan="1" rowspan="1" class="confluenceTd">Used to serialize actions into JSON</td></tr></tbody></table></div><h3 id="ResultTypes-Optional">Optional</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="jasperreports-plugin.html">JasperReports Plugin</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="jasperreports-tutorial.html">JasperReports Tutorial</a> integration</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional, third-party plugin</p></td></tr></tbody></table></div><p>Additional Result Types can be created and plugged into an application by implementing the <code>com.opensymphony.xwork2.Result</code> interface. Custom Result Types might include generating an email or JMS message, generating images, and so forth.</p><h2 id="ResultTypes-DefaultParameters">Default Parameters</h2><p>To minimize configuration, Results can be conf igured with a single value, which will be converted into a parameter, and each Result can specify which parameter this value should be set as. For example, here is a result defined in XML that uses a default parameter:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> + <div id="ConfluenceContent"><p>Most use cases can be divided into two phases. First, we need to change or query the application's state, and then we need to present an updated view of the application. 
The Action class manages the application's state, and the Result Type manages the view.</p><h2 id="ResultTypes-PredefinedResultTypes">Predefined Result Types</h2><p>The framework provides several implementations of the <code>com.opensymphony.xwork2.Result</code> interface, ready to use in your own applications.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="chain-result.html">Chain Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="action-chaining.html">Action Chaining</a></p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="dispatcher-result.html">Dispatcher Result</a></p></td><td colspan="1 " rowspan="1" class="confluenceTd"><p>Used for web resource integration, including <a shape="rect" href="jsp.html">JSP</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="freemarker-result.html">FreeMarker Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="freemarker.html">FreeMarker</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="httpheader-result.html">HttpHeader Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to control special HTTP behaviors</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="redirect-result.html">Redirect Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to redirect to another URL (web resource)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="redirect-action-result. 
html">Redirect Action Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to redirect to another action mapping</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="stream-result.html">Stream Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to stream an InputStream back to the browser (usually for file downloads)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="velocity-result.html">Velocity Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="velocity.html">Velocity</a> integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="xsl-result.html">XSL Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for XML/XSLT integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="plaintext-result.html">Pl ainText Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to display the raw content of a particular page (i.e jsp, HTML)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="tiles-2-plugin.html">Tiles 2 Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to provide Tiles 2 integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="tiles-3-plugin.html">Tiles 3 Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to provide Tiles 3 integration</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="postback-result.html">Postback Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to postback request parameters as a form to the specified destination</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" href="json-plugin.html">JSON Result</a></td>< td 
colspan="1" rowspan="1" class="confluenceTd">Used to serialize actions into JSON</td></tr></tbody></table></div><h3 id="ResultTypes-Optional">Optional</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" href="jasperreports-plugin.html">JasperReports Plugin</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" href="jasperreports-tutorial.html">JasperReports Tutorial</a> integration</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional, third-party plugin</p></td></tr></tbody></table></div><p>Additional Result Types can be created and plugged into an application by implementing the <code>com.opensymphony.xwork2.Result</code> interface. Custom Result Types might include generating an email or JMS message, generating images, and so forth.</p><h2 id="ResultTypes-DefaultParameters">Default Parameters</h2><p>To minimize configuration, Results can be co nfigured with a single value, which will be converted into a parameter, and each Result can specify which parameter this value should be set as. For example, here is a result defined in XML that uses a default parameter:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><result type="freemarker">foo.fm</result> </pre> </div></div><p>That is the equivalent to this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> Modified: websites/production/struts/content/docs/s2-003.html ============================================================================== --- websites/production/struts/content/docs/s2-003.html (original) +++ websites/production/struts/content/docs/s2-003.html Fri Mar 11 11:02:24 2016 
@@ -139,11 +139,11 @@ under the License. <p>So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:</p> -<p>('\u0023' + 'session<a shape="rect" class="unresolved" href="#">\'user\'</a>')(unused)=0wn3d</p> +<p>('\u0023' + 'session<a shape="rect" class="createlink" href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=%5C%27user%5C%27&linkCreation=true&fromPageId=88882";>\'user\'</a>')(unused)=0wn3d</p> <p>which will look as follows once URL encoded:</p> -<p>('\u0023'%20%2b%20'session<a shape="rect" class="unresolved" href="#">\'user\'</a>')(unused)=0wn3d </p> +<p>('\u0023'%20%2b%20'session<a shape="rect" class="createlink" href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=%5C%27user%5C%27&linkCreation=true&fromPageId=88882";>\'user\'</a>')(unused)=0wn3d </p> <h2 id="S2-003-Solution">Solution</h2> Added: websites/production/struts/content/docs/s2-028.html ============================================================================== --- websites/production/struts/content/docs/s2-028.html (added) +++ websites/production/struts/content/docs/s2-028.html Fri Mar 11 11:02:24 2016 
@@ -0,0 +1,165 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd";> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<html> +<head> + <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css";> + <style type="text/css"> + .dp-highlighter { + width:95% !important; + } + </style> + <style type="text/css"> + .footer { + background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); + background-repeat: repeat-x; + background-position: left top; + padding-top: 4px; + color: #666; + } + </style> + <script type="text/javascript" language="javascript"> + var hide = null; + var show = null; + var children = null; + + function init() { + /* Search form initialization */ + var form = document.forms['search']; + if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; + } + + /* Children initialization */ + hide = document.getElementById('hide'); + show = document.getElementById('show'); + children = document.all != null ? 
+ document.all['children'] : + document.getElementById('children'); + if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + } + + function showChildren() { + children.style.display = 'block'; + show.style.display = 'none'; + hide.style.display = 'inline'; + } + + function hideChildren() { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + </script> + <title>S2-028</title> +</head> +<body onload="init()"> +<table border="0" cellpadding="2" cellspacing="0" width="100%"> + <tr class="topBar"> + <td align="left" valign="middle" class="topBarDiv" align="left" nowrap> + <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-028.html">S2-028</a> + </td> + <td align="right" valign="middle" nowrap> + <form name="search" action="https://www.google.com/search"; method="get"> + <input type="hidden" name="ie" value="UTF-8" /> + <input type="hidden" name="oe" value="UTF-8" /> + <input type="hidden" name="domains" value="" /> + <input type="hidden" name="sitesearch" value="" /> + <input type="text" name="q" maxlength="255" value="" /> + <input type="submit" name="btnG" value="Google Search" /> + </form> + </td> + </tr> +</table> + +<div id="PageContent"> + <div class="pageheader" style="padding: 6px 0px 0px 0px;"> + <!-- We'll enable this once we figure out how to access (and save) the logo resource --> + <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"--> + <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div> + <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-028</div> + + <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;"> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62686284";> + <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62686284";>Edit Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> + <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; + height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a> + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space</a> + + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62686284";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62686284";>Add Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62686284";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add News"></a> + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62686284";>Add News</a> + </div> + </div> + + <div class="pagecontent"> + <div class="wiki-content"> + <div id="ConfluenceContent"><h2 id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Affects of a cross-site scripting vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major version, preferably 1.8. Alternatively upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2325";>Struts 2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" class="external-link" href="http://whitehatsec.com"; rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded p arameter value including multi-byte characters.</p><p>Struts 2 used the standard JRE URLDecoder to decode parameter values. <span>Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. 
In later JREs the issue was fixed, best known solution is found in JRE 1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.</p><p>Alternatively <span style="line-height: 1.42857;">upgrade to Struts 2.3.25, which includes and uses a safe URLDecoder implementation from Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style> + .jira-issue { + padding: 0 0 0 2px; + line-height: 20px; + } + + .jira-issue img { + padding-right: 5px; + } + .jira-issue .aui-lozenge { + line-height: 18px; + vertical-align: top; + } + + .jira-issue .icon { + background-position: left center; + background-repeat: no-repeat; + display: inline-block; + font-size: 0; + max-height: 16px; + text-align: left; + text-indent: -9999em; + vertical-align: text-bottom; + } +</style> + + <span class="jira-issue WW-4507"><a shape="rect" class="issue-link" href="https://issues.apache.org/jira/browse/WW-4507?src=confmacro";>WW-4507</a></span> +</p></div> + </div> + + + </div> +</div> +<div class="footer"> + Generated by CXF SiteExporter +</div> +</body> +</html> Added: websites/production/struts/content/docs/s2-029.html ============================================================================== --- websites/production/struts/content/docs/s2-029.html (added) +++ websites/production/struts/content/docs/s2-029.html Fri Mar 11 11:02:24 2016 
@@ -0,0 +1,138 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd";> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<html> +<head> + <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css";> + <style type="text/css"> + .dp-highlighter { + width:95% !important; + } + </style> + <style type="text/css"> + .footer { + background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); + background-repeat: repeat-x; + background-position: left top; + padding-top: 4px; + color: #666; + } + </style> + <script type="text/javascript" language="javascript"> + var hide = null; + var show = null; + var children = null; + + function init() { + /* Search form initialization */ + var form = document.forms['search']; + if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; + } + + /* Children initialization */ + hide = document.getElementById('hide'); + show = document.getElementById('show'); + children = document.all != null ? 
+ document.all['children'] : + document.getElementById('children'); + if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + } + + function showChildren() { + children.style.display = 'block'; + show.style.display = 'none'; + hide.style.display = 'inline'; + } + + function hideChildren() { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + </script> + <title>S2-029</title> +</head> +<body onload="init()"> +<table border="0" cellpadding="2" cellspacing="0" width="100%"> + <tr class="topBar"> + <td align="left" valign="middle" class="topBarDiv" align="left" nowrap> + <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-029.html">S2-029</a> + </td> + <td align="right" valign="middle" nowrap> + <form name="search" action="https://www.google.com/search"; method="get"> + <input type="hidden" name="ie" value="UTF-8" /> + <input type="hidden" name="oe" value="UTF-8" /> + <input type="hidden" name="domains" value="" /> + <input type="hidden" name="sitesearch" value="" /> + <input type="text" name="q" maxlength="255" value="" /> + <input type="submit" name="btnG" value="Google Search" /> + </form> + </td> + </tr> +</table> + +<div id="PageContent"> + <div class="pageheader" style="padding: 6px 0px 0px 0px;"> + <!-- We'll enable this once we figure out how to access (and save) the logo resource --> + <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"--> + <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div> + <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-029</div> + + <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;"> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687048";> + <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687048";>Edit Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> + <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; + height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a> + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space</a> + + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687048";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687048";>Add Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687048";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add News"></a> + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687048";>Add News</a> + </div> + </div> + + <div class="pagecontent"> + <div class="wiki-content"> + <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user input in tag's attributes.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes. Alternative ly upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2325";>Struts 2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com - <a shape="rect" class="external-link" href="http://www.coverity.com/"; rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes. 
Alternatively <span style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div> + </div> + + + </div> +</div> +<div class="footer"> + Generated by CXF SiteExporter +</div> +</body> +</html> Added: websites/production/struts/content/docs/s2-030.html ============================================================================== --- websites/production/struts/content/docs/s2-030.html (added) +++ websites/production/struts/content/docs/s2-030.html Fri Mar 11 11:02:24 2016 
@@ -0,0 +1,138 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd";> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<html> +<head> + <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css";> + <style type="text/css"> + .dp-highlighter { + width:95% !important; + } + </style> + <style type="text/css"> + .footer { + background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); + background-repeat: repeat-x; + background-position: left top; + padding-top: 4px; + color: #666; + } + </style> + <script type="text/javascript" language="javascript"> + var hide = null; + var show = null; + var children = null; + + function init() { + /* Search form initialization */ + var form = document.forms['search']; + if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; + } + + /* Children initialization */ + hide = document.getElementById('hide'); + show = document.getElementById('show'); + children = document.all != null ? 
+ document.all['children'] : + document.getElementById('children'); + if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + } + + function showChildren() { + children.style.display = 'block'; + show.style.display = 'none'; + hide.style.display = 'inline'; + } + + function hideChildren() { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; + } + </script> + <title>S2-030</title> +</head> +<body onload="init()"> +<table border="0" cellpadding="2" cellspacing="0" width="100%"> + <tr class="topBar"> + <td align="left" valign="middle" class="topBarDiv" align="left" nowrap> + <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-030.html">S2-030</a> + </td> + <td align="right" valign="middle" nowrap> + <form name="search" action="https://www.google.com/search"; method="get"> + <input type="hidden" name="ie" value="UTF-8" /> + <input type="hidden" name="oe" value="UTF-8" /> + <input type="hidden" name="domains" value="" /> + <input type="hidden" name="sitesearch" value="" /> + <input type="text" name="q" maxlength="255" value="" /> + <input type="submit" name="btnG" value="Google Search" /> + </form> + </td> + </tr> +</table> + +<div id="PageContent"> + <div class="pageheader" style="padding: 6px 0px 0px 0px;"> + <!-- We'll enable this once we figure out how to access (and save) the logo resource --> + <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"--> + <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div> + <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-030</div> + + <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;"> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687301";> + <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687301";>Edit Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> + <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; + height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a> + <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space</a> + + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687301";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add Page"></a> + <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687301";>Add Page</a> + + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687301";> + <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; + height="16" width="16" border="0" align="absmiddle" title="Add News"></a> + <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687301";>Add News</a> + </div> + </div> + + <div class="pagecontent"> + <div class="wiki-content"> + <div id="ConfluenceContent"><h2 id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in <code>I18NInterceptor</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible XSS vulnerability</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> object constructed by <code>I18NInterceptor</code> as it may contain user specific string which may leads to XSS vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/"; rel="nofollow">M<span>iliaris</span></a><span> </span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses <code>I18NInterceptor</code> to allow users and developers switch language used in the framework and an application built on top of it. The problem is that the in terceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language selected by user based on <code>I18NInterceptor</code> always escape the string before presenting it to the user. 
Alternatively <span style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a shape="rect" class="external-link" href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html";>StringEscapeUtils</a> from the Apache Commons to escape the string.</p></div> + </div> + + + </div> +</div> +<div class="footer"> + Generated by CXF SiteExporter +</div> +</body> +</html> Modified: websites/production/struts/content/docs/sample-announcements.html ============================================================================== --- websites/production/struts/content/docs/sample-announcements.html (original) +++ websites/production/struts/content/docs/sample-announcements.html Fri Mar 11 11:02:24 2016 
@@ -127,11 +127,11 @@ under the License. <div class="wiki-content"> <div id="ConfluenceContent"><h1 id="Sampleannouncements-Content">Content</h1> <style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773755099 {padding: 0px;} -div.rbtoc1456773755099 ul {list-style: none;margin-left: 0px;} -div.rbtoc1456773755099 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1453884616256 {padding: 0px;} +div.rbtoc1453884616256 ul {list-style: none;margin-left: 0px;} +div.rbtoc1453884616256 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style><div class="toc-macro rbtoc1456773755099"> +/*]]>*/</style><div class="toc-macro rbtoc1453884616256"> <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#Sampleannouncements-Content">Content</a> <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a shape="rect" href="#Sampleannouncements-SampleStrutsAnnotationsRelease/QualityVote">Sample Struts Annotations Release/Quality Vote</a></li><li><span class="TOCOutline">1.2</span> <a shape="rect" href="#Sampleannouncements-SampleTestBuildAnnouncement">Sample Test Build Announcement</a></li><li><span class="TOCOutline">1.3</span> <a shape="rect" href="#Sampleannouncements-SampleRelease/QualityVote">Sample Release/Quality Vote</a></li><li><span class="TOCOutline">1.4</span> <a shape="rect" href="#Sampleannouncements-SampleReleaseAnnouncement">Sample Release Announcement</a></li><li><span class="TOCOutline">1.5</span> <a shape="rect" href="#Sampleannouncements-Fast-TrackinganImportantSecurityRelease">Fast-Tracking an Important Security Release</a></li></ul> </li></ul> Modified: websites/production/struts/content/docs/security-bulletins.html ============================================================================== --- websites/production/struts/content/docs/security-bulletins.html (original) +++ websites/production/struts/content/docs/security-bulletins.html Fri Mar 11 11:02:24 2016 
@@ -126,7 +126,7 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> <div id="ConfluenceContent"><p>The following security bulletins are available:</p> -<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span 
class="smalltext">Showcase app vulnerability allows remote command execution</span></li> <li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends 
excluded params in CookieInt erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li></ul></div> +<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" 
href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li> <li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access 
Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends excluded params in CookieInt erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li><li><a shape="rect" href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with broken URLDecoder implementation may l ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a shape="rect" href="s2-029.html">S2-029</a> — <span class="smalltext">Double OGNL evaluation when using raw user input in tag's attributes.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> — <span 
class="smalltext">Possible XSS vulnerability in I18NInterceptor</span></li></ul></div> </div> <div class="tabletitle"> @@ -141,6 +141,15 @@ under the License. <span class="smalltext">(Apache Struts 2 Documentation)</span> <br> $page.link($child) + <span class="smalltext">(Apache Struts 2 Documentation)</span> + <br> + $page.link($child) + <span class="smalltext">(Apache Struts 2 Documentation)</span> + <br> + $page.link($child) + <span class="smalltext">(Apache Struts 2 Documentation)</span> + <br> + $page.link($child) <span class="smalltext">(Apache Struts 2 Documentation)</span> <br> $page.link($child) Modified: websites/production/struts/content/docs/security.html ============================================================================== --- websites/production/struts/content/docs/security.html (original) +++ websites/production/struts/content/docs/security.html Fri Mar 11 11:02:24 2016 
@@ -139,11 +139,11 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773801895 {padding: 0px;} -div.rbtoc1456773801895 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1456773801895 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1457693901922 {padding: 0px;} +div.rbtoc1457693901922 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1457693901922 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style></p><div class="toc-macro rbtoc1456773801895"> +/*]]>*/</style></p><div class="toc-macro rbtoc1457693901922"> <ul class="toc-indentation"><li><a shape="rect" href="#Security-Securitytips">Security tips</a> <ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</a></li><li><a shape="rect" href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li></ul> </li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal security mechanism</a> 
@@ -212,7 +212,7 @@ public abstract class AbstractAction ext // some logic } }</pre> -</div></div><p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. To solve the problem don't use the same method's names through the hierarchy, you can simply change the action's method from <code>save()</code> to <code>saveAction()</code> and leaving annotation as is to allow <span style="line-height: 1.4285715;">call this action via </span><code style="line-height: 1.4285715;">/save.action</code><span style="line-height: 1.4285715;"> request.</span></p><h4 id="Security-Accepted/Excludedpatterns"><span style="line-height: 1.4285715;">Accepted / Excluded patterns</span></h4><p><span style="line-height: 1.4285715;">As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names and values - <a shape="rect" class="external-link" href="http://struts.apache.org/maven/xwork-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html"; >AcceptedPatternsChecker</a> and <a shape="rect" class="external-link" >href="http://struts.apache.org/maven/xwork-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html";>ExcludedPatternsChecker</a> > with default implementations. These two interfaces are used by <a >shape="rect" href="parameters-interceptor.html">Parameters Interceptor</a> >and <a shape="rect" href="cookie-interceptor.html">Cookie >Interceptor</a> to check if param can accepted or must be excluded. If you >were using <code>excludeParams</code> previously please compare patterns >used by you with these provided by the framework in default >implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span >style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span >style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. >It allows control what methods can be accessed with the bang "!" 
operator via ><a shape="rect" href="action-configuration.htm l">Dynamic Method Invocation</a>. Please read more in Strict Method Invocation section of <a shape="rect" href="action-configuration.html">Action Configuration</a>.</span></p></div> +</div></div><p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. To solve the problem don't use the same method's names through the hierarchy, you can simply change the action's method from <code>save()</code> to <code>saveAction()</code> and leaving annotation as is to allow <span style="line-height: 1.4285715;">call this action via </span><code style="line-height: 1.4285715;">/save.action</code><span style="line-height: 1.4285715;"> request.</span></p><h4 id="Security-Accepted/Excludedpatterns"><span style="line-height: 1.4285715;">Accepted / Excluded patterns</span></h4><p><span style="line-height: 1.4285715;">As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names and values - <a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.htm l">AcceptedPatternsChecker</a> and <a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html";>ExcludedPatternsChecker</a> with default implementations. These two interfaces are used by <a shape="rect" href="parameters-interceptor.html">Parameters Interceptor</a> and <a shape="rect" href="cookie-interceptor.html">Cookie Interceptor</a> to check if param can accepted or must be excluded. 
If you were using <code>excludeParams</code> previously please compare patterns used by you with these provided by the framework in default implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. It allows control what methods can be accessed with the bang "!" operator via <a shape="rect" href="action-configuration .html">Dynamic Method Invocation</a>. Please read more in Strict Method Invocation section of <a shape="rect" href="action-configuration.html">Action Configuration</a>.</span></p></div> </div> Modified: websites/production/struts/content/docs/struts-2-blank-archetype.html ============================================================================== --- websites/production/struts/content/docs/struts-2-blank-archetype.html (original) +++ websites/production/struts/content/docs/struts-2-blank-archetype.html Fri Mar 11 11:02:24 2016 
@@ -149,11 +149,11 @@ under the License. <p><strong>Contents</strong></p> <style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773702121 {padding: 0px;} -div.rbtoc1456773702121 ul {list-style: none;margin-left: 0px;padding-left: 1em;} -div.rbtoc1456773702121 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1453884536773 {padding: 0px;} +div.rbtoc1453884536773 ul {list-style: none;margin-left: 0px;padding-left: 1em;} +div.rbtoc1453884536773 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style><div class="toc-macro rbtoc1456773702121"> +/*]]>*/</style><div class="toc-macro rbtoc1453884536773"> <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#Struts2BlankArchetype-CreatingOurblank-archetypeProject">Creating Our blank-archetype Project</a> <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a shape="rect" href="#Struts2BlankArchetype-Stagingrepository">Staging repository</a></li></ul> </li><li><span class="TOCOutline">2</span> <a shape="rect" href="#Struts2BlankArchetype-ProjectStructure">Project Structure</a> Modified: websites/production/struts/content/docs/struts-2-maven-archetypes.html ============================================================================== --- websites/production/struts/content/docs/struts-2-maven-archetypes.html (original) +++ websites/production/struts/content/docs/struts-2-maven-archetypes.html Fri Mar 11 11:02:24 2016 
@@ -143,11 +143,11 @@ under the License. <p><strong>Contents</strong></p> <style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773703153 {padding: 0px;} -div.rbtoc1456773703153 ul {list-style: none;margin-left: 0px;padding-left: 1em;} -div.rbtoc1456773703153 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1453884535519 {padding: 0px;} +div.rbtoc1453884535519 ul {list-style: none;margin-left: 0px;padding-left: 1em;} +div.rbtoc1453884535519 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style><div class="toc-macro rbtoc1456773703153"> +/*]]>*/</style><div class="toc-macro rbtoc1453884535519"> <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#Struts2MavenArchetypes-Quickstart">Quickstart</a></li><li><span class="TOCOutline">2</span> <a shape="rect" href="#Struts2MavenArchetypes-AvailableArchetypes">Available Archetypes</a> <ul class="toc-indentation"><li><span class="TOCOutline">2.1</span> <a shape="rect" href="#Struts2MavenArchetypes-TheBlankConventionArchetype(struts2-archetype-convention)">The Blank Convention Archetype (struts2-archetype-convention)</a></li><li><span class="TOCOutline">2.2</span> <a shape="rect" href="#Struts2MavenArchetypes-TheBlankArchetype(struts2-archetype-blank)">The Blank Archetype (struts2-archetype-blank)</a></li><li><span class="TOCOutline">2.3</span> <a shape="rect" href="#Struts2MavenArchetypes-TheStarterArchetype(struts2-archetype-starter)">The Starter Archetype (struts2-archetype-starter)</a></li><li><span class="TOCOutline">2.4</span> <a shape="rect" href="#Struts2MavenArchetypes-TheAngularJSArchetype(struts2-archetype-angularjs)">The AngularJS Archetype (struts2-archetype-angularjs)</a></li><li><span class="TOCOutline">2.5</span> <a shape="rect" href="#Struts2MavenArchetypes-ThePortletBlankArchetype(struts2-archetype-portlet)">The Portlet Blank Archetype (struts2-ar chetype-portlet)</a></li><li><span class="TOCOutline">2.6</span> <a shape="rect" 
href="#Struts2MavenArchetypes-ThePortletDatabaseArchetype(struts2-archetype-dbportlet)">The Portlet Database Archetype (struts2-archetype-dbportlet)</a></li><li><span class="TOCOutline">2.7</span> <a shape="rect" href="#Struts2MavenArchetypes-ThePluginArchetype(struts2-archetype-plugin)">The Plugin Archetype (struts2-archetype-plugin)</a></li></ul> </li><li><span class="TOCOutline">3</span> <a shape="rect" href="#Struts2MavenArchetypes-CreatinganApplicationUsingaMavenArchetype">Creating an Application Using a Maven Archetype</a> Modified: websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html ============================================================================== --- websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html (original) +++ websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html Fri Mar 11 11:02:24 2016 
@@ -145,11 +145,11 @@ under the License. <div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Following this tutorial verbatim will require use of a Struts 2 deployment greater than 2.0.3</p></div></div> <style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773601716 {padding: 0px;} -div.rbtoc1456773601716 ul {list-style: none;margin-left: 0px;} -div.rbtoc1456773601716 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1453884419616 {padding: 0px;} +div.rbtoc1453884419616 ul {list-style: none;margin-left: 0px;} +div.rbtoc1453884419616 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style><div class="toc-macro rbtoc1456773601716"> +/*]]>*/</style><div class="toc-macro rbtoc1453884419616"> <ul class="toc-indentation"><li><a shape="rect" href="#Struts2+Spring2+JPA+AJAX-Prerequisites">Prerequisites</a> <ul class="toc-indentation"><li><a shape="rect" href="#Struts2+Spring2+JPA+AJAX-Tomcat">Tomcat</a></li><li><a shape="rect" href="#Struts2+Spring2+JPA+AJAX-MySql">MySql</a></li></ul> </li><li><a shape="rect" href="#Struts2+Spring2+JPA+AJAX-Getthecode">Get the code</a> Modified: websites/production/struts/content/docs/struts-next.html ============================================================================== --- websites/production/struts/content/docs/struts-next.html (original) +++ websites/production/struts/content/docs/struts-next.html Fri Mar 11 11:02:24 2016 
@@ -125,12 +125,12 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> - <div id="ConfluenceContent"><h3 id="StrutsNext-/*<![CDATA[*/div.rbtoc1456773756987{padding:0px;}div.rbtoc1456773756987ul{list-style:disc;margin-left:0px;}div.rbtoc1456773756987li{margin-left:0px;padding-left:0px;}/*]]>*/#StrutsNext-Whatshouldbeimproved/changed#StrutsNext-Whatshouldbeimprove"><style type="text/css">/*<![CDATA[*/ -div.rbtoc1456773756987 {padding: 0px;} -div.rbtoc1456773756987 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1456773756987 li {margin-left: 0px;padding-left: 0px;} + <div id="ConfluenceContent"><h3 id="StrutsNext-/*<![CDATA[*/div.rbtoc1453884611957{padding:0px;}div.rbtoc1453884611957ul{list-style:disc;margin-left:0px;}div.rbtoc1453884611957li{margin-left:0px;padding-left:0px;}/*]]>*/#StrutsNext-Whatshouldbeimproved/changed#StrutsNext-Whatshouldbeimprove"><style type="text/css">/*<![CDATA[*/ +div.rbtoc1453884611957 {padding: 0px;} +div.rbtoc1453884611957 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1453884611957 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style></h3><div class="toc-macro rbtoc1456773756987"> +/*]]>*/</style></h3><div class="toc-macro rbtoc1453884611957"> <ul class="toc-indentation"><li><a shape="rect" href="#StrutsNext-"></a></li></ul> <ul><li><a shape="rect" href="#StrutsNext-Whatshouldbeimproved/changed">What should be improved / changed</a></li><li><a shape="rect" href="#StrutsNext-DevelopmentplanofStruts3">Development plan of Struts 3</a> <ul class="toc-indentation"><li><a shape="rect" href="#StrutsNext-M1(akaStruts2.5)">M1 (aka Struts 2.5)</a></li><li><a shape="rect" href="#StrutsNext-M2(alphaStruts3)">M2 (alpha Struts 3)</a></li><li><a shape="rect" href="#StrutsNext-M3(alphaStruts3)">M3 (alpha Struts 3)</a></li><li><a shape="rect" href="#StrutsNext-M4(beta1Struts3)">M4 (beta 1 Struts 3)</a></li></ul>
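Review bot: `$page.link($child)` in the @@ -141,6 +141,15 @@ hunk (under the `tabletitle` div, after the security bulletin list) looks like an unexpanded template placeholder, and the added lines publish three more literal copies of it next to `<span class="smalltext">(Apache Struts 2 Documentation)</span>` instead of rendered child-page links. The export template should resolve or drop the placeholder before the page is committed under websites/production.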
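Review bot: In the security.html hunk at @@ -212,7 +212,7 @@, the "Accepted / Excluded patterns" paragraph asks readers who were using `excludeParams` to compare their patterns with the framework defaults but gives no reason. The bulletin list earlier in this same commit includes S2-024, "Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker", and a link to it from this paragraph would make the risk concrete. Since the line is regenerated anyway for the apidocs move from `maven/xwork-core` to `maven/struts2-core`, the source page should also fix "This is do the OGNL limitation" (due to) and "to check if param can accepted" (can be accepted), both of which carry over unchanged on the `+` side.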
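Review bot: In the struts-2-blank-archetype.html, struts-2-maven-archetypes.html and struts-2-spring-2-jpa-ajax.html hunks the only change is the generated `rbtoc…` class suffix, and the new value is lower than the one it replaces (for example `rbtoc1456773702121` becomes `rbtoc1453884536773`), whereas in security.html it goes up (`rbtoc1456773801895` becomes `rbtoc1457693901922`). If that suffix tracks render time, these three pages were regenerated from an older render than the one already published, which is worth confirming before the commit goes out. A stable class name for the TOC macro would keep this churn out of the diff and leave the real content changes, such as the link fix in security.html, easier to review.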
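Review bot: The `<h3>` in the struts-next.html hunk at @@ -125,12 +125,12 @@ carries the whole TOC stylesheet inside its `id` (`id="StrutsNext-/*<![CDATA[*/div.rbtoc1453884611957{padding:0px;}…`), so the heading anchor changes with every export and contains markup characters. The heading should get a fixed id derived from its title, with the `<style>` block moved out of the `<h3>`. The same hunk also keeps an empty TOC entry, `<a shape="rect" href="#StrutsNext-"></a>`, which points at nothing and should be dropped at the source.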