This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 5134b1bd8 Updates stage by Jenkins
5134b1bd8 is described below

commit 5134b1bd84d629b6368f4c80bce5fb4440004c4c
Author: jenkins <[email protected]>
AuthorDate: Sun Oct 5 08:33:59 2025 +0000

    Updates stage by Jenkins
---
 content/core-developers/annotations.html           |  21 +-
 content/core-developers/default-properties.html    |   3 +
 .../struts-parameter-annotation.html               | 230 +++++++++++++++++++++
 3 files changed, 253 insertions(+), 1 deletion(-)

diff --git a/content/core-developers/annotations.html 
b/content/core-developers/annotations.html
index fdb905e29..91f984b40 100644
--- a/content/core-developers/annotations.html
+++ b/content/core-developers/annotations.html
@@ -154,6 +154,7 @@
     <h1 class="no_toc" id="annotations">Annotations</h1>
 
 <ul id="markdown-toc">
+  <li><a href="#security-annotation" 
id="markdown-toc-security-annotation">Security annotation</a></li>
   <li><a href="#action-annotations" 
id="markdown-toc-action-annotations">Action Annotations</a></li>
   <li><a href="#workflow-annotations" 
id="markdown-toc-workflow-annotations">Workflow Annotations</a></li>
   <li><a href="#interceptor-annotations" 
id="markdown-toc-interceptor-annotations">Interceptor Annotations</a></li>
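Review bot: The new TOC entry "Security annotation" is singular and lower-cased, while every sibling entry in this list uses the plural, title-cased form ("Action Annotations", "Workflow Annotations", "Interceptor Annotations"). Since the TOC text comes from the heading, rename the heading to "Security Annotations" so the entry and its anchor follow the existing pattern.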
@@ -168,6 +169,25 @@
 <p>In many places, applications can use Java 5 annotations as an alternative 
to XML and Java properties configuration. 
 This page serves as a reference for all annotations across the framework.</p>
 
+<h2 id="security-annotation">Security annotation</h2>
+
+<p>This a group of annotation used to improve security of your application.</p>
+
+<table>
+  <thead>
+    <tr>
+      <th>Annotation</th>
+      <th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><a href="struts-parameter-annotation">StrutsParameter 
Annotation</a></td>
+      <td>Marks which fields and methods in your Action class can receive 
values from user requests.</td>
+    </tr>
+  </tbody>
+</table>
+
 <h2 id="action-annotations">Action Annotations</h2>
 
 <p>Since Struts 2.1, these annotations are provided by the <a 
href="../plugins/convention/">Convention Plugin</a>. Codebehind and Zero Config 
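Review bot: The introductory sentence of the new section has grammar errors: "This a group of annotation used to improve security of your application." should read "This is a group of annotations used to improve the security of your application." In the table row, the link target is written as `struts-parameter-annotation` without an extension, while the new page links back with `annotations.html`; please confirm the extensionless form resolves on the published site or use the same style in both directions.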
@@ -447,7 +467,6 @@ Instead tiles definitions can be created by annotating 
actions.</p>
   </tbody>
 </table>
 
-
   </section>
 </article>
 
diff --git a/content/core-developers/default-properties.html 
b/content/core-developers/default-properties.html
index b487b256a..3edf686ba 100644
--- a/content/core-developers/default-properties.html
+++ b/content/core-developers/default-properties.html
@@ -466,6 +466,9 @@ struts.url.queryStringParser=strutsQueryStringParser
 struts.url.encoder=strutsUrlEncoder
 struts.url.decoder=strutsUrlDecoder
 
+### Defines source to read nonce value from, possible values are: request, 
session
+struts.csp.nonceSource=session
+
 ### END SNIPPET: complete_file</code></pre></figure>
 
 
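Review bot: The comment above `struts.csp.nonceSource=session` lists the possible values (request, session) but does not say that `session` is the default or what a reader gains or loses by switching to `request`. For a security-related setting, add one line per value explaining where the nonce is read from and when each is appropriate, so the choice is not made blind.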
diff --git a/content/core-developers/struts-parameter-annotation.html 
b/content/core-developers/struts-parameter-annotation.html
new file mode 100644
index 000000000..26e0db78e
--- /dev/null
+++ b/content/core-developers/struts-parameter-annotation.html
@@ -0,0 +1,230 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8"/>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+  <meta name="Date-Revision-yyyymmdd" content="20140918"/>
+  <meta http-equiv="Content-Language" content="en"/>
+  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+  <title>StrutsParameter Annotation</title>
+
+  <link href="/css/source-sans-pro.css" rel="stylesheet" type="text/css">
+  <link href="/css/font-awesome.css" rel="stylesheet">
+  <link href="/css/main.css" rel="stylesheet">
+  <link href="/css/custom.css" rel="stylesheet">
+  <link href="/css/syntax.css" rel="stylesheet">
+
+  <script src="/js/jquery-1.11.0.min.js"></script>
+  <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+  <script type="text/javascript" src="/js/community.js"></script>
+
+  <!-- Matomo -->
+  <script>
+    var _paq = window._paq = window._paq || [];
+    /* tracker methods like "setCustomDimension" should be called before 
"trackPageView" */
+    /* We explicitly disable cookie tracking to avoid privacy issues */
+    _paq.push(['disableCookies']);
+    _paq.push(['trackPageView']);
+    _paq.push(['enableLinkTracking']);
+    (function() {
+      var u="//analytics.apache.org/";
+      _paq.push(['setTrackerUrl', u+'matomo.php']);
+      _paq.push(['setSiteId', '41']);
+      var d=document, g=d.createElement('script'), 
s=d.getElementsByTagName('script')[0];
+      g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
+    })();
+  </script>
+  <!-- End Matomo Code -->
+</head>
+<body>
+
+<a href="https://github.com/apache/struts"; class="github-ribbon">
+  <img decoding="async" loading="lazy" style="position: absolute; right: 0; 
border: 0;" width="149" height="149" 
src="/img/forkme_right_red_aa0000.webp?resize=149%2C149" class="attachment-full 
size-full" alt="Fork me on GitHub" data-recalc-dims="1">
+</a>
+
+<header>
+  <nav>
+    <div role="navigation" class="navbar navbar-default navbar-fixed-top">
+      <div class="container">
+        <div class="navbar-header">
+          <button type="button" data-toggle="collapse" 
data-target="#struts-menu" class="navbar-toggle">
+            Menu
+            <span class="sr-only">Toggle navigation</span>
+            <span class="icon-bar"></span>
+            <span class="icon-bar"></span>
+            <span class="icon-bar"></span>
+          </button>
+          <a href="/index.html" class="navbar-brand logo"><img 
src="/img/struts-logo.svg"></a>
+        </div>
+        <div id="struts-menu" class="navbar-collapse collapse">
+          <ul class="nav navbar-nav">
+            <li class="dropdown">
+              <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+                Home<b class="caret"></b>
+              </a>
+              <ul class="dropdown-menu">
+                <li><a href="/index.html">Welcome</a></li>
+                <li><a href="/download.cgi">Download</a></li>
+                <li><a href="/releases.html">Releases</a></li>
+                <li><a href="/announce-2025.html">Announcements</a></li>
+                <li><a href="http://www.apache.org/licenses/";>License</a></li>
+                <li><a 
href="https://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+                <li><a 
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+                <li><a 
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy 
Policy</a></li>
+              </ul>
+            </li>
+            <li class="dropdown">
+              <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+                Support<b class="caret"></b>
+              </a>
+              <ul class="dropdown-menu">
+                <li><a href="/mail.html">User Mailing List</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/WW";>Issue 
Tracker</a></li>
+                <li><a href="/security.html">Reporting Security Issues</a></li>
+                <li><a href="/commercial-support.html">Commercial 
Support</a></li>
+                <li class="divider"></li>
+                <li><a 
href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide";>Version 
Notes</a></li>
+                <li><a 
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins";>Security
 Bulletins</a></li>
+                <li><a href="/idea-plugin">IntelliJ IDEA plugin</a></li>
+                <li class="divider"></li>
+                <li><a href="/maven/project-info.html">Maven Project 
Info</a></li>
+                <li><a href="/maven/struts2-core/dependencies.html">Struts 
Core Dependencies</a></li>
+                <li><a href="/maven/struts2-plugins/modules.html">Plugin 
Dependencies</a></li>
+              </ul>
+            </li>
+            <li class="dropdown">
+              <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+                Documentation<b class="caret"></b>
+              </a>
+              <ul class="dropdown-menu">
+                <li><a href="/birdseye.html">Birds Eye</a></li>
+                <li><a href="/primer.html">Key Technologies</a></li>
+                <li><a href="/kickstart.html">Kickstart FAQ</a></li>
+                <li><a 
href="https://cwiki.apache.org/confluence/display/WW/Home";>Wiki</a></li>
+                <li class="divider"></li>
+                <li><a href="/getting-started/">Getting Started</a></li>
+                <li><a href="/security/">Security Guide</a></li>
+                <li><a href="/core-developers/">Core Developers Guide</a></li>
+                <li><a href="/tag-developers/">Tag Developers Guide</a></li>
+                <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
+                <li><a href="/plugins/">Plugins</a></li>
+                <li><a href="/maven/struts2-core/apidocs/index.html">Struts 
Core API</a></li>
+                <li><a href="/tag-developers/tag-reference.html">Tag 
reference</a></li>
+                <li><a 
href="https://cwiki.apache.org/confluence/display/WW/FAQs";>FAQs</a></li>
+                <li><a 
href="http://cwiki.apache.org/S2PLUGINS/home.html";>Plugin registry</a></li>
+              </ul>
+            </li>
+            <li class="dropdown">
+              <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+                Contributing<b class="caret"></b>
+              </a>
+              <ul class="dropdown-menu">
+                <li><a href="/youatstruts.html">You at Struts</a></li>
+                <li><a href="/helping.html">How to Help FAQ</a></li>
+                <li><a href="/dev-mail.html">Development Lists</a></li>
+                <li class="divider"></li>
+                <li><a href="/submitting-patches.html">Submitting 
patches</a></li>
+                <li><a href="/builds.html">Source Code and Builds</a></li>
+                <li><a href="/coding-standards.html">Coding standards</a></li>
+                <li><a href="/contributors/">Contributors Guide</a></li>
+                <li class="divider"></li>
+                <li><a href="/release-guidelines.html">Release 
Guidelines</a></li>
+                <li><a href="/bylaws.html">PMC Charter</a></li>
+                <li><a href="/volunteers.html">Volunteers</a></li>
+                <li><a 
href="https://gitbox.apache.org/repos/asf?p=struts.git";>Source 
Repository</a></li>
+                <li><a href="/updating-website.html">Updating the 
website</a></li>
+              </ul>
+            </li>
+            <li class="apache"><a href="http://www.apache.org/";><img 
src="/img/apache.png"></a></li>
+          </ul>
+        </div>
+      </div>
+    </div>
+  </nav>
+</header>
+
+
+<article class="container">
+  <section class="col-md-12">
+    <a class="edit-on-gh" 
href="https://github.com/apache/struts-site/edit/main/source/core-developers/struts-parameter-annotation.md";
 title="Edit this page on GitHub">Edit on GitHub</a>
+    
+    <a href="annotations.html" title="back to Annotations"><< back to 
Annotations</a>
+    
+    <h1 id="strutsparameter-annotation">StrutsParameter Annotation</h1>
+
+<p><code class="language-plaintext highlighter-rouge">@StrutsParameter</code> 
is a security annotation that marks which fields and methods in your Action 
class can receive values from user requests.</p>
+
+<p>Why it matters: by default (when annotations are required), Struts will 
only inject request parameters into fields or setter methods that have this 
annotation. This prevents attackers from setting values on fields you didn’t 
intend to expose.</p>
+
+<h2 id="usage">Usage</h2>
+
+<p>Used to annotate public <em>getter/setter</em> methods or <em>fields</em> 
on Action classes that are intended for parameter injection</p>
+
+<h2 id="parameters">Parameters</h2>
+
+<ul>
+  <li><code class="language-plaintext highlighter-rouge">depth</code> controls 
how deep into nested objects parameters can be set:</li>
+</ul>
+
+<h2 id="examples">Examples</h2>
+
+<div class="language-java highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code><span class="kd">public</span> <span 
class="kd">class</span> <span class="nc">MyAction</span> <span 
class="o">{</span>
+    <span class="nd">@StrutsParameter</span>
+    <span class="kd">public</span> <span class="nc">String</span> <span 
class="n">username</span><span class="o">;</span>  <span class="c1">// ✅ Can 
receive request parameter</span>
+
+    <span class="kd">public</span> <span class="nc">String</span> <span 
class="n">password</span><span class="o">;</span>  <span class="c1">// ❌ Cannot 
receive request parameter (not annotated)</span>
+<span class="o">}</span>
+</code></pre></div></div>
+
+<p>The <code class="language-plaintext highlighter-rouge">depth</code> 
controls how deep into nested objects parameters can be set:</p>
+<ul>
+  <li><code class="language-plaintext highlighter-rouge">depth = 0</code> 
(default): Only sets values directly on your action
+    <div class="language-plaintext highlighter-rouge"><div 
class="highlight"><pre class="highlight"><code>  @StrutsParameter
+  public String name;  // Accepts: ?name=value
+</code></pre></div>    </div>
+  </li>
+  <li><code class="language-plaintext highlighter-rouge">depth = 1</code>: 
Allows one level of nesting
+    <div class="language-plaintext highlighter-rouge"><div 
class="highlight"><pre class="highlight"><code>  @StrutsParameter(depth = 1)
+  public User user;  // Accepts: ?user.name=value
+</code></pre></div>    </div>
+  </li>
+  <li><code class="language-plaintext highlighter-rouge">depth = 2</code>: 
Allows two levels of nesting
+    <div class="language-plaintext highlighter-rouge"><div 
class="highlight"><pre class="highlight"><code>  @StrutsParameter(depth = 2)
+  public User user;  // Accepts: ?user.address.city=value
+</code></pre></div>    </div>
+  </li>
+</ul>
+
+<p>Rule of thumb: The depth equals the number of dots (or brackets) allowed in 
the parameter name.</p>
+
+  </section>
+</article>
+
+
+<footer class="container">
+  <div class="col-md-12">
+    Copyright &copy; 2000-2025 <a href="https://www.apache.org/";>The Apache 
Software Foundation</a>.
+    Apache Struts, Struts, Apache, the Apache feather logo, and the Apache 
Struts project logos are
+    trademarks of The Apache Software Foundation. All Rights Reserved.
+  </div>
+  <div class="col-md-12">Logo and website design donated by <a 
href="https://softwaremill.com/";>SoftwareMill</a>.</div>
+</footer>
+
+<a href="https://twitter.com/x?ref_src=twsrc%5Etfw"; 
class="twitter-follow-button" data-show-count="false">Follow @x</a>
+<script async src="/js/twitter-widgets.js" charset="utf-8"></script>
+
+<div id="fb-root"></div>
+
+<script>(function (d, s, id) {
+  var js, fjs = d.getElementsByTagName(s)[0];
+  if (d.getElementById(id)) return;
+  js = d.createElement(s);
+  js.id = id;
+  js.src = "/js/facebook-all.js";
+  fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script>
+
+
+</body>
+</html>
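Review bot: The Parameters section of the new page is left unfinished: its only list item ("`depth` controls how deep into nested objects parameters can be set:") ends in a colon with nothing after it, and the same sentence is repeated under Examples, where the depth values are actually listed. Either move the depth = 0/1/2 list under Parameters or complete the item with the default and its meaning. In the same pass: "by default (when annotations are required)" never names the setting that makes annotations required; the rule of thumb mentions brackets but no example shows an indexed parameter; the Usage sentence covers getter/setter methods while every example annotates a field, and it lacks a closing period; and the literal `<<` in the "back to Annotations" link should be written as `&lt;&lt;`.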
