This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch docs/struts-720-content-audit in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 92ea4270f69b419db8929b8d307d75778312c74f Author: Lukasz Lenart <[email protected]> AuthorDate: Sun Jun 14 19:49:37 2026 +0200 docs: document chaining interceptor @StrutsParameter enforcement (WW-5631) Co-Authored-By: Claude Opus 4.8 <[email protected]> --- source/core-developers/chaining-interceptor.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/source/core-developers/chaining-interceptor.md b/source/core-developers/chaining-interceptor.md index 34d6d0139..be4c591d6 100644 --- a/source/core-developers/chaining-interceptor.md +++ b/source/core-developers/chaining-interceptor.md @@ -37,6 +37,27 @@ the below three constants in struts.properties or struts.xml: <constant name="struts.xwork.chaining.copyErrors" value="true"/> ``` +## Parameter Authorization + +By default the Chaining Interceptor copies **all** properties of the objects on +the value stack into the target action, regardless of any `@StrutsParameter` +annotation. To restrict copying to annotated properties only, set the global +constant: + +```xml +<constant name="struts.chaining.requireAnnotations" value="true"/> +``` + +When enabled (default is `false`): + +- Only properties whose target setters carry [`@StrutsParameter`](struts-parameter-annotation.html) + are copied; rejected properties are skipped and logged at `WARN`. +- Authorization uses the same `ParameterAuthorizer` service as the + [Parameters Interceptor](parameters-interceptor.html), keeping semantics consistent. +- The behaviour is **fail-closed**: if the target action cannot be introspected, + no properties are copied. +- This is a **global** constant only — there is no per-interceptor override. + ## Parameters - `excludes` (optional) - the list of parameter names to exclude from copying (all others will be included)
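Review bot: The new "Parameter Authorization" section does not say how `struts.chaining.requireAnnotations` interacts with the `excludes` parameter documented directly below it under "Parameters". State whether a property must pass both the annotation check and the exclude list, or whether one takes precedence. Two smaller points in the same section: the new constant uses the prefix `struts.chaining.` while the constant in the preceding context uses `struts.xwork.chaining.` (`struts.xwork.chaining.copyErrors`), so a sentence confirming the different prefix is intentional would keep readers from typing the wrong one; and the fail-closed bullet should say whether the "cannot be introspected" case is logged, since otherwise a chained action that receives no properties is hard to tell apart from one whose setters were each rejected and logged at `WARN`.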
