This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch docs/struts-720-content-audit
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 92ea4270f69b419db8929b8d307d75778312c74f
Author: Lukasz Lenart <[email protected]>
AuthorDate: Sun Jun 14 19:49:37 2026 +0200

    docs: document chaining interceptor @StrutsParameter enforcement (WW-5631)
    
    Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
 source/core-developers/chaining-interceptor.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/source/core-developers/chaining-interceptor.md 
b/source/core-developers/chaining-interceptor.md
index 34d6d0139..be4c591d6 100644
--- a/source/core-developers/chaining-interceptor.md
+++ b/source/core-developers/chaining-interceptor.md
@@ -37,6 +37,27 @@ the below three constants in struts.properties or struts.xml:
 <constant name="struts.xwork.chaining.copyErrors" value="true"/>
 ```
 
+## Parameter Authorization
+
+By default the Chaining Interceptor copies **all** properties of the objects on
+the value stack into the target action, regardless of any `@StrutsParameter`
+annotation. To restrict copying to annotated properties only, set the global
+constant:
+
+```xml
+<constant name="struts.chaining.requireAnnotations" value="true"/>
+```
+
+When enabled (default is `false`):
+
+- Only properties whose target setters carry 
[`@StrutsParameter`](struts-parameter-annotation.html)
+  are copied; rejected properties are skipped and logged at `WARN`.
+- Authorization uses the same `ParameterAuthorizer` service as the
+  [Parameters Interceptor](parameters-interceptor.html), keeping semantics 
consistent.
+- The behaviour is **fail-closed**: if the target action cannot be 
introspected,
+  no properties are copied.
+- This is a **global** constant only — there is no per-interceptor override.
+
 ## Parameters
 
  - `excludes` (optional) - the list of parameter names to exclude from copying 
(all others will be included)
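Review bot: The new "Parameter Authorization" section does not say how `struts.chaining.requireAnnotations` combines with the `excludes` parameter documented directly below it under "Parameters". Please add one sentence stating whether a property has to pass both the `excludes` filter and the `@StrutsParameter` check, and in which order they are applied, so a reader does not assume one setting replaces the other. Two smaller points in the same section: the new constant is written with the prefix `struts.chaining.` while the existing example in the context line above uses `struts.xwork.chaining.copyErrors`, so it is worth confirming the name is as intended or noting the difference explicitly; and "When enabled (default is `false`)" would be easier to scan if the default were stated next to the constant name in the opening paragraph, since the default setting is the one that copies properties regardless of annotation.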
