This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch docs/struts-720-content-audit
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 413876e469be5ab7530775cbc037b55fed418ab6
Author: Lukasz Lenart <[email protected]>
AuthorDate: Sun Jun 14 19:50:50 2026 +0200

    docs: document JSON deserialization limits and per-property authorization (WW-5618/5626)
    
    Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
 source/plugins/json/index.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/source/plugins/json/index.md b/source/plugins/json/index.md
index dc4a3341d..cfa7cff04 100644
--- a/source/plugins/json/index.md
+++ b/source/plugins/json/index.md
@@ -562,6 +562,34 @@ and `jsonRpcContentType` params, see example:
 
 Please be aware that those are scoped params per stack, which means, once set 
it will be used by actions in scope of this stack.
 
+### Deserialization limits
+
+To guard against malicious or oversized payloads, JSON deserialization enforces
+the following limits. Each can be set globally as a constant or 
per-interceptor as
+a `<param>` (following the same pattern as the fileUpload interceptor):
+
+| Constant | Default | Controls |
+|----------|---------|----------|
+| `struts.json.maxElements` | `10000` | Maximum number of elements in a single 
JSON array or object |
+| `struts.json.maxDepth` | `64` | Maximum nesting depth of the JSON structure |
+| `struts.json.maxLength` | `2097152` (2 MB) | Maximum length of the JSON 
input |
+| `struts.json.maxStringLength` | `262144` (256 KB) | Maximum length of an 
individual JSON string value |
+| `struts.json.maxKeyLength` | `512` | Maximum length of a JSON object key |
+
+```xml
+<constant name="struts.json.maxLength" value="1048576"/>
+```
+
+The reader and writer implementations are also pluggable via
+`struts.json.reader` and `struts.json.writer` (both default to `struts`).
+
+### Parameter authorization
+
+JSON deserialization enforces the 
[`@StrutsParameter`](../../core-developers/struts-parameter-annotation.html)
+annotation **per property, during deserialization** — unauthorized fields are
+never set on the target object. Annotate the action properties that may be
+populated from the JSON request body.
+
 ## JSON RPC
 
 The json plugin can be used to execute action methods from javascript and 
return the output. This feature was developed 
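Review bot: Neither new section says what happens when its check fires. The "Deserialization limits" table lists five limits but not whether exceeding one rejects the request (and with which exception or HTTP status) or truncates the input, and the "Parameter authorization" paragraph says unauthorized fields "are never set on the target object" without saying whether the request is failed or the field is silently dropped, and whether the attempt is logged; operators need both facts to decide what to alert on, so add one sentence per section stating the failure behaviour. Also, the line `+To guard against malicious or oversized payloads, JSON deserialization enforces` promises per-interceptor configuration via `<param>`, but the only example is the `<constant name="struts.json.maxLength" value="1048576"/>` form; add a matching `<param>` example on the interceptor (inside the stack, as the preceding paragraph on `jsonRpcContentType` does) so readers do not have to guess the parameter names from the constant names.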