This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch docs/struts-720-content-audit in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 0912a841a3c52ad44858c766e2805b205f5f16dd Author: Lukasz Lenart <[email protected]> AuthorDate: Sun Jun 14 19:50:24 2026 +0200 docs: make @StrutsParameter page the authorization hub (WW-5626/5631/5627) Co-Authored-By: Claude Opus 4.8 <[email protected]> --- source/core-developers/struts-parameter-annotation.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source/core-developers/struts-parameter-annotation.md b/source/core-developers/struts-parameter-annotation.md index 1e043dcd6..95bb0d414 100644 --- a/source/core-developers/struts-parameter-annotation.md +++ b/source/core-developers/struts-parameter-annotation.md @@ -12,6 +12,19 @@ parent: Why it matters: by default (when annotations are required), Struts will only inject request parameters into fields or setter methods that have this annotation. This prevents attackers from setting values on fields you didn't intend to expose. +## Where authorization applies + +As of Struts 7.2.0 the `@StrutsParameter` authorization is enforced across every +channel that can populate an action from request data: + +- [Parameters Interceptor](parameters-interceptor.html) — request parameters + (default, governed by `struts.parameters.requireAnnotations`). +- [Chaining Interceptor](chaining-interceptor.html) — value-stack copying during + action chaining (opt-in via `struts.chaining.requireAnnotations`). +- [Cookie Interceptor](cookie-interceptor.html) — cookie values. +- [JSON](../../plugins/json) and [REST](../../plugins/rest) plugins — per-property + authorization performed during deserialization, so unauthorized fields are never set. + ## Usage The placement of the `@StrutsParameter` annotation is crucial and depends on how you want to populate your action properties.
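Review bot: The new "Where authorization applies" section opens by stating that the `@StrutsParameter` authorization "is enforced across every channel", but the Chaining Interceptor bullet immediately below describes it as "opt-in via `struts.chaining.requireAnnotations`", so a reader cannot tell whether chaining is protected out of the box. Suggest rewording the intro to something like "can be enforced across every channel" and spelling out the default for each bullet, since the Parameters Interceptor bullet says "default" while the Cookie Interceptor bullet names no setting and no default at all; a reader hardening an application needs to know which of these are on without configuration and which must be switched on. Also, the interceptor links use `parameters-interceptor.html` style while the plugin links use bare directory paths (`../../plugins/json`, `../../plugins/rest`); please confirm both forms resolve in the site build, or use one style consistently.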
