This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch docs/struts-720-content-audit
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 0912a841a3c52ad44858c766e2805b205f5f16dd
Author: Lukasz Lenart <[email protected]>
AuthorDate: Sun Jun 14 19:50:24 2026 +0200

    docs: make @StrutsParameter page the authorization hub (WW-5626/5631/5627)
    
    Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
 source/core-developers/struts-parameter-annotation.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source/core-developers/struts-parameter-annotation.md 
b/source/core-developers/struts-parameter-annotation.md
index 1e043dcd6..95bb0d414 100644
--- a/source/core-developers/struts-parameter-annotation.md
+++ b/source/core-developers/struts-parameter-annotation.md
@@ -12,6 +12,19 @@ parent:
 
 Why it matters: by default (when annotations are required), Struts will only 
inject request parameters into fields or setter methods that have this 
annotation. This prevents attackers from setting values on fields you didn't 
intend to expose.
 
+## Where authorization applies
+
+As of Struts 7.2.0 the `@StrutsParameter` authorization is enforced across 
every
+channel that can populate an action from request data:
+
+- [Parameters Interceptor](parameters-interceptor.html) — request parameters
+  (default, governed by `struts.parameters.requireAnnotations`).
+- [Chaining Interceptor](chaining-interceptor.html) — value-stack copying 
during
+  action chaining (opt-in via `struts.chaining.requireAnnotations`).
+- [Cookie Interceptor](cookie-interceptor.html) — cookie values.
+- [JSON](../../plugins/json) and [REST](../../plugins/rest) plugins — 
per-property
+  authorization performed during deserialization, so unauthorized fields are 
never set.
+
 ## Usage
 
 The placement of the `@StrutsParameter` annotation is crucial and depends on 
how you want to populate your action properties.
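Review bot: the new "Where authorization applies" list states the enforcement mode and governing setting for only two of the four channels. The Parameters Interceptor bullet says `default, governed by struts.parameters.requireAnnotations` and the Chaining Interceptor bullet says `opt-in via struts.chaining.requireAnnotations`, but the Cookie Interceptor and JSON/REST plugin bullets give no indication of whether authorization there is on by default or which setting controls it. Since this page is meant to be the authorization hub, each bullet should say so explicitly; otherwise a reader takes the opening sentence, `the @StrutsParameter authorization is enforced across every channel`, to mean every channel is enforced out of the box, which the chaining bullet itself contradicts. Suggest rewording the opener to something like "can be enforced across every channel ... (some channels require opting in)" and adding the default/opt-in status and setting name to the cookie and JSON/REST bullets, or stating plainly that those have no toggle if that is the case. Minor: the interceptor links carry `.html` suffixes (`parameters-interceptor.html`) while the plugin links do not (`../../plugins/json`, `../../plugins/rest`); worth confirming both forms resolve on the generated site.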
