This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch docs/struts-720-content-audit
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 95d0b1e64c0382b5ae58198ec982a58595ed47eb
Author: Lukasz Lenart <[email protected]>
AuthorDate: Sun Jun 14 19:50:02 2026 +0200

    docs: document cookie interceptor @StrutsParameter authorization (WW-5627)
    
    Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
 source/core-developers/cookie-interceptor.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source/core-developers/cookie-interceptor.md 
b/source/core-developers/cookie-interceptor.md
index 6381b4f51..768e6bc27 100644
--- a/source/core-developers/cookie-interceptor.md
+++ b/source/core-developers/cookie-interceptor.md
@@ -23,6 +23,19 @@ into Struts' action.
 
 The action could implement `CookiesAware` in order to have a `Map` of filtered 
cookies set into it.
 
+## Parameter Authorization
+
+Cookie values are injected through the same `@StrutsParameter` authorization 
path
+as the [Parameters Interceptor](parameters-interceptor.html) (previously the
+interceptor wrote directly to the value stack and bypassed authorization).
+
+> **Behaviour change in 7.2.0:** when annotation enforcement is active (the
+> default `struts.parameters.requireAnnotations=true`), cookies will only 
populate
+> setters marked with [`@StrutsParameter`](struts-parameter-annotation.html).
+> Applications that relied on cookies populating un-annotated setters must 
either
+> add the annotation to those setters or stop using `cookiesName=*`.
+{:.alert .alert-warning}
+
 ## Parameters
 
  - `cookiesName` (mandatory) - Name of cookies to be injected into the action. 
If more than one cookie name is desired 
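
Review bot: In the 7.2.0 warning block, the second remedy ("or stop using `cookiesName=*`") sits awkwardly with the sentence before it, which says cookies only populate setters marked with `@StrutsParameter` while enforcement is active. As worded, a reader can conclude that listing cookie names explicitly exempts un-annotated setters from authorization. If explicitly named cookies also go through the annotation check, drop that option or reword it as a way to narrow which cookies are accepted; if they do not, the opening paragraph of the section should say so. The section should also state whether the `CookiesAware` map described just above it is subject to the same check, and what happens when `struts.parameters.requireAnnotations` is set to `false`, since the note covers only the default.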
