This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch docs/struts-720-content-audit in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 95d0b1e64c0382b5ae58198ec982a58595ed47eb Author: Lukasz Lenart <[email protected]> AuthorDate: Sun Jun 14 19:50:02 2026 +0200 docs: document cookie interceptor @StrutsParameter authorization (WW-5627) Co-Authored-By: Claude Opus 4.8 <[email protected]> --- source/core-developers/cookie-interceptor.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source/core-developers/cookie-interceptor.md b/source/core-developers/cookie-interceptor.md index 6381b4f51..768e6bc27 100644 --- a/source/core-developers/cookie-interceptor.md +++ b/source/core-developers/cookie-interceptor.md @@ -23,6 +23,19 @@ into Struts' action. The action could implement `CookiesAware` in order to have a `Map` of filtered cookies set into it. +## Parameter Authorization + +Cookie values are injected through the same `@StrutsParameter` authorization path +as the [Parameters Interceptor](parameters-interceptor.html) (previously the +interceptor wrote directly to the value stack and bypassed authorization). + +> **Behaviour change in 7.2.0:** when annotation enforcement is active (the +> default `struts.parameters.requireAnnotations=true`), cookies will only populate +> setters marked with [`@StrutsParameter`](struts-parameter-annotation.html). +> Applications that relied on cookies populating un-annotated setters must either +> add the annotation to those setters or stop using `cookiesName=*`. +{:.alert .alert-warning} + ## Parameters - `cookiesName` (mandatory) - Name of cookies to be injected into the action. If more than one cookie name is desired
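Review bot: In the added "Behaviour change in 7.2.0" note, the second remedy ("stop using `cookiesName=*`") does not follow from the sentence before it, which says that with enforcement active cookies only populate setters marked with `@StrutsParameter`. As worded, a reader could conclude that listing cookie names explicitly lets un-annotated setters keep being populated. Suggest stating what that option actually achieves (for example, that the un-annotated setter is simply no longer fed from cookies), or dropping it and keeping only "add the annotation". The new section also leaves open whether the `CookiesAware` `Map` described in the context line just above it goes through the same authorization path; one sentence on that would help, since the parenthetical says the interceptor previously "bypassed authorization" without saying which injection routes are now covered.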
