These are the notes for the Struts 2.3.24 distribution.

For prior notes in this release series, see Version Notes 2.3.20.

  • If you are a Maven user, you might want to get started using the Maven Archetype.
  • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
Maven Dependency
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.24</version>
</dependency>

You can also use the Struts Archetype Catalog, as shown below:

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

  • (warning) fixed flow in DefaultActionInvocation and when using the Convention Plugin, see WW-4433
  • (warning) defined new plugin to support Java 8, check Java 8 Support Plugin and see WW-4435
  • fixed problem with style attribute, see WW-4430
  • fixed problem with converting values from ActionContext, see WW-4427
  • converters are again applied to values coming from the context, see WW-4427
  • (warning) struts.ognl.allowStaticMethodAccess works again, see WW-4429
  • fixed memory leak in CDI plugin, see WW-4441
  • fixed problem with hidden field which silently drops 'label' attribute, see WW-4447
  • fixed parameters encoding in ServletRedirectAction before checking for valid URI, see WW-4448
  • css_xhtml hidden input adding table row markup, see WW-4454
  • (warning) FreeMarker was upgraded to the latest available version - 2.3.22, see WW-4484 - which means you can enable incompatible improvements
  • support for Log4j2 was added, see WW-4492 
  • and many other improvements, please check the version notes

Please read the information about the new internal security mechanism introduced with the previous version and extended in this version!

Security Note

This version moves all excluded parameters from struts-default.xml into DefaultExcludedPatternsChecker.java. If you cannot migrate to the latest version, it is highly recommended to redefine defaultStack from struts-default.xml as the one below (or any other stack that is used in your application) and drop the excludeParams parameter:

Redefined defaultStack
<interceptor-stack name="myDefaultStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="datetime"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <interceptor-ref name="params"/>
    <interceptor-ref name="conversionError"/>
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="deprecation"/>
</interceptor-stack>

and define the following constant in struts.xml:

<constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
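
A check for the two steps above, as an added example that is not part of the original release notes or the Struts project: it parses a struts.xml and reports stacks that still set excludeParams, and a missing or too-narrow struts.additional.excludedPatterns constant. The sample documents, the probe parameter names and the matching rules (comma-separated list, whole-name match) are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a stack that still carries excludeParams and no constant
# (the state the Security Note asks you to fix).
SAMPLE_BEFORE = """<struts>
  <interceptor-stack name="myDefaultStack">
    <interceptor-ref name="params">
      <param name="excludeParams">^dojo.*</param>
    </interceptor-ref>
  </interceptor-stack>
</struts>"""

# Constructed sample: the corrected form, using the constant from the page.
SAMPLE_AFTER = """<struts>
  <constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
  <interceptor-stack name="myDefaultStack">
    <interceptor-ref name="params"/>
  </interceptor-stack>
</struts>"""

PROBES = ("action:index", "method:execute")  # constructed parameter names


def audit(xml_text):
    """Return a list of findings for one struts.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for stack in root.iter("interceptor-stack"):
        for ref in stack.iter("interceptor-ref"):
            for p in ref.findall("param"):
                # Also catches the prefixed override form "params.excludeParams".
                if p.get("name", "").endswith("excludeParams"):
                    findings.append("excludeParams still set in stack %r" % stack.get("name"))
    values = [c.get("value", "") for c in root.iter("constant")
              if c.get("name") == "struts.additional.excludedPatterns"]
    if not values:
        findings.append("struts.additional.excludedPatterns not defined")
    else:
        # Assumption: comma-separated list; a pattern must match the whole name.
        patterns = [re.compile(v.strip()) for v in values[-1].split(",") if v.strip()]
        for name in PROBES:
            if not any(p.fullmatch(name) for p in patterns):
                findings.append("pattern does not exclude %r" % name)
    return findings
```
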

Issue Detail

Issue List

Other resources


