These are the notes for the Struts 2.3.20 distribution.
For prior notes in this release series, see Version Notes 2.3.16.3
- If you are a Maven user, you might want to get started using the Maven Archetype.
- Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
<dependency> <groupId>org.apache.struts</groupId> <artifactId>struts2-core</artifactId> <version>2.3.20</version> </dependency>
You can also use Struts Archetype Catalog like below
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
<repositories> <repository> <id>apache.nexus</id> <name>ASF Nexus Staging</name> <url>https://repository.apache.org/content/groups/staging/</url> </repository> </repositories>
Internal Changes
- Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
- Extended existing security mechanism to block access to given Java packages and Classes, see #11 or read Internal security mechanism
- Collection Parameters for RedirectResults, WW-4224
- Make ParametersInterceptor supports chinese in hash key by default, WW-4250
- themes.properties can be loaded using ServletContext allows to put
template
folder under WEB-INF or on classpath, WW-4260 - New tag datetextfield, WW-3493
- Only valid Ognl expressions are cached, WW-4146
- CustomTextProvider can be used for validation errors of model driven actions, WW-4202
- datetimepicker's label fixed, WW-4254
- PropertiesJudge removed and properties are checked in
SecurityMemberAccess
, WW-4257 - resource reloading works in IBM JVM, WW-4266
- default reloading settings were removed from
default.properties
, WW-4267 - commons-fileupload library upgraded to version 1.3.1 to fix potential security vulnerability, WW-4286
- The
scheme
attribute accepts expressions ins:url
tag, WW-4024 - Solves problem with infinite loop in
FastByteArrayOutputStream
, WW-4383 LocalizedTextUtil
supports manyClassLoaders
, WW-4379- Bill of Materials pom was introduced, WW-4326
debug=browser|console
was migrated to jQuery, WW-4322struts_dojo.js
was fixed, WW-4349- interface
org/apache/struts2/views/TagLibrary
was restored and marked as@Depreacted
, WW-4255 <s:hidden/>
tag is wrapped with<tr/>
and<td/>
tags to match layout of other tags inxhtml
theme, WW-4297- and many other small improvements, please see the release notes
Please read information about new internal security mechanism introduced with this version, it can have impact on your application! With version 2.3.20 new internal security mechanism was introduced, if you were setting excludeParams
in your struts.xml
you should remove it as this overlaps those patterns defined by the framework itself. Read more here.
This release contains fix related to S2-023 security bulletin, please read it carefully!