These are the notes for the Struts 2.3.24 distribution.
For prior notes in this release series, see Version Notes 2.3.20.
- If you are a Maven user, you might want to get started using the Maven Archetype.
- Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.3.24</version>
</dependency>
You can also use the Struts Archetype Catalog, as shown below:
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
<repositories>
    <repository>
        <id>apache.nexus</id>
        <name>ASF Nexus Staging</name>
        <url>https://repository.apache.org/content/groups/staging/</url>
    </repository>
</repositories>
Internal Changes
- fixed flow in DefaultActionInvocation and when using the Convention Plugin, see WW-4433
- defined new plugin to support Java 8, check Java 8 Support Plugin and see WW-4435
- fixed problem with style attribute, see WW-4430
- fixed problem with converting values from ActionContext, see WW-4427
- converters are again applied to values coming from the context, see WW-4427
- struts.ognl.allowStaticMethodAccess works again, see WW-4429
- fixed memory leak in CDI plugin, see WW-4441
- fixed problem with hidden field which silently drops 'label' attribute, see WW-4447
- fixed parameters encoding in ServletRedirectAction before checking for valid URI, see WW-4448
- css_xhtml hidden input adding table row markup, see WW-4454
- FreeMarker was upgraded to the latest available version - 2.3.22, see WW-4484 - which means you can enable incompatible improvements
- support for Log4j2 was added, see WW-4492
- and many other improvements, please check the version notes
Please read information about new internal security mechanism introduced with the previous version and extended in this version!
Security Note
This version moves all excluded parameters from struts-default.xml into DefaultExcludedPatternsChecker.java. If you cannot migrate to the latest version, it is highly recommended to re-define defaultStack from struts-default.xml (or any other stack used in your application) as the one below, dropping the excludeParams parameter:
<interceptor-stack name="myDefaultStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="datetime"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <interceptor-ref name="params"/>
    <interceptor-ref name="conversionError"/>
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="deprecation"/>
</interceptor-stack>
and define the following constant in struts.xml:
<constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
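To check that a struts.xml has been migrated as the Security Note describes, the following added example (not part of the Struts distribution or these notes) flags stacks whose params interceptor still sets excludeParams and verifies that the struts.additional.excludedPatterns constant rejects action: and method: prefixed parameter names. The function name, probe names and sample documents are hypothetical, and it assumes the constant holds a single pattern that must match the whole parameter name, with Python's re standing in for Java's regex engine.

```python
import re
import xml.etree.ElementTree as ET

CONSTANT = "struts.additional.excludedPatterns"
# Constructed parameter names that the page's pattern ^(action|method):.* should reject.
PROBES = ("action:index", "method:execute")

def audit_struts_xml(xml_text):
    """Return a list of findings for one struts.xml document (empty list = migrated)."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Stacks whose params interceptor still carries an excludeParams parameter.
    for stack in root.iter("interceptor-stack"):
        for ref in stack.iter("interceptor-ref"):
            if ref.get("name") == "params" and any(p.get("name") == "excludeParams" for p in ref.findall("param")):
                findings.append(f"stack '{stack.get('name')}': params still sets excludeParams")
    # 2. The additional exclusion constant must exist, compile, and reject every probe.
    values = [c.get("value", "") for c in root.iter("constant") if c.get("name") == CONSTANT]
    if not values:
        return findings + [f"constant {CONSTANT} is not defined"]
    try:
        pattern = re.compile(values[-1])  # assumption: one pattern, full-name match
    except re.error as exc:
        return findings + [f"constant {CONSTANT} is not a valid regex: {exc}"]
    missed = [p for p in PROBES if not pattern.fullmatch(p)]
    if missed:
        findings.append(f"constant {CONSTANT} does not match: {', '.join(missed)}")
    return findings

# Constructed sample: stack that still uses excludeParams, constant missing.
LEGACY = """<struts><package name="app"><interceptors>
  <interceptor-stack name="defaultStack">
    <interceptor-ref name="params">
      <param name="excludeParams">dojo.*,^struts.*</param>
    </interceptor-ref>
  </interceptor-stack></interceptors></package></struts>"""

# Constructed sample: stack and constant as given in the Security Note.
MIGRATED = """<struts>
  <constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>
  <package name="app"><interceptors>
  <interceptor-stack name="myDefaultStack">
    <interceptor-ref name="params"/>
  </interceptor-stack></interceptors></package></struts>"""

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit_struts_xml(doc) or "ok")
```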