(tick) These are the notes for the Struts 2.5.12 distribution.

(tick) For prior notes in this release series, see Version Notes

  • If you are a Maven user, you might want to get started using the Maven Archetype.
Maven Dependency

You can also use Struts Archetype Catalog like below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
    <name>ASF Nexus Staging</name>

Internal Changes

  • (warning) Possible DoS attack when using URLValidator, see S2-047
  • (warning) A DoS attack is available for Spring secured actions, see S2-049
  • Bug

    • [WW-3171] - "double" and "Double" are not validated with the same decimal séparator
    • [WW-3357] - ognl.MethodFailedException when you do not enter a value for a field mapped to an int.
    • [WW-3650] - Double Value Conversion with requestLocale=de
    • [WW-3659] - strange behavior of s:a tag with s:include tag inside
    • [WW-3905] - The TextProvider injection in ActionSupport isn't quite integrated into the framework's core DI
    • [WW-4105] - Struts2 raise java.lang.ClassCastException when Result type is chain
    • [WW-4472] - @InputConfig annotation is not working when integrating with spring aop
    • [WW-4528] - ChainingInterceptor does not handle lists correctly for excludes and includes
    • [WW-4578] - Validators do not work for multiple values
    • [WW-4581] - BigDecimal are not converted according context locale
    • [WW-4663] - NullPointerException when displaying a form without action attribute
    • [WW-4665] - Struts2 JSR286 Portlet fileupload not working
    • [WW-4694] - AnnotationWorkflowInterceptor doesn't work with spring proxied action
    • [WW-4736] - Upgrade to Log4j2 version 2.8
    • [WW-4737] - Array-of-null parameters are converted to arrays containing "null"
    • [WW-4739] - <s:reset> tag does not properly interpret the attribute tabindex
    • [WW-4740] - NullPointer in com.opensymphony.xwork2.ActionSupport.getLocale
    • [WW-4741] - Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
    • [WW-4746] - cssErrorClass attribute has no effect on label tag
    • [WW-4747] - s:file generates input tag with "value" attribute
    • [WW-4750] - Why JSONValidationInterceptor return Status Code 400 BAD_REQUEST instead of 200 SUCCESS
    • [WW-4758] - @autowired does not work since Struts
    • [WW-4772] - Convention Plugin can't use ${message}
    • [WW-4773] - Mixed content https to http when upgraded to 2.3.32 or
    • [WW-4774] - Upgrding Struts 2.3.1 to - Redirect issues HTTPS to HTTP
    • [WW-4775] - Action class Attributes(value stack) is not getting populated through Ajax url request parms
    • [WW-4784] - <s:url tag is not working after Struts migration
    • [WW-4786] - Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException
    • [WW-4788] - Parameters which are added via ServletDispatcherResult aren't availabe in #parameters
    • [WW-4790] - struts upgrade cause more frequent garbage collection
    • [WW-4794] - Subreport call "Caused by: java.lang.ClassCastException: org.apache.struts2.views.jasperreports.ValueStackDataSource cannot be cast to java.util.Collection"
    • [WW-4800] - Aspects are not executed when chaining AOPed actions
    • [WW-4801] - Duplicate hidden input field checkboxListHandler
    • [WW-4804] - inputtransferselect does not auto-select its elements
    • [WW-4810] - Calling empty locale


    • [WW-1534] - The value of checkbox getted in server-side is "false" when no any checkbox been selected.
    • [WW-3924] - refactor file upload framework
    • [WW-3952] - creditCard validator available in Struts 1 missing in Struts 2
    • [WW-4149] - No easy way to have an empty interceptor stack if have default stack
    • [WW-4210] - @TypeConversion converter attribut to class
    • [WW-4714] - Convert LocalizedTextUtil into a bean with default implementation
    • [WW-4743] - NPE in StrutsTilesContainerFactory when resource isn't found
    • [WW-4744] - AnnotationWorkflowInterceptor should supports non-public annotated methods
    • [WW-4748] - Upgrade commons-lang3 to 3.5
    • [WW-4749] - Buffer/Flush behaviour in FreemarkerResult
    • [WW-4751] - Struts2 should know and consider config time class of user's Actions
    • [WW-4752] - getters of exclude-sets in OgnlUtil should return immutable collections
    • [WW-4753] - Make DelegatingValidatorContext injectable
    • [WW-4754] - Mark site-graph plugin as deprecated
    • [WW-4756] - Use TextProviderFactory instead of TextProvider as bean's dependency
    • [WW-4757] - Create LocaleProviderFactory and uses instead of LocaleProvider
    • [WW-4761] - Improve error logging in DefaultDispatcherErrorHandler
    • [WW-4762] - DefaultLocalizedTextProvider refactoring
    • [WW-4764] - Make jakarta-stream multipart parser more extensbile
    • [WW-4767] - Make Multipart parsers more extensible
    • [WW-4768] - Add proper validation if request is a multipart request
    • [WW-4769] - Make SecurityMethodAccess excluded classes & packages definitions immutable
    • [WW-4771] - minor typos in confluence page "security.html"
    • [WW-4780] - Upgrade to Log4j2 2.8.2
    • [WW-4785] - Allow disable file upload support via an configurable option
    • [WW-4787] - TestCase XWorkMapPropertyAccessorTest should be moved to src/test/java
    • [WW-4791] - Stop using DefaultLocalizedTextProvider#localeFromString static util method
    • [WW-4793] - Don't add JBossFileManager as a possible FileManager when not on JBoss
    • [WW-4795] - There is no @LongRangeFieldValidator annotation to support LongRangeFieldValidator
    • [WW-4805] - At least a DoS attack is available for Spring secured actions
    • [WW-4809] - Upgrade to commons-lang 3.6
    • [WW-4812] - Update commons-fileupload

    New Feature

    • [WW-3399] - JCR(JSR-170) Struts2 plugin


This release contains fixes related to S2-047 and S2-049, please read them carefully!

This version contains a new conversion logic which is Locale aware and can affect your application when you are using some uncommon solutions. One of these is to use a number literals in Freemarker template. In such case Freemarker treats them as numbers (as BigDecimals) and Struts logic converts them to a string with decimal zero, see the example below:

<@s.textfield name="userId" value=35/>

this snippet will produce the following Html control:

<input type="text" name="userId" value="35.0"/>

To resolves this problem you must add quotes around the value:

<@s.textfield name="userId" value="35"/>

This is due how Freemarker treats a number literals.


Issue Detail

Issue List

Other resources