(tick) These are the notes for the Struts version 6.4.0 distribution.

(tick) For prior notes in this release series, see Version Notes

Maven users

If you are a Maven user, you might want to get started using the Maven Archetype.

Maven Dependency

You can also use Struts Archetype Catalog like below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

Internal changes

This version uses Caffeine, which "is a high performance, near optimal caching library" that implements the W-TinyLfu algorithm. More details can be found in WW-5355 and PR #766


  • [WW-5192] - Radio tag not setting enum key values
  • [WW-5319] - StrutsUtils is not defined in validation.js
  • [WW-5357] - Struts anchor tag doesn't support "disabled" even though docs indicate it does
  • [WW-5365] - Radio tag does not support value objects of type Boolean when setting the default value
  • [WW-5373] - CspReportAction JavaDoc wrong
  • [WW-5382] - Stale configuration persists after configuration reload
  • [WW-5387] - ApplicationMap.remove does not remove the entry from the ServletContext
  • [WW-5392] - Tiles-Plugin unable to load tiles definition XML if the file names are specified with wild char
  • [WW-5396] - Javatemplates s:file shows server/file location
  • [WW-5403] - Struts 2.5 to 6.x migration issues caused by removal of deprecated code within a minor release

New Feature

  • [WW-5402] - Auto loading the Tiles definition files from the classpath dependent JAR


  • [WW-5225] - add accessor to the original filename into JakartaMultiPartRequest & MultiPartRequestWrapper
  • [WW-5328] - Removes deprecated methods from SecurityMemberAccess & MemberAccessValueStack
  • [WW-5333] - Refactor AttributeMap
  • [WW-5338] - Remove deprecated OgnlTool
  • [WW-5339] - Mitigate against custom class ASTMap node construction
  • [WW-5340] - Introduce optional AST node exclusion list
  • [WW-5341] - Ensure exclusion list applies to objects from all ClassLoaders
  • [WW-5342] - Block classes in default package
  • [WW-5343] - Make SecurityMemberAccess extensible and a prototype bean
  • [WW-5346] - CDI Plugin: Replace deprecated BeanManager::createInjectionTarget
  • [WW-5348] - Allow overriding of logging behaviour in DefaultAcceptedPatternsChecker
  • [WW-5349] - Remove core dependency on ognl.ASTVarRef
  • [WW-5350] - Implement optional strict class/package allowlist for OGNL
  • [WW-5352] - Implement annotation mechanism for injectable fields via parameters
  • [WW-5354] - Add actionErrors, actionMessages, fieldErrors to parameter excluded patterns
  • [WW-5355] - Integrate and use WTLFU cache by default
  • [WW-5358] - Expand exclusion list
  • [WW-5359] - Improved the StrutsUrlDecoder so that charset retrieval is performed only once
  • [WW-5360] - Struts 2 and JDK 17 numbers of iterator tag when using different locale
  • [WW-5362] - Remove type attribute out of <s:script/> tag
  • [WW-5363] - Look up Stack last in Velocity context
  • [WW-5364] - Automatically populate OGNL allowlist
  • [WW-5369] - Re-define a minimal library set for Struts 6.x
  • [WW-5370] - Make HttpParameters case-insensitive
  • [WW-5371] - Use action based callback to transfer information about uploaded files
  • [WW-5374] - CspInterceptor reportUri with context
  • [WW-5377] - trouble with Struts tags nested within <s:script> one
  • [WW-5378] - Add option to not fallback to context lookup when finding value in OgnlValueStack
  • [WW-5379] - Implement alternative mechanism for Velocity directives to obtain stack
  • [WW-5381] - Introduce extension points for CompoundRootAccessor and MethodAccessor
  • [WW-5383] - Exclude JAR files by default when scanning for actions on JDK9+
  • [WW-5391] - Add interface for VelocityManager extension point
  • [WW-5401] - Adds more logging statements around validating and accepting MultiPartRequest


  • [WW-5394] - Use request encoding in rest plugin


  • [WW-5344] - Un-deprecate the Sitemesh plugin and upgrade Sitemesh to ver. 2.5.0
  • [WW-5347] - Upgrade to commons-digester3 version 3.2
  • [WW-5389] - Upgrade Log4j to version 2.21.1
  • [WW-5395] - Upgrade commons-logging:commons-logging from 1.2 to 1.3.0
  • [WW-5397] - Upgrade net.sf.jasperreports:jasperreports from 6.20.6 to 6.21.0
  • [WW-5398] - Upgrade commons-validator:commons-validator from 1.6 to 1.8.0
  • [WW-5399] - Upgrade org.apache.commons:commons-compress from 1.25.0 to 1.26.0
  • [WW-5404] - Bump log4j2.version from 2.21.1 to 2.23.1

Issue Detail

Issue List

Other resources