These are the notes for the Struts version 6.6.0 distribution.

For prior notes in this release series, see Version Notes 6.4.0.

Maven users

If you are a Maven user, you might want to get started using the Maven Archetype.

Maven Dependency
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>6.6.0</version>
</dependency>

You can also use the Struts Archetype Catalog, as shown below:

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

Internal changes

Improved security by updating the OGNL member access criteria (see WW-5417) and by extending SecurityMemberAccess proxy detection to Hibernate proxies (see WW-5407).

Bug

  • [WW-5060] - Struts 2 Rest Plugin Conversion Issue
  • [WW-5310] - s:url does not handle equal sign correctly
  • [WW-5406] - Action excluded patterns are not updated following a configuration reload
  • [WW-5414] - AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
  • [WW-5415] - Struts2 Validator is failing in OGNL with constructor call
  • [WW-5417] - Update OGNL member access criteria
  • [WW-5418] - Forbid Enums and Jasper classes
  • [WW-5419] - Autoloading of tiles.xml fails in Struts-6.4.0
  • [WW-5422] - I18nInterceptor and invalid locale
  • [WW-5424] - ClassCastException with tag "set" when variable name has length=1
  • [WW-5436] - Select tag NOT working when using list of org.apache.commons.beanutils.LazyDynaBean
  • [WW-5437] - EnvsValueSubstitutor ignores Environment variables if default value is present

Improvement

  • [WW-5250] - Address TODO in DefaultActionValidatorManagerTest
  • [WW-5400] - CSP interceptor only allows very limited configuration
  • [WW-5407] - Extend SecurityMemberAccess proxy detection to Hibernate proxies
  • [WW-5408] - Add option to NOT fallback to empty namespace when unresolved
  • [WW-5409] - Introduce final attribute to package elements which makes them unextendable
  • [WW-5412] - Upgrade to Apache Struts Master 15
  • [WW-5428] - Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set
  • [WW-5429] - Log parameter annotation issues at ERROR level when in DevMode
  • [WW-5431] - Mark as deprecated unused constants in FreemarkerManager
  • [WW-5432] - Replace ClassTemplateLoader with WebappClassTemplateLoader
  • [WW-5439] - Fix and clean up DevMode excluded class configuration
  • [WW-5442] - Enforce allowlist for OgnlReflectionProvider

Dependency

  • [WW-5420] - Upgrade commons-text to ver. 1.12.0
  • [WW-5421] - Upgrade ASM to version 9.7
  • [WW-5425] - Bump jackson.version from 2.16.1 to 2.17.1
  • [WW-5426] - Upgrade Apache FreeMarker to version 2.3.33
  • [WW-5434] - Bump commons-validator:commons-validator from 1.8.0 to 1.9.0
  • [WW-5435] - Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5
  • [WW-5441] - Bump net.sf.jasperreports:jasperreports from 6.21.0 to 6.21.3
  • [WW-5443] - Bump Spring dependencies from 5.3.31 to 5.3.37
