Posted to commits@struts.apache.org by lu...@apache.org on 2015/09/24 20:29:31 UTC

svn commit: r966663 [1/2] - in /websites/production/struts/content: ./ docs/

Author: lukaszlenart
Date: Thu Sep 24 18:29:30 2015
New Revision: 966663

Log:
Updates production

Added:
    websites/production/struts/content/docs/s2-026.html
    websites/production/struts/content/docs/version-notes-23241.html
Modified:
    websites/production/struts/content/announce.html
    websites/production/struts/content/archetype-catalog.xml
    websites/production/struts/content/docs/action-configuration.html
    websites/production/struts/content/docs/migration-guide.html
    websites/production/struts/content/docs/rest-plugin.html
    websites/production/struts/content/docs/security-bulletins.html
    websites/production/struts/content/docs/struts-next.html
    websites/production/struts/content/docs/webxml.html
    websites/production/struts/content/download.html
    websites/production/struts/content/downloads.html
    websites/production/struts/content/index.html

Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Thu Sep 24 18:29:30 2015
@@ -124,6 +124,30 @@
   Skip to: <a href="announce-2014.html">Announcements - 2014</a>
 </p>
 
+<h4 id="a20150924">24 September 2015 - Struts 2.3.24.1 General Availability with Security Fix Release</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.3.24.1 is available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.</p>
+
+<p>One medium security issue was solved with this release:</p>
+
+<ul>
+  <li><a href="/docs/s2-026.html">S2-026</a>
+Special <code>top</code> object can be used to access Struts’ internals</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
+<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.</p>
+
+<p>Should any issues arise with your use of any version of the Struts framework,
+please post your comments to the user list, and, if appropriate, file a tracking ticket.</p>
+
 <h4 id="a20150826">26 August 2015 - Security Bulletin S2-025</h4>
 
 <p>The Apache Struts group is pleased to announce that a new security bulletin was published - 
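
Review bot: "All developers are strongly advised to perform this action." in the new 24 September entry has no antecedent, because nothing before it names an action; the preceding paragraph only says that one medium security issue was solved. Since this is the line that tells readers what to do about S2-026, say it outright, for example "All developers are strongly advised to upgrade to Struts 2.3.24.1." The entry also does not link to version-notes-23241.html, which this same commit adds, so readers have no path from the announcement to the release notes.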

Modified: websites/production/struts/content/archetype-catalog.xml
==============================================================================
Binary files - no diff available.

Modified: websites/production/struts/content/docs/action-configuration.html
==============================================================================
--- websites/production/struts/content/docs/action-configuration.html (original)
+++ websites/production/struts/content/docs/action-configuration.html Thu Sep 24 18:29:30 2015
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The action mappings are the basic "unit-of-work" in the framework. Essentially, the action maps an identifier to a handler class. When a request matches the action's name, the framework uses the mapping to determine how to process the request.</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1440488847319 {padding: 0px;}
-div.rbtoc1440488847319 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1440488847319 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1443119320931 {padding: 0px;}
+div.rbtoc1443119320931 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1443119320931 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1440488847319">
+/*]]>*/</style></p><div class="toc-macro rbtoc1443119320931">
 <ul class="toc-indentation"><li><a shape="rect" href="#ActionConfiguration-ActionMappings">Action Mappings</a></li><li><a shape="rect" href="#ActionConfiguration-ActionNames">Action Names</a></li><li><a shape="rect" href="#ActionConfiguration-ActionMethods">Action Methods</a></li><li><a shape="rect" href="#ActionConfiguration-WildcardMethod">Wildcard Method</a></li><li><a shape="rect" href="#ActionConfiguration-DynamicMethodInvocation">Dynamic Method Invocation</a></li><li><a shape="rect" href="#ActionConfiguration-ActionSupportDefault">ActionSupport Default</a></li><li><a shape="rect" href="#ActionConfiguration-Post-BackDefault">Post-Back Default</a></li><li><a shape="rect" href="#ActionConfiguration-ActionDefault">Action Default</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#ActionConfiguration-WildcardDefault">Wildcard Default</a></li></ul>
 </li><li><a shape="rect" href="#ActionConfiguration-Next:">Next: Wildcard Mappings</a></li></ul>
@@ -151,9 +151,17 @@ div.rbtoc1440488847319 li {margin-left:
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;action name="Logon" class="tutorial.Logon"&gt;
   &lt;result type="redirectAction"&gt;Menu&lt;/result&gt;
   &lt;result name="input"&gt;/Logon.jsp&lt;/result&gt;
-&lt;/action&gt;
-</pre>
-</div></div><h2 id="ActionConfiguration-ActionNames">Action Names</h2><p>In a web application, the <code>name</code> attribute is matched as part of the location requested by a browser (or other HTTP client). The framework will drop the host and application name and the extension and match what's in the middle: the action name. So, a request for <code><a shape="rect" class="external-link" href="http://www.planetstruts.org/struts2-mailreader/Welcome.action" rel="nofollow">http://www.planetstruts.org/struts2-mailreader/Welcome.action</a></code> will map to the <code>Welcome</code> action.</p><p>Within an application a link to an action is usually generated by a Struts Tag. The tag can specify the action by name, and the framework will render the default extension and anything else that is needed. Forms may also submit directly to a Struts Action name (rather than a "raw" URI).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="bord
 er-bottom-width: 1px;"><b>A Hello Form</b></div><div class="codeContent panelContent pdl">
+&lt;/action&gt; </pre>
+</div></div><p>&#160;</p><p>When using <a shape="rect" href="convention-plugin.html">Convention Plugin</a> the action mapping can be configured with annotations:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>A Logon Action with annotations</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">package tutorial
+
+@Action("Logon") // actually that is not necessary as it is added by convention
+@Results(
+	@Result(type="redirectAction", location="Menu"),
+	@Result(name="input", location="/Logon.jsp")
+)
+public class Logon {</pre>
+</div></div><p>&#160;</p><h2 id="ActionConfiguration-ActionNames">Action Names</h2><p>In a web application, the <code>name</code> attribute is matched as part of the location requested by a browser (or other HTTP client). The framework will drop the host and application name and the extension and match what's in the middle: the action name. So, a request for <code><a shape="rect" class="external-link" href="http://www.planetstruts.org/struts2-mailreader/Welcome.action" rel="nofollow">http://www.planetstruts.org/struts2-mailreader/Welcome.action</a></code> will map to the <code>Welcome</code> action.</p><p>Within an application a link to an action is usually generated by a Struts Tag. The tag can specify the action by name, and the framework will render the default extension and anything else that is needed. Forms may also submit directly to a Struts Action name (rather than a "raw" URI).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl
 " style="border-bottom-width: 1px;"><b>A Hello Form</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;s:form action="Hello"&gt;
     &lt;s:textfield label="Please enter your name" name="name"/&gt;
     &lt;s:submit/&gt;
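
Review bot: the added "A Logon Action with annotations" example does not compile as written. The two @Result entries inside @Results( ... ) are separated by a comma without array braces, and a multi-element annotation value needs them: @Results({ @Result(...), @Result(...) }). The line "package tutorial" is also missing its terminating semicolon. Documentation snippets tend to be copied verbatim, so both are worth fixing in the wiki source before the next export. The inline comment "actually that is not necessary as it is added by convention" would read better as a sentence in the surrounding paragraph than as a comment on the annotation it calls redundant.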
@@ -168,14 +176,22 @@ div.rbtoc1440488847319 li {margin-left:
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;action name="delete" class="example.CrudAction" method="delete"&gt;
     ...
 </pre>
-</div></div><p><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> If there is no <code>execute</code> method and no other method specified in the configuration the framework will throw an exception.</p><h2 id="ActionConfiguration-WildcardMethod">Wildcard Method</h2><p>Many times, a set of action mappings will share a common pattern. For example, all your <code>edit</code> actions might start with the word "edit", and call the <code>edit</code> method on the Action class. The <code>delete</code> actions might use the same pattern, but call the <code>delete</code> method instead.</p><p>Rather than code a separate mapping for each action class that uses this pattern, you can write it once as a wildcard mapping.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)"> If there is no <code>execute</code> method and no other method specified in the configuration the framework will throw an exception.</p><p>&#160;</p><p><a shape="rect" href="convention-plugin.html">Convention Plugin</a> allows that by annotating methods:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Annotated action method</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@Action("crud")
+public class CrudAction {
+	@Action("delete")
+	public String delete() {
+		...
+
+</pre>
+</div></div><p>&#160;</p><h2 id="ActionConfiguration-WildcardMethod">Wildcard Method</h2><p>Many times, a set of action mappings will share a common pattern. For example, all your <code>edit</code> actions might start with the word "edit", and call the <code>edit</code> method on the Action class. The <code>delete</code> actions might use the same pattern, but call the <code>delete</code> method instead.</p><p>Rather than code a separate mapping for each action class that uses this pattern, you can write it once as a wildcard mapping.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;action name="*Crud" class="example.Crud" method="{1}"&gt;
     ...
 </pre>
 </div></div><p>Here, a reference to "editCrud" will call the <code>edit</code> method on an instance of the Crud Action class. Likewise, a reference to "deleteCrud" will call the <code>delete</code> method instead.</p><p>Another common approach is to postfix the method name and set it off with an exclamation point (aka "bang"), underscore, or other special character.</p><ul><li>"action=Crud_input"</li><li>"action=Crud_delete"</li></ul><p>To use a postfix wildcard, just move the asterisk and add an underscore.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;action name="Crud_*" class="example.Crud" method="{1}"&gt;
 </pre>
-</div></div><p>From the framework's perspective, a wildcard mapping creates a new "virtual" mapping with all the same attributes as a conventional, static mapping. As a result, you can use the expanded wildcard name as the name of validation, type conversion, and message resource files, just as if it were an Action name (which it is!).</p><ul><li><code>Crud_input-validation.xml</code></li><li><code>Crud_delete-conversion.xml</code></li></ul><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If Wildcard Method mapping uses a "!" in the action name, the Wildcard Method will overlap with another flexible approach to mapping, <a shape="rect" href="action-configuration.html">Dynamic Method Invocation</a>. To use action names that include the "!" character, set <code>struts.enable.DynamicMethodInvocation</code> to <
 code>FALSE</code> in the application configuration.</p></div></div><h2 id="ActionConfiguration-DynamicMethodInvocation">Dynamic Method Invocation</h2><p>There's a feature embedded in WebWork 2 that lets the "!" (bang) character invoke a method other than <code>execute</code>. In WebWork, it doesn't really have a name. During the S2 discussions, we coined the term "dynamic method invocation" to describe how WW/S2 use the bang notation.</p><p>Dynamic Method Invocation (DMI) will use the string following a "!" character in an action name as the name of a method to invoke (instead of <code>execute</code>). A reference to "<code>Category!create.action</code>", says to use the "Category" action mapping, but call the <code>create</code> method instead.</p><p>For Struts 2, we added a switch to disable DMI for two reasons. First, DMI can cause security issues if POJO actions are used. Second, DMI overlaps with the Wildcard Method feature that we brought over from Struts 1 (and from Cocoon be
 fore that). If you have security concerns, or would like to use the "!" character with Wildcard Method actions, then set <code>struts.enable.DynamicMethodInvocation</code> to <code>FALSE</code> in the application configuration.</p><p>The framework does support DMI, just like WebWork 2, but there are problems with way DMI is implemented. Essentially, the code scans the action name for a "!" character, and finding one, tricks the framework into invoking the other method instead of <code>execute</code>. The other method is invoked, but it uses the same configuration as the <code>execute</code> method, including validations. The framework "believes" it is invoking the <code>Category</code> action with the <code>execute</code> method.</p><p>The Wildcard Method feature is implemented differently. When a Wildcard Method action is invoked, the framework acts as if the matching action had been hardcoded in the configuration. The framework "believes" it's executing the action <code>Category!c
 reate</code> and "knows" it is executing the <code>create</code> method of the corresponding Action class. Accordingly, we can add for a Wildcard Method action mapping its own validations, message resources, and type converters, just like a conventional action mapping. For this reason, the <a shape="rect" href="action-configuration.html">Wildcard Method</a> is preferred.</p><p>In Struts 2.3, an option was added to restrict the methods that DMI can invoke. First, set the attribute <code>strict-method-invocation="true"</code> on your <code>&lt;package&gt;</code> element. This tells Struts to reject any method that is not explicitly allowed via either the <code>method</code> attribute (including wildcards) or the <code>&lt;allowed-methods&gt;</code> tag. Then specify <code>&lt;allowed-methods&gt;</code> as a comma-separated list of method names in your <code>&lt;action&gt;</code>. (If you specify a <code>method</code> attribute for your action, you do not need to list it in <code>&lt;a
 llowed-methods&gt;</code>.)</p><p>Note that you can specify <code>&lt;allowed-methods&gt;</code> even without <code>strict-method-invocation</code>. This restricts access only for the specific actions that have <code>&lt;allowed-methods&gt;</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Example struts.xml</b></div><div class="codeContent panelContent pdl">
+</div></div><p>From the framework's perspective, a wildcard mapping creates a new "virtual" mapping with all the same attributes as a conventional, static mapping. As a result, you can use the expanded wildcard name as the name of validation, type conversion, and message resource files, just as if it were an Action name (which it is!).</p><ul><li><code>Crud_input-validation.xml</code></li><li><code>Crud_delete-conversion.xml</code></li></ul><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If Wildcard Method mapping uses a "!" in the action name, the Wildcard Method will overlap with another flexible approach to mapping, <a shape="rect" href="action-configuration.html">Dynamic Method Invocation</a>. To use action names that include the "!" character, set <code>struts.enable.DynamicMethodInvocation</code> to <
 code>FALSE</code> in the application configuration.</p></div></div><h2 id="ActionConfiguration-DynamicMethodInvocation">Dynamic Method Invocation</h2><p>There's a feature embedded in WebWork 2 that lets the "!" (bang) character invoke a method other than <code>execute</code>. In WebWork, it doesn't really have a name. During the S2 discussions, we coined the term "dynamic method invocation" to describe how WW/S2 use the bang notation.</p><p>Dynamic Method Invocation (DMI) will use the string following a "!" character in an action name as the name of a method to invoke (instead of <code>execute</code>). A reference to "<code>Category!create.action</code>", says to use the "Category" action mapping, but call the <code>create</code> method instead.</p><p>Another way to use DMI is to provide HTTP parameters prefixed with "<code>method:</code>". For example in the URL it could be "<code>Category.action?method:create=foo</code>", the parameter value is ignored. In POST-Requests that can b
 e used e.g. with a hidden parameter (<code>&lt;s:hidden name="method:create" value="foo" /&gt;</code>) or along with a button (<code>&lt;s:submit method="create" /&gt;</code>).</p><p>&#160;</p><p>For Struts 2, we added a switch to disable DMI for two reasons. First, DMI can cause security issues if POJO actions are used. Second, DMI overlaps with the Wildcard Method feature that we brought over from Struts 1 (and from Cocoon before that). If you have security concerns, or would like to use the "!" character with Wildcard Method actions, then set <code>struts.enable.DynamicMethodInvocation</code> to <code>FALSE</code> in the application configuration.</p><p>The framework does support DMI, just like WebWork 2, but there are problems with way DMI is implemented. Essentially, the code scans the action name for a "!" character, and finding one, tricks the framework into invoking the other method instead of <code>execute</code>. The other method is invoked, but it uses the same configurat
 ion as the <code>execute</code> method, including validations. The framework "believes" it is invoking the <code>Category</code> action with the <code>execute</code> method.</p><p>The Wildcard Method feature is implemented differently. When a Wildcard Method action is invoked, the framework acts as if the matching action had been hardcoded in the configuration. The framework "believes" it's executing the action <code>Category!create</code> and "knows" it is executing the <code>create</code> method of the corresponding Action class. Accordingly, we can add for a Wildcard Method action mapping its own validations, message resources, and type converters, just like a conventional action mapping. For this reason, the <a shape="rect" href="action-configuration.html">Wildcard Method</a> is preferred.</p><p>In Struts 2.3, an option was added to restrict the methods that DMI can invoke. First, set the attribute <code>strict-method-invocation="true"</code> on your <code>&lt;package&gt;</code>
  element. This tells Struts to reject any method that is not explicitly allowed via either the <code>method</code> attribute (including wildcards) or the <code>&lt;allowed-methods&gt;</code> tag. Then specify <code>&lt;allowed-methods&gt;</code> as a comma-separated list of method names in your <code>&lt;action&gt;</code>. (If you specify a <code>method</code> attribute for your action, you do not need to list it in <code>&lt;allowed-methods&gt;</code>.)</p><p>Note that you can specify <code>&lt;allowed-methods&gt;</code> even without <code>strict-method-invocation</code>. This restricts access only for the specific actions that have <code>&lt;allowed-methods&gt;</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Example struts.xml</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" ?&gt;
 &lt;!DOCTYPE struts PUBLIC
 	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"

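Review bot: the added paragraph on the "method:" parameter prefix (after the Category!create.action example) documents a second way for a request to choose the invoked method, but it does not say whether this form is covered by struts.enable.DynamicMethodInvocation, strict-method-invocation and the allowed-methods list; the paragraphs that follow describe those controls only in terms of the "!" notation. Please state explicitly that the same switch and restrictions apply to "method:" parameters, or say where they differ, so that readers who disable DMI for security reasons know what is still reachable. Two smaller points in the same hunk: "Convention Plugin allows that by annotating methods" follows the warning about a missing execute method, so "that" has no clear referent, and the "Annotated action method" snippet ends at "..." with the method and class bodies left unclosed.
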
Modified: websites/production/struts/content/docs/migration-guide.html
==============================================================================
--- websites/production/struts/content/docs/migration-guide.html (original)
+++ websites/production/struts/content/docs/migration-guide.html Thu Sep 24 18:29:30 2015
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a shape="rect" href="version-notes-25.html">Version Notes 2.5</a></li></ul><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a shape="rect" href="version-notes-2324.html">Version Notes 2.3.24</a></li><li><a shape="rect" href="version-notes-23201.html">Version Notes 2.3.20.1</a></li><li><a shape="rect" href="version-notes-2320.html">Version Notes 2.3.20</a></li><li><a shape="rect" href="version-notes-23163.html">Version Notes 2.3.16.3</a></li><li><a shape="rect" href="version-notes-23162.html">Version Notes 2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect" href="version-notes-23153.html">Version Notes 2.3.15.3</a></li><li><a shape="rect" href="version-notes-23152.html">
 Version Notes 2.3.15.2</a></li><li><a shape="rect" href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a shape="rect" href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a shape="rect" href="version-notes-23142.html">Version Notes 2.3.14.2</a></li><li><a shape="rect" href="version-notes-23141.html">Version Notes 2.3.14.1</a></li><li><a shape="rect" href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a shape="rect" href="version-notes-2341.html">Version Notes 2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes 2.3.4</a></li><li><a shape="rect" href="version-notes-233.html">Version Notes 2.3.3</a></l
 i><li><a shape="rect" href="version-notes-2312.html">Version Notes 2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version Notes 2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">
 Version Notes 2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">Version Notes 2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Version Notes 2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release Notes 2.0.11.1</a></li><li><a shape="rect" href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a shape="rect
 " href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a shape="rect" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a shape="rect" href="release-notes-205.html">Release Notes 2.0.5</a></li><li><a shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" ro
 wspan="1" class="confluenceTh"><p><a shape="rect" href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2 alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1 Solutions</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-strategies.html">Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-tools.html">Migration Tools</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"
 ><p>Development tools to help aid the migration process.</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.infoq.com/news/migrating-struts2" rel="nofollow">Migrating Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 2006)</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="extern
 al-link" href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html" rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don Brown's summary of events</p></td></tr></tbody></table></div><h3 id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="key-changes-from-webwork-2.html">Key Changes From WebWork 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="webwork-2-migration-strategies.html">WebWork 2 Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2 applications to Struts 2.</p></td></tr></tbody></table></div><h2 id
 ="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" href="where-do-we-get-the-latest-version-the-framework.html">Where do we get the latest version the framework</a>?</li><li><a shape="rect" href="what-are-some-of-the-frameworks-best-features.html">What are some of the framework's best features</a>?</li><li><a shape="rect" href="what-is-the-actioncontext.html">What is the ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" href="contributors-guide.html">Contributors Guide</a></h2></div>
+            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a shape="rect" href="version-notes-25.html">Version Notes 2.5</a></li></ul><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a shape="rect" href="version-notes-23241.html">Version Notes 2.3.24.1</a></li><li><a shape="rect" href="version-notes-2324.html">Version Notes 2.3.24</a></li><li><a shape="rect" href="version-notes-23201.html">Version Notes 2.3.20.1</a></li><li><a shape="rect" href="version-notes-2320.html">Version Notes 2.3.20</a></li><li><a shape="rect" href="version-notes-23163.html">Version Notes 2.3.16.3</a></li><li><a shape="rect" href="version-notes-23162.html">Version Notes 2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect" href="version-notes-23153.html">
 Version Notes 2.3.15.3</a></li><li><a shape="rect" href="version-notes-23152.html">Version Notes 2.3.15.2</a></li><li><a shape="rect" href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a shape="rect" href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a shape="rect" href="version-notes-23142.html">Version Notes 2.3.14.2</a></li><li><a shape="rect" href="version-notes-23141.html">Version Notes 2.3.14.1</a></li><li><a shape="rect" href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a shape="rect" href="version-notes-2341.html">Version Notes 2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes 2.3.4</
 a></li><li><a shape="rect" href="version-notes-233.html">Version Notes 2.3.3</a></li><li><a shape="rect" href="version-notes-2312.html">Version Notes 2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.h
 tml">Version Notes 2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">Version Notes 2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">Version Notes 2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Version Notes 2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release Notes 2.0.11.1</a></li><li><a shape="r
 ect" href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a shape="rect" href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a shape="rect" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a shape="rect" href="release-notes-205.html">Release Notes 2.0.5</a></li><li><a shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><
 div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2 alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1 Solutions</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-strategies.html">Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-tools
 .html">Migration Tools</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Development tools to help aid the migration process.</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.infoq.com/news/migrating-struts2" rel="nofollow">Migrating Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 2006)</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 2?</p></td></tr><t
 r><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html" rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don Brown's summary of events</p></td></tr></tbody></table></div><h3 id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="key-changes-from-webwork-2.html">Key Changes From WebWork 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="webwork-2-migration-strategies.html">WebWork 2 Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migr
 ating WebWork 2 applications to Struts 2.</p></td></tr></tbody></table></div><h2 id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" href="where-do-we-get-the-latest-version-the-framework.html">Where do we get the latest version the framework</a>?</li><li><a shape="rect" href="what-are-some-of-the-frameworks-best-features.html">What are some of the framework's best features</a>?</li><li><a shape="rect" href="what-is-the-actioncontext.html">What is the ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" href="contributors-guide.html">Contributors Guide</a></h2></div>
         </div>
 
                     <div class="tabletitle">
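Review bot: In the added Version Notes 2.3.x list, the "Version Notes 2.3.16.1" entry links to version-notes-2316.html, which is the same target as the "Version Notes 2.3.16" entry immediately after it, so a reader who follows the 2.3.16.1 link lands on the 2.3.16 notes. Please point 2.3.16.1 at its own notes page in the wiki source. While the line is being regenerated, the FAQ link text "Where do we get the latest version the framework" is missing "of". The whole page body is emitted as one line, so this one-link addition shows up as a full-line replacement; breaking the export into one element per line would make changes like this reviewable.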
@@ -140,6 +140,9 @@ under the License.
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
                                     $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
                                     $page.link($child)
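Review bot: The three added lines publish one more copy of the unrendered template expression $page.link($child), next to the copies already present in the context lines above and below. The export is evidently not resolving the child-page link here, so the production HTML shows the literal placeholder where a link to the new child page should be. This needs fixing in the export template rather than in the generated output, and the placeholder should not be growing by one with each new child page.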

Modified: websites/production/struts/content/docs/rest-plugin.html
==============================================================================
--- websites/production/struts/content/docs/rest-plugin.html (original)
+++ websites/production/struts/content/docs/rest-plugin.html Thu Sep 24 18:29:30 2015
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This plugin is only available with Struts 2.1.1 or later</p></div></div><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1440489225220 {padding: 0px;}
-div.rbtoc1440489225220 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1440489225220 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1443119322444 {padding: 0px;}
+div.rbtoc1443119322444 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1443119322444 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1440489225220">
+/*]]>*/</style></p><div class="toc-macro rbtoc1443119322444">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#RESTPlugin-Overview">Overview</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a shape="rect" href="#RESTPlugin-Features">Features</a></li><li><span class="TOCOutline">1.2</span> <a shape="rect" href="#RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.2.1</span> <a shape="rect" href="#RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</a></li></ul>
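Review bot: The only change in this hunk is the generated TOC class suffix (rbtoc1440489225220 to rbtoc1443119322444) in the inline style block and on the toc-macro div; no content differs. A suffix that changes on every export makes each regenerated page appear modified and buries real content changes, such as the new security bulletin in this same commit, in noise. If the exporter can emit a stable class name, or skip pages whose only difference is this suffix, the commit mail becomes much easier to audit.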
@@ -157,7 +157,7 @@ div.rbtoc1440489225220 li {margin-left:
 </li><li><span class="TOCOutline">3</span> <a shape="rect" href="#RESTPlugin-AdvancedTopics">Advanced Topics</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">3.1</span> <a shape="rect" href="#RESTPlugin-CustomContentTypeHandlers">Custom ContentTypeHandlers</a></li><li><span class="TOCOutline">3.2</span> <a shape="rect" href="#RESTPlugin-UseJacksonframeworkasJSONContentTypeHandler">Use Jackson framework as JSON ContentTypeHandler</a></li><li><span class="TOCOutline">3.3</span> <a shape="rect" href="#RESTPlugin-Settings">Settings</a></li></ul>
 </li><li><span class="TOCOutline">4</span> <a shape="rect" href="#RESTPlugin-Resources">Resources</a></li><li><span class="TOCOutline">5</span> <a shape="rect" href="#RESTPlugin-VersionHistory">Version History</a></li></ul>
-</div><h2 id="RESTPlugin-Overview">Overview</h2><p>The REST Pluginprovides high level support for the implementation of RESTful resource based web applicationsThe REST plugin can cooperate with the <a shape="rect" href="convention-plugin.html">Convention Plugin</a> to support a zero configuration approach to declaring your actions and results, but you can always use the REST plugin with XML style configuration if you like.</p><p>If you prefer to see a working code example, instead of reading through an explanation, you can download the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/index.html">struts2 sample apps</a> and check out the <code>struts2-rest-showcase</code> application, a complete WAR file, that demonstrates a simple REST web program.</p><h3 id="RESTPlugin-Features">Features</h3><ul><li>Ruby on Rails REST-style URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in serialization and deserialization support for XML and JSO
 N</li><li>Automatic error handling</li><li>Type-safe configuration of the HTTP response</li><li>Automatic conditional GET support</li></ul><h3 id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</h3><p>The main functionality of the REST plugin lies in the interpretation of incoming request URL's according the RESTful rules. In the Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in implementation of the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a> interface. Out of the box, Struts 2 uses the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a> to map URL's to Actions via the logic you are probably already familiar with.</p><div class="confluence-infor
 mation-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><em>Actions or Controllers</em>? Most Struts 2 developers are familiar with the Action. They are the things that get executed by the incoming requests. In the context of the REST plugin, just to keep you on your toes, we'll adopt the RESTful lingo and refer to our Actions as <em>Controllers</em>. Don't be confused; it's just a name!</p></div></div><p>The REST plugin provides an alternative implementation, <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>, that provides the RESTful logic that maps a URL to a give action class ( aka 'controller' in RESTful terms ) and, more specifically, to the invocation of a method on that controller class. Th
 e following section, which comes from the Javadoc for the class, details this logic.</p><h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</h4><p>This Restful action mapper enforces Ruby-On-Rails REST-style mappings. If the method is not specified (via '!' or 'method:' prefix), the method is "guessed" at using REST-style conventions that examine the URL and the HTTP method. Special care has&#160;been given to ensure this mapper works correctly with the codebehind plugin so that&#160;XML configuration is unnecessary.</p><p>This mapper supports the following parameters:</p><ul style="list-style-type: square;"><li><span style="line-height: 1.4285715;"><code>struts.mapper.idParameterName</code> - If set, this value will be the name</span><span style="line-height: 1.4285715;">&#160;of the parameter under which the id is stored. The id will then be removed</span><span style="line-height: 1.4285715;">&#160;from the action name. Whether or not the method is specified, the 
 mapper will&#160;</span><span style="line-height: 1.4285715;">&#160;try to truncate the identifier from the url and store it as a parameter.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.indexMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>index</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.getMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>show</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.postMethodName</code> - The method name to call for a POST</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>create</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.putMethodName</code> - The method name to
  call for a PUT</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>update</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.deleteMethodName</code> - The method name to call for a DELETE</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>destroy</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.editMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with an id parameter and the <strong>edit</strong>&#160;view specified. Defaults to <strong>edit</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.newMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter and the <strong>new</strong>&#160;view specified. Defaults to <strong>editNew</strong>.</span></li></ul><
 p>The following URL's will invoke its methods:</p><ul style="list-style-type: square;"><li><code>GET: /movies</code>&#160;=&gt; method=<strong>index</strong></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers</code>&#160;=&gt; method=<strong>show</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers;edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers/edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/new</code>&#160;=&gt; method=<strong>editNew</strong></span></li><li><span style="line-height: 1.4285715;"><code>POST: /movies</code> =&gt; method=<strong>create</strong></span></li><li><span style="line-height: 1.4285715;"><code>PUT: /movies/Thrillers</code>&#160;=&gt; method=<stron
 g>update</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>DELETE: /movies/Thrillers</code>&#160;=&gt; method=<strong>destroy</strong>, id=<strong>Thrillers</strong></span></li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>To simulate the HTTP methods PUT and DELETE, since they aren't supported by HTML,&#160;the HTTP parameter "_method" will be used.</p></div></div><p>Or, expressed as a table:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>HTTP method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>URI</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Class.method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>parameters</p></th></tr><tr><td cols
 pan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.index</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>POST</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.create</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>PUT</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.update</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>DELETE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td
  colspan="1" rowspan="1" class="confluenceTd"><p>Movie.destroy</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.show</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers/edit</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.edit</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/new</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.editNew</p></td><td colspan="1" rowspan="1" class="c
 onfluenceTd"><p>&#160;</p></td></tr></tbody></table></div><h3 id="RESTPlugin-ContentTypes">Content Types</h3><p>In addition to providing mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin also provides the ability to produce multiple representations of the resource data. By default, the plugin can return the resource in the following content types:</p><ul style="list-style-type: square;"><li>HTML</li><li><span style="line-height: 1.4285715;">XML&#160;</span></li><li><span style="line-height: 1.4285715;">JSON</span></li></ul><p>There is nothing configure here, just add the conent type extension to your RESTful URL. The framework will take care of the rest. So, for instance, assuming a Controller called Movies and a movie with the id of superman, the following URL's will all hit the</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h2 id="RESTPlugin-Overview">Overview</h2><p>The REST Pluginprovides high level support for the implementation of RESTful resource based web applicationsThe REST plugin can cooperate with the <a shape="rect" href="convention-plugin.html">Convention Plugin</a> to support a zero configuration approach to declaring your actions and results, but you can always use the REST plugin with XML style configuration if you like.</p><p>If you prefer to see a working code example, instead of reading through an explanation, you can download the <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts-ga">struts2 sample apps</a> and check out the <code>struts2-rest-showcase</code> application, a complete WAR file, that demonstrates a simple REST web program.</p><h3 id="RESTPlugin-Features">Features</h3><ul><li>Ruby on Rails REST-style URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in serialization and deserialization support for XML
  and JSON</li><li>Automatic error handling</li><li>Type-safe configuration of the HTTP response</li><li>Automatic conditional GET support</li></ul><h3 id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</h3><p>The main functionality of the REST plugin lies in the interpretation of incoming request URL's according the RESTful rules. In the Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in implementation of the <a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a> interface. Out of the box, Struts 2 uses the <a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a> to map URL's to Actions via the logic you are probably already familiar with.</p><div class="conf
 luence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><em>Actions or Controllers</em>? Most Struts 2 developers are familiar with the Action. They are the things that get executed by the incoming requests. In the context of the REST plugin, just to keep you on your toes, we'll adopt the RESTful lingo and refer to our Actions as <em>Controllers</em>. Don't be confused; it's just a name!</p></div></div><p>The REST plugin provides an alternative implementation, <a shape="rect" class="external-link" href="http://struts.apache.org/maven/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>, that provides the RESTful logic that maps a URL to a give action class ( aka 'controller' in RESTful terms ) and, more specifically, to the invocation of a method on that contro
 ller class. The following section, which comes from the Javadoc for the class, details this logic.</p><h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</h4><p>This Restful action mapper enforces Ruby-On-Rails REST-style mappings. If the method is not specified (via '!' or 'method:' prefix), the method is "guessed" at using REST-style conventions that examine the URL and the HTTP method. Special care has&#160;been given to ensure this mapper works correctly with the codebehind plugin so that&#160;XML configuration is unnecessary.</p><p>This mapper supports the following parameters:</p><ul style="list-style-type: square;"><li><span style="line-height: 1.4285715;"><code>struts.mapper.idParameterName</code> - If set, this value will be the name</span><span style="line-height: 1.4285715;">&#160;of the parameter under which the id is stored. The id will then be removed</span><span style="line-height: 1.4285715;">&#160;from the action name. Whether or not the method is s
 pecified, the mapper will&#160;</span><span style="line-height: 1.4285715;">&#160;try to truncate the identifier from the url and store it as a parameter.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.indexMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>index</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.getMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>show</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.postMethodName</code> - The method name to call for a POST</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>create</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.putMethodName</code> - The 
 method name to call for a PUT</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>update</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.deleteMethodName</code> - The method name to call for a DELETE</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>destroy</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.editMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with an id parameter and the <strong>edit</strong>&#160;view specified. Defaults to <strong>edit</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.newMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter and the <strong>new</strong>&#160;view specified. Defaults to <strong>editNew</strong>.</sp
 an></li></ul><p>The following URL's will invoke its methods:</p><ul style="list-style-type: square;"><li><code>GET: /movies</code>&#160;=&gt; method=<strong>index</strong></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers</code>&#160;=&gt; method=<strong>show</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers;edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers/edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/new</code>&#160;=&gt; method=<strong>editNew</strong></span></li><li><span style="line-height: 1.4285715;"><code>POST: /movies</code> =&gt; method=<strong>create</strong></span></li><li><span style="line-height: 1.4285715;"><code>PUT: /movies/Thrillers</code>&#160;=&gt;
  method=<strong>update</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>DELETE: /movies/Thrillers</code>&#160;=&gt; method=<strong>destroy</strong>, id=<strong>Thrillers</strong></span></li></ul><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>To simulate the HTTP methods PUT and DELETE, since they aren't supported by HTML,&#160;the HTTP parameter "_method" will be used.</p></div></div><p>Or, expressed as a table:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>HTTP method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>URI</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Class.method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>parameters</p></th></t
 r><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.index</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>POST</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.create</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>PUT</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.update</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>DELETE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrille
 rs</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.destroy</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.show</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers/edit</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.edit</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/new</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.editNew</p></td><td colspan="1" rowspa
 n="1" class="confluenceTd"><p>&#160;</p></td></tr></tbody></table></div><h3 id="RESTPlugin-ContentTypes">Content Types</h3><p>In addition to providing mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin also provides the ability to produce multiple representations of the resource data. By default, the plugin can return the resource in the following content types:</p><ul style="list-style-type: square;"><li>HTML</li><li><span style="line-height: 1.4285715;">XML&#160;</span></li><li><span style="line-height: 1.4285715;">JSON</span></li></ul><p>There is nothing configure here, just add the conent type extension to your RESTful URL. The framework will take care of the rest. So, for instance, assuming a Controller called Movies and a movie with the id of superman, the following URL's will all hit the</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">http://my.company.com/myapp/movies/superman
 http://my.company.com/myapp/movies/superman.xml
 http://my.company.com/myapp/movies/superman.xhtml
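Review bot: The replacement Overview line keeps the text defects of the line it replaces: "The REST Pluginprovides" and "web applicationsThe REST plugin" (missing space and missing full stop), and further along "handled by in implementation", "a give action class", "There is nothing configure here" and "conent type extension". The line is already being touched to move the links from /2.x/ to /maven/ and to download.cgi#struts-ga, so these should be corrected in the wiki source at the same time. The rewritten links also stay on plain http://struts.apache.org, while the s2-026 page added in this commit loads its assets from https://struts.apache.org; using https for the documentation links as well would be consistent.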

Added: websites/production/struts/content/docs/s2-026.html
==============================================================================
--- websites/production/struts/content/docs/s2-026.html (added)
+++ websites/production/struts/content/docs/s2-026.html Thu Sep 24 18:29:30 2015
@@ -0,0 +1,154 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-026</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-026.html">S2-026</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-026</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61317915">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61317915">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61317915">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61317915">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61317915">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61317915">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 id="S2-026-Summary">Summary</h2>Special <code>top</code> object can be used to access Struts' internals<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Manipulation of Struts' internals, altering of user session</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Update regex used to excluded vulnerable incoming parameters. An upgrade to <a shape="rect" class="ext
 ernal-link" href="http://struts.apache.org/download.cgi#struts23241">Struts 2.3.24.1</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="line-height: 1.42857;">rskvp93 at gmail dot com from </span>Viettel Information Security Center</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);"><a shape="rect" class="external-link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5209" rel="nofollow">CVE-2015-5209</a></span></p></td></tr></tbody></table></div><h2 id="S2-026-Problem">Problem</h2><p>ValueStack defines s
 pecial <code>top</code> object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings</p><h2 id="S2-026-Solution">Solution</h2><p>Applying better regex which includes pattern to exclude request parameters trying to use&#160;<code>top</code> object.&#160;We recommend upgrading to Struts 2.3.24.1.</p><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Support for expression using <code>top</code> will be dropped in upcoming Struts version 2.5!</p></div></div><h2 id="S2-026-Backwardcompatibility">Backward compatibility</h2><p>If an application is using parameter named <code>top</code>&#160;to access action's properties, it won't be set on the action. In other case&#160;no backward compatibility problems are expected.</p><h2 id="S2-02
 6-Workaround">Workaround</h2><p>Applying the below patterns will solve the problem as well:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
+"^(action|method):.*"</pre>
+</div></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
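Review bot: the Workaround section of the new s2-026.html gives the two exclusion patterns as Java string literals (doubled backslashes, an escaped \" and a trailing comma) but never says where they are to be applied. A reader who pastes them into an XML or properties setting would carry over the wrong escaping. Name the setting and show the patterns in the form that setting expects. The first pattern also rejects "top" only when it is followed by one of the listed names (session, request, _memberAccess and so on), while the Backward compatibility section says a parameter named "top" is not set on the action at all; the text should say whether the workaround gives the same coverage as upgrading to 2.3.24.1. Two smaller wording fixes in the summary table: Affected Software reads "Struts 2.0.0 - Struts Struts 2.3.24" with a duplicated "Struts", and the Recommendation says "Update regex used to excluded", which should be "to exclude".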

Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Thu Sep 24 18:29:30 2015
@@ -126,7 +126,7 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on &lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> &#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> &#8212; <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> &#8212; <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on &lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> &#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> &#8212; <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> &#8212; <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; <span class="smalltext">Special top object can be used to access Struts' internals</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
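Review bot: besides appending the S2-026 entry, the replaced list line also retitles S2-025 from "Cross-Site Scripting Vulnerability in Debug Mode" to "Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files", and the log message ("Updates production") mentions neither. Please confirm the S2-025 retitle is intended. The new S2-026 entry also reads "Special top object", without the code markup the bulletin's own summary puts around "top", which makes the title harder to parse in the index. Because the whole list is emitted as a single line, any change to one entry shows up as a full-line replacement; one li per line in the exporter output would make these diffs reviewable.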
@@ -141,6 +141,9 @@ under the License.
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
                                     $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
                                     $page.link($child)
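Review bot: the three added lines publish one more literal "$page.link($child)" under the "(Apache Struts 2 Documentation)" label, which is an unresolved template expression rather than a link. The context lines already show the same placeholder repeated, so the export appears to add one broken entry per child page (an inference from this hunk arriving together with the new S2-026 page). Fix the exporter template so the expression resolves to the child page link, or drop the children block from the export until it does.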