Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/06 08:15:54 UTC

svn commit: r908155 [2/3] - /websites/production/struts/content/development/2.x/docs/

Modified: websites/production/struts/content/development/2.x/docs/rest-plugin.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/rest-plugin.html (original)
+++ websites/production/struts/content/development/2.x/docs/rest-plugin.html Tue May  6 06:15:53 2014
@@ -19,7 +19,7 @@ under the License. 
 -->
 <html>
 <head>
-    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
     <style type="text/css">
         .dp-highlighter {
             width:95% !important;
@@ -37,10 +37,9 @@ under the License. 
     <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
     <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
     <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
-            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
-            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
-            <script src='http://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
-    
+    <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+
     <script type="text/javascript">
         SyntaxHighlighter.defaults['toolbar'] = false;
         SyntaxHighlighter.all();
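Review bot: The two re-added brush scripts (shBrushXml.js and shBrushJava.js) are still fetched over http://struts.apache.org/highlighter/, as are shCore.js and the two highlighter stylesheets in the context lines, while the default.css link in the previous hunk already uses https://. When the page is served over HTTPS, browsers block plain-HTTP scripts as mixed content and the code panels lose their highlighting; when it is served over HTTP, the scripts can be altered in transit. Suggest moving all of the highlighter URLs to https:// in this change. shBrushPlain.js is also dropped here, so please confirm that no code panel on the page still declares a plain brush.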
@@ -142,14 +141,12 @@ under the License. 
                             <p>This plugin is only available with Struts 2.1.1 or later</p>
                     </div>
     </div>
+<p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1398534731878 {padding: 0px;}
+div.rbtoc1398534731878 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1398534731878 li {margin-left: 0px;padding-left: 0px;}
 
-
-<style type="text/css">/*<![CDATA[*/
-div.rbtoc1396727465264 {padding: 0px;}
-div.rbtoc1396727465264 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1396727465264 li {margin-left: 0px;padding-left: 0px;}
-
-/*]]>*/</style><div class="toc-macro rbtoc1396727465264">
+/*]]>*/</style></p><div class="toc-macro rbtoc1398534731878">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#RESTPlugin-Overview">Overview</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a shape="rect" href="#RESTPlugin-Features">Features</a></li><li><span class="TOCOutline">1.2</span> <a shape="rect" href="#RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.2.1</span> <a shape="rect" href="#RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</a></li></ul>
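Review bot: The added "<p><style type="text/css">" ... "</style></p>" wrapper places a style element inside a paragraph, which is not valid HTML and leaves an empty paragraph ahead of the TOC; the style block should be emitted outside of any <p>, as it was in the removed lines. Separately, the class name changes from rbtoc1396727465264 to rbtoc1398534731878 with no other change to the rules, which suggests it is regenerated on every export; a stable class name would keep these site commits free of that noise and easier to review.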
@@ -163,178 +160,72 @@ div.rbtoc1396727465264 li {margin-left: 
 </li><li><span class="TOCOutline">3</span> <a shape="rect" href="#RESTPlugin-AdvancedTopics">Advanced Topics</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">3.1</span> <a shape="rect" href="#RESTPlugin-CustomContentTypeHandlers">Custom ContentTypeHandlers</a></li><li><span class="TOCOutline">3.2</span> <a shape="rect" href="#RESTPlugin-Settings">Settings</a></li></ul>
 </li><li><span class="TOCOutline">4</span> <a shape="rect" href="#RESTPlugin-Resources">Resources</a></li><li><span class="TOCOutline">5</span> <a shape="rect" href="#RESTPlugin-VersionHistory">Version History</a></li></ul>
-</div>
-
-
-
-<h2 id="RESTPlugin-Overview">Overview</h2>
-
-<p>The REST Plugin provides high level support for the implementation of RESTful resource based web applications.  The REST plugin can cooperate with the <a shape="rect" href="convention-plugin.html">Convention Plugin</a> to support a zero configuration approach to declaring your actions and results, but you can always use the REST plugin with XML style configuration if you like.</p>
-
-<p>If you prefer to see a working code example, instead of reading through an explanation, you can download the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/index.html">struts2 sample apps</a> and check out the <code>struts2-rest-showcase</code> application, a complete WAR file, that demonstrates a simple REST web program.</p>
-
-
-<h3 id="RESTPlugin-Features">Features</h3>
-
-<ul><li>Ruby on Rails REST-style URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in serialization and deserialization support for XML and JSON</li><li>Automatic error handling</li><li>Type-safe configuration of the HTTP response</li><li>Automatic conditional GET support</li></ul>
-
-
-<h3 id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</h3>
-
-<p>The main functionality of the REST plugin lies in the interpretation of incoming request URL's according the RESTful rules.  In the Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in implementation of the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a> interface.  Out of the box, Struts 2 uses the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a> to map URL's to Actions via the logic you are probably already familiar with.  </p>
-
-    <div class="aui-message warning shadowed information-macro">
+</div><h2 id="RESTPlugin-Overview">Overview</h2><p>The REST Pluginprovides high level support for the implementation of RESTful resource based web applicationsThe REST plugin can cooperate with the <a shape="rect" href="convention-plugin.html">Convention Plugin</a> to support a zero configuration approach to declaring your actions and results, but you can always use the REST plugin with XML style configuration if you like.</p><p>If you prefer to see a working code example, instead of reading through an explanation, you can download the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/index.html">struts2 sample apps</a> and check out the <code>struts2-rest-showcase</code> application, a complete WAR file, that demonstrates a simple REST web program.</p><h3 id="RESTPlugin-Features">Features</h3><ul><li>Ruby on Rails REST-style URLs</li><li>Zero XML config when used with Convention Plugin</li><li>Built-in serialization and deserialization support for XML and JSO
 N</li><li>Automatic error handling</li><li>Type-safe configuration of the HTTP response</li><li>Automatic conditional GET support</li></ul><h3 id="RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 2 Actions</h3><p>The main functionality of the REST plugin lies in the interpretation of incoming request URL's according the RESTful rules. In the Struts 2 framework, this 'mapping' of request URL's to Actions is handled by in implementation of the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/ActionMapper.html"><code>ActionMapper</code></a> interface. Out of the box, Struts 2 uses the <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.html"><code>DefaultActionMapper</code></a> to map URL's to Actions via the logic you are probably already familiar with.</p>    <div class="aui-message 
 warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p><em>Actions or Controllers</em>?  Most Struts 2 developers are familiar with the Action.  They are the things that get executed by the incoming requests.  In the context of the REST plugin, just to keep you on your toes, we'll adopt the RESTful lingo and refer to our Actions as <em>Controllers</em>.  Don't be confused; it's just a name!</p>
+                            <p><em>Actions or Controllers</em>? Most Struts 2 developers are familiar with the Action. They are the things that get executed by the incoming requests. In the context of the REST plugin, just to keep you on your toes, we'll adopt the RESTful lingo and refer to our Actions as <em>Controllers</em>. Don't be confused; it's just a name!</p>
                     </div>
     </div>
-
-
-<p>The REST plugin provides an alternative implementation, <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>, that provides the RESTful logic that maps a URL to a give action class ( aka 'controller' in RESTful terms ) and, more specifically, to the invocation of a method on that controller class.  The following section, which comes from the Javadoc for the class, details this logic.  </p>
-
-<h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</h4>
-
-<div class="error"><span class="error">Error formatting macro: snippet: java.lang.IllegalArgumentException: Invalid url: must begin with a configured prefix.</span> </div>
-
-<p>Or, expressed as a table:</p>
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p> HTTP method </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> URI </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Class.method </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> parameters </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> GET </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.index </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> POST </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.create </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> PUT </p><
 /td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie/Thrillers </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.update </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> id="Thrillers" </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> DELETE </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie/Thrillers </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.destroy </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> id="Thrillers" </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> GET </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie/Thrillers </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.show </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> id="Thrillers" </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> GET </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie/Thrillers/edi
 t </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.edit </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> id="Thrillers" </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> GET </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> /movie/new </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Movie.editNew </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr></tbody></table></div>
-
-
-<h3 id="RESTPlugin-ContentTypes">Content Types</h3>
-
-<p>In addition to providing mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin also provides the ability to produce multiple representations of the resource data.  By default, the plugin can return the resource in the following content types:  </p>
-
-<p>*HTML<br clear="none">
-*XML <br clear="none">
-*JSON</p>
-
-<p>There is nothing configure here, just add the conent type extension to your RESTful URL.  The framework will take care of the rest.  So, for instance, assuming a Controller called Movies and a movie with the id of superman, the following URL's will all hit the </p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-http://my.company.com/myapp/movies/superman
+<p>The REST plugin provides an alternative implementation, <a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-plugins/struts2-rest-plugin/apidocs/org/apache/struts2/rest/RestActionMapper.html"><code>RestActionMapper</code></a>, that provides the RESTful logic that maps a URL to a give action class ( aka 'controller' in RESTful terms ) and, more specifically, to the invocation of a method on that controller class. The following section, which comes from the Javadoc for the class, details this logic.</p><h4 id="RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping Logic</h4><p>This Restful action mapper enforces Ruby-On-Rails REST-style mappings. If the method is not specified (via '!' or 'method:' prefix), the method is "guessed" at using REST-style conventions that examine the URL and the HTTP method. Special care has&#160;been given to ensure this mapper works correctly with the codebehind plugin so that&#160;XML configuration is unnecessary.</p><p>Th
 is mapper supports the following parameters:</p><ul style="list-style-type: square;"><li><span style="line-height: 1.4285715;"><code>struts.mapper.idParameterName</code> - If set, this value will be the name</span><span style="line-height: 1.4285715;">&#160;of the parameter under which the id is stored. The id will then be removed</span><span style="line-height: 1.4285715;">&#160;from the action name. Whether or not the method is specified, the mapper will&#160;</span><span style="line-height: 1.4285715;">&#160;try to truncate the identifier from the url and store it as a parameter.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.indexMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>index</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.getMethodName</code> - The method name to call for a GET</span><span style="line-heigh
 t: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>show</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.postMethodName</code> - The method name to call for a POST</span><span style="line-height: 1.4285715;">&#160;request with no id parameter. Defaults to <strong>create</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.putMethodName</code> - The method name to call for a PUT</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>update</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.deleteMethodName</code> - The method name to call for a DELETE</span><span style="line-height: 1.4285715;">&#160;request with an id parameter. Defaults to <strong>destroy</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.editMethodName</code> - The method name to call for a GET</span><span style="line-height
 : 1.4285715;">&#160;request with an id parameter and the <strong>edit</strong>&#160;view specified. Defaults to <strong>edit</strong>.</span></li><li><span style="line-height: 1.4285715;"><code>struts.mapper.newMethodName</code> - The method name to call for a GET</span><span style="line-height: 1.4285715;">&#160;request with no id parameter and the <strong>new</strong>&#160;view specified. Defaults to <strong>editNew</strong>.</span></li></ul><p>The following URL's will invoke its methods:</p><ul style="list-style-type: square;"><li><code>GET: /movies</code>&#160;=&gt; method=<strong>index</strong></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers</code>&#160;=&gt; method=<strong>show</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/Thrillers;edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/
 Thrillers/edit</code>&#160;=&gt; method=<strong>edit</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>GET: /movies/new</code>&#160;=&gt; method=<strong>editNew</strong></span></li><li><span style="line-height: 1.4285715;"><code>POST: /movies</code> =&gt; method=<strong>create</strong></span></li><li><span style="line-height: 1.4285715;"><code>PUT: /movies/Thrillers</code>&#160;=&gt; method=<strong>update</strong>, id=<strong>Thrillers</strong></span></li><li><span style="line-height: 1.4285715;"><code>DELETE: /movies/Thrillers</code>&#160;=&gt; method=<strong>destroy</strong>, id=<strong>Thrillers</strong></span></li></ul>    <div class="aui-message warning shadowed information-macro">
+                            <span class="aui-icon icon-warning">Icon</span>
+                <div class="message-content">
+                            <p>To simulate the HTTP methods PUT and DELETE, since they aren't supported by HTML,&#160;the HTTP parameter "_method" will be used.</p>
+                    </div>
+    </div>
+<p>Or, expressed as a table:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>HTTP method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>URI</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Class.method</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>parameters</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.index</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>POST</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.create</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><
 p>PUT</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.update</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>DELETE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.destroy</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.show</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/Thrillers/edit</p></td><td c
 olspan="1" rowspan="1" class="confluenceTd"><p>Movie.edit</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>id="Thrillers"</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>GET</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>/movie/new</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Movie.editNew</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr></tbody></table></div><h3 id="RESTPlugin-ContentTypes">Content Types</h3><p>In addition to providing mapping of RESTful URL's to Controller ( Action ) invocations, the REST plugin also provides the ability to produce multiple representations of the resource data. By default, the plugin can return the resource in the following content types:</p><ul style="list-style-type: square;"><li>HTML</li><li><span style="line-height: 1.4285715;">XML&#160;</span></li><li><span style="line-height: 1.4285715;">JSON</span></li></ul><p>There is nothing configure here, just add
  the conent type extension to your RESTful URL. The framework will take care of the rest. So, for instance, assuming a Controller called Movies and a movie with the id of superman, the following URL's will all hit the</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[http://my.company.com/myapp/movies/superman
 http://my.company.com/myapp/movies/superman.xml
 http://my.company.com/myapp/movies/superman.xhtml
 http://my.company.com/myapp/movies/superman.json
 ]]></script>
-</div></div>
-
-    <div class="aui-message warning shadowed information-macro">
+</div></div>    <div class="aui-message warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p>Note, these content types are supported as incoming data types as well.  And, if you need, you can extend the functionality by writing your own implementations of org.apache.struts2.rest.handler.ContentTypeHandler and registering them with the system.  </p>
+                            <p>Note, these content types are supported as incoming data types as well. And, if you need, you can extend the functionality by writing your own implementations of org.apache.struts2.rest.handler.ContentTypeHandler and registering them with the system.</p>
                     </div>
     </div>
-
-
-<h2 id="RESTPlugin-Usage">Usage</h2>
-<p>This section will walk you through a quick demo.  Here are the steps in the sequence that we will follow.</p>
-
-<p>*Setting Up your Project<br clear="none">
-*Configuring your Project<br clear="none">
-*Writing your Controllers</p>
-
-<h3 id="RESTPlugin-SettingUp">Setting Up</h3>
-
-<p>Assuming you have a normal Struts 2 application, all you need to do for this REST demo is to add the following two plugins:</p>
-
-<p> *Struts 2 Rest Plugin<br clear="none">
- *<a shape="rect" class="external-link" href="http://struts.apache.org/2.3.8/docs/convention-plugin.html">Struts 2 Convention Plugin </a></p>
-
-<p>Note, you can download the jars for these plugins from <a shape="rect" class="external-link" href="http://search.maven.org/#search%7Cga%7C1%7Cstruts2-convention-plugin" rel="nofollow">Maven Central</a></p>
-
-<h4 id="RESTPlugin-Configuration(struts.xml)">Configuration ( <code>struts.xml</code> )</h4>
-
-<p>Just dropping the plugin's into your application may not produce exactly the desired effect.  There are a couple of considerations.  The first consideration is whether you want to have any non-RESTful URL's coexisting with your RESTful URL's.  We'll show two configurations.  The first assumes all you want to do is REST.  The second assumes you want to keep other non-RESTful URL's alive in the same Struts 2 application.</p>
-
-    <div class="aui-message warning shadowed information-macro">
+<h2 id="RESTPlugin-Usage">Usage</h2><p>This section will walk you through a quick demo. Here are the steps in the sequence that we will follow.</p><ul style="list-style-type: square;"><li>Setting Up your Project</li><li><span style="line-height: 1.4285715;">Configuring your Project</span></li><li><span style="line-height: 1.4285715;">Writing your Controllers</span></li></ul><h3 id="RESTPlugin-SettingUp">Setting Up</h3><p>Assuming you have a normal Struts 2 application, all you need to do for this REST demo is to add the following two plugins:</p><ul style="list-style-type: square;"><li>Struts 2 Rest Plugin</li><li><a shape="rect" class="external-link" href="http://struts.apache.org/2.3.8/docs/convention-plugin.html" style="line-height: 1.4285715;">Struts 2 Convention Plugin</a></li></ul><p>Note, you can download the jars for these plugins from <a shape="rect" class="external-link" href="http://search.maven.org/#search%7Cga%7C1%7Cstruts2-convention-plugin" rel="nofollow">Maven Centra
 l</a></p><h4 id="RESTPlugin-Configuration(struts.xml)">Configuration ( <code>struts.xml</code> )</h4><p>Just dropping the plugin's into your application may not produce exactly the desired effect. There are a couple of considerations. The first consideration is whether you want to have any non-RESTful URL's coexisting with your RESTful URL's. We'll show two configurations. The first assumes all you want to do is REST. The second assumes you want to keep other non-RESTful URL's alive in the same Struts 2 application.</p>    <div class="aui-message warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p>As with all configuration of Struts 2, we prefer using <code>&lt;constant/&gt;</code> elements in our <code>struts.xml</code>.  </p>
+                            <p>As with all configuration of Struts 2, we prefer using <code>&lt;constant/&gt;</code> elements in our <code>struts.xml</code>.</p>
                     </div>
     </div>
-
-
-<h5 id="RESTPlugin-RESTOnlyConfiguration">REST Only Configuration</h5>
-
-<p>Instruct Struts to use the REST action mapper:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;constant name=&quot;struts.mapper.class&quot; value=&quot;rest&quot; /&gt;
+<h5 id="RESTPlugin-RESTOnlyConfiguration">REST Only Configuration</h5><p>Instruct Struts to use the REST action mapper:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;constant name=&quot;struts.mapper.class&quot; value=&quot;rest&quot; /&gt;
 ]]></script>
-</div></div>
-
-<p>At this point, the REST mapper has replaced the DefaultActionMapper so all incoming URL's will be interpreted as RESTful URL's.  </p>
-
-<p>We're relying on the Convention plugin to find our controllers, so we need to configure the convention plugin a bit:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;constant name=&quot;struts.convention.action.suffix&quot; value=&quot;Controller&quot;/&gt;
+</div></div><p>At this point, the REST mapper has replaced the DefaultActionMapper so all incoming URL's will be interpreted as RESTful URL's.</p><p>We're relying on the Convention plugin to find our controllers, so we need to configure the convention plugin a bit:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;constant name=&quot;struts.convention.action.suffix&quot; value=&quot;Controller&quot;/&gt;
 &lt;constant name=&quot;struts.convention.action.mapAllMatches&quot; value=&quot;true&quot;/&gt;
 &lt;constant name=&quot;struts.convention.default.parent.package&quot; value=&quot;rest-default&quot;/&gt;
 &lt;constant name=&quot;struts.convention.package.locators&quot; value=&quot;example&quot;/&gt;
 ]]></script>
-</div></div>
-
-    <div class="aui-message warning shadowed information-macro">
+</div></div>    <div class="aui-message warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p>Note, you don't have to use the Convention plugin just to use the REST plugin.  The actions of your RESTful application can be defined in XML just as easily as by convention.  The REST mapper doesn't care how the application came to know about your actions when it maps a URL to an invocation of one of it's methods.</p>
+                            <p>Note, you don't have to use the Convention plugin just to use the REST plugin. The actions of your RESTful application can be defined in XML just as easily as by convention. The REST mapper doesn't care how the application came to know about your actions when it maps a URL to an invocation of one of it's methods.</p>
                     </div>
     </div>
-
-
-<h5 id="RESTPlugin-RESTandnon-RESTfulURL'sTogetherConfiguration">REST and non-RESTful URL's Together Configuration</h5>
-
-<p>If you want to keep using some non-RESTful URL's alongside your REST stuff, then you'll have to provide for a configuration that utilizes to mappers.  </p>
-
-    <div class="aui-message warning shadowed information-macro">
+<h5 id="RESTPlugin-RESTandnon-RESTfulURL'sTogetherConfiguration">REST and non-RESTful URL's Together Configuration</h5><p>If you want to keep using some non-RESTful URL's alongside your REST stuff, then you'll have to provide for a configuration that utilizes to mappers.</p>    <div class="aui-message warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p>Plugins contain their own configuration.  If you look in the Rest plugin jar, you'll see the <code>struts-plugin.xml</code> and in that you'll see some configuration settings made by the plugin.  Often, the plugin just sets things the way it wants them. You may frequently need to override those settings in your own <code>struts.xml</code>. </p>
+                            <p>Plugins contain their own configuration. If you look in the Rest plugin jar, you'll see the <code>struts-plugin.xml</code> and in that you'll see some configuration settings made by the plugin. Often, the plugin just sets things the way it wants them. You may frequently need to override those settings in your own <code>struts.xml</code>.</p>
                     </div>
     </div>
-   
-
-<p>First, you'll need to re-assert the extensions that struts knows about because the rest plugin will have thrown out the default <code>action</code> extension.</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-  &lt;constant name=&quot;struts.action.extension&quot; value=&quot;xhtml,,xml,json,action&quot;/&gt;
+<p>First, you'll need to re-assert the extensions that struts knows about because the rest plugin will have thrown out the default <code>action</code> extension.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[  &lt;constant name=&quot;struts.action.extension&quot; value=&quot;xhtml,,xml,json,action&quot;/&gt;
 ]]></script>
-</div></div>
-
-<p>Next, we will configure the <code>PrefixBasedActionMapper</code>, which is part of the core Struts 2 distribution, to have some URL's routed to the Rest mapper and others to the default mapper.  </p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-  &lt;constant name=&quot;struts.mapper.class&quot; value=&quot;org.apache.struts2.dispatcher.mapper.PrefixBasedActionMapper&quot; /&gt;
+</div></div><p>Next, we will configure the <code>PrefixBasedActionMapper</code>, which is part of the core Struts 2 distribution, to have some URL's routed to the Rest mapper and others to the default mapper.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[  &lt;constant name=&quot;struts.mapper.class&quot; value=&quot;org.apache.struts2.dispatcher.mapper.PrefixBasedActionMapper&quot; /&gt;
   &lt;constant name=&quot;struts.mapper.prefixMapping&quot; value=&quot;/rest:rest,:struts&quot;/&gt;
 ]]></script>
-</div></div>
-
-<p>And, again, we're relying on the Convention plugin to find our controllers, so we need to configure the convention plugin a bit:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;constant name=&quot;struts.convention.action.suffix&quot; value=&quot;Controller&quot;/&gt;
+</div></div><p>And, again, we're relying on the Convention plugin to find our controllers, so we need to configure the convention plugin a bit:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;constant name=&quot;struts.convention.action.suffix&quot; value=&quot;Controller&quot;/&gt;
 &lt;constant name=&quot;struts.convention.action.mapAllMatches&quot; value=&quot;true&quot;/&gt;
 &lt;constant name=&quot;struts.convention.default.parent.package&quot; value=&quot;rest-default&quot;/&gt;
 &lt;constant name=&quot;struts.convention.package.locators&quot; value=&quot;example&quot;/&gt;
 ]]></script>
-</div></div>
-
-
-<h3 id="RESTPlugin-WriteYourControllerActions">Write Your Controller Actions</h3>
-
-<p>Once everything is configured, you need to create the controllers.  Controllers are simply actions created with the purpose of handling requests for a give RESTful resource.  As we saw in the mapping logic above, various REST URL's will hit different methods on the controller.  Traditionally, normal Struts 2 actions expose the <code>execute</code> method as their target method.  Here's a sample controller for a <em>orders</em> resource.  Note, this sample doesn't implement all of the methods that can be hit via the RESTful action mapper's interpretation of URL's.  </p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-package org.apache.struts2.rest.example;
+</div></div><h3 id="RESTPlugin-WriteYourControllerActions">Write Your Controller Actions</h3><p>Once everything is configured, you need to create the controllers. Controllers are simply actions created with the purpose of handling requests for a give RESTful resource. As we saw in the mapping logic above, various REST URL's will hit different methods on the controller. Traditionally, normal Struts 2 actions expose the <code>execute</code> method as their target method. Here's a sample controller for a <em>orders</em> resource. Note, this sample doesn't implement all of the methods that can be hit via the RESTful action mapper's interpretation of URL's.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[package org.apache.struts2.rest.example;
 
 public class OrdersController implements ModelDriven&lt;Order&gt; {
 
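Review bot: In the added paragraph under the new "REST and non-RESTful URL's Together Configuration" heading, "a configuration that utilizes to mappers" should read "two mappers"; as written, the sentence does not say that two action mappers are being combined. Since the "Write Your Controller Actions" paragraph is rewritten in the same hunk, the carried-over "for a give RESTful resource" and "a <em>orders</em> resource" could be corrected to "given" and "an" at the same time. The struts.action.extension value "xhtml,,xml,json,action" contains an empty entry that the surrounding text never explains; one sentence on what the empty entry is for would help readers who copy the constant into their own struts.xml.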
@@ -359,70 +250,22 @@ public class OrdersController implements
     // getters and setters
 }
 ]]></script>
-</div></div>
-
-<p>In this example, the <code>ModelDriven</code> interface is used to ensure that only my model, the Order object in this case, is returned to the client, otherwise, the whole <code>OrdersController</code> object would be serialized.</p>
-
-    <div class="aui-message warning shadowed information-macro">
+</div></div><p>In this example, the <code>ModelDriven</code> interface is used to ensure that only my model, the Order object in this case, is returned to the client, otherwise, the whole <code>OrdersController</code> object would be serialized.</p>    <div class="aui-message warning shadowed information-macro">
                             <span class="aui-icon icon-warning">Icon</span>
                 <div class="message-content">
-                            <p>Where's ActionSupport?  Normally, you extend ActionSupport when writing Struts 2 actions.  In these case, our controller doesn't do that.  Why, you ask?  ActionSupport provides a bunch of important functionality to our actions, including support for i18n and validation.  All of this functionality, in the RESTful case, is provided by the default interceptor stack defined in the REST plugin's struts-plugin.xml file.  Unless you willfully break your controller's membership in the rest-default package in which that stack is defined, then you'll get all that functionality you are used to inheriting from ActionSupport.</p>
+                            <p>Where's ActionSupport? Normally, you extend ActionSupport when writing Struts 2 actions. In these case, our controller doesn't do that. Why, you ask? ActionSupport provides a bunch of important functionality to our actions, including support for i18n and validation. All of this functionality, in the RESTful case, is provided by the default interceptor stack defined in the REST plugin's struts-plugin.xml file. Unless you willfully break your controller's membership in the rest-default package in which that stack is defined, then you'll get all that functionality you are used to inheriting from ActionSupport.</p>
                     </div>
     </div>
-
-
-<p>You may wonder why the <code>show()</code> method returns a <code>HttpHeaders</code> object and the <code>update()</code> method returns the expected result code String.  The REST Plugin adds support for action methods that return <code>HttpHeaders</code> objects as a way for the action to have more control over the response.  In this example, we wanted to ensure the response included the ETag header and a last modified date so that the information will be cached properly by the client.  The <code>HttpHeaders</code> object is a convenient way to control the response in a type-safe way.</p>
-
-<p>Also, notice we aren't returning the usual "success" result code in either method.  This allows us to use the special features of the <a shape="rect" href="codebehind-plugin.html">Codebehind Plugin</a> to intuitively select the result template to process when this resource is accessed with the <code>.xhtml</code> extension.  In this case, we can provide a customized XHTML view of the resource by creating <code>/orders-show.jsp</code> and <code>/orders-update.jsp</code> for the respective methods.</p>
-
-<h2 id="RESTPlugin-AdvancedTopics">Advanced Topics</h2>
-
-<p>The following sections describe some of the non-standard bells and whistles that you might need to utilize for your application's more non-standard requirements.</p>
-
-<h3 id="RESTPlugin-CustomContentTypeHandlers">Custom ContentTypeHandlers</h3>
-
-<p>If you need to handle extensions that aren't supported by the default handlers, you can create your own <code>ContentTypeHandler</code> implementation and define it in your <code>struts.xml</code>:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;bean name=&quot;yaml&quot; type=&quot;org.apache.struts2.rest.handler.ContentTypeHandler&quot; class=&quot;com.mycompany.MyYamlContentHandler&quot; /&gt;
+<p>You may wonder why the <code>show()</code> method returns a <code>HttpHeaders</code> object and the <code>update()</code> method returns the expected result code String. The REST Plugin adds support for action methods that return <code>HttpHeaders</code> objects as a way for the action to have more control over the response. In this example, we wanted to ensure the response included the ETag header and a last modified date so that the information will be cached properly by the client. The <code>HttpHeaders</code> object is a convenient way to control the response in a type-safe way.</p><p>Also, notice we aren't returning the usual "success" result code in either method. This allows us to use the special features of the <a shape="rect" href="codebehind-plugin.html">Codebehind Plugin</a> to intuitively select the result template to process when this resource is accessed with the <code>.xhtml</code> extension. In this case, we can provide a customized XHTML view of the resource by c
 reating <code>/orders-show.jsp</code> and <code>/orders-update.jsp</code> for the respective methods.</p><h2 id="RESTPlugin-AdvancedTopics">Advanced Topics</h2><p>The following sections describe some of the non-standard bells and whistles that you might need to utilize for your application's more non-standard requirements.</p><h3 id="RESTPlugin-CustomContentTypeHandlers">Custom ContentTypeHandlers</h3><p>If you need to handle extensions that aren't supported by the default handlers, you can create your own <code>ContentTypeHandler</code> implementation and define it in your <code>struts.xml</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean name=&quot;yaml&quot; type=&quot;org.apache.struts2.rest.handler.ContentTypeHandler&quot; class=&quot;com.mycompany.MyYamlContentHandler&quot; /&gt;
 ]]></script>
-</div></div>
-
-<p>If the built-in content type handlers don't do what you need, you can override the handling of any extension by providing an alternate handler.  First, define your own <code>ContentTypeHandler</code> and declare with its own alias. For example:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;bean name=&quot;myXml&quot; type=&quot;org.apache.struts2.rest.handler.ContentTypeHandler&quot; class=&quot;com.mycompany.MyXmlContentHandler&quot; /&gt;
+</div></div><p>If the built-in content type handlers don't do what you need, you can override the handling of any extension by providing an alternate handler. First, define your own <code>ContentTypeHandler</code> and declare with its own alias. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean name=&quot;myXml&quot; type=&quot;org.apache.struts2.rest.handler.ContentTypeHandler&quot; class=&quot;com.mycompany.MyXmlContentHandler&quot; /&gt;
 ]]></script>
-</div></div>
-
-<p>Then, tell the REST Plugin to override the handler for the desired extension with yours.  In <code>struts.properties</code>, it would look like this:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-struts.rest.handlerOverride.xml=myXml
+</div></div><p>Then, tell the REST Plugin to override the handler for the desired extension with yours. In <code>struts.properties</code>, it would look like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[struts.rest.handlerOverride.xml=myXml
 ]]></script>
-</div></div>
-
-
-<h3 id="RESTPlugin-Settings">Settings</h3>
-
-<p>The following settings can be customized.  See the <a shape="rect" class="external-link" href="http://cwiki.apache.org/confluence/display/WW/Configuration+Files">developer guide</a>.<br clear="none">
-For more configuration options see the <a shape="rect" href="convention-plugin.html">Convention Plugin Documentation</a></p>
-
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p> Setting </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Description </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Default </p></th><th colspan="1" rowspan="1" class="confluenceTh"><p> Possible Values </p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>struts.rest.handlerOverride.EXTENSION</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> The alias for the <code>ContentTypeHandler</code> implementation that handles the EXTENSION value </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> N/A </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Any declared alias for a <code>ContentTypeHandler</code> implementation </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>struts.rest.defaultExtension</code> </p></td><td colspan="1" rowspan="1" class="confluenc
 eTd"><p> The default extension to use when none is explicitly specified in the request </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>xhtml</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Any extension </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>struts.rest.validationFailureStatusCode</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> The HTTP status code to return on validation failure </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>400</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Any HTTP status code as an integer </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>struts.rest.namespace</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Optional parameter to specify namespace for REST services </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>/</code> </p></td><td colspan="1" rowspan="1
 " class="confluenceTd"><p> eg. /rest </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>struts.rest.content.restrictToGET</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> Optional parameter, if set to true blocks returning content from any other methods than GET, if set to false, the content can be returned for any kind of method </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> <code>true</code> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> eg. put struts.rest.content.restrictToGET = false in struts.properties </p></td></tr></tbody></table></div>
-
-
-
-<h2 id="RESTPlugin-Resources">Resources</h2>
-
-<ul><li><a shape="rect" class="external-link" href="http://www.b-simple.de/documents" rel="nofollow">http://www.b-simple.de/documents</a> - Short RESTful Rails tutorial (PDF, multiple languages)</li><li><a shape="rect" class="external-link" href="http://www.amazon.com/RESTful-Web-Services-Leonard-Richardson/dp/0596529260" rel="nofollow">RESTful Web Services</a> - Highly recommend book from O'Reilly</li><li><a shape="rect" class="external-link" href="http://raibledesigns.com/rd/entry/go_light_with_apache_struts" rel="nofollow">Go Light with Apache Struts 2 and REST</a> - Presentation by Don Brown at ApacheCon US 2008</li></ul>
-
-
-<h2 id="RESTPlugin-VersionHistory">Version History</h2>
-
-<p>From Struts 2.1.1+</p></div>
+</div></div><h3 id="RESTPlugin-Settings">Settings</h3><p>The following settings can be customized. See the <a shape="rect" class="external-link" href="http://cwiki.apache.org/confluence/display/WW/Configuration+Files">developer guide</a>.<br clear="none"> For more configuration options see the <a shape="rect" href="convention-plugin.html">Convention Plugin Documentation</a></p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Setting</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Possible Values</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>struts.rest.handlerOverride.EXTENSION</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The alias for the <code>ContentTypeHandler</code> implementation that handles the EXTENSION val
 ue</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>N/A</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Any declared alias for a <code>ContentTypeHandler</code> implementation</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>struts.rest.defaultExtension</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The default extension to use when none is explicitly specified in the request</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>xhtml</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Any extension</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>struts.rest.validationFailureStatusCode</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The HTTP status code to return on validation failure</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>400</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Any HTTP status code as 
 an integer</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>struts.rest.namespace</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional parameter to specify namespace for REST services</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>/</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>eg. /rest</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>struts.rest.content.restrictToGET</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional parameter, if set to true blocks returning content from any other methods than GET, if set to false, the content can be returned for any kind of method</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>true</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>eg. put struts.rest.content.restrictToGET = false in struts.properties</p></td></tr></tbody></table></div><h2 id="RESTPlugin-Resources">Resource
 s</h2><ul><li><a shape="rect" class="external-link" href="http://www.b-simple.de/documents" rel="nofollow">http://www.b-simple.de/documents</a> - Short RESTful Rails tutorial (PDF, multiple languages)</li><li><a shape="rect" class="external-link" href="http://www.amazon.com/RESTful-Web-Services-Leonard-Richardson/dp/0596529260" rel="nofollow">RESTful Web Services</a> - Highly recommend book from O'Reilly</li><li><a shape="rect" class="external-link" href="http://raibledesigns.com/rd/entry/go_light_with_apache_struts" rel="nofollow">Go Light with Apache Struts 2 and REST</a> - Presentation by Don Brown at ApacheCon US 2008</li></ul><h2 id="RESTPlugin-VersionHistory">Version History</h2><p>From Struts 2.1.1+</p></div>
         </div>
 
         
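Review bot: In the Settings table, the "Possible Values" cell for struts.rest.content.restrictToGET holds a usage instruction ("eg. put struts.rest.content.restrictToGET = false in struts.properties") instead of the accepted values; list true and false there and move the example into the Description cell. The same column gives only "eg. /rest" for struts.rest.namespace. Smaller points in the + lines: "In these case" in the ActionSupport note should be "In this case", "Highly recommend book" should be "Highly recommended book", and the struts.properties snippet (struts.rest.handlerOverride.xml=myXml) is highlighted with "brush: java" although it is a properties line, not Java.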

Modified: websites/production/struts/content/development/2.x/docs/s2-021.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-021.html (original)
+++ websites/production/struts/content/development/2.x/docs/s2-021.html Tue May  6 06:15:53 2014
@@ -134,7 +134,7 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-021-Summary">Summary</h2>Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>ClassLoader manipulation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://struts.apac
 he.org/download.cgi#struts23162">Struts 2.3.16.2</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Taki Uchiyama (JPCERT/CC), <br clear="none">Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Yoshiyuki Karezaki (Yoshiyuki.Karezaki at scsk.jp)<br clear="none"><span style="line-height: 1.4285715;">BAKA/ty (<span style="color: rgb(85,85,85);">121605589 at qq.com)</span>, <br clear="none"></span><span style="line-height: 1.4285715;">Shine (1983059165 at qq.com), <br clear="none">NSFOCUS Security Team,<br clear="none"></span><span style="line-height: 1.4285715;">heige (zhoujp at knownsec.com</span>)</p></td></tr><tr><th cols
 pan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>CVE-2014-0112 - </span>Incomplete fix for ClassLoader manipulation via ParametersInterceptor</p><p><span>CVE-2014-0113 - </span>ClassLoader manipulation via CookieInterceptor when configured to accept all cookies</p></td></tr></tbody></table></div><h2 id="S2-021-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-021-Solution">Solution</h2><p>In Struts 2.3.16.2 improved "class" pattern was introduced directly to ParametersInterceptor and CookieInterceptor.</p><h2 id="S2-021-Backwardcompatibility">Backward compatibility</h2
 ><p>No backward compatibility problems are expected.</p><h2 id="S2-021-Workaround">Workaround</h2><h2 id="S2-021-Ifyoucannotupgradetoversion2.3.16.2immediately-whichisstronglyadvised-youcanapplybelowworkarounds:"><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.2 immediately -&#160;<strong>which is strongly advised -</strong>&#160;you can apply below workarounds:</span></h2><h3 id="S2-021-Exclude'class'parameter"><span style="line-height: 1.5625;">Exclude 'class' parameter</span></h3><p>Replace the previous class related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' on&#160;the list of excludeParams as below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><h2 id="S2-021-Summary">Summary</h2>Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>ClassLoader manipulation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://struts.apac
 he.org/download.cgi#struts23162">Struts 2.3.16.2</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">NTT-CERT via JPCERT/CC</span>, <br clear="none">Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Yoshiyuki Karezaki (Yoshiyuki.Karezaki at scsk.jp)<br clear="none"><span style="line-height: 1.4285715;">BAKA/ty (<span style="color: rgb(85,85,85);">121605589 at qq.com)</span>, <br clear="none"></span><span style="line-height: 1.4285715;"><span style="color: rgb(34,34,34);">Nebula (</span><span style="color: rgb(34,34,34);">Chibi, Hubei, CN</span><span style="color: rgb(34,34,34);">), Hello
 World security team</span>, <br clear="none">NSFOCUS Security Team,<br clear="none"></span><span style="line-height: 1.4285715;">heige (zhoujp at knownsec.com</span>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>CVE-2014-0112 - </span>Incomplete fix for ClassLoader manipulation via ParametersInterceptor</p><p><span>CVE-2014-0113 - </span>ClassLoader manipulation via CookieInterceptor when configured to accept all cookies</p></td></tr></tbody></table></div><h2 id="S2-021-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-021-Solution">Solutio
 n</h2><p>In Struts 2.3.16.2 improved "class" pattern was introduced directly to ParametersInterceptor and CookieInterceptor.</p><h2 id="S2-021-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-021-Workaround">Workaround</h2><h2 id="S2-021-Ifyoucannotupgradetoversion2.3.16.2immediately-whichisstronglyadvised-youcanapplybelowworkarounds:"><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.2 immediately -&#160;<strong>which is strongly advised -</strong>&#160;you can apply below workarounds:</span></h2><h3 id="S2-021-Exclude'class'parameter"><span style="line-height: 1.5625;">Exclude 'class' parameter</span></h3><p>Replace the previous class related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' on&#160;the list of excludeParams as below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;interceptor-ref name=&quot;params&quot;&gt;
   &lt;param name=&quot;excludeParams&quot;&gt;(.*\.|^|.*|\[(&#39;|&quot;))(c|C)lass(\.|(&#39;|&quot;)]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*&lt;/param&gt;
 &lt;/interceptor-ref&gt;]]></script>
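Review bot: The workaround sentence in the + line tells readers to use the pattern '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*', but the excludeParams snippet directly below it has (c|C)lass, so anyone copying from the sentence gets a pattern that does not cover the capitalised form; make the sentence match the snippet. In both versions the first group also contains a bare .* alternative, which already matches everything the other three alternatives match, so the advisory should say plainly that any parameter name containing class or Class followed by ., [, '] or "] is excluded, next to the "No backward compatibility problems are expected" statement. The edit itself only touches the Reporter credits, so the rest of the advisory text was not revisited; "It is possible to omit that" in the Problem paragraph would read more clearly as "bypass that".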

Added: websites/production/struts/content/development/2.x/docs/s2-022.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-022.html (added)
+++ websites/production/struts/content/development/2.x/docs/s2-022.html Tue May  6 06:15:53 2014
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-022</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-022.html">S2-022</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-022</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511500">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511500">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511500">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 id="S2-022-Summary">Summary</h2>Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possibility to change internal state of session, request, etc</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" hre
 f="http://struts.apache.org/download.cgi#struts23163">Struts 2.3.16.3</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Zubair Ashraf of IBM X-Force</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="line-height: 1.4285715;"><span style="color: rgb(34,34,34);">CVE-2014-0116</span> - </span><span style="line-height: 1.4285715;">Struts' internals manipulation via CookieInterceptor</span></p></td></tr></tbody></table></div><h2 id="S2-022-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases and because of that attacker can c
 hange state of session, request and so on (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-022-Solution">Solution</h2><p>In Struts 2.3.16.3 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use&#160;CookieInterceptor you are safe.</p><h2 id="S2-022-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-022-Workaround">Workaround</h2><h2 id="S2-022-Ifyoucannotupgradetoversion2.3.16.3immediately-whichisstronglyadvised-don'tusewildcardmappingtoacceptcookienamesorimplementyourownversionofCookieInterceptorbasedoncodeprovidedinStruts2.3.16.3."><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.3 immediately -&#160;<strong>which is strongly advised -</strong></span><span style="font-size: 14.0px;line-height: 1.4285715;">&#160;don't use wildcard mapping to accept cookie names or implement
  your own version of CookieInterceptor based on code provided in Struts 2.3.16.3.</span></h2><p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
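Review bot: The Affected Software row in the new s2-022.html lists "Struts 2.0.0 - Struts 2.3.16.1", but the Problem section says the exclude pattern introduced in 2.3.16.2 did not cover all cases, which implies 2.3.16.2 is affected as well. Please confirm the range and, if that is right, extend it to 2.3.16.2 so readers on that release do not conclude they are unaffected. Two markup points on the same page: the workaround sentence is wrapped in a second <h2> with a sentence-long id instead of a <p> under the "Workaround" heading, and the topBar <td> carries align="left" twice.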

Modified: websites/production/struts/content/development/2.x/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/security-bulletins.html (original)
+++ websites/production/struts/content/development/2.x/docs/security-bulletins.html Tue May  6 06:15:53 2014
@@ -126,7 +126,7 @@ under the License. 
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on <url> and <a> tags</a></url></span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" href="s2
 -007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li><li><a
  shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="smalltext
 ">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on <url> and <a> tags</a></url></span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" href="s2
 -007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li><li><a
  shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="smalltext
 ">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> &#8212; <span class="smalltext">Extends excluded params in CookieIntercept
 or to avoid manipulation of Struts' internals</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
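Review bot: In the S2-002 list item the description carries the tag names as live markup ("<url> and <a> tags</a></url>"), and the added line keeps that unchanged. A browser parses these as elements instead of showing the tag names, so escape them as &lt;url&gt; and &lt;a&gt; in the source page. The only intended change appears to be the new S2-022 entry at the end of the list, which is hard to verify because the whole list sits on one line.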
@@ -200,6 +200,9 @@ under the License. 
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
                             </div>
         
     </div>
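Review bot: The three added lines repeat an unrendered template expression, "$page.link($child)", rather than a link to the new S2-022 child page. The context lines show the same raw placeholder, so the exporter is not evaluating the template in this block. Fix the template or drop the block, otherwise each new child page adds another literal placeholder row to the published site.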

Modified: websites/production/struts/content/development/2.x/docs/security.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/security.html (original)
+++ websites/production/struts/content/development/2.x/docs/security.html Tue May  6 06:15:53 2014
@@ -19,7 +19,7 @@ under the License. 
 -->
 <html>
 <head>
-    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
     <style type="text/css">
         .dp-highlighter {
             width:95% !important;
@@ -37,8 +37,8 @@ under the License. 
     <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
     <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
     <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
-            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
-    
+    <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+
     <script type="text/javascript">
         SyntaxHighlighter.defaults['toolbar'] = false;
         SyntaxHighlighter.all();
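Review bot: The re-indented script tag still loads shBrushXml.js over http://, as do the shCore.js and highlighter stylesheet lines in the context, while default.css in the previous hunk is referenced over https://. On a page served over HTTPS this is mixed content that browsers may block, and a script fetched over plain HTTP can be altered in transit. Since the line is being touched anyway, switch the highlighter URLs to https://.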
@@ -134,21 +134,8 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h3 id="Security-Securitytips">Security tips</h3>
-
-<p>The Apache Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p>
-
-<h4 id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4>
-
-<p>&#65279;<a shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;expose internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use &#160;Basic Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link" href="http://shiro.apache.org/">Apache Shiro</a>)</p>
-
-<h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</h4>
-
-<p>Very often access to different resources is controlled base on URL patterns, see snippet below. Because of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;security-constraint&gt;
+            <div id="ConfluenceContent"><h3 id="Security-Securitytips">Security tips</h3><p>The Apache Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p><h4 id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4><p><a shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;exposes internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use &#160;Basic Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link" href="http://shiro.apache.org/">Apache Shiro</a>)</p><h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</h4><p>Very often access to different resources is controlled based on URL p
 atterns, see snippet below. Because of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;security-constraint&gt;
         &lt;web-resource-collection&gt;
             &lt;web-resource-name&gt;admin&lt;/web-resource-name&gt;
             &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
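Review bot: The rewritten Security tips text still reads "Below are few tips" and "we strictly recommend restricting access", in the same paragraphs where "expose" and "base on" are corrected. Fix these in the wiki source as well ("a few tips", "strongly recommend"). The content is also collapsed onto one long line, so the wording fixes and the removal of &#65279; are hard to spot in review.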

Modified: websites/production/struts/content/development/2.x/docs/version-notes-23162.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/version-notes-23162.html (original)
+++ websites/production/struts/content/development/2.x/docs/version-notes-23162.html Tue May  6 06:15:53 2014
@@ -135,7 +135,7 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.16.2 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-23153.html">Version Notes 2.3.16</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li></ul><div class="code p
 anel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.16.2 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-23161.html">Version Notes 2.3.16.1</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li></ul><div class="code
  panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
   &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;