Posted to announce@apache.org by Lukasz Lenart <lu...@apache.org> on 2016/03/22 09:19:12 UTC

[ANN] Apache Struts 2.3.28 GA

The Apache Struts group is pleased to announce that Struts 2.3.28 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses three potential security vulnerabilities:

S2-028 Possible XSS vulnerability in pages not using UTF-8 was fixed.
S2-029 Forced double OGNL evaluation, when evaluated on raw user input
in tag attributes, may lead to remote code execution.
S2-030 I18NInterceptor narrows selected locale to those available in
JVM to reduce possibility of another XSS vulnerability.

All developers are strongly advised to perform this action.

This release contains several changes and improvements, just to mention
a few of them:

- New ConfigurationProvider type was introduced -
ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once to constructed
objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to
store messages, see WW-4605
- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606

and many other improvements, please check the version notes

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Struts 2.3.28 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page
* http://struts.apache.org/download.cgi#struts2328

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.28 version of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-2328.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Re: Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)

Posted by Markus Fischer <Ma...@knipp.de>.
Hi Martin,

>>>> after migrating from Struts 2.3.24.1 to 2.3.28, I get several FreeMarker
>>>> template errors for missing/null elements for expressions that worked
>>>> fine before, like this:
>>>>
>>>> ==> iPhone (Method name: isIPhone)
>>>>
>>>> Expr.   | 2.3.24.1      | 2.3.28
>>>> iPhone  | OK            | error
>>>> IPhone  | OK            | OK 
> 
> MG>markus ..who/what generates text string iPhone instead of IPhone?..can i assume this is USER-AGENT HTTP Header?

"iPhone" is a variable in a FreeMarker template, named that way by a
programmer to refer to the underlying isIPhone Java method. So nothing
that is automatically generated.

> MG>does anyone know if new Freemarker 2.3.28+ will provide OGNL workaround for this testcase?

I'm afraid I don't.

Markus

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)

Posted by Martin Gainty <mg...@hotmail.com>.
              


> Subject: Re: Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)
> To: user@struts.apache.org
> From: Markus.Fischer@knipp.de
> Date: Wed, 30 Mar 2016 15:20:25 +0200
> 
> Hi Łukasz,
> 
> >> after migrating from Struts 2.3.24.1 to 2.3.28, I get several FreeMarker
> >> template errors for missing/null elements for expressions that worked
> >> fine before, like this:
> >>
> >> ==> iPhone (Method name: isIPhone)
> >>
> >> Expr.   | 2.3.24.1      | 2.3.28
> >> iPhone  | OK            | error
> >> IPhone  | OK            | OK 

MG>markus ..who/what generates text string iPhone instead of IPhone?..can i assume this is USER-AGENT HTTP Header?

MG>does anyone know if new Freemarker 2.3.28+ will provide OGNL workaround for this testcase?
> 
> > It's due to fixed OGNL version which properly supports JavaBean
> > Specifications now. You can revert to prior version of OGNL to keep
> > the old behaviour.
> 
> thank you very much for the quick reply (and all your work for the
> Struts project).
> 
> Cheers,
> Markus
> 

Re: Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)

Posted by Markus Fischer <Ma...@knipp.de>.
Hi Łukasz,

>> after migrating from Struts 2.3.24.1 to 2.3.28, I get several FreeMarker
>> template errors for missing/null elements for expressions that worked
>> fine before, like this:
>>
>> ==> iPhone (Method name: isIPhone)
>>
>> Expr.   | 2.3.24.1      | 2.3.28
>> iPhone  | OK            | error
>> IPhone  | OK            | OK

> It's due to fixed OGNL version which properly supports JavaBean
> Specifications now. You can revert to prior version of OGNL to keep
> the old behaviour.

thank you very much for the quick reply (and all your work for the
Struts project).

Cheers,
Markus



Re: Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)

Posted by Lukasz Lenart <lu...@apache.org>.
2016-03-30 14:43 GMT+02:00 Markus Fischer <Ma...@knipp.de>:
> Hi all,
>
> after migrating from Struts 2.3.24.1 to 2.3.28, I get several FreeMarker
> template errors for missing/null elements for expressions that worked
> fine before, like this:
>
>> FreeMarker template error
>>
>> The following has evaluated to null or missing:
>> ==> iPhone  [in template "..." at line X, column Y]
>
> What the problematic expressions have in common is that the Java methods
> they refer to have camel case names with (at least?) two consecutive
> upper case letters, as in "isIPhone". This seems to be mapped in a
> different way with Struts 2.3.28 than it has been before. (See below for
> two examples of the different mapping behaviour in Struts 2.3.24.1 and
> 2.3.28).
>
> My question is: Is this a bug? Or is this something that was introduced
> intentionally to comply with some standard or convention?
>
> Examples for Freemarker expression evaluation
>
> ==> iPhone (Method name: isIPhone)
>
> Expr.   | 2.3.24.1      | 2.3.28
> iPhone  | OK            | error
> IPhone  | OK            | OK
>
>
> ==> hCardElements (getHCardElements)
>
> Expression      | 2.3.24.1      | 2.3.28
> hCardElements   | OK            | error
> HCardElements   | OK            | OK

It's due to the fixed OGNL version, which properly supports JavaBean
Specifications now. You can revert to a prior version of OGNL to keep
the old behaviour.

See those issues
https://issues.apache.org/jira/browse/WW-3909
https://issues.apache.org/jira/browse/WW-4616

and here you have another one
https://github.com/jkuhnert/ognl/pull/21


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
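
The naming rule behind the reply above, as an added example that is not part of the original thread: the JavaBeans specification leaves a property name unchanged when its first two letters are both upper case, so isIPhone() maps to "IPhone" rather than "iPhone". The sketch uses the JDK's java.beans.Introspector to list the getters of a class whose spec-compliant property name differs from the lower-case-first spelling used in the failing templates; the Device bean and the class and method names are constructed for illustration.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayList;
import java.util.List;

public class PropertyNameAudit {

    // Constructed sample bean: the two getter names from the thread,
    // plus one ordinary getter that is not affected.
    public static class Device {
        public boolean isIPhone() { return true; }
        public List<String> getHCardElements() { return new ArrayList<String>(); }
        public String getModel() { return "sample"; }
    }

    // The lenient spelling: always lower-case the first letter of the
    // getter suffix ("IPhone" becomes "iPhone").
    static String lenientName(String suffix) {
        return Character.toLowerCase(suffix.charAt(0)) + suffix.substring(1);
    }

    // Returns one entry per readable property whose JavaBeans name differs
    // from the lenient spelling, i.e. the expressions to review on upgrade.
    static List<String> affected(Class<?> type) throws IntrospectionException {
        List<String> out = new ArrayList<String>();
        // Stop at Object so the synthetic "class" property is not reported.
        BeanInfo info = Introspector.getBeanInfo(type, Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getReadMethod() == null) continue;
            String getter = pd.getReadMethod().getName();
            String suffix = getter.substring(getter.startsWith("is") ? 2 : 3);
            String lenient = lenientName(suffix);
            if (!lenient.equals(pd.getName())) {
                out.add(getter + "(): " + lenient + " -> " + pd.getName());
            }
        }
        return out;
    }

    public static void main(String[] args) throws IntrospectionException {
        for (String line : affected(Device.class)) {
            System.out.println(line);
        }
    }
}
```

Running the same check over an application's action and model classes before the upgrade gives the list of template expressions that need the upper-case spelling.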



Different name mapping in Struts 2.3.28 (was Re: [ANN] Apache Struts 2.3.28 GA)

Posted by Markus Fischer <Ma...@knipp.de>.
Hi all,

after migrating from Struts 2.3.24.1 to 2.3.28, I get several FreeMarker
template errors for missing/null elements for expressions that worked
fine before, like this:

> FreeMarker template error
> 
> The following has evaluated to null or missing:
> ==> iPhone  [in template "..." at line X, column Y]

What the problematic expressions have in common is that the Java methods
they refer to have camel case names with (at least?) two consecutive
upper case letters, as in "isIPhone". This seems to be mapped in a
different way with Struts 2.3.28 than it has been before. (See below for
two examples of the different mapping behaviour in Struts 2.3.24.1 and
2.3.28).

My question is: Is this a bug? Or is this something that was introduced
intentionally to comply with some standard or convention?

Examples for Freemarker expression evaluation

==> iPhone (Method name: isIPhone)

Expr.	| 2.3.24.1	| 2.3.28
iPhone	| OK		| error
IPhone	| OK		| OK


==> hCardElements (getHCardElements)

Expression	| 2.3.24.1	| 2.3.28
hCardElements	| OK 		| error
HCardElements	| OK		| OK


TIA
Markus




Re: tiles2.2.2 error for Struts 2.3.28 GA

Posted by Lukasz Lenart <lu...@apache.org>.
2016-03-22 19:55 GMT+01:00 Emi <em...@encs.concordia.ca>:
> Hello,
>>
>> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see
>> WW-4568
>
> tiles3.x, everything success.
>
> For tiles2.2.2, after migrating from 2.3.24.1 to 2.3.28, got the following
> error:
>
> org.apache.tiles.definition.NoSuchDefinitionException: login_page
>
> But "login_page" is in tiles-login.xml file(no change).
>
>    <context-param>
>        <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
>        <param-value>/WEB-INF/tiles/tiles-login.xml</param-value>
>    </context-param>
>
> For the new version, do I have to change something for tiles configuration
> with struts?

Here you have an example of how to configure it
https://github.com/apache/struts-examples/blob/master/tiles/src/main/webapp/WEB-INF/web.xml

Right now the Struts Tiles plugin by default loads all "tiles*.xml" definitions
https://github.com/apache/struts/blob/master/plugins/tiles/src/main/java/org/apache/struts2/tiles/StrutsTilesContainerFactory.java#L98

Just remember to use the proper DTD
https://github.com/apache/struts-examples/blob/master/tiles/src/main/webapp/WEB-INF/tiles.xml


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



tiles2.2.2 error for Struts 2.3.28 GA

Posted by Emi <em...@encs.concordia.ca>.
Hello,
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
tiles3.x, everything success.

For tiles2.2.2, after migrating from 2.3.24.1 to 2.3.28, got the
following error:

org.apache.tiles.definition.NoSuchDefinitionException: login_page

But "login_page" is in tiles-login.xml file(no change).

    <context-param>
        <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
        <param-value>/WEB-INF/tiles/tiles-login.xml</param-value>
    </context-param>

For the new version, do I have to change something for tiles 
configuration with struts?
