Apache Struts Changelog

What's new in Apache Struts 6.4.0

Apr 21, 2024

Bug:
[WW-5192] - Radio tag not setting enum key values
[WW-5319] - StrutsUtils is not defined in validation.js
[WW-5357] - Struts anchor tag doesn't support "disabled" even though docs indicate it does
[WW-5365] - Radio tag does not support value objects of type Boolean when setting the default value
[WW-5373] - CspReportAction JavaDoc wrong
[WW-5382] - Stale configuration persists after configuration reload
[WW-5387] - ApplicationMap.remove does not remove the entry from the ServletContext
[WW-5392] - Tiles-Plugin unable to load tiles definition XML if the file names are specified with wild char
[WW-5396] - Javatemplates s:file shows server/file location
[WW-5403] - Struts 2.5 to 6.x migration issues caused by removal of deprecated code within a minor release
New Feature
[WW-5402] - Auto loading the Tiles definition files from the classpath dependent JAR
Improvement:
[WW-5225] - add accessor to the original filename into JakartaMultiPartRequest & MultiPartRequestWrapper
[WW-5328] - Removes deprecated methods from SecurityMemberAccess & MemberAccessValueStack
[WW-5333] - Refactor AttributeMap
[WW-5338] - Remove deprecated OgnlTool
[WW-5339] - Mitigate against custom class ASTMap node construction
[WW-5340] - Introduce optional AST node exclusion list
[WW-5341] - Ensure exclusion list applies to objects from all ClassLoaders
[WW-5342] - Block classes in default package
[WW-5343] - Make SecurityMemberAccess extensible and a prototype bean
[WW-5346] - CDI Plugin: Replace deprecated BeanManager::createInjectionTarget
[WW-5348] - Allow overriding of logging behaviour in DefaultAcceptedPatternsChecker
[WW-5349] - Remove core dependency on ognl.ASTVarRef
[WW-5350] - Implement optional strict class/package allowlist for OGNL
[WW-5352] - Implement annotation mechanism for injectable fields via parameters
[WW-5354] - Add actionErrors, actionMessages, fieldErrors to parameter excluded patterns
[WW-5355] - Integrate and use WTLFU cache by default
[WW-5358] - Expand exclusion list
[WW-5359] - Improved the StrutsUrlDecoder so that charset retrieval is performed only once
[WW-5360] - Struts 2 and JDK 17 numbers of iterator tag when using different locale
[WW-5362] - Remove type attribute out of <s:script/> tag
[WW-5363] - Look up Stack last in Velocity context
[WW-5364] - Automatically populate OGNL allowlist
[WW-5369] - Re-define a minimal library set for Struts 6.x
[WW-5370] - Make HttpParameters case-insensitive
[WW-5371] - Use action based callback to transfer information about uploaded files
[WW-5374] - CspInterceptor reportUri with context
[WW-5377] - trouble with Struts tags nested within <s:script> one
[WW-5378] - Add option to not fallback to context lookup when finding value in OgnlValueStack
[WW-5379] - Implement alternative mechanism for Velocity directives to obtain stack
[WW-5381] - Introduce extension points for CompoundRootAccessor and MethodAccessor
[WW-5383] - Exclude JAR files by default when scanning for actions on JDK9+
[WW-5391] - Add interface for VelocityManager extension point
[WW-5401] - Adds more logging statements around validating and accepting MultiPartRequest
Task:
[WW-5394] - Use request encoding in rest plugin
Dependency:
[WW-5344] - Un-deprecate the Sitemesh plugin and upgrade Sitemesh to ver. 2.5.0
[WW-5347] - Upgrade to commons-digester3 version 3.2
[WW-5389] - Upgrade Log4j to version 2.21.1
[WW-5395] - Upgrade commons-logging:commons-logging from 1.2 to 1.3.0
[WW-5397] - Upgrade net.sf.jasperreports:jasperreports from 6.20.6 to 6.21.0
[WW-5398] - Upgrade commons-validator:commons-validator from 1.6 to 1.8.0
[WW-5399] - Upgrade org.apache.commons:commons-compress from 1.25.0 to 1.26.0
[WW-5404] - Bump log4j2.version from 2.21.1 to 2.23.1

New in Apache Struts 6.3.0.2 (Dec 7, 2023)

New in Apache Struts 6.3.0.1 (Sep 13, 2023)

New in Apache Struts 6.3.0 (Sep 5, 2023)

New in Apache Struts 6.2.0 (Jul 10, 2023)

Bug:
[WW-4434] - datetextfield.ftl is missing
[WW-5199] - StrutsPrepareFilter and StrutsExecuteFilter do not support forwarding to another action
[WW-5263] - CSP related interceptors have wrong short names
[WW-5270] - Forwarding from a Struts excluded URL to an Action not working
[WW-5271] - Select tag NOT working when using list="#{ ... }"
[WW-5272] - java.lang.UnsupportedOperationException in the Time component
[WW-5276] - Cleanup method of request is not called
[WW-5289] - Execute and Wait Interceptor prevents JVM shutdown
[WW-5295] - s:date ignores LocalTime
[WW-5296] - Wrong DTD version
[WW-5301] - Impossible to select alternate default VelocityManager bean
[WW-5302] - Autogenerated html ID bases on unevaluated value of the name/action/method attributes
[WW-5307] - Confusing documentation about ognl
[WW-5309] - NamedVariablePatternMatcher throws when pattern begins with a variable
[WW-5310] - s:url does not handle equal sign correctly
[WW-5311] - NamedVariablePatternMatcher throws an IllegalArgumentException when named variable is not the last part of the sequence
[WW-5312] - ExecuteAndWaitInterceptor inconsistent wait processing behaviour
New Feature:
[WW-5275] - Allow to configure more flexible Content-Security-Policy
Improvement:
[WW-4404] - Implement HttpInterceptor
[WW-5196] - Make RequestMap and ApplicationMap to use generics, also correct SessionMap to always be of type <String, Object>
[WW-5243] - Removes support for "struts.mapper.action.prefix.crossNamespaces"
[WW-5251] - Remove deprecated interfaces used with ServletConfigInterceptor
[WW-5253] - Remove deprecated methods from DefaultUrlHelper
[WW-5261] - Refactor TagUtils#getStack()
[WW-5262] - Extract excluded classes and beans out of struts-default.xml
[WW-5264] - Extract XSLT result into a dedicated plugin
[WW-5265] - Allow removal of a single/specific container provider
[WW-5266] - Add configuration option for a per-file max size for multipart requests
[WW-5268] - Add configuration option to exempt classes from OGNL package exclusions
[WW-5273] - Support fileupload using native Servlet API 3.1 logic
[WW-5280] - Cleanup NoParameters interfaces
[WW-5283] - Update Struts Archetypes
[WW-5285] - Upgrade commons-fileupload to ver 1.5 and add option to limit number of accepted files
[WW-5288] - Make excluded package exemption logic more strict
[WW-5290] - Refactor ConfigurationManager
[WW-5292] - Allow overriding of Operations classes in two filter setup and assorted clean up
[WW-5293] - Allow loading XML configuration from other than filesystem
[WW-5304] - Drop deprecated methods from ActionContext
[WW-5308] - Add minlength and maxlength to textarea on javatemplates plugin
[WW-5314] - Do not log warnings for bad user input from JakartaMultiPartRequest
Task:
[WW-5278] - Clean up duplicated code across ActionValidatorManagers
[WW-5279] - Improve readability of XmlConfigurationProvider class
[WW-5284] - Further clean up ActionValidatorManager implementations
[WW-5298] - Clean up StrutsVelocityContext
[WW-5299] - Clean up ActionChainResult
[WW-5300] - Make Dispatcher methods overridable
Dependency:
[WW-5269] - Upgrade Jackson to version 2.14.1
[WW-5274] - Mark Pell Multipart plugin as deprecated
[WW-5277] - Upgrade Freemarker to version 3.2.32

New in Apache Struts 6.1.2 (Mar 10, 2023)

New in Apache Struts 6.1.1 (Nov 28, 2022)

Bug:
[WW-3529] - NamedVariablePatternMatcher does not properly escape characters
[WW-3737] - Parsing of excludePattern breaks regex
[WW-4514] - DefaultUrlHelper.buildParametersString appends just ? if collection is empty
[WW-5145] - Checkbox with multiple values do not default correctly
[WW-5214] - When value for SELECT element is greater than 2147483647, the value does not pre-select
[WW-5238] - Strict Method Invocation (SMI) too strict or wrong ActionMapping?
[WW-5239] - regression btw struts 2.5.30 and 6.0.30 / submit s:checkbox unchecked -> NPE
[WW-5241] - <s:url includeParams="all"> is generating an invalid url when used in conjunction with ExecuteAndWait interceptor
[WW-5247] - Related to: [WW-5117] - %{id} evaluates different for data-* and value attribute
[WW-5248] - action attribute on submit tag not working as espected
[WW-5255] - <s:script> and <s:link> tags are broken
New Feature:
[WW-4173] - Add option to disable a given interceptor
Improvement:
[WW-2815] - No way to configure XStream engine
[WW-3691] - BackgroundProcess should use a java.util.concurrent.Executor alternatively to spawning a new thread
[WW-3715] - Allow for dynamic validation xml files, by building validator cache based on action AND context
[WW-3725] - Remove unused tag templates from core/src/main/resources/template/archive
[WW-4440] - Add basic README.md to all subprojects
[WW-4567] - Drop unused dependencies or put a proper scope
[WW-4692] - Extract encoding logic from UrlHelper into a dedicated bean
[WW-5133] - Remove deprecated labelposition
[WW-5137] - Remove class attribute
[WW-5184] - Add optional parameter value check to ParametersInterceptor
[WW-5219] - Move TestNGXWorkTestCase from the Core into the TestNG plugin
[WW-5220] - Move XWorkJUnit4TestCase from the Core into the JUnit plugin
[WW-5232] - Use Github Actions instead of Travis to build PRs
[WW-5234] - Normalise DTD definitions
[WW-5235] - Reduce "OGNL Expression Max Length enabled with 256" log entry to trace
[WW-5240] - doubleOnchange attribute of the doubleselect tag is not supported
[WW-5242] - Make "struts.mapper.action.prefix.crossNamespaces" deprecated
[WW-5252] - Completely disable external entities declarations in XML config
[WW-5254] - Document how to use the Async plugin
[WW-5257] - <s:checkbox> output is followed by a newline in simple theme (diff to Struts 2)
[WW-5259] - Extract UrlHelper#parseQueryString into a dedicated plugin
[WW-5260] - Checkbox tag default value for attribute submitUnchecked
Dependency:
[WW-5213] - Bump javax.el from 3.0.1-b11 to 3.0.1-b12
[WW-5226] - Upgrade weld-core to version 2.4.8.Final
[WW-5227] - Upgrade Apache Log4j to version 2.19.0
[WW-5228] - Upgrade dependency-check-maven from 7.1.2 to 7.2.0
[WW-5229] - Upgrade Spring to version 5.3.23
[WW-5230] - Upgrade OGNL to version 3.3.4
[WW-5231] - Upgrade apache-rat-plugin to version 0.15
[WW-5244] - Upgrade commons-text to ver. 1.10.0
[WW-5245] - Upgrade jackson-databind to version 2.13.4.1
[WW-5258] - Upgrade Struts Annotation to version 1.0.8

New in Apache Struts 6.0.3 (Sep 16, 2022)

New in Apache Struts 6.0.0 (Jun 7, 2022)

Version change:
You can be surprised by the version change, previously we have been using Struts 2.5.x versioning schema, but this was a bit misleading. Struts 2 is a different framework than Struts 1 and its versioning is supposed to start with 1.0.0, yet that never happened. With each breaking changes release (like Struts 2.5), we had been only upgrading the MINOR part of the versioning schema. To fix that problem as from Struts 2 ver. 6.0.0 (aka Struts 2.6) we adopt a proper SemVer to avoid such confusion.
Internal Changes:
The framework requires Java 8 at runtime. Also Servlet API 3.1 capable container is required.
OGNL expressions are limited to 256 characters by default. See WW-5179 - Set 'struts.ognl.expressionMaxLength' to 256 by default Resolved and docs for more details.
Yasser's PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation. How to test:
Run all your app tests, you shouldn't see any WARN log like below:
Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at
https://struts.apache.org/security/
See if following components are still functioning correctly regarding java-scripts:
forms with client side validations
doubleselect
combobox
Check also StreamResults, AliasInterceptors and JasperReportResults if they are still working as expected.
Support to access static methods via OGNL expressions has been removed, use action instance methods instead.
Bug:
[WW-3534] - PrepareOperations.createActionContext does not detect existing context correctly
[WW-3730] - action tag accepts only String arrays as parameters
[WW-4723] - s:url incompatible with JDK 1.5
[WW-4742] - Problem with escape when the key from getText has no value
[WW-4865] - Struts s:checkbox conversion fails to List<Integer>
[WW-4866] - ASM 5.2 and Java 9 leads to IllegalArgumentException
[WW-4897] - KEYS, sigs and hashes should use https (SSL)
[WW-4902] - Struts 2 fails to init Dispatcher - Tomcat Embedded
[WW-4928] - Setting struts.devMode from system property not working as described
[WW-4930] - SMI cannot be diasabled for action-packages found via the convention-plugin
[WW-4941] - [jar_cache] Some jar_cache******.tmp files are generated into a temporary directory(/tmp) during web service start
[WW-4943] - opensymphony.xwork2.util.LocalizedTextUtil can't get i18n resources
[WW-4944] - Struts 2 REST Tiles integration issue
[WW-4945] - TagUtils#buildNamespace should throw an exception when invocation is null
[WW-4946] - Strtus 2 spring integrations is failing - fails to init Dispatcher - Tomcat Embedded
[WW-4948] - Struts 2.5.16 is creating jar_cache files in temp folder
[WW-4951] - MD5 and SHA1 should no longer be provided on download pages
[WW-4954] - xml-validation fails since struts 2.5.17
[WW-4957] - Update struts version from 2.5.10 to 2.5.17. LocalizedTextUtil class is removed and GlobalLocalizedTextProvider&StrutsLocalizedTextProvider cannot be used instead.
[WW-4958] - File upload fails from certain clients
[WW-4964] - Missing javascript in form-validate.ftl
[WW-4968] - combining s:set and s:property where the property retrieved is null has unexpected results
[WW-4971] - s:include tag fails with truncated content in certain circumstances
[WW-4974] - NullPointerException in DefaultStaticContentLoader#findStaticResource
[WW-4977] - Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
[WW-4984] - Static files like css and js files in struts-core not properly served
[WW-4986] - Race condition reloading config results in actions not found
[WW-4987] - Setting Struts2 <s:select> options Css Class
[WW-4991] - Not existing property in listValueKey throws exception
[WW-4997] - <s:debug> can't be resolved
[WW-4999] - Can't get OgnlValueStack log even if enable logMissingProperties
[WW-5002] - Package Level Properties in Global Results
[WW-5004] - No more calling of a static variable in Struts 2.8.20 available
[WW-5006] - NullPointerException in ProxyUtil class when accessing static member
[WW-5009] - EmptyStackException in JSON plugin due to concurrency
[WW-5011] - Tiles bug when parsing file:// URLs including # as part of the URL
[WW-5013] - Accessing static variable via OGNL returns nothing
[WW-5022] - Struts 2.6 escaping behaviour change for s:a (anchor) tag
[WW-5024] - HttpParameters.Builder can wrap objects in two layers of Parameters
[WW-5025] - Binding Integer Array upon form submission
[WW-5026] - Double-submit of TokenSessionStoreInterceptor broken since 2.5.16
[WW-5027] - xerces tries to load resources from the internet
[WW-5028] - Dispatcher prints stacktraces directly to the console
[WW-5029] - The content allowed-methods tag of the XML configuration is sometimes truncated
[WW-5030] - ClassNotFoundException - MockPortletResponse
[WW-5031] - OGNL: An illegal reflective access operation has occurred
[WW-5043] - trouble with Enum subclassing
[WW-5054] - Debugging Interceptor debug=browser not working
[WW-5058] - Invalid link in primer.html
[WW-5059] - primer.html link to spring-security is broken
[WW-5065] - AbstractMatcher adds values to the map passed into replaceParameters
[WW-5072] - Minor bug in single file upload example of the Showcase application
[WW-5074] - Multiple ASM jar conflict in 2.6 build
[WW-5076] - struts2 redirecting to https to http
[WW-5077] - Unable to set long pathname variables
[WW-5079] - Could not find StrutsPrepareAndExecuteFilter sometime in WAS server
[WW-5081] - Struts default textarea template fails w3c validation
[WW-5082] - struts2 update from 2.1.6 to 2.3.37
[WW-5086] - s:set with empty body
[WW-5087] - AliasInterceptor doesn't properly handle Parameter.Empty
[WW-5088] - Empty file upload gives wrong error message
[WW-5091] - Switched hash and PGP links
[WW-5093] - inconsistent scope for variables created with s:set and s:url
[WW-5095] - Junit plugin does not push ACTION_MAPPING into the context resulting in NPE
[WW-5096] - Struts2 StaticParametersInterceptor's addParametersToContext method is not working as expected.
[WW-5100] - incorrect content-type behavior after upgrading to struts 2.5.*
[WW-5102] - Download page issues
[WW-5104] - Please delete old releases
[WW-5106] - The call chains of ActionContext.getContext() in ServletActionContext are dangerious
[WW-5107] - JQuery plugin does not handle dynamic component ids correctly
[WW-5108] - No errors are reported locally. On linux environment, tomcat runs alone and reports java.lang.annotation.AnnotationTypeMismatchException
[WW-5109] - Ognl issue after migrating from strut 2.3 to 2.5
[WW-5116] - PostbackResult uses wrong regex range
[WW-5117] - %{id} evaluates different for data-* and value attribute
[WW-5119] - Blocking Threads in retrieving text from resource bundle
[WW-5121] - Contention when injecting Scope.SINGLETON instances
[WW-5123] - CheckboxTag value missing for labelposition
[WW-5124] - Tag attribute values cached
[WW-5125] - forbidden name attribute values (size, clone...?) in <s:textfield> using the default theme
[WW-5129] - Dynamic Attributes are not working for doubleselect, optiontransferselect, inputtransferselect tags
[WW-5130] - ID param not being set
[WW-5140] - Cannot download struts from the main page
[WW-5146] - Empty file upload ends in error
[WW-5147] - OGNL valid expression is not cached and is parsed over again in some situations
[WW-5160] - Template not found for name "Empty{name='templateDir'}/simple/hidden.ftl"
[WW-5163] - Error executing FreeMarker template
[WW-5169] - Key Technologies Primer: Broken link to ResourceBundles
New Feature:
[WW-4598] - async Actions
[WW-4760] - Switch to Servlet API 2.5
[WW-4874] - Asynchronous action method
[WW-5005] - Struts2 convention plugin lacks Java 11 support
[WW-5049] - Move Velocity support into a dedicated plugin
[WW-5083] - Fetch Metadata support
[WW-5084] - Content Security Policy support
[WW-5085] - Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy Support
[WW-5101] - AbstractLocalizedTextProvider illegal reflective access operation has occurred
Improvement:
[WW-685] - Generic error message - Type Conversion Error Handling
[WW-2040] - Struts 1 vs. Struts 2 benchmarking application
[WW-2411] - Add a maxlength attribute to the textarea tag
[WW-2537] - Fix generics in all codebase
[WW-3788] - Convert ServletActionContext to be more as ActionContext
[WW-3877] - Remove altSyntax option
[WW-4043] - Duplicated class TestUtils
[WW-4069] - Upgrade DWR plugin to use the latest available version
[WW-4348] - Remove access to static methods
[WW-4713] - Drop "searchValueStack" attribute from tag <s:text/>
[WW-4763] - Drop deprecated logging layer
[WW-4779] - Remove profiling layer
[WW-4789] - ActionContext should be immutable
[WW-4792] - Removes deprecated XWork constants
[WW-4796] - Rename Spring related flags to use the same pattern
[WW-4799] - make DateConverter configurable
[WW-4875] - Java configuration
[WW-4889] - Implement REST content handlers using Apache Juneau
[WW-4910] - Align OptGroup with Select
[WW-4915] - Replace deprecated commons-lang3 classes
[WW-4927] - Use immutable version of OGNL without access to #context
[WW-4929] - Fallback i18n Locale
[WW-4932] - Conversion fails when generic type is an interface
[WW-4937] - Add SortedSet field support to JSON plugin
[WW-4938] - ObjectFactory should use Container to instantiate actions and inject dependencies
[WW-4952] - Upgrade to apache-master version 21
[WW-4963] - Implement new Aware interfaces that are using withXxxx pattern instead of setters
[WW-4972] - Switch to latest freemarker version when defining incompatible_improvements
[WW-4995] - Enhancement for s:set tag to improve tag body whitespace control.
[WW-4996] - Refactor DefaultTypeConverterCreator to use ObjectFactory#buildConverter
[WW-5000] - Replace string literals with proper constants in @Inject
[WW-5001] - Allow to define converters in "struts-conversion.properties" file
[WW-5003] - Use StrutsException instead of XWorkException
[WW-5012] - Make a public state check the first acceptance check in SecurityMemberAccess
[WW-5017] - Drop @Validation annotation as not needed
[WW-5018] - Add maven enforce plugin to control certain environmental constraints
[WW-5023] - Upgrade SLF4J to latest 1.7.x version
[WW-5034] - Minor enhancement/fix to AbstractLocalizedTextProvider
[WW-5035] - Provide mechanism to clear OgnlUtil caches
[WW-5036] - update JFreeChart plugin for compatibility with JFreeChart 1.5
[WW-5052] - Use TypeConversionException instead of StrutsException
[WW-5056] - Standard Accepted Patterns in DefaultAcceptedPatternsChecker
[WW-5057] - Cleanup and/or improvements to Showcase Applications
[WW-5062] - Use downloads.a.o instead of archive
[WW-5063] - Use null check of passed in invocation in all the results
[WW-5064] - Move XWork Spring support into struts2-spring-plugin
[WW-5069] - Improve build behaviour on JDK9+
[WW-5070] - JSONResult default root object should be set explicitly, rather than from result of ValueStack.peek()
[WW-5073] - Use TextParser in AbstractMatcher
[WW-5078] - Remove support for <xwork> DTD
[WW-5080] - Allow write directly to a response - define a new result
[WW-5099] - Upgrade JFreeChart plugin to use version 1.5.1 of JFreeChart
[WW-5112] - Add ability (control flag) for TextProviders to prioritize reads from the default resource bundlest.
[WW-5113] - Drop deprecated constant "struts.xworkTextProvider"
[WW-5114] - Drop deprecated constant "struts.localeProvider"
[WW-5115] - Reduce logging for DMI excluded parameters
[WW-5126] - inconsistancy between Model Driven and Model Driven Interceptor documentations
[WW-5136] - Make class attribute deprecated
[WW-5152] - Make OVal plugin deprecated
[WW-5153] - Make Portlet, Portlet Mocks and Portlet Tiles plugins deprecated
[WW-5154] - Make GXP plugin deprecated
[WW-5155] - Make OSGi plugin deprecated
[WW-5156] - Make Plexus plugin deprecated
[WW-5157] - Make Sitemesh plugin deprecated
[WW-5164] - Remove deprecated ConversionDescription class
[WW-5168] - Fix missing submitUnchecked and broken disabled attributes in Javatemplates checkbox tag
[WW-5175] - Add basic LocalDateTime support
[WW-5179] - Set 'struts.ognl.expressionMaxLength' to 256 by default
[WW-5181] - Stop supporting accessing static methods via OGNL expressions
[WW-5182] - Upgrade to Servlet API 3.1
Task:
[WW-4845] - run, test, and validate Struts2 with Java9
[WW-4981] - Add support for Java 11
[WW-4982] - Remove the deprecated JsonLibHandler and outdated json-lib dependency
[WW-4983] - Set private access modifier for HttpParameters.toMap
[WW-4998] - I18nInterceptor's default storage should store locale
[WW-5010] - Switch to Java 8
[WW-5016] - Support Java 8 date time in the date tag
[WW-5020] - delete deprecated sitegraph plugin
[WW-5021] - Serve static resources from different path
[WW-5118] - OGNL long conversion
Dependency:
[WW-4887] - Upgrade to Tiles 3.0.8
[WW-4926] - Upgrade commons-beanutils to version 1.9.3
[WW-4931] - Upgrade to Apache FreeMarker 2.3.28 version
[WW-4947] - server errors generated by secure-jakarta-multipart-parser-plugin
[WW-4955] - Upgrade to OGNL 3.2.6
[WW-4956] - Upgrade to Log4j2 2.11.1
[WW-4965] - Upgrade to OGNL 3.2.7
[WW-4967] - Upgrade to Jackson 2.9.6
[WW-4973] - Upgrade to OGNL 3.2.8
[WW-4975] - Upgraded commons-fileupload to version 1.4
[WW-4976] - Upgrade ASM to version 7.0
[WW-4979] - Update multiple Struts 2.6.x libraries to more recent versions
[WW-4980] - Update maven-wrapper to 3.5.4 and add maven-wrapper.jar to .gitignore
[WW-4985] - Update persistence-api from 1.0 to 1.0.2 for CDI Plugin
[WW-4988] - Upgrade DWR from 1.x to 2.x (for DWR plugin)
[WW-4989] - Use JacksonXML handler instead of XStream as a default handler for XML in the REST plugin
[WW-4992] - Mark the Embedded JSP plugin as depracted
[WW-4993] - Update OGNL versions for 2.6 and 2.5.x builds
[WW-5007] - Upgrade Jackson library to the latest version
[WW-5019] - Upgrade Log4j to version 2.13.3
[WW-5032] - Struts 2 Junit Plugin is not working with Zulu JDK11
[WW-5033] - Update a few Struts 2.5.x libraries to more recent versions
[WW-5037] - Upgrade commons-beanutils to version 1.9.4
[WW-5038] - Upgrade jackson-databind to version 2.9.9.3
[WW-5042] - Upgrade jackson-databind to version 2.10.0
[WW-5045] - Update jasperreports to 6.10.0
[WW-5047] - Upgrade Velocity to 2.1 and Velocity Tools to 3.0
[WW-5048] - Update various dependencies to newest version
[WW-5050] - Upgrade to OGNL 3.2.12
[WW-5061] - CVEs in the library dependencies
[WW-5068] - Update multiple Struts 2.6.x libraries / Maven build plugin versions
[WW-5075] - Upgrade OSGi to the latest version
[WW-5092] - ASM dependency update to 8.*
[WW-5094] - Upgrade Spring Framework to version 4.3.29.RELEASE
[WW-5097] - Upgrade to OGNL 3.2.16
[WW-5098] - Upgrade ASM to version 9.0
[WW-5103] - Upgrade XStream to version 1.4.14
[WW-5120] - Upgrade Velocity Engine & Velocity Tools
[WW-5122] - Upgrade XStream to version 1.4.16
[WW-5131] - Upgrade commons-io to version 2.9
[WW-5134] - Upgrade JasperReports to version 6.17.0
[WW-5135] - Upgrade XStream to version 1.4.17
[WW-5142] - Upgrade XStream to version 1.4.18
[WW-5143] - Upgrade Oval library to ver. 3.2.1
[WW-5144] - Mark OVal plugin as deprecated
[WW-5148] - Upgrade ASM to version 9.2
[WW-5151] - Bump to 2.15.0 to fix log4j vulnerability
[WW-5158] - Upgrade Log4j to version 2.16.0 to address security vulnerability
[WW-5161] - Update spring to 4.3.30
[WW-5162] - Upgrade Log4j to version 2.17.1 to address security vulnerability
[WW-5165] - Update spring to 5.3.x b/c 4.3.x is EOL
[WW-5166] - Update OGNL to 3.3.2
[WW-5167] - Upgrade XStream to version 1.4.19
[WW-5171] - Upgrade Apache Log4j 2.17.2
[WW-5172] - Upgrade freemarker to 2.3.31
[WW-5174] - Upgrade Jackson-Core to version 2.13.2 and Jackson-Databind to 2.13.2.1

New in Apache Struts 2.5.30 (Apr 4, 2022)

New in Apache Struts 2.5.29 (Jan 23, 2022)

New in Apache Struts 2.5.28.3 (Jan 2, 2022)

New in Apache Struts 2.5.28.2 (Dec 23, 2021)

New in Apache Struts 2.5.28.1 (Dec 22, 2021)

New in Apache Struts 2.5.26 (Dec 7, 2020)

New in Apache Struts 2.5.25 (Sep 28, 2020)

New in Apache Struts 2.5.22 (Nov 29, 2019)

New in Apache Struts 2.5.20 (Jan 16, 2019)

New in Apache Struts 2.3.36 (Oct 15, 2018)

New in Apache Struts 2.5.18 (Oct 15, 2018)

New in Apache Struts 2.5.17 (Aug 22, 2018)

New in Apache Struts 2.5.14.1 (Dec 11, 2017)

New in Apache Struts 2.3.20 (Dec 22, 2014)

New in Apache Struts 2.3.16.3 (May 6, 2014)

New in Apache Struts 2.3.16.2 (Apr 29, 2014)

New in Apache Struts 2.3.16.1 (Mar 6, 2014)

New in Apache Struts 2.3.16 (Dec 14, 2013)

Bug:
[WW-3603] - XWorkMapPropertyAccessor always create new map entries
[WW-3651] - Struts 2 is calling response.setLocale even though it will not handle the request
[WW-3826] - Unit Testing A Portlet Action Using StrutsTestCase Causes A NullPointerException
[WW-3832] - Convention cannot work when "struts.convention.result.flatLayout" set to FALSE
[WW-3873] - file tag leaks server path information
[WW-3909] - Not set parameter value to Action correctlly
[WW-3938] - s:include problem with hrml comment
[WW-4023] - ParametersInterceptor produces a warning when parameter method:* is set
[WW-4044] - executeResult="true" generate an infinite loop wheen the result type is tiles3
[WW-4064] - WW-3698 cause ClassCastException
[WW-4066] - Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException
[WW-4099] - Javadoc for ActionSupport.getText() incorrectly states null is returned when no message is found
[WW-4100] - "error" result defined in global-results is ignored when using convention plugin
[WW-4103] - When an action is not found an error which cannot be silenced is logged when not in dev mode
[WW-4112] - RestFul2ActionMapper error in documentation
[WW-4113] - Wrong cache key generated in OGNL 3.0.5/3.0.6
[WW-4115] - Wasted work in ValidateVisitor.getJspAttribute()
[WW-4116] - Wasted work in PackageBasedActionConfigBuilder.checkPackageLocators()
[WW-4117] - RolesInterceptor ignores disallowedRoles when allowedRoles are configured
[WW-4119] - Wasted work in RefreshModelBeforeResult.beforeResult()
[WW-4120] - Wasted work in ValidateVisitor.isExpression()
[WW-4121] - Wasted work in RolesInterceptor.isAllowed()
[WW-4122] - Wasted work in AnnotationParameterFilterIntereptor.intercept()
[WW-4123] - Wasted work in MethodFilterInterceptorUtil.applyMethod()
[WW-4124] - Wasted work in ValidateVisitor.checkXmlAttributes()
[WW-4125] - Wasted work in Struts1Factory.convertErrors()
[WW-4126] - Incorrect behavior for ELSupport.containsNulls()
[WW-4127] - different commons-io versions in struts2-core
[WW-4129] - Tag s:chekbox is very slow when devMode is enabled
[WW-4131] - RestActionProxyFactory is handling all requests with PrefixBasedActionMapper
[WW-4132] - OGNL Warning, [even struts.devMode is false] while using ! symbol in struts submit tag
[WW-4134] - MessageStoreInterceptor java.lang.IllegalStateException if there is no session
[WW-4137] - Parameter warnings being generated in logs after 2.3.7 in portlet
[WW-4138] - OgnlTextParser contains a NPE when the expression is passed in as null
[WW-4139] - Validation of non-default methods not being executed
[WW-4140] - Security Improvement
[WW-4142] - jQuery plugin menu tag renders an unexpected toString() after upgrading to 2.3.15
[WW-4145] - file.ftl in xhtml theme directly references xhtml controlfooter.ftl
[WW-4152] - Concurrency issue in strust2 app deployed in JBoss AS7
[WW-4153] - Struts2 select tag broken if multiple attribute is used and name attribute is not specified
[WW-4154] - Global settings can be omitted in ParametersInterceptor when action implements ParameterNameAware interface
[WW-4163] - Add DEFAULT_PARAM to JSONResult
[WW-4168] - NullPointerException on Checkboxlist
[WW-4177] - get NPE when upgrade from 2.3.4 to 2.3.15.1
[WW-4182] - NullPointerException in DefaultUrlHelper
[WW-4186] - Constant struts.ognl.enableExpressionCache is not assigned in the property enableExpressionCache in class OgnlUtil
[WW-4191] - Excessive 404 error logging
[WW-4193] - OGNL WARN msg in log when user enters invalid data
[WW-4194] - Using findValue() for value stack to retrieve component parameters always returns not-null object for any parameter name
[WW-4199] - Exclusion of URLs should be done before calling prepare.
[WW-4206] - struts2-cdi-plugin-2.3.15.x.jar missing from 2.3.15.2 distro
[WW-4217] - dead link in cwiki documentation for param
[WW-4218] - Example struts2-archetype-starter is broken if created from catalog
[WW-4223] - tag throws NPE when used with Jetty
[WW-4247] - jetty-maven-plugin configuration problem in struts2-archetype-blank
Improvement:
[WW-3872] - Add Portlet / Tiles example apps
[WW-4088] - Supressing empty parameters on tag
[WW-4108] - small typo in documentation
[WW-4109] - ParameterNameAware Javadoc incorrect
[WW-4111] - Restful2ActionMapper add test to documentation
[WW-4118] - Allow RolesInterceptor to validate role names
[WW-4128] - Document that I18nInterceptor sets the Locale according to browser settings
[WW-4130] - Use SiteExporter instead of wget to export docs
[WW-4136] - Demonstrate proper input sanitizing for file download showcase example
[WW-4141] - Support for saving locale in cookie
[WW-4143] - Add actionMapper that ignores prefixes
[WW-4144] - Have ObjectFactory buildResult obey ParameterNameAware restrictions for a Result
[WW-4162] - Don't check for disallowed ognl expressions if getting from expression cache
[WW-4192] - ParametersInterceptor: Message for missing Parameters is too verbose
[WW-4195] - Provide english texts in 2 files
[WW-4197] - Update Archetypes READMEs
[WW-4213] - Sanitise input params in Config Browser
[WW-4222] - Cleanup struts-default.xml
[WW-4225] - Duplicated code to extract URI
[WW-4226] - Merge security update from 2.3.15.3
[WW-4232] - Introduce new DeprecationInterceptor developed during Strutsathon
[WW-4233] - Add UTF-8 property to all poms
New Feature:
[WW-1328] - Implement theme inheritance
[WW-4078] - Wrong wellcome file (action) in wildcard example
[WW-4158] - Define factories for all types supported by ObjectFactory
[WW-4196] - Add a new Struts2 Archetype for HTML5 web applications with AngularJS
[WW-4229] - PostbackResult
Task:
[WW-4080] - Annotations example fails
[WW-4133] - Update Struts 2 Example Applications To Use Latest Version of Struts 2 and Move Source Code to Apache Repository

New in Apache Struts 2.3.15.3 (Oct 18, 2013)

New in Apache Struts 2.3.15.2 (Sep 23, 2013)

New in Apache Struts 2.3.15.1 (Jul 16, 2013)

New in Apache Struts 2.3.15 (Jul 10, 2013)

Internal Changes:
Merged security fix from version 2.3.14.1, 2.3.14.2 and 2.3.14.3
Resolved problem with memory leak in ContainerHolder
Resolved bug related to struts.convention.action.includeJars, see WW-4038
Improved OSGi support to allow work in Glassfish 3, see WW-3958
Added support to create cookies from whitin an action WW-4037
New interface - ValidationAware - was added to allow notify actions when there are action/field errors WW-4071
Sub-task:
[WW-3623]: ui tags will have improperly generated id attributes when the tag does not have a name specified and is inside a form
Bug:
[WW-3277]: text tag does not work properly inside a tag
[WW-3569]: s:radio does not select the right option on reading the value
[WW-3676]: javatemplates: no radiobutton is selected if property 'name' is not of type integer or string (e.g. short)
[WW-3689]: NullPointerException coming from Settings / LegacyPropertiesConfigurationProvider (thread-safety issue?)
[WW-3752]: Charset encoding incorrect when using parameters in ServletRedirectResult
[WW-4028]: TokenSessionInterceptor can put non-serializable object into Session
[WW-4036]: With javatemplate, dynamic attribute value evaluates to expression text if null
[WW-4038]: struts.convention.action.includeJars didn't work
[WW-4039]: Support for user defined logging factory is broken
[WW-4046]: Failing test when building xwork-core
[WW-4048]: WW-3994 breaks instantiation of CompositeActionMapper
[WW-4052]: "params" attribute in ExceptionMapping not propagated during exception handling
[WW-4054]: API docs are missing from the project homepage
[WW-4056]: requiredPosition can't work! show HTTP Status 500
[WW-4057]: Client Validation——XWork-core Validators Change,BUT Struts2-core /template/xhtml NOT!!!
[WW-4058]: ContainerHolder causes ThreadLocal memory leak
[WW-4067]: Interceptor init() method called twice during initialization
[WW-4083]: ParametersInterceptor acceptParamNames and ParameterNameAware's acceptableParameterName conflicts
[WW-4084]: Query Parameters Not Included
[WW-4089]: struts2-archetype-starter Outdated
[WW-4093]: Javadoc of RegexFieldValidator-annotation out-dated
[WW-4094]: struts.allowed.action.names inconsistency
[WW-4096]: Merge changes from 2.3.14.3 version into trunk
[WW-4097]: JavaDocs of all annotations related to validators are outdated
[WW-4098]: DefaultActionMapper is cleaning up correct action names
[WW-4104]: Action in jar is not be scanned
Improvement:
[WW-3593]: Missing html files for sub-projects
[WW-3958]: Struts2 OSGi plugin does not work with GlassFish
[WW-3999]: Allow XSLT result types to set response code
[WW-4020]: Upgrade to commons-logging 1.1.2
[WW-4021]: CleanUp poms
[WW-4032]: Upgrade to commons-fileupload 1.3
[WW-4061]: Wrong url : Apache Struts 2 Documentation > Home > FAQs > How do we get invalidate the session
[WW-4068]: Refactor ParametersInterceptor so it's easier to extend
[WW-4070]: Remove JDK4 support
[WW-4072]: Upgrade to commons-logging 1.1.3
[WW-4081]: Merge security fix from 2.3.14.1 branch into trunk
[WW-4085]: Add default-action-ref to configuration of example apps
[WW-4086]: Add default-action-ref to Config Browser configuration
[WW-4087]: Add log4j dependency to example apps
[WW-4095]: cleanupActionName should not compile regex every request
[WW-4107]: Omnibus ticket
New Feature:
[WW-600]: Enable Client-side validation for visitor validations
[WW-4037]: Provide functionality to create cookies from an Action
[WW-4071]: ValidationAware add callable method, called from DefaultWorkflowInterceptor
[WW-4073]: Disable eval expressions and simple JSTL accessibility