These are the notes for the Struts 2.3.24 distribution.

For prior notes in this release series, see Version Notes 2.3.20

• If you are a Maven user, you might want to get started using the Maven Archetype.
• Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.24</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

•  fixed flow in DefaultActionInvocation and when using the Convention Plugin, see WW-4433
•  defined new plugin to support Java 8, check Java 8 Support Plugin and see WW-4435
• fixed problem with style attribute, see WW-4430
• fixed problem with converting values from ActionContext, see WW-4427
• converters are again applied to values coming from the context, see WW-4427
•  struts.ognl.allowStaticMethodAccess works again, see WW-4429
• fixed memory leak in CDI plugin, see WW-4441
• fixed problem with hidden field which silently drops 'label' attribute, see WW-4447
• fixed parameters encoding in ServletRedirectAction before checking for valid URI, see WW-4448
• css_xhtml hidden input adding table row markup, see WW-4454
•  FreeMarker was upgraded to the latest available version - 2.3.22, see WW-4484 - which means you can enable incompatible improvements
• support for Log4j2 was added, see WW-4492 
• and many other improvements, please check the version notes

Security Note

This version moves all excluded parameters from struts-default.xml into DefaultExcludedPatternsChecker.java - if you cannot migrate to the latest version it's highly recommendated to re-define defaultStack from struts-default.xml to this one below (or any other which is used in your application and drop excludeParams parameter):

<interceptor-stack name="myDefaultStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="datetime"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <interceptor-ref name="params"/>
    <interceptor-ref name="conversionError"/>
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    </interceptor-ref>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="deprecation"/>
</interceptor-stack>

and define the following constant in struts.xml

<constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>

Issue Detail

• JIRA Release Notes 2.3.24

Issue List

• Struts 2.3.24 DONE
• Struts 2.3.x TODO

Other resources

• Commit Logs
• Source Code Repository