apache · tranquac · Apr 9, 2026 · Apr 10, 2026 · Apr 11, 2026 · Apr 11, 2026
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -551,6 +551,13 @@ public final class StrutsConstants {
      */
     public static final String STRUTS_PROXYSERVICE = "struts.proxyService";
 
+    /**
+     * The {@link org.apache.struts2.interceptor.parameter.ParameterAuthorizer} implementation class.
+     *
+     * @since 7.2.0
+     */
+    public static final String STRUTS_PARAMETER_AUTHORIZER = "struts.parameterAuthorizer";
+
     /**
      * Enables evaluation of OGNL expressions
      *

diff --git a/core/src/main/java/org/apache/struts2/config/StrutsBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/StrutsBeanSelectionProvider.java
@@ -73,6 +73,7 @@
 import org.apache.struts2.url.UrlEncoder;
 import org.apache.struts2.util.ContentTypeMatcher;
 import org.apache.struts2.util.PatternMatcher;
+import org.apache.struts2.interceptor.parameter.ParameterAuthorizer;
 import org.apache.struts2.util.ProxyService;
 import org.apache.struts2.util.TextParser;
 import org.apache.struts2.util.ValueStackFactory;
@@ -446,6 +447,7 @@ public void register(ContainerBuilder builder, LocatableProperties props) {
         alias(BeanInfoCacheFactory.class, StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_FACTORY, builder, props, Scope.SINGLETON);
         alias(ProxyCacheFactory.class, StrutsConstants.STRUTS_PROXY_CACHE_FACTORY, builder, props, Scope.SINGLETON);
         alias(ProxyService.class, StrutsConstants.STRUTS_PROXYSERVICE, builder, props, Scope.SINGLETON);
+        alias(ParameterAuthorizer.class, StrutsConstants.STRUTS_PARAMETER_AUTHORIZER, builder, props, Scope.SINGLETON);
 
         alias(SecurityMemberAccess.class, StrutsConstants.STRUTS_MEMBER_ACCESS, builder, props, Scope.PROTOTYPE);
         alias(OgnlGuard.class, StrutsConstants.STRUTS_OGNL_GUARD, builder, props, Scope.SINGLETON);

diff --git a/core/src/main/java/org/apache/struts2/config/impl/DefaultConfiguration.java b/core/src/main/java/org/apache/struts2/config/impl/DefaultConfiguration.java
@@ -92,6 +92,8 @@
 import org.apache.struts2.ognl.accessor.CompoundRootAccessor;
 import org.apache.struts2.ognl.accessor.RootAccessor;
 import org.apache.struts2.ognl.accessor.XWorkMethodAccessor;
+import org.apache.struts2.interceptor.parameter.StrutsParameterAuthorizer;
+import org.apache.struts2.interceptor.parameter.ParameterAuthorizer;
 import org.apache.struts2.util.StrutsProxyService;
 import org.apache.struts2.util.OgnlTextParser;
 import org.apache.struts2.util.PatternMatcher;
@@ -406,6 +408,7 @@ public static ContainerBuilder bootstrapFactories(ContainerBuilder builder) {
                 .factory(BeanInfoCacheFactory.class, DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON)
                 .factory(ProxyCacheFactory.class, StrutsProxyCacheFactory.class, Scope.SINGLETON)
                 .factory(ProxyService.class, StrutsProxyService.class, Scope.SINGLETON)
+                .factory(ParameterAuthorizer.class, StrutsParameterAuthorizer.class, Scope.SINGLETON)
                 .factory(OgnlUtil.class, Scope.SINGLETON)
                 .factory(SecurityMemberAccess.class, Scope.PROTOTYPE)
                 .factory(OgnlGuard.class, StrutsOgnlGuard.class, Scope.SINGLETON)

diff --git a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParameterAuthorizer.java b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParameterAuthorizer.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.interceptor.parameter;
+
+/**
+ * Service for determining whether a given parameter name is authorized for injection into a target object, based on
+ * {@link StrutsParameter} annotation presence and depth.
+ *
+ * <p>This service extracts the authorization logic from {@link ParametersInterceptor} so that it can be reused by other
+ * input channels (e.g. JSON plugin, REST plugin) that also need to enforce {@code @StrutsParameter} rules.</p>
+ *
+ * <p>Implementations must NOT perform OGNL ThreadAllowlist side effects — those remain specific to
+ * {@link ParametersInterceptor}.</p>
+ *
+ * @since 7.2.0
+ */
+public interface ParameterAuthorizer {
+
+    /**
+     * Determines whether a parameter with the given name is authorized for injection into the given target object.
+     *
+     * <p>When {@code struts.parameters.requireAnnotations} is {@code false}, this method always returns {@code true}
+     * for backward compatibility.</p>
+     *
+     * @param parameterName the parameter name (e.g. "name", "address.city", "items[0].name")
+     * @param target        the object receiving the parameter value (the action, or the model for ModelDriven actions)
+     * @param action        the action instance; used to detect ModelDriven exemption (when {@code target != action},
+     *                      the target is the model and is exempt from annotation requirements)
+     * @return {@code true} if the parameter is authorized for injection, {@code false} otherwise
+     */
+    boolean isAuthorized(String parameterName, Object target, Object action);
+}
diff --git a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java
@@ -100,6 +100,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
     private AcceptedPatternsChecker acceptedPatterns;
     private Set<Pattern> excludedValuePatterns = null;
     private Set<Pattern> acceptedValuePatterns = null;
+    private ParameterAuthorizer parameterAuthorizer;
 
     @Inject
     public void setValueStackFactory(ValueStackFactory valueStackFactory) {
@@ -121,6 +122,11 @@ public void setProxyService(ProxyService proxyService) {
         this.proxyService = proxyService;
     }
 
+    @Inject
+    public void setParameterAuthorizer(ParameterAuthorizer parameterAuthorizer) {
+        this.parameterAuthorizer = parameterAuthorizer;
+    }
+
     @Inject(StrutsConstants.STRUTS_DEVMODE)
     public void setDevMode(String mode) {
         this.devMode = BooleanUtils.toBoolean(mode);
@@ -352,6 +358,9 @@ protected boolean isAcceptableParameterNameAware(String name, Object action) {
      * Checks if the Action class member corresponding to a parameter is appropriately annotated with
      * {@link StrutsParameter} and OGNL allowlists any necessary classes.
      * <p>
+     * Authorization is delegated to {@link ParameterAuthorizer}. If authorized, OGNL allowlisting is performed as a
+     * second pass (this is specific to the OGNL-based parameter injection path and not shared with other input channels).
+     * <p>
      * Note that this logic relies on the use of {@link DefaultAcceptedPatternsChecker#NESTING_CHARS} and may also
      * be adversely impacted by the use of custom OGNL property accessors.
      */
@@ -360,23 +369,67 @@ protected boolean isParameterAnnotatedAndAllowlist(String name, Object action) {
             return true;
         }
 
-        long paramDepth = name.codePoints().mapToObj(c -> (char) c).filter(NESTING_CHARS::contains).count();
+        // Resolve target for ModelDriven: if the ValueStack peek is different from the action, it's the model
+        Object target = action;
+        if (action instanceof ModelDriven<?>) {
+            Object stackTop = ActionContext.getContext().getValueStack().peek();
+            if (!stackTop.equals(action)) {
+                target = stackTop;
+            }
+        }
 
-        if (action instanceof ModelDriven<?> && !ActionContext.getContext().getValueStack().peek().equals(action)) {
-            LOG.debug("Model driven Action detected, exempting from @StrutsParameter annotation requirement");
-            return true;
+        // Delegate authorization check to shared ParameterAuthorizer (no OGNL side effects)
+        if (!parameterAuthorizer.isAuthorized(name, target, action)) {
+            return false;
         }
 
-        if (requireAnnotationsTransitionMode && paramDepth == 0) {
-            LOG.debug("Annotation transition mode enabled, exempting non-nested parameter [{}] from @StrutsParameter annotation requirement", name);
-            return true;
+        // OGNL-specific allowlisting: only needed for nested params (depth >= 1)
+        long paramDepth = name.codePoints().mapToObj(c -> (char) c).filter(NESTING_CHARS::contains).count();
+        if (paramDepth >= 1) {
+            performOgnlAllowlisting(name, target, paramDepth);
         }
+        return true;
+    }
 
+    /**
+     * Performs OGNL ThreadAllowlist side effects for an authorized parameter. This is specific to OGNL-based parameter
+     * injection and must NOT be shared with other input channels (JSON, REST).
+     */
+    private void performOgnlAllowlisting(String name, Object target, long paramDepth) {
         int nestingIndex = indexOfAny(name, NESTING_CHARS_STR);
         String rootProperty = nestingIndex == -1 ? name : name.substring(0, nestingIndex);
         String normalisedRootProperty = Character.toLowerCase(rootProperty.charAt(0)) + rootProperty.substring(1);
 
-        return hasValidAnnotatedMember(normalisedRootProperty, action, paramDepth);
+        BeanInfo beanInfo = getBeanInfo(target);
+        if (beanInfo != null) {
+            Optional<PropertyDescriptor> propDescOpt = Arrays.stream(beanInfo.getPropertyDescriptors())
+                    .filter(desc -> desc.getName().equals(normalisedRootProperty)).findFirst();
+            if (propDescOpt.isPresent()) {
+                PropertyDescriptor propDesc = propDescOpt.get();
+                Method relevantMethod = paramDepth == 0 ? propDesc.getWriteMethod() : propDesc.getReadMethod();
+                if (relevantMethod != null && getPermittedInjectionDepth(relevantMethod) >= paramDepth) {
+                    allowlistClass(propDesc.getPropertyType());
+                    if (paramDepth >= 2) {
+                        allowlistReturnTypeIfParameterized(relevantMethod);
+                    }
+                    return;
+                }
+            }
+        }
+
+        // Fallback: check public field
+        Class<?> targetClass = ultimateClass(target);
+        try {
+            Field field = targetClass.getDeclaredField(normalisedRootProperty);
+            if (Modifier.isPublic(field.getModifiers()) && getPermittedInjectionDepth(field) >= paramDepth) {
+                allowlistClass(field.getType());
+                if (paramDepth >= 2) {
+                    allowlistFieldIfParameterized(field);
+                }
+            }
+        } catch (NoSuchFieldException e) {
+            // No field to allowlist
+        }
     }
 
     /**