WW-5294 Add warning when JSP tags accessed directly #1569

Merged
lukaszlenart merged 1 commit into main from feat/WW-5294-jsp-direct-access-warning
Feb 17, 2026

@lukaszlenart
Member

Summary

  • Add security warning to TagUtils.getStack() that logs when JSP tags are rendered outside of action scope
  • Warning is triggered when ActionInvocation is null or when the action is null (direct JSP access)
  • Warning message includes link to security documentation

Fixes WW-5294

Changes

| File | Change |
|---|---|
| TagUtils.java | Added ActionInvocation check with warning log |
| TagUtilsTest.java | New test class with 5 test methods |
| ActionTagTest.java | Updated mocks to expect getAction() call |

Test plan

  • TagUtilsTest - 5 tests covering all scenarios (null ActionInvocation, null action, valid action, security URL in message)
  • All 578 tag-related tests pass
  • No regressions in existing functionality

🤖 Generated with Claude Code

Add security warning to TagUtils.getStack() that logs when JSP tags
are rendered outside of action scope (direct JSP access). This helps
developers identify potential security issues where JSPs are accessed
directly without going through the Struts action flow.

The warning message includes a link to the security documentation at
https://struts.apache.org/security/#never-expose-jsp-files-directly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
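
The check described in this pull request, sketched as an added example; it is not the code merged in the PR. The `Invocation` interface, the method name `warnIfOutsideActionScope`, the use of `java.util.logging` and the warning wording are assumptions made so the sketch runs on its own; only the two trigger conditions and the documentation URL come from the description above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class DirectJspAccessWarningDemo {
    // URL taken from the commit message above.
    static final String SECURITY_URL =
        "https://struts.apache.org/security/#never-expose-jsp-files-directly";
    static final Logger LOG = Logger.getLogger("DirectJspAccessWarningDemo");

    /** Hypothetical stand-in for the framework's ActionInvocation. */
    interface Invocation { Object getAction(); }

    /** Warns when a tag renders with no invocation, or with no action behind it. */
    static boolean warnIfOutsideActionScope(Invocation invocation) {
        if (invocation != null && invocation.getAction() != null) {
            return false; // normal flow: an action dispatched to the JSP
        }
        // Constructed wording; the real message is not shown on this page.
        LOG.warning("JSP tag rendered outside of action scope (direct JSP access?). See "
            + SECURITY_URL);
        return true;
    }

    public static void main(String[] args) {
        List<String> captured = new ArrayList<>();
        LOG.setUseParentHandlers(false); // capture records instead of printing them
        LOG.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });

        // The three scenarios named in the test plan.
        boolean nullInvocation = warnIfOutsideActionScope(null);
        boolean nullAction = warnIfOutsideActionScope(() -> null);
        boolean validAction = warnIfOutsideActionScope(() -> new Object());

        System.out.println("null invocation warns: " + nullInvocation);
        System.out.println("null action warns:     " + nullAction);
        System.out.println("valid action warns:    " + validAction);
        System.out.println("warnings captured:     " + captured.size());
        System.out.println("all link to docs:      "
            + captured.stream().allMatch(m -> m.contains(SECURITY_URL)));
    }
}
```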
@sonarqubecloud
sonarqubecloud bot commented Feb 6, 2026

lukaszlenart added this to the 7.2.0 milestone Feb 12, 2026
lukaszlenart merged commit a0a213f into main Feb 17, 2026
10 checks passed
lukaszlenart deleted the feat/WW-5294-jsp-direct-access-warning branch February 17, 2026 06:13