Struts module

Available:

Confluence 8.5.3 and later
(replaced XWork introduced in 1.4)

This module was previously defined as xwork in Confluence versions prior to 8.5.3. The xwork module will continue to be supported for backward compatibility.

Purpose of this module

Struts plugin modules enable you to deploy Struts actions and views as a part of your plugins.

Additionally, the Struts module should also be used to define multipart request parsing rules. Ordinarily, multipart requests will only be parsed if the request is authorized according to the enforceSiteAccess method in ConfluencePermissionEnforcer:

Unauthenticated multipart requests will only be parsed if the site has enabled global anonymous access
Authenticated multipart requests from license-unassigned users will only be parsed if the site has enabled unlicensed access
Authenticated multipart requests from licensed-assigned users will always be parsed

For endpoints that are intended to parse multipart requests outside the above access criteria, they can be allowlisted using the multipart-upload-allowlist element within a Struts module.

Configuration

The root element for the Struts plugin module is struts. It does not accept a class attribute. It accepts the following child elements for configuration:

Elements

package - standard Struts package definition, multiple permitted per module
- (The namespace attribute is subject to the following RegEx validation: [a-zA-Z0-9/\-]*)
- action - standard Struts action definition
  - (The name attribute is subject to the following RegEx validation: [a-zA-Z0-9\-]*)
  - (The method attribute is subject to the following RegEx validation: [a-zA-Z_]*[0-9]*)
- All other sub-elements supported by Struts are permitted
multipart-upload-allowlist - only 1 multipart-upload-allowlist element is permitted per Struts module
- regex - A RegEx pattern to match against the request URI (excluding the context path). It will parse multipart requests for any matching requests irrespective of the request's authorisation state.

Example

1
2
<struts name="livesearchaction" key="livesearchaction">
    <package name="livesearch" extends="default" namespace="/plugins/livesearch">
        <default-interceptor-ref name="defaultStack" />
        <action name="livesearch" class="com.atlassian.confluence.extra.livesearch.LiveSearchAction" method="doDefault">
            <result name="success" type="velocity">/templates/extra/livesearch/livesearchaction.vm</result>
        </action>
    </package>
    <multipart-upload-allowlist>
        <regex>/admin/test\.action.*</regex>
        <regex>/plugins/livesearch/livesearch\.action.*</regex>
    </multipart-upload-allowlist>
</struts>

Writing an Action

Struts actions should extend ConfluenceActionSupport, which provides a number of helper methods and components that are useful when writing an Action that works within Confluence.

Other action base-classes can be found within Confluence, but we recommend you don't use them - the hierarchy of action classes in Confluence is over-complicated, and likely to be simplified in the future in a way that will break your plugins.

Accessing Your Actions

Actions are added to the Struts core configuration within Confluence, which means they are accessed like any other action.

For example, given the above atlassian-plugin.xml, the livesearch action would be accessed at <host>/<context-path>/plugins/livesearch/livesearch.action.

Creating a Velocity Template for Output

Your Velocity template must be specified with a leading slash (/) in the plugin XML configuration, and the path must correspond to the path inside the plugin JAR file.

In the above example, the Velocity template must be found in /templates/extra/livesearch/livesearchaction.vm inside the plugin JAR file. In the example plugin's source code, this would mean the Velocity template should be created in src/main/resources/template/extra/livesearch/.

Inside your Velocity template, you can use $action to refer to your action, and many other variables to access Confluence functionality. See Confluence Objects Accessible From Velocity for more information.

Security

If you are writing a Struts action, it is very important that you read this: Struts Complex Parameters and Security.

Notes

Some issues to be aware of when developing or configuring a Struts plugin:

Your packages should always extend the default Confluence package. It is useful to be aware of what this provides to you in the way of interceptors and result types. Extending any other package will modify that package's configuration across the entire application, which is not supported or desirable.
You can give your packages any namespace you like, but we recommend using /plugins/unique/value - that is prefixing plugin packages with /plugins and then adding a string globally unique to your plugin. The only name you can't use is servlet as the /plugins/servlet URL pattern is reserved for the Servlet Module.
Views must be bundled in the JAR file in order to be used by your actions. This almost always means using Velocity views.
It is useful to be aware of the actions and features already bundled with Confluence, for example your actions will all be auto-wired by Spring (see Accessing Confluence Components from Plugin Modules) and your actions can use useful interfaces like PageAware and SpaceAware to reduce the amount of work they need to do.
Currently only Struts actions are protected by the temporary secure administrator sessions. Other plugin types, such as REST services or servlets are not checked for an administrator session.
- All Struts actions mounted under /admin will automatically be protected by secure administrator sessions. To opt out of this protection you can mark your class or Struts action method with the WebSudoNotRequired annotation.
- Conversely, all Struts actions mounted outside the /admin namespace are not protected and can be opted in by adding the WebSudoRequired annotation.
- Both of these annotations work on the class or the action method. If you mark a method with the annotation, only action invocations invoking that method will be affected by the annotations. If you annotate the class, any invocation to that class will be affected. Subclasses inherit these annotations.