WW-5352 Implement transition mode

Author: kusalk

core/src/main/java/org/apache/struts2/StrutsConstants.java

@@ -471,6 +471,8 @@ public final class StrutsConstants {
 
     public static final String STRUTS_PARAMETERS_REQUIRE_ANNOTATIONS = "struts.parameters.requireAnnotations";
 
+    public static final String STRUTS_PARAMETERS_REQUIRE_ANNOTATIONS_TRANSITION = "struts.parameters.requireAnnotations.transitionMode";
+
     public static final String STRUTS_CONTENT_TYPE_MATCHER = "struts.contentTypeMatcher";
 
     public static final String STRUTS_SMI_METHOD_REGEX = "struts.strictMethodInvocation.methodRegex";

core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java

@@ -88,6 +88,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 
     protected boolean ordered = false;
     protected boolean requireAnnotations = false;
+    protected boolean requireAnnotationsTransitionMode = false;
 
     private ValueStackFactory valueStackFactory;
     protected ThreadAllowlist threadAllowlist;
@@ -116,6 +117,20 @@ public void setRequireAnnotations(String requireAnnotations) {
         this.requireAnnotations = BooleanUtils.toBoolean(requireAnnotations);
     }
 
+    /**
+     * When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations. What
+     * this means in practice is that all public setters on an Action will be exposed for parameter injection again, and
+     * only 'nested' parameters, i.e. public getters on an Action, will require annotations.
+     * <p>
+     * In this mode, the OGNL auto-allowlisting capability is not degraded in any way, and as such, it offers a
+     * convenient option for applications to enable the OGNL allowlist capability whilst they work through the process
+     * of annotating all their Action parameters.
+     */
+    @Inject(value = StrutsConstants.STRUTS_PARAMETERS_REQUIRE_ANNOTATIONS_TRANSITION, required = false)
+    public void setRequireAnnotationsTransitionMode(String transitionMode) {
+        this.requireAnnotationsTransitionMode = BooleanUtils.toBoolean(transitionMode);
+    }
+
     @Inject
     public void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns) {
         this.excludedPatterns = excludedPatterns;
@@ -343,9 +358,13 @@ protected boolean isParameterAnnotatedAndAllowlist(String name, Object action) {
             return true;
         }
 
+        long paramDepth = name.codePoints().mapToObj(c -> (char) c).filter(NESTING_CHARS::contains).count();
+        if (requireAnnotationsTransitionMode && paramDepth == 0) {
+            return true;
+        }
+
         int nestingIndex = indexOfAny(name, NESTING_CHARS_STR);
         String rootProperty = nestingIndex == -1 ? name : name.substring(0, nestingIndex);
-        long paramDepth = name.codePoints().mapToObj(c -> (char) c).filter(NESTING_CHARS::contains).count();
 
         return hasValidAnnotatedMember(rootProperty, action, paramDepth);
     }

core/src/test/java/org/apache/struts2/interceptor/parameter/StrutsParameterAnnotationTest.java

@@ -234,6 +234,18 @@ public void publicPojoMapDepthTwoMethod() {
         assertThat(threadAllowlist.getAllowlist()).containsExactlyInAnyOrder(Map.class, String.class, Pojo.class);
     }
 
+    @Test
+    public void publicStrNotAnnotated_transitionMode() {
+        parametersInterceptor.setRequireAnnotationsTransitionMode(Boolean.TRUE.toString());
+        testParameter(new FieldAction(), "publicStrNotAnnotated", true);
+    }
+
+    @Test
+    public void publicStrNotAnnotatedMethod_transitionMode() {
+        parametersInterceptor.setRequireAnnotationsTransitionMode(Boolean.TRUE.toString());
+        testParameter(new MethodAction(), "publicStrNotAnnotated", true);
+    }
+
 
     class FieldAction {
         @StrutsParameter