For those looking for a deeper answer, what the security checks are protecting are the standard objects of the ValueStack. The ValueStack is a list of named objects of just about everything, including the invoked Action and aspects of servlet context, so your JSP code and submitted forms can read and set them as properties. When asked to read or set data, the ValueStack finds the first property or object matching.

When the author's form is submitted, Struts 2 sets the 'application.appName' property. If the security didn't discard it, the Action instance would match as it has the 'application' property, then the 'appName' property of said 'application' property would be set (though that would fail because the 'application' property is null).

Alas, 'application' is a named object in the ValueStack, which is all the application scope properties. In a Jakarta EE server, these are the ServletContext attributes. If the Action doesn't have an 'application' property and security doesn't happen, Struts 2 matches the application object and sets the 'appName' attribute. Setting an application scope property.

For form submission, the property names to be set come from the form field names, which the user can hack, whether your receiving Action expects them or not. Without the security checks, random users can hack various objects, including session-based data. Got the customer's account in session? If the user can guess the attribute and property names, he can change the account no. Hence, form field names starting with 'applicaton, 'session', 'request' and the like are silently thrown away.