The attacker can inject a given value into the session map by clicking the following URL.
[[A session value is overwritten by a request from a browser.]]
1. This problem occurs in Struts 2.0.9 and perhaps in other versions.
The following conditions are assumed:
i. SomeAction implements SessionAware.
ii. It is defined in struts-default.
iii. devMode is either true or false.
["someValue"] is stored in the SessionMap under the name "someKey" when the
request shown in that URL is processed.
Here ["someValue"] means an array containing "someValue".
This causes a ClassCastException in almost all cases.
It is thought that this might only be my mistake, a setting, etc.
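The session state described above (a String array stored under "someKey" where the application expects a String) can be reproduced and checked for in plain Java. This is an added example, not code from the report or from Struts; the `SessionTypeCheck` class, the `EXPECTED` schema and the `sanitize` helper are hypothetical names, and a plain `HashMap` stands in for the SessionMap.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

public class SessionTypeCheck {
    // Hypothetical schema: the only keys this application stores, with their types.
    static final Map<String, Class<?>> EXPECTED = new HashMap<>();
    static { EXPECTED.put("someKey", String.class); }

    /** Removes entries with an unknown key or a wrongly typed value; returns what was removed. */
    static List<String> sanitize(Map<String, Object> session) {
        List<String> findings = new ArrayList<>();
        Iterator<Map.Entry<String, Object>> it = session.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<String, Object> e = it.next();
            Class<?> want = EXPECTED.get(e.getKey());
            Object v = e.getValue();
            if (want == null || (v != null && !want.isInstance(v))) {
                findings.add(e.getKey() + ": " + (v == null ? "null" : v.getClass().getSimpleName()));
                it.remove();
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        // Constructed sample: the state the report describes after the request is processed.
        session.put("someKey", new String[] {"someValue"});

        try {
            // What application code typically does when it trusts the session content.
            String s = (String) session.get("someKey");
            System.out.println("read " + s);
        } catch (ClassCastException ex) {
            System.out.println("ClassCastException on read");
        }

        // Defensive pass before the session is used: drop and report unexpected entries.
        System.out.println("removed: " + sanitize(session));
        System.out.println("remaining keys: " + session.keySet());
    }
}
```

Logging the removed entries gives a detection signal: a String[] value under a key the application only ever writes as a String indicates the value came from request parameters rather than from application code.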