Allowlist not working

I’m testing a dummy project, to see if I understand how actions should work in Confluence 9.2.0. Here is part of my atlassian-plugin.xml file:

<web-item key="google_home" name="Google Home" section="system.header/left" weight="60">
    <description key="item.google.home.desc">Simple link to google.com.</description>
    <label key="item.google.home.label" />
    <link linkId="google_home">/dummy.action</link>
</web-item>

<xwork key="viewCloverResult" name="View Clover Result">
    <package name="cloverPlugin" extends="default">
        <action name="dummy" class="com.dummy.test.action.DummyAction">
            <result name="notpermitted" type="redirect">/pages/pagenotpermitted.action</result>
        </action>
    </package>
</xwork>

<velocity-allowlist key="velocity-allowlist">
    <method>com.dummy.test.action.DummyAction#dummy()</method>
</velocity-allowlist>

And the dummy action class:

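package com.dummy.test.action;

import com.atlassian.confluence.core.ConfluenceActionSupport;

public class DummyAction extends ConfluenceActionSupport {

    // Action method referenced by the velocity-allowlist entry above
    public String dummy() {
        return SUCCESS;
    }

}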

I’m always seeing the Method Not Allowed message. If I change something in the allowlist, for example, dumm instead of dummy, it detects the error; otherwise everything seems OK, but it is still not working.

Stupid question - you did build and install everything from scratch, right? Because for us, just rebuilding the plugin with (atlas-)package had no effect in that regard…

BTW, do you GET or POST? For GET, you also need to allow said access… for reference, this is our (working) snippet:

<xwork name="Administrator Actions" key="graphity-admin-actions">
    <description>Allows to configure the plugin</description>
    <package name="graphity-admin" extends="default" namespace="/admin/plugins/graphity">
        <default-interceptor-ref name="defaultStack"/>
        <action name="graphity-admin" class="com.yworks.plugins.confluence.AdminAction">
            <param name="permittedMethods">GET,POST</param>
            <result name="success" type="velocity">/templates/admin.vm</result>
        </action>
    </package>
</xwork>

And the allowlist:

    <velocity-allowlist key="velocity-allowlist" name="Velocity Allowlist">
        <description key="com.yworks.plugins.confluence.velocity.allowlist">
            Allowlist for Graphity
        </description>
        <method>com.yworks.plugins.confluence.AdminAction#getPaletteText(java.lang.String)</method>
    </velocity-allowlist>

Thank you for your answer, Jasmine. I’ve just discovered it by myself, and you are right, I was missing allowing the GET method. In my case, I used annotations:
@PermittedMethods({HttpMethod.GET})
Anyway, now it is working :)

So that we have more information, if a method is not working because it is not allowed in a velocity-allowlist module, the log will show a message like:

2025-02-03 20:07:33,406 WARN [http-nio-8090-exec-7 url: /confluence/admin/plugins/your-plugin/your-action.action; user: admin] [velocity] log Invocation blocked as method is not allowlisted: com.test.your.package.YourAction#yourMethod(java.lang.String)
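
An added example, not part of the thread or of any Atlassian tooling: a small log triage script that collects the "not allowlisted" warnings in the format quoted above and renders `<method>` entries for a reviewer to approve. The function names, the sample lines and the policy of only proposing signatures from your own plugin package are assumptions of this example.

```python
import re
from collections import Counter
from xml.sax.saxutils import escape

# Line format taken from the WARN message quoted above.
SIG = re.compile(
    r" WARN \[.*Invocation blocked as method is not allowlisted: "
    r"(?P<sig>[\w.$]+#[\w$]+\([^()]*\))\s*$"
)
URL = re.compile(r"\burl: (?P<url>[^;\]]+)")

# Constructed sample lines (not real log output); the package is a placeholder.
SAMPLE_LOG = """\
2025-02-03 20:07:33,406 WARN [http-nio-8090-exec-7 url: /confluence/admin/plugins/your-plugin/your-action.action; user: admin] [velocity] log Invocation blocked as method is not allowlisted: com.test.your.package.YourAction#yourMethod(java.lang.String)
2025-02-03 20:07:34,112 WARN [http-nio-8090-exec-2 url: /confluence/admin/plugins/your-plugin/your-action.action; user: admin] [velocity] log Invocation blocked as method is not allowlisted: com.test.your.package.YourAction#yourMethod(java.lang.String)
2025-02-03 20:08:01,990 WARN [http-nio-8090-exec-4 url: /confluence/dummy.action; user: admin] [velocity] log Invocation blocked as method is not allowlisted: com.test.your.package.YourAction#getItems()
2025-02-03 20:08:02,005 WARN [http-nio-8090-exec-4 url: /confluence/dummy.action; user: admin] [velocity] log Invocation blocked as method is not allowlisted: java.lang.Class#forName(java.lang.String)
2025-02-03 20:08:03,300 INFO [http-nio-8090-exec-1] [some.Logger] unrelated line
"""


def blocked_invocations(lines):
    """Yield (signature, url) for every 'not allowlisted' WARN line."""
    for line in lines:
        m = SIG.search(line)
        if m:
            u = URL.search(line)
            yield m.group("sig"), u.group("url").strip() if u else None


def allowlist_candidates(lines, own_package):
    """Split blocked signatures into own-plugin candidates and everything else."""
    own, foreign = Counter(), Counter()
    for sig, _url in blocked_invocations(lines):
        (own if sig.startswith(own_package + ".") else foreign)[sig] += 1
    return own, foreign


def render_module(signatures, key="velocity-allowlist"):
    """Render a <velocity-allowlist> module for signatures approved by a reviewer."""
    body = "\n".join(f"    <method>{escape(s)}</method>" for s in sorted(signatures))
    return f'<velocity-allowlist key="{key}">\n{body}\n</velocity-allowlist>'


if __name__ == "__main__":
    own, foreign = allowlist_candidates(SAMPLE_LOG.splitlines(), "com.test.your.package")
    print(render_module(own))
    print("not proposed (outside the plugin package):", dict(foreign))
```

Signatures outside the given package are reported separately rather than proposed, so each one can be traced back to the template that calls it.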