About Struts 2 Framework
As we all know, Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
Apache Struts 2 was originally known as WebWork 2. After working independently for several years, the WebWork and Struts communities joined forces to create Struts2. This new version of Struts is simpler to use and closer to how Struts was always meant to be.
It has a number of built-in features, and that has made Struts 2.x one of the top choices for web application developers, along with Spring MVC.
This blog will explain the basic changes that developers need to make to upgrade Struts 2.x to 2.3.16/2.3.15.
Struts 2 Framework upgrade to latest stable version 2.3.16/2.3.13.x
Last year (sometime around June-July 2013) the Struts 2.x community identified the following two security issues.
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
- http://struts.apache.org/release/2.3.x/docs/s2-017.html
As a fix, the following recommendation was given by the Struts community:
It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library
So these vulnerabilities are present in all Struts 2.x versions prior to 2.3.15.1.
My guess is that 95% of the apps to date are running on a lower version of Struts 2. The latest stable version is 2.3.16.
Changes needed for this Struts upgrade
Jar upgrade
Get the jar distribution for Struts version 2.3.15.3 from the following location.
http://mirrors.gigenet.com/apache//struts/binaries/struts-2.3.15.3-all.zip
Changes in web.xml
org.apache.struts2.dispatcher.FilterDispatcher is deprecated.
So instead of using the following filters
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter>
<filter-name>struts2-cleanup</filter-name>
<filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
Use
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
The clean-up filter is no longer needed if you use the StrutsPrepareAndExecuteFilter filter. Or you can use the following two filters.
<filter>
<filter-name>struts-prepare</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>
<!-- struts 2 execute filter -->
<filter>
<filter-name>struts-execute</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>
Note: For apps that use the SiteMesh filter, I would recommend reading the Struts 2.3.15.3 documentation carefully. Also read the StrutsPrepareAndExecuteFilter documentation.
One change that I have observed is with the secure token (part of the token interceptor). The default name of the s:token tag was struts.token. In version 2.3.16 it is changed to token.
Example: On a jsp/ftl page you have an <s:token/> tag, and you are passing it as part of your AJAX post/get request.
This will be an issue if you use this token in your AJAX calls from JavaScript. Typically developers submit the name of this token as a hard-coded value, so because of the change in the default token name, all AJAX calls with a hard-coded name will stop working. There are two solutions for this.
- Recommended: read the token name from the hidden parameter and add the post parameter with that token name dynamically. Going forward, if the s:token tag's default name changes again, you don't have to change anything.
- When you put the <s:token/> tag in your jsp/ftl, give name="${!somevalueFromServerConstant}", where "somevalueFromServerConstant" is a server-side constant. The other change you have to make is that when you return the fresh value of this token from the action class, create the token with the same name (meaning the value of "somevalueFromServerConstant" should be passed in TokenHelper.setToken(somevalueFromServerConstant); on the action side).
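The recommended option above, as an added example (not code from the original post or from the Struts project). It assumes the <s:token/> tag renders a hidden field named struts.token.name carrying the token's field name; readStrutsToken and buildAjaxBody are hypothetical helper names, and the sample forms are constructed.

```javascript
// Added example: send the s:token without hard-coding its field name.
// Assumption: <s:token/> renders two hidden inputs: "struts.token.name",
// whose value is the token's field name, and a field with that name
// whose value is the token itself.
const TOKEN_NAME_FIELD = "struts.token.name";

// `fields` is any iterable of {name, value} objects, for example
// form.elements in a browser. Returns the token's current name and value.
function readStrutsToken(fields) {
  const list = Array.from(fields);
  const nameField = list.find((f) => f.name === TOKEN_NAME_FIELD);
  if (!nameField || !nameField.value) {
    throw new Error("no s:token name field found in form");
  }
  const tokenField = list.find((f) => f.name === nameField.value);
  if (!tokenField || !tokenField.value) {
    throw new Error("token field '" + nameField.value + "' missing or empty");
  }
  return { name: nameField.value, value: tokenField.value };
}

// Build a form-encoded body: caller data first, then both token
// parameters, set last so caller data can never override them.
function buildAjaxBody(fields, data) {
  const token = readStrutsToken(fields);
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(data)) params.append(key, value);
  params.set(TOKEN_NAME_FIELD, token.name);
  params.set(token.name, token.value);
  return params.toString();
}

// Constructed sample forms: the old default name and the new default name.
const oldForm = [
  { name: "struts.token.name", value: "struts.token" },
  { name: "struts.token", value: "SAMPLE-OLD-TOKEN" },
];
const newForm = [
  { name: "struts.token.name", value: "token" },
  { name: "token", value: "SAMPLE-NEW-TOKEN" },
];

// The same client code works before and after the upgrade.
console.log(buildAjaxBody(oldForm, { comment: "hello" }));
console.log(buildAjaxBody(newForm, { comment: "hello" }));
```

In a browser, pass document.forms[0].elements (or the relevant form) as `fields` and send the returned string as the POST body.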
Apache Struts 2 basic requirement
- Servlet API 2.4
- JSP API 2.0
- Java 5
Version Notes:
The latest version of Struts is 2.3.16, released in December 2013. Feel free to evaluate and use the appropriate version for your project.
Note: This documentation was created after evaluating the requirements for upgrade in POC projects. Specific project requirements might require additional changes.
Reference: http://struts.apache.org/development/2.x/