October 2, 2020

Java Basics: What Is Apache Struts?

If you have developed a large-scale Java web application in the last 20 years, chances are that you have used, or at least considered using, Apache Struts.

In this blog, we give an overview of Apache Struts: what it is, how it's used, and how this enterprise Java web framework has remained relevant for so long.

What Is Apache Struts?

Apache Struts is a modern Java framework that uses the Model, View, Controller (MVC) architecture for building enterprise-ready web applications.

Struts is open source and freely available. The framework itself is written in Java and is maintained by the Apache Software Foundation. It works with technologies such as Java Servlets, JavaBeans, XML, and many more.

What Is Apache Struts Used For?

Struts helps developers create flexible, maintainable, and secure web applications in Java. As mentioned above, the framework is based on the MVC architecture, where each component takes care of a different aspect of the application.

How Apache Struts Works

Whenever there is an incoming request to the application, the request is processed by the Controller. In the case of Struts, it is an ActionServlet (FilterDispatcher in Struts 2.x). The View component is responsible for presenting information to the user and for accepting input from them. The business logic of the application is in the Model component.

[Figure: Apache Struts 2 Example: Simplified MVC Architecture Diagram]

Apache Struts 1

Originally released in May 2000, Apache Struts 1 marked the first generation of Apache Struts. More releases followed until the last one in 2008; the last released version of Apache Struts 1 is version 1.3.10. The first generation was replaced by the second generation, Apache Struts 2, and Struts 1 was designated end of life in 2013.

When first released, Struts 1 brought a completely new experience to web application development and was strongly adopted by many companies. Struts was highly influential, and inspired the release of many subsequent web frameworks.

Apache Struts 2

Apache Struts 2, released in October 2006, is the second generation of the Apache Struts framework. It was developed alongside Apache Struts 1, with its first release appearing two years before the last release of Struts 1.

There are some differences between those two generations, including changes in threading, action classes, and validation.

Struts 2 development is still active and, at the time of writing, the newest version is 2.5.25. If you would like to start with Struts 2, remember that the minimum requirements are Servlet API 2.4, JSP 2.0 and Java 7.

Apache Struts Vulnerabilities

Every piece of software has bugs of varying criticality, and Apache Struts is no exception: there's evidence of 70 Apache Struts vulnerabilities. All of them are now fixed, but some of them, like CVE-2017-5638, had a big impact on the reputation of Struts. (CVE stands for Common Vulnerabilities and Exposures.)

CVE-2017-5638

According to its CVSS severity score, this was the most severe one, with 10 points (out of 10). The attacker was able to remotely execute a command. This was possible due to vulnerable code in the Jakarta Multipart parser.

The official description of the issue is:

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

This now infamous vulnerability became widely known through the 2017 Equifax breach, where Equifax administrators failed to apply the patch, released two months prior, in a timely manner.
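
As an added example (not from the original article or the Struts project), the following Python script checks struts2-core jar file names against the affected ranges given in the official description above. The jar naming pattern, the sample paths and the function names are assumptions made for illustration.

```python
import re

# First fixed release per branch, from the CVE-2017-5638 description above:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are affected.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Assumed naming: struts2-core-<dotted version>.jar (e.g. in WEB-INF/lib).
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/srv/app-a/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/app-b/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/srv/app-c/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/app-d/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/app-e/WEB-INF/lib/struts2-core-2.2.3.jar",
    "/srv/app-e/WEB-INF/lib/commons-io-2.4.jar",
]


def pad(version, width=4):
    """Right-pad with zeros so 2.5.10 compares below 2.5.10.1."""
    return version + (0,) * (width - len(version))


def status(version_text):
    """Return 'affected', 'fixed' or 'not-listed' for a dotted version."""
    version = tuple(int(part) for part in version_text.split("."))
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Branch not named in the description: make no claim either way.
        return "not-listed"
    return "affected" if pad(version) < pad(fixed) else "fixed"


def audit(paths):
    """Map each struts2-core jar path to (version, status); skip other files."""
    report = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            report[path] = (match.group(1), status(match.group(1)))
    return report


if __name__ == "__main__":
    for path, (version, state) in audit(SAMPLE_PATHS).items():
        print(f"{state:10} {version:10} {path}")
```

A "not-listed" result means only that the branch is not named in the description quoted above, so it needs a separate check against the project's security bulletins.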

Final Thoughts

Apache Struts has now been around for over 20 years. In the beginning, it was something new that changed how to develop web applications by following the MVC architecture. Over the years, the framework has stayed relevant by delivering crucial features that users want.

It was not always easy for the framework. Other web frameworks have been released (e.g. Spring MVC) and vulnerabilities have been found in its code, but even in 2020, Apache Struts is still popular for enterprise web application development.
