Blog
November 29, 2023
If you have developed a large-scale Java web application in the last 20 years, chances are that you have used, or at least considered using, Apache Struts. Recently, that trend has changed as Java developers turn to alternative Java web frameworks like Vaadin, Grails, and Spring Framework.
In this blog, we give an overview of Apache Struts, what it is, how it's used, and discuss why this monolithic Java web framework is still an enterprise mainstay.
What Is Apache Struts?
Apache Struts is a modern Java framework that uses the Model, View, Controller (MVC) architecture for building enterprise-ready web applications.
Struts is open source and freely available. The framework itself is written in Java and is maintained by Apache Software Foundation. It works with technologies such as Java Servlets, JavaBeans, XML, and many more.
📖 Further Reading: Popular Java Microservices Frameworks
Back to topWhat Is Apache Struts Used For?
Back to topStruts help developers to create flexible, maintainable, and secure web applications in Java. The framework is based on the MVC architecture, where each component takes care of different aspects of the application.
How Apache Struts Works
Whenever there is an incoming request to the application, the request is processed by Controller. In the case of Struts, it is an ActionServlet (FilterDispatcher in Struts 2.x). The View component is responsible for presenting information to the user or to accept the input form from them. The business logic of the application is in the Model component.
⚙️ Further Reading: Discover everything you need to know about Spring Boot vs. Spring MVC
Back to topDiscover what technologies your development peers are using in their Java tech stacks in our 2024 Java Development Productivity Report. Download your free copy today.
Apache Struts 1
Originally released in May, 2000, Apache Struts 1 marked the first generation of Apache Struts. The last released version of Apache Struts 1 is version 1.3.10, which was published in 2008. The first generation was replaced by the second generation, Apache Struts 2. In 2013, Apache Struts 1 was designated end of life.
When first released, Struts 1 brought a completely new experience into the web application development and was strongly adopted by many companies. Struts was highly influential, and inspired the release of many subsequent web frameworks.
Back to topApache Struts 2
Apache Struts 2, released in October 2006, is the second generation of the Apache Struts framework. It was developed concurrently with Apache Struts 1; i.e., the first release of Struts 2 was two years before the last release of Struts 1.
There are some differences between those two generations, including changes in threading, action classes or validation.
Struts 2 development is still active and the latest version is 6.3.0.1 (as of December 2023). If you would like to start with Struts 2, remember that minimum requirements are: Servlet API 3.1, JSP API 2.1, and Java 8.7. In October 2023, the Apache Foundation issued an End-of-Life (EOL) announcement for all 2.5.x versions of Struts.
Back to topApache Struts Vulnerabilities
CVE stands for common vulnerabilities and exposures. There is evidence of 70+ vulnerabilities in Apache Struts, but CVE-2017-5638 had an outsized impact on the reputation of Apache Struts.
CVE-2017-5638
CVE-2017-5638 is a now infamous vulnerability became of the role it played in the 2017 Equifax breach. Equifax administrators failed to patch (released two months prior) the vulnerability in a timely manner, and the resulting breach exposed the personal information of 147 million people. The attacker was able to remotely execute a command due to vulnerable code in the Jakarta Multipart parser.
The official description of the issue is:
Back to topThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Final Thoughts
Apache Struts has now been around for more than two decades. In the beginning, it was a Java web framework that changed how to develop web applications by following the MVC architecture. Over the years, the framework has become a legacy mainstay that's fallen in popularity in place of frameworks like Spring Boot, but Apache Struts still sees widespread enterprise use.
Save upwards of a month of development time annually by eliminating rebuilds. Discover how much time your team can save with JRebel during your free 14-day trial.
This blog was originally published in October 2020 and has been updated for technical relevancy.