Java Basics: What Is Apache Struts?
If you have developed a large-scale Java web application in the last 20 years, chances are that you have used, or at least considered using, Apache Struts.
In this blog, we give an overview of Apache Struts, what it is, how it's used, and discuss how this enterprise Java web framework has remained relevant for so long.
Apache Struts is a modern Java framework that uses the Model, View, Controller (MVC) architecture for building enterprise-ready web applications.
Struts is open source and freely available. The framework itself is written in Java and is maintained by Apache Software Foundation. It works with technologies such as Java Servlets, JavaBeans, XML, and many more.
What Is Apache Struts Used For?
Struts help developers to create flexible, maintainable, and secure web applications in Java. As mentioned above, the framework is based on the MVC architecture, where each component takes care of different aspects of the application.
How Apache Struts Works
Whenever there is an incoming request to the application, the request is processed by Controller. In the case of Struts, it is an ActionServlet (FilterDispatcher in Struts 2.x). The View component is responsible for presenting information to the user or to accept the input form from them. The business logic of the application is in the Model component.
Apache Struts 1
Originally released in May, 2000, Apache Struts 1 marked the first generation of Apache Struts. Since then, more releases were published until the last one in 2008. The last released version of Apache Struts 1 is version 1.3.10. The first generation was replaced by the second generation, Apache Struts 2. In 2013, it was designated end of life.
When first released, Struts 1 brought a completely new experience into the web application development and was strongly adopted by many companies. Struts was highly influential, and inspired the release of many subsequent web frameworks.
Apache Struts 2
Apache Struts 2, released in October 2006, is the second generation of the Apache Struts framework.. It was developed alongside Apache Struts 1, with its first release appearing two years before the last release of Struts 1.
There are some differences between those two generations, including changes in threading, action classes or validation.
Struts 2 development is still active and, as of writing this article, the newest version is 2.5.25. If you would like to start with Struts 2, remember that minimum requirements are Servlet API 2.4, JSP 2.0 and Java 7.
Apache Struts Vulnerabilities
Every piece of software has bugs of varying criticality, and Apache Struts is no exception. There is now evidence of 70 vulnerabilities related to Apache Struts. All of them are now fixed, but some of them, like CVE-2017-5638, had a big impact on the reputation of Struts. (CVE stands for common vulnerabilities and exposures.)
According to the CVE score, this one was the toughest one with 10 points (out of 10). The attacker was able to remotely execute a command. This was possible due to vulnerable code in the Jakarta Multipart parser.
The official description of the issue is:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 220.127.116.11 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
This now infamous vulnerability became mainstream via the 2017 Equifax breach, where Equifax administrators failed to patch (released two months prior) the vulnerability in a timely manner.
Apache Struts has now been around for over 20 years. In the beginning, it was something new that changed how to develop web applications by following the MVC architecture. Over the years, the framework has stayed relevant by delivering crucial features that users want.
It was not always easy for the framework. There have been more web frameworks released (e.g. Spring MVC) or vulnerabilities found in its code— but even in 2020, Apache Struts is still popular for enterprise web application development.
Looking for more information on enterprise Java technologies? These resources are a good place to start.
Increase Development Efficiency With JRebel
If you're working in enterprise Java web applications, chances are you know just how annoying application redeploys can be. With JRebel, you can skip redeploys and get back to coding. See how much time JRebel can save you with a free 14-day trial.