Apache Struts 7 Released With Stronger Security
Written by Kay Ewbank
Monday, 13 January 2025
Apache Struts 7 has been released. This version adds support for JEE 9+ and implements stronger security defaults.

Apache Struts is a free, open-source, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. It is popular in large enterprises and government agencies.

Struts is designed to help developers create web applications that use a Model-View-Controller (MVC) architecture. The Model represents the business or database code, the View represents the page design code, and the Controller represents the navigational code.

[Figure: The Struts framework]

The framework provides three key components: a "request" handler, provided by the application developer, that is mapped to a standard URI; a "response" handler that transfers control to another resource which completes the response; and a tag library that helps developers create interactive form-based applications with server pages. Struts works well with conventional REST applications and with technologies like SOAP and AJAX.

The developers say that, unlike other component-oriented frameworks, they do not aim to hide the stateless nature of the web. Instead, they think it is perfectly acceptable to build upon a Request/Response cycle. They also defend the MVC pattern, saying that just because it's old doesn't make it bad. However, they acknowledge that developers who wish to build components on the server side which render on the front end are most likely not well served by Struts, and would be better choosing projects such as Wicket and Tapestry, which serve this purpose very well.

This release has breaking changes to ensure that the default behavior of the Struts framework is more predictable and/or more secure. The developers say many of the measures were developed in direct response to real exploits and common critical developer errors.
The first improvement is that the default values for various namespace mapping options have changed to the more sensible behavior of requiring exact matches. This prevents Actions being accessed from more namespaces than intended.

Static field access has been disabled, because such fields could be of any type with arbitrary attached methods, and there are now limits on the ability to instantiate arbitrary map classes directly from OGNL expressions, because this can be used to craft exploit payloads. OGNL proxied object access has also been restricted to prevent its use in template injection exploits.

Action parameter injection has been tightened, so that all parameter injection points must be explicitly marked with a new @StrutsParameter annotation.

Struts 7 is available now.
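The parameter-injection change is the one most application developers will feel directly, because under the old default every public setter on an Action was a potential injection point reachable from a request parameter. The following Action class is an added illustration, not code from the Struts project or from this article: it shows one setter opted in with @StrutsParameter, one nested setter opted in with an explicit depth, and one setter deliberately left unannotated so that the framework ignores any matching request parameter. The annotation's package (org.apache.struts2.interceptor.parameter) and its depth attribute are as documented for Struts 6.4 and later; the class, field and setting names in the comments are assumptions made for this example and should be checked against the Struts 7 migration guide.

```java
package example.profile; // hypothetical package for this illustration

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.parameter.StrutsParameter;

/**
 * Hypothetical Action for updating a user's own profile.
 *
 * Under the Struts 7 defaults, only setters (or public fields) carrying
 * @StrutsParameter are populated from request parameters. Anything else
 * is not an injection point, however the request is crafted.
 */
public class UpdateProfileAction extends ActionSupport {

    // Constructed sample of a nested bean used with depth-limited injection.
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    private String displayName;
    private Address address = new Address();
    private String role = "user";

    // Opted in: request parameter "displayName" may set this value.
    @StrutsParameter
    public void setDisplayName(String displayName) {
        this.displayName = displayName;
    }

    public String getDisplayName() {
        return displayName;
    }

    // Opted in one level deep: "address.city" is allowed, but a parameter
    // such as "address.city.someOtherProperty" would exceed the depth and
    // be rejected. The getter is needed so OGNL can reach the nested bean.
    @StrutsParameter(depth = 1)
    public Address getAddress() {
        return address;
    }

    public void setAddress(Address address) {
        this.address = address;
    }

    // Deliberately NOT annotated. With the Struts 7 default
    // (struts.parameters.requireAnnotations = true) a request carrying
    // "role=admin" is simply ignored, instead of silently escalating the
    // user's privileges. Before this change, a developer who forgot to
    // exclude such a setter shipped a mass-assignment bug.
    public void setRole(String role) {
        this.role = role;
    }

    public String getRole() {
        return role;
    }

    @Override
    public String execute() {
        // Whatever arrived in the request, "role" can only be the value the
        // application itself assigned; persist the profile update here.
        return SUCCESS;
    }
}
```

If an application being migrated to Struts 7 breaks because form fields no longer arrive, the fix is to annotate each setter that genuinely should be client-writable rather than to switch the requireAnnotations setting back off; the review of which setters get the annotation is exactly the audit that the old default allowed developers to skip.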