Here are some notes I did for a client a LONG while ago....
1. Overview
1.1 Purpose
The purpose of this document is to introduce the reader to the process to
upgrade a Struts 2 project to version 2.5.10.1 due to a vulnerability
discovered in earlier versions of Struts. Although the likelihood of
CLIENT servers being susceptible to this vulnerability is small, it is
still recommended to perform this update.
This is a fairly major update to the struts2 family, and as such, has a few
caveats.
- Tiles 3 has been merged back into the core struts2-tiles-plugin
- Xwork is now in the core of Struts2 and is no longer a separate
dependency
- Xwork static message keys have been removed.
- Filters and Interceptors have been re-factored into better packages
As this is a structural change, you must carefully clean the project both
externally and internally in your IDE. At a minimum, use these steps:
- Delete all files under the struts fileset in the modules/facets
- Close the project in the IDE
- Delete the target directory
- Re-open the project from the POM, using the “delete and re-import”
feature
- Add the new Struts-2.5 files in the modules/facets
2. Versions and Dependencies
2.1 Set the properties
<struts.version>2.5.10.1</struts.version>
<tiles.version>3.0.7</tiles.version>
Figure 2‑1. Struts and Tiles Version Properties
2.2 Revert tiles plugin
Revert the “struts2-tiles3-plugin” back to “struts2-tiles-plugin”:
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-tiles-plugin</artifactId>
  <version>${struts.version}</version>
</dependency>
Figure 2‑2. Struts Tiles Dependency
2.3 Remove the xwork dependency:
<dependency>
  <groupId>org.apache.struts.xwork</groupId>
  <artifactId>xwork-core</artifactId>
  <version>${struts.version}</version>
</dependency>
Figure 2‑3. Removing Xwork
2.4 Replace the Static with its value:
In the BaseAction, replace:
XWorkMessages.DEFAULT_INVALID_FIELDVALUE
With:
"xwork.default.invalid.fieldvalue"
2.5 Package and Reference Changes
2.5.1 ValidationAware
Old:
import com.opensymphony.xwork2.ValidationAware;
New:
import com.opensymphony.xwork2.interceptor.ValidationAware;
2.5.2 Struts Filter (in web.xml)
Old:
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
New:
<filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
2.5.3 DTD Reference (in struts.xml)
Old:
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.1.7//EN"
"http://struts.apache.org/dtds/struts-2.1.7.dtd">
New:
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
"http://struts.apache.org/dtds/struts-2.5.dtd">
3. Troubleshooting
3.1 Module Dependencies
Be sure to re-open the project module window and re-set the struts facet
files. Make sure that only version 2.5.10.1 files are in the fileset.
3.2 Duplicate Entries
If necessary, close the project in your IDE and physically delete the
/target sub-directory to remove the old libraries. Use the Maven
dependency viewer window to ensure that the old versions of the struts
libraries are no longer in the project.
Louis
On Thu, Jul 16, 2020 at 10:40 AM Manas wrote:
> Hi all,
> I have an application running in Struts 2.1.6. Can you please advise some
> migration strategy from Struts 2.1.6 to Struts 2.5?
>
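As an added example (not part of the original message and not Struts project code), the Python script below scans a project tree for the pre-2.5 references that sections 2.2 to 2.5.3 of the notes replace, so leftovers can be caught before the upgraded build ships. The function names, the constructed sample files and the choice to skip `target/` are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# (section of the notes, file suffix, regex for the pre-2.5 reference)
CHECKS = [
    ("2.2 tiles3 plugin", ".xml", r"<artifactId>\s*struts2-tiles3-plugin\s*<"),
    ("2.3 xwork-core dependency", ".xml", r"<artifactId>\s*xwork-core\s*<"),
    ("2.4 XWorkMessages static", ".java", r"XWorkMessages\.DEFAULT_INVALID_FIELDVALUE"),
    ("2.5.1 old ValidationAware", ".java", r"import\s+com\.opensymphony\.xwork2\.ValidationAware\s*;"),
    ("2.5.2 old filter package", ".xml", r"org\.apache\.struts2\.dispatcher\.ng\.filter\."),
    ("2.5.3 DTD other than 2.5", ".xml", r"struts-(?!2\.5\.dtd)\d[\d.]*\.dtd"),
]

def scan(root):
    """Return sorted (relative path, line number, section) for each leftover reference."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        # target/ is build output that the notes delete and rebuild, so skip it
        if not path.is_file() or "target" in rel.parts or path.suffix not in (".xml", ".java"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for section, suffix, pattern in CHECKS:
                if path.suffix == suffix and re.search(pattern, line):
                    findings.append((rel.as_posix(), lineno, section))
    return sorted(findings)

def demo():
    """Scan a constructed, half-migrated project (sample files made up for this example)."""
    files = {
        "pom.xml": "<dependency>\n<artifactId>xwork-core</artifactId>\n</dependency>\n",
        "src/main/webapp/WEB-INF/web.xml": "<filter-class>org.apache.struts2.dispatcher.ng."
            "filter.StrutsPrepareAndExecuteFilter</filter-class>\n",
        "src/main/resources/struts.xml": '"http://struts.apache.org/dtds/struts-2.5.dtd">\n',
        "src/main/java/BaseAction.java": "import com.opensymphony.xwork2.interceptor.ValidationAware;\n"
            "String k = XWorkMessages.DEFAULT_INVALID_FIELDVALUE;\n",
        "target/classes/struts.xml": '"http://struts.apache.org/dtds/struts-2.1.7.dtd">\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    print("\n".join("%s:%d  %s" % f for f in demo()))
```

Call `scan()` with the project root to check a real tree; an empty result means none of the old references listed in the notes remain in the `.xml` and `.java` sources.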