Apache Struts

Apache Struts is a mature and battle-tested Java framework for building complex and modern Java Web applications.

These applications use a modern MVC design architecture and can easily be extended via plugins,

Support is included for modern-day technologies like AJAX, JSON, REST, and SOAP, all bundled into one powerful core that has been used by many developers and big-name companies around the Internet.

Struts is very well-documented and also benefits from a broad range of plugins contributed by a dedicated community, for both its 2.x and 1.x branches. While the 1.x branch was a success when it came out and become one of the most used Java frameworks around, it is now deprecated and unsupported.

Struts 2 was originally known as WebWork 2. After working independently for several years, the WebWork and Struts communities joined forces to launch the 2.x branch of Struts.

What is new in this release:

• Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
• Extended existing security mechanism to block access to given Java packages and Classes
• Collection Parameters for RedirectResult
• Make ParametersInterceptor supports chinese in hash key by default
• themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath
• New tag datetextfield
• Only valid Ognl expressions are cached
• Custom TextProvider can be used for validation errors of model driven actions
• datetimepicker's label fixed
• PropertiesJudge removed and properties are checked in SecurityMemberAccess
• resource reloading works in IBM JVM
• Default reloading settings were removed from default.properties

What is new in version 2.3.24:

• Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
• Extended existing security mechanism to block access to given Java packages and Classes
• Collection Parameters for RedirectResult
• Make ParametersInterceptor supports chinese in hash key by default
• themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath
• New tag datetextfield
• Only valid Ognl expressions are cached
• Custom TextProvider can be used for validation errors of model driven actions
• datetimepicker's label fixed
• PropertiesJudge removed and properties are checked in SecurityMemberAccess
• resource reloading works in IBM JVM
• Default reloading settings were removed from default.properties

What is new in version 2.3.20.1:

• Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
• Extended existing security mechanism to block access to given Java packages and Classes
• Collection Parameters for RedirectResult
• Make ParametersInterceptor supports chinese in hash key by default
• themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath
• New tag datetextfield
• Only valid Ognl expressions are cached
• Custom TextProvider can be used for validation errors of model driven actions
• datetimepicker's label fixed
• PropertiesJudge removed and properties are checked in SecurityMemberAccess
• resource reloading works in IBM JVM
• Default reloading settings were removed from default.properties

What is new in version 2.3.20:

• Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
• Extended existing security mechanism to block access to given Java packages and Classes
• Collection Parameters for RedirectResult
• Make ParametersInterceptor supports chinese in hash key by default
• themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath
• New tag datetextfield
• Only valid Ognl expressions are cached
• Custom TextProvider can be used for validation errors of model driven actions
• datetimepicker's label fixed
• PropertiesJudge removed and properties are checked in SecurityMemberAccess
• resource reloading works in IBM JVM
• Default reloading settings were removed from default.properties

What is new in version 2.3.16.3:

• Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals.

What is new in version 2.3.15.3:

• Broken access control issue fixed.

What is new in version 2.3.15.1:

• Remote code execution vulnerability when using short-circuit navigation parameter prefixes.
• Open redirect vulnerability when using short-circuit redirect parameter prefixes.

What is new in version 2.3.1.2:

• Default acceptedParamNames were further updated to more restrictive values to solve security vulnerabilities in ParameterInterceptor.

What is new in version 2.1.8.1:

• Updated assembly building process to create Windows-friendly filenames and to retrieve all documentation.

Requirements:

• Java 5 or higher