BreadcrumbHomeResourcesBlog Java Basics: What Is Apache Struts? November 29, 2023 Java Basics: What Is Apache Struts?Java FrameworksOpen SourceBy Pavel FolIf you have developed a large-scale Java web application in the last 20 years, chances are that you have used, or at least considered using, Apache Struts. Recently, that trend has changed as Java developers turn to alternative Java web frameworks like Vaadin, Grails, and Spring Framework. In this blog, we give an overview of Apache Struts, what it is, how it's used, and discuss why this monolithic Java web framework is still an enterprise mainstay. Table of ContentsWhat Is Apache Struts?What Is Apache Struts Used For?How Apache Struts WorksApache Struts 1Apache Struts 2Apache Struts VulnerabilitiesFinal ThoughtsTable of Contents1 - What Is Apache Struts?2 - What Is Apache Struts Used For?3 - How Apache Struts Works4 - Apache Struts 15 - Apache Struts 26 - Apache Struts Vulnerabilities7 - Final ThoughtsBack to topWhat Is Apache Struts?Apache Struts is a modern Java framework that uses the Model, View, Controller (MVC) architecture for building enterprise-ready web applications.Struts is open source and freely available. The framework itself is written in Java and is maintained by Apache Software Foundation. It works with technologies such as Java Servlets, JavaBeans, XML, and many more.📖 Further Reading: Popular Java Microservices FrameworksBack to topWhat Is Apache Struts Used For?Struts help developers to create flexible, maintainable, and secure web applications in Java. The framework is based on the MVC architecture, where each component takes care of different aspects of the application.Back to topHow Apache Struts WorksWhenever there is an incoming request to the application, the request is processed by Controller. In the case of Struts, it is an ActionServlet (FilterDispatcher in Struts 2.x). The View component is responsible for presenting information to the user or to accept the input form from them. The business logic of the application is in the Model component.⚙️ Further Reading:Discover everything you need to know about Spring Boot vs. Spring MVCApache Struts 2 Example: Simplified MVC Architecture DiagramDiscover what technologies your development peers are using in their Java tech stacks in our 2024 Java Development Productivity Report. Download your free copy today.Get the reportBack to topApache Struts 1Originally released in May, 2000, Apache Struts 1 marked the first generation of Apache Struts. The last released version of Apache Struts 1 is version 1.3.10, which was published in 2008. The first generation was replaced by the second generation, Apache Struts 2. In 2013, Apache Struts 1 was designated end of life.When first released, Struts 1 brought a completely new experience into the web application development and was strongly adopted by many companies. Struts was highly influential, and inspired the release of many subsequent web frameworks.Back to topApache Struts 2Apache Struts 2, released in October 2006, is the second generation of the Apache Struts framework. It was developed concurrently with Apache Struts 1; i.e., the first release of Struts 2 was two years before the last release of Struts 1.There are some differences between those two generations, including changes in threading, action classes or validation. Struts 2 development is still active and the latest version is 6.3.0.1 (as of December 2023). If you would like to start with Struts 2, remember that minimum requirements are: Servlet API 3.1, JSP API 2.1, and Java 8.7. In October 2023, the Apache Foundation issued an End-of-Life (EOL) announcement for all 2.5.x versions of Struts.Back to topApache Struts VulnerabilitiesCVE stands for common vulnerabilities and exposures. There is evidence of 70+ vulnerabilities in Apache Struts, but CVE-2017-5638 had an outsized impact on the reputation of Apache Struts. CVE-2017-5638CVE-2017-5638 is a now infamous vulnerability became of the role it played in the 2017 Equifax breach. Equifax administrators failed to patch (released two months prior) the vulnerability in a timely manner, and the resulting breach exposed the personal information of 147 million people. The attacker was able to remotely execute a command due to vulnerable code in the Jakarta Multipart parser.The official description of the issue is:The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.Back to topFinal ThoughtsApache Struts has now been around for more than two decades. In the beginning, it was a Java web framework that changed how to develop web applications by following the MVC architecture. Over the years, the framework has become a legacy mainstay that's fallen in popularity in place of frameworks like Spring Boot, but Apache Struts still sees widespread enterprise use. Save upwards of a month of development time annually by eliminating rebuilds. Discover how much time your team can save with JRebel during your free 14-day trial.Try JRebel FreeThis blog was originally published in October 2020 and has been updated for technical relevancy. Back to top
Pavel Fol Solutions Consultant, JRebel by Perforce Pavel is a Solutions Consultant at JRebel by Perforce. Pavel is passionate about helping Java development teams increase development efficiency with our tools, while providing continued support for ongoing success.