升级struts的一点见闻

todayEric

                   有一段时间没看struts，上次开发公司的样式管理系统，选择了struts和DWR,这次开始规划新的jsw系统开发平台，想在开始的时候，升级一下类库，看了下
struts
主页，才发现struts项目变成了含有两个子项目的“大工程”，按照他们的说法，既要保持成熟的request-based framework,叫做Struts Action,又要为want to use lastest technology的用户提供component-based framework,named Struts Shale.

   先不去研究shale,Struts Action按照计划将升级为版本2，essentially,struts action2 will be webwork2.3!

   呵呵，真是事事难料！

   struts action framework现在可用的版本是1.2.9，这个版本主要修正了三个安全问题：

The first issue is due to an error when handling a request with a "org.apache.struts.taglib.html.Constants.CANCEL" parameter, which could be exploited by attackers to cause the action to be canceled without being detected from applications that do not use the "isCancelled" check.
The second flaw is due to an error in BeanUtils that does not properly handle a "multipart/form-data" encoded form with a parameter name that references the public "getMultipartRequestHandler()" method, which could be exploited by attackers to cause a denial of service or gain access to elements in the "CommonsMultipartRequestHandler" implementation and BeanUtils.
The third vulnerability is due to input validation errors in "LookupDispatchAction" when handling a parameter name that does not correspond to an entry in the "lookupMap", which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

    更详细的release notes,可以看这个网址
http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html

    下载文件，看一下要升级到1.2.9需要的工作（大家具体的根据自己的情况看一下这个列表
http://wiki.apache.org/struts/StrutsUpgrade
）

    我要做的工作首先是把ActionError升级为ActionMessage,ActionError已经被deprecated,但是ActionErrors并没有被deprecated，struts开发团队也想这么做，但是有一些core api使用了ActionErrors（例如ActionForm.validate()返回的就是ActionErrors），所以他们只是建议你尽量使用ActionMessages啦，呵呵

   升级后的代码这样写：

   ActionMessages am = new ActionMessages();
   am.add( ActionMessages.GLOBAL_MESSAGE,  
           new ActionMessage( "not.authorized.for.account" ) );
   saveErrors( request, am );
   ActionMessages am = new ActionMessages();
   am.add( ActionMessages.GLOBAL_MESSAGE,  
           new ActionMessage( "not.authorized.for.account" ) );
   saveErrors( request, am );
   ActionMessages am = new ActionMessages();
   am.add( ActionMessages.GLOBAL_MESSAGE,  
           new ActionMessage( "not.authorized.for.account" ) );
   saveErrors( request, am );

然后输出：
   
      
   
   具体详见：
http://wiki.apache.org/struts/StrutsDeprecatedActionErrors

   好了，今天先写到这里，已经半夜了，大家做个好梦：）

  
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/17133/showart_112367.html