Apache Struts launched to fix vulnerable Feature

The Apache Software Foundation recently released a new version of Apache Struts to fix security issues that had been causing problems for developers. The release fixes issues related to Dynamic Method Invocation (DMI) and the "action:" prefix, about which developers had been complaining.

In a recent development, the Apache Software Foundation has released a new version of the Apache Struts development framework to address two major problems faced by developers.

Apache Struts, commonly referred to as Struts, is a popular open-source framework used to build, deploy and maintain Java-based web applications, both on the public web and on intranets. The newly released version of Struts fixes issues that had been causing difficulty for software developers.

Dynamic Method Invocation (DMI), a Struts 2 mechanism that has long been considered a possible source of security vulnerabilities, is disabled by default in the new version.

The feature was enabled by default in earlier versions of Struts, though users were advised to switch it off where possible by setting the struts.enable.DynamicMethodInvocation constant to false in struts.xml.

With this release, developers who rely heavily on DMI may need to refactor their applications when they upgrade to the new version of Struts.
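To make the struts.xml check concrete, here is an added audit script (not code from the article or the Struts project) that reports whether DMI is effectively enabled in a configuration; the sample configurations are constructed, and the default_enabled flag is an assumption you set to match the default of your Struts version.

```python
# Added example (not from the article or the Struts project): audit a
# struts.xml for the Dynamic Method Invocation (DMI) constant.
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

def dmi_enabled(struts_xml, default_enabled=True):
    """Return True if DMI is effectively on for this configuration.

    default_enabled is what the framework assumes when the constant is
    absent: True for the older Struts 2 releases the article describes,
    False for the fixed release (assumption: pass the value matching
    your version). The last matching <constant> wins.
    """
    root = ET.fromstring(struts_xml)
    enabled = default_enabled
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            enabled = const.get("value", "").strip().lower() == "true"
    return enabled

def audit(struts_xml, default_enabled=True):
    """Return a list of findings; an empty list means DMI is switched off."""
    findings = []
    if dmi_enabled(struts_xml, default_enabled):
        findings.append(
            'DMI is enabled: set <constant name="%s" value="false"/> in '
            "struts.xml or upgrade to a release that disables it by default"
            % DMI_CONSTANT)
    return findings

# Constructed sample configurations (not taken from any real project).
CONF_EXPLICIT_ON = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
CONF_EXPLICIT_OFF = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""
CONF_ABSENT = """<struts>
  <package name="default" extends="struts-default"/>
</struts>"""

if __name__ == "__main__":
    for label, conf in [("explicit on", CONF_EXPLICIT_ON),
                        ("explicit off", CONF_EXPLICIT_OFF),
                        ("absent, old default", CONF_ABSENT)]:
        print(label, "->", audit(conf) or ["ok"])
```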

The release also fixes a second problem, related to the "action:" prefix of the action mapping mechanism, which can be used to attach navigation information to buttons within forms.

Further details of this issue have not been disclosed for security reasons; they may be revealed later, once a large number of users have upgraded to the new version.

Following the critical security vulnerabilities in the default action mapping mechanism of earlier versions, the latest version of the framework adds additional code to sanitise "action:"-prefixed information and removes support for the "redirect:" and "redirectAction:" prefixes completely.

Alternatively, developers can plug in their own action mapping implementation, or stop using the "action:" prefix altogether if they do not need support for multiple submit buttons in their applications.