
Migrating Struts to Spring

Written by Paul Bowden

June 7, 2019

 

What’s Wrong With Struts?

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

Equifax has admitted that the breach was due to an Apache Struts vulnerability.
Your system may not process consumer data… but isn’t your financial and engineering data valuable? Do you want hackers to steal it and sell it to others?

The Struts Problem

A critical remote code execution vulnerability affects all versions of the popular application development framework Struts since 2008. The Struts 1.x web framework has reached its end of life and is no longer officially supported. Users should not rely on a properly maintained framework state when utilizing Struts 1 in projects, because Struts 1 is no longer tested or maintained.

One well-known vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data.

“Given a major security problem or a serious bug is reported for Struts 1 in near future, can we expect a new release with fixes?” Apache answer: 
“As of now, actually no – that is what the EOL announcement essentially is about. Since the end of support is reached, you will either need to find mitigations, patch the existing Struts 1 source code yourself or migrate your project to another web framework.”

Are you safe if you use Struts 2 instead of Struts 1? No, see the explanation here and here.

The ResQSoft Solution

Remove Struts from your application and replace it with the much more modern, and much more widely supported, Spring MVC Framework.

ResQSoft Engineer analyzes the JSP and Java files, and replaces library files and Struts code automatically.

Templates and analyzers are used to write fresh, properly structured new programming code utilizing the Spring MVC framework instead.

The process involves hand finishing by programmers, but the goal for Engineer is to automatically write over 85% of the routine lines of code that must be changed. In our own testing, we’re hitting over 98% of the changes successfully! But every code base is different, so 85% is our goal for now. And if you need more, we’ll work with you to get there. We can do an assessment to make a plan to achieve complete removal of Struts, either at a fixed price or by providing Time and Materials support to your in-house team.

Hand finishing by programmers focuses on handling unique logic in tags and other unique features of the code base.

Areas Addressed

  • Libraries – replacing Struts Jars with Spring MVC Jars (Spring 3 or 5, depending on the age of the Struts version)
  • Tags – replacing Struts Tags with HTML Tags
  • Replacing the Dispatcher with an appropriate Spring Dispatcher
  • Automation-assisted editing of Controller logic
  • Automation-assisted refactoring of application structure
  • Obsolete versions of Java are upgraded to Java 8 (or Java 11 or 12), enabling use of JPA and extending support options for years

Improve your security and maintainability! Contact us today…
