This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Struts
Status
Content to be finalized. First draft
Overview
Struts is an Apache framework aimed at simplifying the creation of dynamic web applications in Java.
Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.
I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the official website.
Security in the Model
Validation
The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...
- A validator-rules.xml file in the WEB-INF folder.
- A validator.xml in the WEB-INF folder.
- All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.
- The commons-validator.jar in WEB-INF. This can be obtained here.
Examples
Struts Validation in an ActionForm
Struts Validation in validator.xml using an ActionForm
Struts Validation in validator.xml using a DynaValidatorForm
Security in the View
Security in the Controller
Common errors and vulnerabilities
Form Does Not Extend Validation Class
