Preface:
Most résumés today, especially those of people fresh out of school or a training course, claim familiarity with the SSH framework. But the Java taught in schools follows the textbook, and textbooks update slowly and cannot keep pace with the Internet industry; what they teach is usually the technology that was popular a few years ago. So students have to teach themselves, and the self-study material comes from the various training institutions online. Some of the large ones keep their content current and follow the pace of the industry. But some of the small ones, with weaker teaching staff, are a real rip-off: they take complete beginners through basic Java syntax, Java Web, and how to use SSH and SSM, have them build a simple project, help them polish a résumé, and call the training finished. These small institutions are weak on technology but strong on bragging and brainwashing. When you go out to interview after finishing, you find that what you were trained on is a world apart from what enterprises require, and you quietly ask yourself why.
SSH really was popular many years ago, but Struts has since declined, Spring is thriving, and Hibernate is no longer the default choice. I think training institutions that still teach SSH are out of date; it wastes students' time, and they may still not find a job, because Internet companies rarely use Struts anymore, except in very old projects that are still being maintained on it, and what is the point of working on a very old project?
* * * *
Struts introduction
Struts2 is a web application framework built on the MVC design pattern. It plays the Controller role, mediating between the model and the view, and from the container's point of view it is a front controller layered over the Servlet API (it is registered as a filter in web.xml). Struts2 is the successor to Struts1 and was formed by merging Struts1 with the WebWork framework, but its architecture is very different from Struts1: Struts2 takes WebWork as its core and processes each request through a chain of interceptors. This design completely decouples the business-logic controller (the Action) from the Servlet API, so Struts2 is best understood as an updated WebWork. The change from Struts1 to Struts2 is large; the change from WebWork to Struts2 is small.
* * * *
Struts from prosperity to decline
In its heyday Struts2 was everywhere: whichever company you interviewed at, SSH (Spring + Struts2 + Hibernate) was required, where the two S's are Spring and Struts2. Today the once-popular Struts2 has been replaced by SpringMVC. Anyone with more than five years of development experience knows that Struts2 configuration files are the biggest headache; once a project grows, the actions and their XML configuration drive people crazy. Another common complaint is that Struts2 maps requests to classes (a fresh Action instance per request), whereas SpringMVC maps them to methods on a controller and scopes request data differently, which is much more flexible. As Spring has grown rapidly, so has the number of people using SpringMVC. From another angle, everyone knows SpringBoot: zero XML configuration, everything expressed as Java beans, so maintenance is much easier. Struts2 by comparison is bloated and has far too many configuration items.
If SpringMVC began the displacement of Struts2, the rise of SpringBoot essentially completed it. Apart from old projects still in maintenance, new projects basically all use SpringBoot; nobody wants a project that is complex to maintain and full of configuration.
The main problem is Struts itself, and the Spring family is simply stronger; call it survival of the fittest.
Struts vulnerability
Let's take two well-known vulnerabilities: S2-045 and S2-046, both tracked as CVE-2017-5638. When they were published, they caused an uproar in the Internet community.
S2-045 is a remote code execution vulnerability in the Jakarta Multipart parser that Struts2 uses for file uploads. When an upload request carries a malformed Content-Type header, the parser's error message is built from that header value and evaluated as an OGNL expression, so an attacker who places an OGNL expression in Content-Type can execute system commands and take control of the server. The affected versions are Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; the fixes are 2.3.32 and 2.5.10.1, and Apache's stopgap workaround was a servlet filter that rejects any request whose Content-Type is not a well-formed multipart/form-data value before it reaches Struts.
S2-046 reaches the same error path by a different route: the attacker sends a multipart upload whose Content-Length exceeds the configured maximum (struts.multipart.maxSize) or whose part Content-Disposition carries a filename containing an OGNL expression. Either way the attacker-controlled value ends up in an error message that is evaluated as OGNL, again resulting in remote code execution.
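As an added example (not code from the original post or from Apache), here is the Content-Type, Content-Length and Content-Disposition check described in the two paragraphs above, written in Python so it can be run over captured requests; Apache's published S2-045 workaround was a servlet filter applying the same Content-Type test in front of Struts. The three sample requests are constructed for this example and the OGNL placeholders in them are not working payloads; the patterns are this example's own heuristics rather than an official signature, and the 2 MB limit assumes the default value of struts.multipart.maxSize.

```python
import re

# struts.multipart.maxSize defaults to 2 MB (assumed; use the deployment's value).
DEFAULT_MAX_SIZE = 2 * 1024 * 1024

# Heuristic for this example, not an official signature: an OGNL expression
# opener ("%{" or "${") is never legitimate in a media type or a filename.
OGNL_OPEN = re.compile(r"[%$]\{")

# A well-formed multipart Content-Type: the type plus an optional boundary.
MULTIPART_OK = re.compile(r"^multipart/form-data(\s*;\s*boundary=[^\s;]+)?\s*$", re.I)


def parse_header_block(block: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lowercase header name."""
    headers = {}
    for line in block.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def split_request(raw: str):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    return request_line, parse_header_block(header_block), body


def part_headers(body: str, boundary: str):
    """Yield the header dict of each multipart part. The Content-Disposition
    that S2-046 abuses lives here, not in the top-level request headers."""
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter "--boundary--"
        part_head = chunk.lstrip("\r\n").split("\r\n\r\n", 1)[0]
        yield parse_header_block(part_head)


def inspect_request(raw: str, max_size: int = DEFAULT_MAX_SIZE) -> list:
    """Return the reasons a request looks like an S2-045/S2-046 attempt.
    An empty list means nothing suspicious was found."""
    _, headers, body = split_request(raw)
    findings = []

    ct = headers.get("content-type", "")
    if OGNL_OPEN.search(ct):
        findings.append("Content-Type carries an OGNL expression (S2-045)")
    elif ct.lower().startswith("multipart/") and not MULTIPART_OK.match(ct):
        # Any malformed multipart type reaches the same error path; a filter
        # in front of Struts should reject it rather than let it through.
        findings.append("malformed multipart Content-Type (S2-045 error path)")

    cl = headers.get("content-length", "")
    if cl.isdigit() and int(cl) > max_size:
        findings.append(f"Content-Length {cl} exceeds maxSize {max_size} (S2-046 error path)")

    boundary = re.search(r"boundary=([^\s;]+)", ct, re.I)
    if boundary:
        for part in part_headers(body, boundary.group(1)):
            cd = part.get("content-disposition", "")
            # Public S2-046 reports pair the OGNL filename with a NUL byte.
            if OGNL_OPEN.search(cd) or "\x00" in cd:
                findings.append("part Content-Disposition carries OGNL or a NUL byte (S2-046)")
    return findings


# Constructed sample requests (not real traffic); the OGNL bodies are placeholders.
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=abc123\r\n"
    "Content-Length: 180\r\n"
    "\r\n"
    "--abc123\r\n"
    'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "--abc123--\r\n"
)

S2_045_STYLE = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#placeholder)}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

S2_046_STYLE = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=abc123\r\n"
    "Content-Length: 10000000\r\n"
    "\r\n"
    "--abc123\r\n"
    'Content-Disposition: form-data; name="file"; filename="%{(#placeholder)}\x00b"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "x\r\n"
    "--abc123--\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("s2-045", S2_045_STYLE), ("s2-046", S2_046_STYLE)]:
        print(label, inspect_request(req) or "clean")
```

The check is deliberately structural: it flags an expression opener where a media type or filename belongs, a multipart Content-Type that does not parse, and an oversize Content-Length, rather than matching specific payload strings that an attacker can trivially rewrite. The real fix is still the upgrade to 2.3.32 or 2.5.10.1; a filter like this only buys time.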
An earlier incident, in which a 12 GB dump of user records circulated online, was traced to a Struts2 vulnerability from 2013. The leaked records contained user names, passwords, e-mail addresses, QQ numbers, phone numbers, ID-card numbers and more, tens of millions of rows of internal data. A certain "East" confirmed and responded to the incident through its official WeChat public account on December 10, 2016.
There are many other vulnerabilities, almost every one of them fatal. That is why companies have abandoned Struts, and why I don't want you to learn it. I am telling you this honestly and for your own good, so don't be brainwashed by bad training institutions. If a company offers you a Struts job, that company has no future. Run.