Struts was a good framework when it came out in the year 2000. It still works, but over the decades since, two things have happened: first, cybercriminals have had way too much time to come up with exploits to compromise Struts applications, and second, competing frameworks like Spring have been developed that have a much deeper skills base (more programmers available) and better security. And the security problems in Struts are not isolated programming errors; they are tied to the very foundation of the framework and the way it was built.
Who knew?
Struts is pervasive. If it is used, it exists in many parts of a Java application: in the JSP pages and in the back-end Java code, too. If your application is large, you can’t easily get rid of it through any manual process. It’s a rewrite! Nobody undertakes a $10 million rewrite unless they have to, and the Struts problem is not urgent. “After all, as far as we know, nobody has gotten into our system yet.” That’s what Equifax probably said before they were hit with a $500–700 million fine and compensation expense for a Struts data breach.
We looked for a tool on behalf of a customer who DID understand that sitting on top of a ticking Struts time bomb was not a good place to be. The short answer is that there was no tool available; all Google could find was slideware. But now THERE IS A SOLUTION: a special capability in ResQSoft Engineer 5.1 for migrating a Struts application to the Spring Framework in a single step, and you get updated to modern Java at the same time. Yes, there is still some hand finishing to be done, but it’s very small compared to rewriting your system.
See https://www.resqsoft.com/migrating-struts-to-spring.html for more information.