[Struts 2.3 Upgrading Issue]Struts2.0因安全漏洞升级到2.3的操作手册和遇到的问题

[u][i]Struts 2.3 Upgrading Issue[/i][/u]
[b][i]版本升级原因：struts2.0漏洞[/i][/b]
[url]http://struts.apache.org/download.cgi#struts221[/url]
[url]http://struts.apache.org/release/2.3.x/docs/s2-014.html[/url]


[i][b]升级方法和问题:[/b][/i]
[color=olive][url]https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30743764[/url]
[url]http://bbs.csdn.net/topics/390598510[/url][/color]
[url]http://stackoverflow.com/questions/11543959/struts-2-3-upgrading-ognl-issue[/url]


[b]Step 1 - 更新Struts 2的jar文件到Class Path[/b]
【Struts2.0的jar依赖包】
asm.jar
commons-fileupload-1.2.1.jar
commons-io-1.3.2.jar
freemarker-2.3.8.jar
ognl-2.6.11.jar
struts2-core-2.0.14.jar
xwork-2.0.7.jar
commons-lang-2.5.jar（保留）


【Struts2.3的jar依赖包】
工具：maven、jar_search等
我们添加Struts 2最小需求的jar包。我们将把这些jar包拷贝到WEB-INF\lib这个文件夹中。
找到并拷贝这些文件
asm-3.3.jar
asm-commons-3.3.jar
asm-tree-3.3.jar
commons-fileupload-1.3.1.jar
commons-io-2.2.jar
commons-lang3-3.1.jar
freemarker-2.3.19.jar
ognl-3.0.6.jar
struts2-core-2.3.16.3.jar
xwork-core-2.3.16.3.jar




[b]Step 2 - 更新Struts 2 Servlet Filter[/b]
【truts2.0的servlet过滤器】
[code="java"]
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>*.action</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
</filter-mapping>
[/code]
【struts2.3的servlet过滤器】
为了要Struts 2 框架在你的web应用中工作，你需要在web.xml文件中添加Servlet Filter类和Filter mappingr。下面是你要添加的内容。
[code="java"]
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
[/code]




[b]Step 3 - 创建struts.xml文件[/b]
【打开DMI】
2.3+默认DMI是关闭的，动态方法调用官方推荐的做法是，使用通配符的形式，因可能存在安全隐患：
<constant name="struts.enable.DynamicMethodInvocation" value="true" />


否则总是跳转到default action execute中或报错：TTP Status 404 - There is no Action mapped for namespace [/] and action name [login!login.action] associated with context path [/]


[b]Step 4 - 关闭开发模式[/b]
struts.xml : 
[code="java"]<constant name="struts.devMode" value="false" />[/code]
否则表单提交时action中没有bean的set方法就会报错如：
http://localhost/login!login.action?test=2
Error setting expression 'test' with value ['2', ] 
或者给每个提交的properties在action中添加bean和get/set方法。


[b]Step 5 - 提高log4j级别[/b]
log4j.properties ：
[code="java"]#The problem is that the page including the inventory search has several other fields 
#which are not related to the inventory search (and do not have a getter/settter 
#in the inventorySearch action). Under Struts 2.0, these extra fields are ignored 
#by the inventorySearch action. However, Struts 2.3 throws the above exception 
#when these extra fields are posted with the form. 
log4j.logger.com.opensymphony.xwork2=ERROR[/code]


否则报类似错误：
[code="java"][STDOUT] WARN [com.opensymphony.xwork2.ognl.OgnlValueStack] - CommonsLogger.warn(60) | Error setting expression 'nonInventoryRelatedField' with value '[Ljava.lang.String;@833d35'
ognl.OgnlException: target is null for setProperty(null, "9", [Ljava.lang.String;@833d35) [/code]