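Full record of upgrading Struts2 2.0.6 to 2.3.7 on the arch4 architecture
Background:
The company recently ran a vulnerability scan of the system and found that Struts2 has the S2-005 vulnerability. The company's current Struts2 version, 2.0.6, is within the affected range, and the official site's recommendation is to upgrade Struts2 to fix the vulnerability.
Because the system architecture is fairly old and uses JDK 1.6, and according to the Apache website the highest version that supports JDK 1.6 is 2.3.7, we decided to upgrade to 2.3.7.
Upgrade steps:
Step 1: Download the Struts2 2.3.7 JAR package from the Apache website and replace the project's JARs
Replaced:
struts2-core-2.0.6.jar upgraded to struts2-core-2.3.37.jar,
struts2-spring-plugin-2.0.8.jar upgraded to struts2-spring-plugin-2.3.37.jar,
xwork-2.0.4.jar upgraded to xwork-core-2.3.37.jar,
ognl-2.6.11.jar upgraded to ognl-3.0.21.jar,
commons-lang-2.6.jar upgraded to commons-lang3-3.2.jar
Added:
javassist-3.11.0.GA.jar
asm-commons-3.3.jar
freemarker-2.3.28.jar
Step 2: Modify WEB-INF/web.xml
Change org.apache.struts2.dispatcher.FilterDispatcher to
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
Step 3: Add resources/log4j.properties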
# OpenSymphony Stuff
log4j.logger.freemarker=ERROR
log4j.logger.com.opensymphony=ERROR
log4j.logger.com.opensymphony.xwork2.ognl=ERROR
log4j.logger.org.apache.struts2=ERROR
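Step 4: Modify resources/struts.xml
Change to
Replace the DOCTYPE version number 2.0 with 2.3
Step 5: Modify all XML files under the resources/struts folder
Replace the DOCTYPE version number 2.0 with 2.3
Replace redirect-action with redirectAction
Step 6: Modify resources/validators.xml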
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC
"-//Apache Struts//XWork Validator Definition 1.0//EN"
"http://struts.apache.org/dtds/xwork-validator-definition-1.0.dtd">
<!-- START SNIPPET: validators-default -->
<validators>
<validator name="required" class="com.opensymphony.xwork2.validator.validators.RequiredFieldValidator"/>
<validator name="requiredstring" class="com.opensymphony.xwork2.validator.validators.RequiredStringValidator"/>
<validator name="int" class="com.opensymphony.xwork2.validator.validators.IntRangeFieldValidator"/>
<validator name="long" class="com.opensymphony.xwork2.validator.validators.LongRangeFieldValidator"/>
<validator name="short" class="com.opensymphony.xwork2.validator.validators.ShortRangeFieldValidator"/>
<validator name="double" class="com.opensymphony.xwork2.validator.validators.DoubleRangeFieldValidator"/>
<validator name="date" class="com.opensymphony.xwork2.validator.validators.DateRangeFieldValidator"/>
<validator name="expression" class="com.opensymphony.xwork2.validator.validators.ExpressionValidator"/>
<validator name="fieldexpression" class="com.opensymphony.xwork2.validator.validators.FieldExpressionValidator"/>
<validator name="email" class="com.opensymphony.xwork2.validator.validators.EmailValidator"/>
<validator name="url" class="com.opensymphony.xwork2.validator.validators.URLValidator"/>
<validator name="visitor" class="com.opensymphony.xwork2.validator.validators.VisitorFieldValidator"/>
<validator name="conversion" class="com.opensymphony.xwork2.validator.validators.ConversionErrorFieldValidator"/>
<validator name="stringlength" class="com.opensymphony.xwork2.validator.validators.StringLengthFieldValidator"/>
<validator name="regex" class="com.opensymphony.xwork2.validator.validators.RegexFieldValidator"/>
<validator name="conditionalvisitor" class="com.opensymphony.xwork2.validator.validators.ConditionalVisitorFieldValidator"/>
</validators>
<!-- END SNIPPET: validators-default -->
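Step 7: Delete java/ognl/OgnlRuntime.java
Step 8: Modify the code that reports errors, for compatibility with the original system's programs
Add java\com\opensymphony\xwork2\ognl\SecurityMemberAccess.java
Add java\org\apache\commons\lang\CharUtils.java
Add java\org\apache\commons\lang\StringUtils.java
Change the references in the original system from org.apache.commons.lang to org.apache.commons.lang3
If the original system contains an action with too many methods (for example more than 800 methods), the action must be split, otherwise it will crash: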
# A fatal error has been detected by the Java Runtime Environment:
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
Step 9: Modify the JSPs
1. Since Struts2 2.0.11, Struts tags no longer support EL syntax (${}) calls inside them; OGNL expressions (%{}) must be used, otherwise this error is reported: Static attribute must be a String literal, its illegal to specify an expression. So <s:if test="${ needs to be replaced with <s:if test="%{ ; <s:elseif test="${ …pageNo" value="${pageNo }"/> is commented out
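To take some of the manual work out of step 9, the following added example (not part of the original post or of the Struts project) lists every Struts tag attribute that still contains ${...}, with its line number and a mechanical %{...} suggestion. It assumes the taglib prefix is "s" as in the examples above; the function names and the sample JSP are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the Struts taglib is bound to the prefix "s", as in the page's <s:if> examples.
COMMENT_RE = re.compile(r'<%--.*?--%>', re.S)
TAG_RE = re.compile(r'<s:([\w-]+)\b((?:[^>"\']|"[^"]*"|\'[^\']*\')*)>', re.S)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')

def find_el_in_struts_tags(jsp_text):
    """Return (line, tag, attribute, value, suggestion) for each Struts tag attribute using ${...}."""
    # Blank out JSP comments but keep their newlines so reported line numbers stay correct.
    text = COMMENT_RE.sub(lambda m: '\n' * m.group(0).count('\n'), jsp_text)
    findings = []
    for tag in TAG_RE.finditer(text):
        for attr in ATTR_RE.finditer(tag.group(2)):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            if '${' not in value:
                continue
            line = text.count('\n', 0, tag.start(2) + attr.start()) + 1
            # Mechanical suggestion only; every hit still needs a manual review.
            findings.append((line, 's:' + tag.group(1), attr.group(1), value, value.replace('${', '%{')))
    return findings

def scan_tree(root):
    """Scan every *.jsp under root (hypothetical project path) and return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob('*.jsp')):
        hits = find_el_in_struts_tags(path.read_text(encoding='utf-8', errors='replace'))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample JSP, not taken from the original system.
SAMPLE_JSP = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:if test="${pageNo > 1}">
  <span>${pageNo}</span>
</s:if>
<s:elseif test="%{pageNo == 1}">first</s:elseif>
<%-- <s:hidden name="pageNo" value="${pageNo }"/> --%>
<s:textfield name="user"
             value="${user.name}"/>
'''

if __name__ == '__main__':
    for line, tag, attr, value, fix in find_el_in_struts_tags(SAMPLE_JSP):
        print(f'line {line}: <{tag} {attr}="{value}">  ->  {attr}="{fix}"')
```

EL in plain template text (the `<span>` line) and tags inside JSP comments are deliberately not reported, since only EL inside Struts tag attributes triggers the error above.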
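Summary:
The above is the record of the Struts2 upgrade. The largest change was converting the EL expressions in the JSPs to OGNL expressions, which has to be adjusted by hand.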