外文文献
Struts 2 Technology
The name comes from Struts supported metal frame used in the building and the old in aircraft. Its purpose is to reduce the use of the MVC design model to the development of Web applications. You still need to study and application of the framework, but it will be completed some of the heavy work. Struts and Tomcat, Turbine and other Apache projects, open source software, it is a big advantage, so that developers can have a better understanding of their internal implementation mechanism. In addition, the advantages of Struts are mainly reflected in two aspects: Taglib and page navigation. Taglib is the Struts tag library, flexible use, can greatly improve the efficiency of development. In addition, the current domestic JSP developers, in addition to tag using JSP built-in, rarely develop their own label, Struts might be a good starting point.
Struts 2 is the next generation of Struts products, is the Struts with new base technology in struts 1 and WebWork 2 framework. The huge difference between the system structure of the new Struts 2 system structure and Struts 1. Struts 2 to WebWork as the core, the interceptor mechanism to deal with the user's request, this design also makes business logic controller with ServletAPI completely off, so the Struts 2 can be understood as the product of WebWork. Although from Struts 1 to Struts 2 have too big change, but compared to WebWork, Struts 2 small changes. After six years of development, Struts1 has become a highly mature framework, whether stability or reliability has been proved. The market share of over 20%, has a wealth of development groups, has become almost a de facto standard. But as time goes on, the progress of technology, the limitations of Struts1 are also increasingly exposed, and restrict the continued development of Struts1.
For the Struts1 framework, the coupling is very closely with the JSP/Servlet, which led to some serious problems. First of all, a single Struts1 presentation layer technology support. Since the Struts1 appeared as early as the age of, at that time did not FreeMarker, Velocity technology, so it is unlikely to be integrated with the view layer template technique. Secondly, the serious coupling between Struts1 and Servlet API, the application is difficult to test. Finally, the Struts1 code is heavily dependent on the Struts1 API, which belongs to the invasive framework.
From the technical level of current point of view, the view layer framework of many competing with Struts1, such as JSF, Tapestry and SpringMVC etc.. These frameworks due to appear in more recent, using the latest design concept, but also from the Struts1 experience, overcomes many shortcomings. The framework also promotes the development of Struts. At present, Struts has been divided into two frameworks: the first one is based on the traditional Struts1, combines an excellent Web framework WebWork another Struts2. Although Struts2 is developed on the basis of Struts1, but in essence is WebWork as the core. Struts2 is a traditional Struts1 into WebWork's advanced design idea, unified Struts1 and WebWork two framework. Another framework Struts1 differentiation is out of Shale. This framework is far beyond the design thought of Struts1 original, rarely associated with the Struts1 original, the use of new design thoughts. Shale is more like a new framework rather than the Struts1 upgrade.
A process, application notes
When the Web container receives the request (HttpServletRequest) it passes the request to the filter chain a standard including flow (ActionContextCleanUp) filter, and then through the Other filters (SiteMesh, etc), then call the FilterDispatcher core controller, then it calls the ActionMapper request to determine the Action, ActionMapper returns a collection of Action detailed information about the ActionMaping object. The FilterDispatcher control will be delegated to the ActionProxy, call ActionProxy Configuration Manager (ConfigurationManager) to read configuration information from the configuration file (struts.xml), and then create a ActionInvocation object, ActionInvocation will configure interceptor used are called before calling Action (Interceptor N) once the execution returns to the result string ActionInvocation is responsible for finding the result string. (Result) and executes the Result Result will call some template (JSP)
To show the page, then the interceptor (Interceptor N) will be executed (in sequence before and Action execute instead) finally response (HttpServletResponse) is returned to the configuration in web.xml (controller) and the filter (FilterDispatcher).
Technical improvement of Struts1 Struts2 was a huge improvement. Mainly manifested in the following aspects:
1) in the Action implementation:
Struts1 requires a unified extended from the Action class, and the Struts2 can be an ordinary POJO.
2) thread model:
Struts1 Action is a single instance of a Action, all instances of a processing request. Struts2 Action is a request for an example (every request a new new object), no thread safety issues.
3) Servlet dependence:
Struts1 Action relies on the Servlet API, such as the parameter to the execute method of Action including request and response objects. This allows the program to test. Struts2 Action is no longer dependent on the Servlet API, to test, and the realization of TDD.
4) package of request parameters:
Parameters of Struts1 in the mandatory use of the request ActionForm object encapsulation. Struts2 parameters can be selected using the POJO class to encapsulate a request, or directly use the Action attribute.
5) expression language:
Struts1 integrated with EL, but EL collection and indexing support is not strong, the integration of Struts2 OGNL (Object Graph NavigationLanguage).
6) bound value to view technology:
Struts1 uses the standard JSP, Struts2 use "ValueStack" technology.
7) type conversion:
The Struts1 property in the basic use of ActionForm type String. Struts2 in the use of OGNL conversion, can be more convenient to use.
Struts1 support to override the validate method or the use of Validator framework. Struts2 validation framework support override the validate method or the use of XWork.
8) executive control of Action:
Struts1 support each module corresponds to a request processing, but all of the Action modules must share the same life cycle. Struts2 is supported by the interceptor stack to create different life cycle for each Action.
Application of two, interceptor:
The interceptor, in AOP (Aspect-Oriented Programming) for use in a method or field is ahead of the visit, to intercept and before or after adding some operation. Interception is a kind of implementation method of AOP. Webwork Chinese document explanation for the interceptor is object dynamically intercepting Action calls it provides a mechanism to enable developers can be defined in a action before and after the execution of the code, also can be in a action executive stopped before its execution. Also provides a action can be extracted in reusable part ways. When it comes to the interceptor, there is a word you should know the interceptor chain (Interceptor Chain, referred to as the interceptor stack Interceptor Stack in Struts 2). The interceptor chain is the interceptor into a chain in order to connect certain. In the method of access is blocked or fields, the interceptor chain of interceptor will according to the definitions are called in the order before.
1) the realization principle of interceptor:
Most of the time, the interceptor method is through the agent to call. Struts 2 interceptor is relatively simple to implement. When a request arrives at the Struts 2 ServletDispatcher, Struts 2 will find the configuration, and the configuration of the interceptor instantiated relative object, then the string into a list (list), the last one in the invocation list of the interceptor.
2) interceptor configuration:
Struts 2 is to provide you with rich, full-featured interceptors. We can to Struts2 jar package struts-default.xml view and the interceptor interceptor chain about the default configuration.
The definition of the interceptor in struts.xml documents, interceptor stack:
<package name= "my" extends= "struts-default" namespace= "/manage" >
<interceptors>
Struts and Webwork with a MVC framework for service in the Web, to some extent, Struts2 is upgrading from WebWork2 is. Even the official Apache documentation also say: WebWork2 to Struts2 is a smooth transition. We can even say that Struts2 is WebWork2.3. In many ways, Struts is only changed the name to WebWork. Struts2 corresponding to it's own label, and powerful. Webwork has its own label. In 2005 December, WebWork and Struts Ti decided to merge, and at the same time, Struts Ti renamed the Struts Action Framework 2 Struts, as the next generation of real.
3) process Velocity template:
Org.apache.struts2.dispatcher.VelocityResult
With the template technology is more and more popular, more and more developers View layer demonstrate the use of Freemarker or Velocity templates. Same as Result Struts2 as template to support. Because the display of template template (Template) and data (Model) closely, so in Struts2, the main work of the two Result is to prepare the data for the template.
4) used to treat Action chain:
Com.opensymphony.xwork2.ActionChainResult
Chain really just after a action is executed, the forward to another action, so they are shared between HttpServletRequest. In the use of chain as a Result, often with the use of ChainingInterceptor. The role of ChainingInterceptor is to transfer data in Action. In fact, ValueStack source data in Action will be a Copy, so, in the 2 Action data in ValueStack, makes the front desk, to collect the data through ValueStack, is transparent and sharing. For example, one page, you may have a lot of data to display, and access to some of the data may be a lot of different page sharing (typically, "recommended article" the small columns of data acquisition, may be shared by many pages). In this case, use the logic extraction to a separate Action, and use chain, the Action and Action series. So, to reach the final page, the page can always get in each Action data.
From a practical perspective, the use of chain as a Result does exist a lot of problems mentioned above, I also very not respected the abuse of this Result. Especially, for the use of Spring and Hibernate friends, if you open the OpenSessionInView mode, then the Hibernate session is with HttpServletRequest, so session shared throughout the action chain. This will bring great trouble to our programming. Because we know that Hibernate session will keep a copy of a cache, in the action chain, sharing a cache will undoubtedly bring great inconvenience for your debugging.
Three, there is a loophole:
1) showed the high risk vulnerabilities
Struts2 discovered the 2 high-risk security vulnerabilities, one is the navigation parameter prefix use abbreviations when the Remote Code Execution Vulnerability, another is open to redirect redirection parameter prefixes vulnerability when using abbreviations. These vulnerabilities allow hackers to obtain web server "the highest authority", so as to make the enterprise server into broiler hacker hands".
2) solutions
The Apache Struts team has released its latest Struts 2.3.15.1, repair the loophole, the proposal uses Struts 2 to Struts 2.3 web developers as soon as possible to upgrade to the latest version.
3) impact
According to cloud platform bug reports, Taobao, Jingdong, Tencent large Internet companies are affected by this, but also exploit code has been strengthened, can be directly through the browser to submit any operation on the server and access to sensitive content. Struts vulnerability tremendous impact, affected by the site on the business, banking, government portal, the majority, but some automation, fool and using tools began to appear, fill in the address can be directly executed server command, read data directly and even shutdown operation. Rising security experts, the exposure of 2 vulnerability is due to short of navigation and redirect the prefix "action:", "redirect:", "redirectAction:" caused by. Rising security experts said, because these parameters is not correct prefix filtering, lead hackers can execute commands by vulnerability, get the target server information, and further achieve the highest control server. At the appointed time, attacked the website database will face the full disclosure threat, meanwhile hackers can also redirect the loopholes, fishing attack or to attack other netizen horse.
Struts was first used as part of the ApacheJakarta project, the founders hope that through this project, to improve and enhance the technical level of JavaServer, Servlet, Pages tag library and object oriented. The name comes from Struts supported metal frame used in the building and the old in aircraft. The framework is called "Struts", is to remind us that hold up our houses, buildings, bridges, and even when we walk on stilts based support. This is a wonderful description interpretation of Struts plays in the development of Web application role. When establishing a physical building, construction engineers use prop for the construction of each layer to provide support. Similarly, software engineers use Struts to each layer of a business application support. Its purpose is to help us to reduce the use of the MVC design model to the development of Web applications. We still need to study and application of the framework, but it will be completed some of the heavy work. If you want to mix advantages of Servlets and JSP to build expanded application, Struts is a good choice.
附录译文:
Struts 2技术
Struts这个名字来源于在建筑和旧式飞机中使用的支持金属架。它的目的是为了减少在运用MVC设计模型来开发Web应用的时间。你仍然需要学习和应用该架构,不过它将可以完成其中一些繁重的工作。Struts跟Tomcat、Turbine等诸多Apache项目一样,是开源软件,这是它的一大优点,使开发者能更深入的了解其内部实现机制。除此之外,Struts的优点主要集中体现在两个方面:Taglib和页面导航。Taglib是Struts的标记库,灵活动用,能大大提高开发效率。另外,就目前国内的JSP开发者而言,除了使用JSP自带的常用标记外,很少开发自己的标记,或许Struts是一个很好的起点。
Struts 2是Struts的下一代产品,是在 struts 1和WebWork的技术基础上进行了合并的全新的Struts 2框架。其全新的Struts 2的体系结构与Struts 1的体系结构差别巨大。Struts 2以WebWork为核心,采用拦截器的机制来处理用户的请求,这样的设计也使得业务逻辑控制器能够与ServletAPI完全脱离开,所以Struts 2可以理解为WebWork的更新产品。虽然从Struts 1到Struts 2有着太大的变化,但是相对于WebWork,Struts 2的变化很小。经过六年多的发展,Struts1已经成为了一个高度成熟的框架,不管是稳定性还是可靠性都得到了广泛的证明。市场占有率超过20%,拥有丰富的开发人群,几乎已经成为了事实上的工业标准。但是随着时间的流逝,技术的进步,Struts1的局限性也越来越多地暴露出来,并且制约了Struts1的继续发展。
对于Struts1框架而言,由于与JSP/Servlet耦合非常紧密,因而导致了一些严重的问题。首先,Struts1支持的表现层技术单一。由于Struts1出现的年代比较早,那个时候没有FreeMarker、Velocity等技术,因此它不可能与这些视图层的模版技术进行整合。其次,Struts1与Servlet API的严重耦合,使应用难于测试。最后,Struts1代码严重依赖于Struts1 API,属于侵入性框架。
从目前的技术层面上看,出现了许多与Struts1竞争的视图层框架,比如JSF、Tapestry和SpringMVC等。这些框架由于出现的年代比较近,应用了最新的设计理念,同时也从Struts1中吸取了经验,克服了很多不足。这些框架的出现也促进了Struts的发展。目前,Struts已经分化成了两个框架:第一个是在传统的Struts1的基础上,融合了另外的一个优秀的Web框架WebWork的Struts2。Struts2虽然是在Struts1的基础上发展起来的,但是实质上是以WebWork为核心的。Struts2为传统的Struts1注入了WebWork的先进的设计理念,统一了Struts1和WebWork两个框架。Struts1分化出来的另外一个框架是Shale。这个框架远远超出了Struts1原有的设计思想,与原有的Struts1关联很少,使用了全新的设计思想。Shale更像一个新的框架而不是Struts1的升级。
一、应用流程注解
当Web容器收到 请求(HttpServletRequest)它将请求传递给一个标准的的过滤链包括流程(ActionContextCleanUp)过滤器,然后经过Other filters(SiteMesh ,etc),接下来需要调用FilterDispatcher核心控制器,然后它调用ActionMapper确定请求那个Action,ActionMapper返回一个收集Action详细信息的ActionMaping对象。接下FilterDispatcher将控制权委派给ActionProxy,ActionProxy调用配置管理器(ConfigurationManager) 从配置文件中读取配置信息(struts.xml),然后创建ActionInvocation对象,ActionInvocation在调用Action之前会依次的调用所用配置拦截器(Interceptor N) 一旦执行结果返回结果字符串ActionInvocation负责查找结果字符串对应的(Result)然后执行这个Result Result会调用一些模版(JSP)
来呈现页面,之后拦截器(Interceptor N)会在被执行(顺序和Action执行之前相反)最后响应(HttpServletResponse)被返回在web.xml中配置的那些过滤器和(核心控制器)(FilterDispatcher)。
技术改进Struts2对Struts1进行了巨大的改进。主要表现在如下几个方面:
1)在Action的实现方面:
Struts1要求必须统一扩展自Action类,而Struts2中可以是一个普通的POJO。
2)线程模型方面:
Struts1的Action是单实例的,一个Action的实例处理所有的请求。Struts2的Action是一个请求对应一个实例(每次请求时都新new出一个对象),没有线程安全方面的问题。
3)Servlet依赖方面:
Struts1的Action依赖于Servlet API,比如Action的execute方法的参数就包括request和response对象。这使程序难于测试。Struts2中的Action不再依赖于Servlet API,有利于测试,并且实现TDD。
4)封装请求参数:
Struts1中强制使用ActionForm对象封装请求的参数。Struts2可以选择使用POJO类来封装请求的参数,或者直接使用Action的属性。
5)表达式语言方面:
Struts1中整合了EL,但是EL对集合和索引的支持不强,Struts2整合了OGNL(Object Graph NavigationLanguage)。
6)绑定值到视图技术:
Struts1使用标准的JSP,Struts2使用“ValueStack”技术。
7)类型转换:
Struts1中的ActionForm基本使用String类型的属性。Struts2中使用OGNL进行转换,可以更方便的使用。
Struts1中支持覆盖validate方法或者使用Validator框架。Struts2支持重写validate方法或者使用XWork的验证框架。
8)Action执行控制的对比:
Struts1支持每一个模块对应一个请求处理,但是模块中的所有Action必须共享相同的生命周期。Struts2支持通过拦截器堆栈为每一个Action创建不同的生命周期。
二、拦截器的应用:
拦截器,在AOP(Aspect-Oriented Programming)中用于在某个方法或字段被访问之前,进行拦截然后在之前或之后加入某些操作。拦截是AOP的一种实现策略。Webwork的中文文档的解释为拦截器是动态拦截Action调用的对象它提供了一种机制可以使开发者可以定义在一个action执行的前后执行的代码,也可以在一个action执行前阻止其执行。同时也是提供了一种可以提取action中可重用的部分的方式。谈到拦截器,还有一个词大家应该知道拦截器链(Interceptor Chain,在Struts 2中称为拦截器栈Interceptor Stack)。拦截器链就是将拦截器按一定的顺序联结成一条链。在访问被拦截的方法或字段时,拦截器链中的拦截器就会按其之前定义的顺序被调用。
1)拦截器的实现原理:
大部分时候,拦截器方法都是通过代理的方式来调用的。Struts 2的拦截器实现相对简单。当请求到达Struts 2的ServletDispatcher时,Struts 2会查找配置文件,并根据其配置实例化相对的拦截器对象,然后串成一个列表(list),最后一个一个地调用列表中的拦截器。
2)拦截器的配置:
Struts 2已经为您提供丰富多样的,功能齐全的拦截器实现。大家可以至struts2的jar包内的struts-default.xml查看关于默认的拦截器与拦截器链的配置。
在struts.xml文件中定义拦截器,拦截器栈:
<package name="my" extends="struts-default" namespace="/manage">
<interceptors>
Struts和Webwork同为服务于Web的一种MVC框架,从某种程度上看,Struts2是从WebWork2上升级得到的。甚至Apache的官方文档也讲:WebWork2到Struts2是平滑的过渡。我们甚至也可以说Struts2就是WebWork2.3而已。在很多方面Struts仅仅是改变了WebWork下的名称。Struts2对应的有自己的标签,并且功能强大。Webwork也有自己的标签。在2005年12月,WebWork与Struts Ti决定合并, 再此同时, Struts Ti 改名为 Struts Action Framework 2.0,成为Struts真正的下一代。
3)处理Velocity模板:
org.apache.struts2.dispatcher.VelocityResult
随着模板技术的越来越流行,使用Freemarker或者Velocity模板进行View层展示的开发者越来越多。Struts2同样为模板作为Result做出了支持。由于模板的显示需要模板(Template)与数据(Model)的紧密配合,所以在Struts2中,这两个Result的主要工作是为模板准备数据。
4)用来处理Action链:
com.opensymphony.xwork2.ActionChainResult
chain其实只是在一个action执行完毕之后,forward到另外一个action,所以他们之间是共享HttpServletRequest的。在使用chain作为Result时,往往会配合使用ChainingInterceptor。ChainingInterceptor的作用是在Action直接传递数据。事实上,源Action中ValueStack的数据会被做一次Copy,这样,2个Action中的数据都在ValueStack中,使得对于前台来说,通过ValueStack来取数据,是透明而共享的。比如说,一张页面中,你可能有许多数据要显示,而某些数据的获取方式可能被很多不同的页面共享(典型来说,“推荐文章”这个小栏目的数据获取,可能会被很多页面所共享)。这种情况下,可以把这部分逻辑抽取到一个独立Action中,并使用chain,将这个Action与主Action串联起来。这样,最后到达页面的时候,页面始终可以得到每个Action中的数据。
从实战上讲,使用chain作为Result也的确存在着上面所说的许多问题,我个人也是非常不推崇滥用这种Result。尤其是,对于使用Spring和Hibernate的朋友来说,如果你开启OpenSessionInView模式,那么Hibernate的session是跟随HttpServletRequest的,所以session在整个action链中共享。这会为我们的编程带来极大的麻烦。因为我们知道Hibernate的session会保留一份一级缓存,在action链中,共享一级缓存无疑会为你的调试工作带来很大的不方便。
三、出现漏洞:
1)曝出高危安全漏洞
Struts2曝出2个高危安全漏洞,一个是使用缩写的导航参数前缀时的远程代码执行漏洞,另一个是使用缩写的重定向参数前缀时的开放式重定向漏洞。这些漏洞可使黑客取得网站服务器的“最高权限”,从而使企业服务器变成黑客手中的“肉鸡”。
2)解决措施
Apache Struts团队已发布了最新的Struts 2.3.15.1,修复了上述漏洞,建议采用Struts 2.0至Struts 2.3的网站开发者尽快升级至最新版。
3)带来影响
据乌云平台漏洞报告,淘宝、京东、腾讯等大型互联网厂商均受此影响,而且漏洞利用代码已经被强化,可直接通过浏览器的提交对服务器进行任意操作并获取敏感内容。Struts漏洞影响巨大,受影响站点以电商、银行、门户、政府居多,而且一些自动化、傻瓜化的利用工具开始出现,填入地址可直接执行服务器命令,读取数据甚至直接关机等操作。瑞星安全专家介绍,本次曝出的2个漏洞是由于缩写的导航和重定向前缀“action:”、 “redirect:”、 “redirectAction:”造成的。瑞星安全专家表示,由于这些参数前缀的内容没有被正确过滤,导致黑客可以通过漏洞执行命令,获取目标服务器的信息,并进一步取得服务器最高控制权。届时,被攻击网站的数据库将面临全面泄密的威胁,同时黑客还可以通过重定向漏洞的手段,对其他网民进行钓鱼攻击或挂马攻击。
Struts最早是作为ApacheJakarta项目的组成部分,项目的创立者希望通过对该项目的研究,改进和提高JavaServer Pages 、Servlet、标签库以及面向对象的技术水准。Struts这个名字来源于在建筑和旧式飞机中使用的支持金属架。这个框架之所以叫"Struts",是为了提醒我们记住那些支撑我们房屋,建筑,桥梁,甚至我们踩高跷时候的基础支撑。这也是一个解释Struts在开发Web应用程序中所扮演的角色的精彩描述。当建立一个物理建筑时,建筑工程师使用支柱为建筑的每一层提供支持。同样,软件工程师使用Struts为业务应用的每一层提供支持。它的目的是为了帮助我们减少在运用MVC设计模型来开发Web应用的时间。我们仍然需要学习和应用该架构,不过它将可以完成其中一些繁重的工作。如果想混合使用Servlets和JSP的优点来建立可扩展的应用,Struts是一个不错的选择。
