Setup
Installation and configuration guide for NES for Apache Struts 1.1.x
Setup Instructions
NES for Apache Struts 1.1 requires Java 8.
Example repositories showing before/after configuration:
Configure Registry
Create or update your registry configuration:
<settings>
  <servers>
    <server>
      <id>herodevs-nes-registry</id>
      <username>any_text_here_not_used</username>
      <password>YOUR_NES_ACCESS_TOKEN</password>
    </server>
  </servers>
</settings>
See the guides for Sonatype Nexus or JFrog Artifactory for setup to the HeroDevs NES registry.
Update Build Configuration
Add the NES repository and dependencies to your build configuration:
Look up the latest artifact version in the "Struts 1 Release Notes".
<!-- Update Struts 1.1 dependency versions for packages struts or struts-el -->
<dependencies>
  <dependency>
    <groupId>struts</groupId>
    <artifactId>struts</artifactId>
    <version>1.1.0-struts-1.1.2</version><!-- Updated Version -->
  </dependency>
  <!-- struts-el if used -->
  <dependency>
    <groupId>struts</groupId>
    <artifactId>struts-el</artifactId>
    <version>1.1.0-struts-1.1.2</version><!-- Updated Version -->
  </dependency>
  <!-- Example of using patched NES commons-beanutils 1.7. The recommended version is 1.9.4, which is the default if no override is provided. -->
  <dependency> <!-- Don't include this if you're using the default version -->
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>1.7.0-commons-beanutils-1.7.4</version> <!-- Patched NES Version -->
  </dependency>
  <!-- Example of using patched NES commons-fileupload nes-v1.5.x. fileupload is optional only add if needed -->
  <dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.5.0-commons-fileupload-1.5.2</version> <!-- Patched NES Version -->
  </dependency>
  ...
</dependencies>
<!-- Add NES repository -->
<repositories>
  <repository>
    <id>herodevs-nes-registry</id>
    <url>https://registry.nes.herodevs.com/maven</url>
  </repository>
</repositories>
Handle Breaking Change
CVE-2006-1546: Validation always skipped with Globals.CANCEL_KEY
Issue: Cancel Processing
The Struts <html:cancel> tag sets a request parameter org.apache.struts.taglib.html.Constants.CANCEL which causes validation to be skipped.
Spoofing this request parameter, however, could be used maliciously to circumvent an application's validation and proceed with request processing using erroneous and potentially damaging data.
Resolution: Cancellable Property
A new cancellable property has been introduced which indicates whether an action is allowed to be cancelled or not. In Struts nes-v1.1.2 this is set to true or false for an action in the struts-config.xml using the <set-property> notation. The default value is false and without updating the struts-config.xml, the application will not be able to use the cancel processing.
Now any action where the cancellable property is not set to true will throw an InvalidCancelException.
This change is forward compatible with Struts 1.2.x and 1.3.x.
Upgrade Implications
Any existing applications that use the Cancel processing will need to modify their struts-config.xml to set the cancellable property for actions which require it.
In Struts nes-v1.1.2 the <set-property> is used to set the cancellable property for an action.
<action path="/fooAction"
        input="/foo.jsp"
        validate="true">
  <set-property property="cancellable" value="true"/>
  <forward name="success" path="/bar.jsp"/>
</action>
In Struts nes-v1.1.2 an exception handler can be configured to handle the InvalidCancelException.
<action path="/fooAction"
        input="/foo.jsp"
        validate="true"
        cancellable="true">
  <forward name="success" path="/bar.jsp"/>
  <exception key="errors.cancel"
             type="org.apache.struts.action.InvalidCancelException"
             path="/foo.jsp"/>
</action>
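To scope this change before upgrading, the added example below (not part of the HeroDevs documentation or the NES code) lists every action mapping in a struts-config.xml with whether it opts in to cancel processing, in either form shown above, and whether an InvalidCancelException handler is declared locally or globally. The sample configuration and the function names are constructed for illustration, and only handlers declared for the exact exception type are counted.

```python
import xml.etree.ElementTree as ET

CANCEL_EXC = "org.apache.struts.action.InvalidCancelException"

# Constructed struts-config.xml for illustration; paths and JSP names are made up.
SAMPLE_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/editProfile" input="/profile.jsp" validate="true">
      <set-property property="cancellable" value="true"/>
      <exception key="errors.cancel" path="/profile.jsp"
                 type="org.apache.struts.action.InvalidCancelException"/>
      <forward name="success" path="/done.jsp"/>
    </action>
    <action path="/transferFunds" input="/transfer.jsp" validate="true">
      <forward name="success" path="/receipt.jsp"/>
    </action>
    <action path="/legacyCancel" input="/old.jsp" cancellable="true">
      <forward name="success" path="/old.jsp"/>
    </action>
  </action-mappings>
</struts-config>"""


def is_cancellable(action):
    """True if the action opts in via <set-property> or a cancellable attribute."""
    if action.get("cancellable", "").strip().lower() == "true":
        return True
    return any(sp.get("property") == "cancellable"
               and sp.get("value", "").strip().lower() == "true"
               for sp in action.findall("set-property"))


def handles_invalid_cancel(scope):
    """True if scope declares an <exception> for exactly InvalidCancelException."""
    return scope is not None and any(
        e.get("type") == CANCEL_EXC for e in scope.iter("exception"))


def audit(xml_text):
    """Return {path: (cancellable, has_handler)} for every <action> mapping."""
    root = ET.fromstring(xml_text)
    global_handler = handles_invalid_cancel(root.find("global-exceptions"))
    return {a.get("path"): (is_cancellable(a),
                            global_handler or handles_invalid_cancel(a))
            for a in root.iter("action")}


if __name__ == "__main__":
    for path, (cancellable, handled) in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{path:16} cancellable={cancellable!s:5} handler={handled}")
```

Actions reported as cancellable are the ones where a request carrying the cancel parameter still bypasses validation, so that list is worth keeping as short as the application allows.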
Build
In order to remove potential obstacles before building your project, make sure the following domains are whitelisted by your firewall/networking team:
registry.nes.herodevs.com
assets.nes.herodevs.com
This will ensure that your network/firewall allows connection to our registry.
Run your build tool:
mvn clean install
Verification
To verify your installation, check that:
- Dependencies are downloaded successfully
- No version conflicts are reported in your build
- Your application starts without errors
Manual Downloads
The direct download URLs for NES for Apache Struts packages follow this format:
| Portion | Value |
|---|---|
| base_url | https://registry.nes.herodevs.com/maven/org/apache/struts/ |
| package_name | struts |
| version | 1.1.0-struts-1.1.3 |
| filename | package_name + version + extension |