Steps for upgrading Struts 2 to Struts 2.3.15.1 (the latest security release)

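The recent Struts security problems have had a big impact, and there is news about it on iteye as well: the Apache Struts team released Struts 2.3.15 at the end of June, and because that version was found to contain an important security vulnerability, the team today released the Struts 2.3.15.1 security update.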

News link: http://www.iteye.com/news/28053

 

So I upgraded the Struts version of my current project; it was 2.2.3 and is now upgraded to 2.3.15.1.

 

First, download the jar package: http://struts.apache.org/download.cgi#struts23151

Essential Dependencies Only:

struts-2.3.15.1-lib.zip (19MB) [PGP] [MD5]

 

Copy the core jars from the downloaded package:

antlr-2.7.2

aopalliance-1.0

asm-3.3

asm-commons-3.3

asm-tree-3.3

builder-0.6.2

classworlds-1.1

commons-beanutils-1.8.0

commons-collections-3.1

commons-chain-1.2

commons-digester-2.0

commons-fileupload-1.3

commons-io-2.0.1

commons-lang3-3.1

commons-lang-2.4

commons-logging-1.1.3

commons-logging-api-1.1

commons-validator-1.3.1

freemarker-2.3.19

ognl-3.0.6

struts2-convention-plugin-2.3.15.1

struts2-core-2.3.15.1

struts2-dojo-plugin-2.3.15.1

struts2-jfreechart-plugin-2.3.15.1

struts2-json-plugin-2.3.15.1

struts2-junit-plugin-2.3.15.1

struts2-spring-plugin-2.3.15.1

xwork-core-2.3.15.1

 

At this point, back up all the original jars first, just in case...

Delete from the project's WEB-INF/lib:

asm-3.1

struts2-spring-plugin-2.2.3

struts2-junit-plugin-2.2.3

struts2-json-plugin-2.2.3

struts2-jfreechart-plugin-2.2.3

struts2-dojo-plugin-2.2.3

struts2-core-2.2.3

ognl-2.7.3

freemarker-2.3.15

commons-collections-3.1

commons-io-1.3.2

commons-fileupload-1.2.1

commons-beanutils-1.7.0

commons-validator-1.3.1

xwork-core-2.2.3

 

The safest approach

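Take the core jars as the reference: if the original lib contains a jar with the same name but a different version, replace it; if it has none, copy the jar in directly. Replacement follows the principle of "whichever is newer replaces the other".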

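(A small episode: I copied antlr-2.7.2 from the core jars, but my original project had antlr-2.7.6 and I did not notice; the result was the error java.lang.NoSuchMethodError: antlr.collections.AST.getLine(). Deleting antlr-2.7.2 fixed it.)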

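For jars whose names start with struts2, find the replacement version among the core jars for each one the project already had; where there is no jar of the same name, do not swap anything.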

 

Please note: commons-collections, commons-lang and commons-logging in the original lib must be kept.
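
The replacement rule above, and the antlr mix-up it led to, can be checked before any file is touched. The following Python code is an added example, not part of the original post; `parse`, `plan_upgrade` and the two sample lists are hypothetical names and constructed data, and jar names are assumed to have the form name-numeric.version.

```python
import re

# Matches "<artifact>-<dotted numeric version>[.jar]", e.g. struts2-core-2.3.15.1.jar
JAR_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*)(?:\.jar)?$")

def parse(jar):
    """Split a jar file name into (artifact, version tuple)."""
    m = JAR_RE.match(jar)
    if not m:
        raise ValueError("unrecognised jar name: " + jar)
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def plan_upgrade(existing, core):
    """Map each core jar to (action, jar to delete from lib or None)."""
    old = {}
    for jar in existing:
        name, ver = parse(jar)
        if name in old:  # two versions of one artifact already on the classpath
            raise ValueError("duplicate artifact in lib: %s, %s" % (old[name][1], jar))
        old[name] = (ver, jar)
    plan = {}
    for jar in core:
        name, ver = parse(jar)
        if name not in old:
            # struts2-* jars are only swapped when the project already had them
            plan[jar] = ("skip" if name.startswith("struts2-") else "copy", None)
        elif old[name][0] < ver:
            plan[jar] = ("replace", old[name][1])  # newer replaces older
        else:
            plan[jar] = ("skip", None)  # lib already holds the same or a newer version
    return plan

# Constructed sample: a few names taken from the lists in this post.
EXISTING_LIB = ["antlr-2.7.6.jar", "asm-3.1.jar", "struts2-core-2.2.3.jar",
                "ognl-2.7.3.jar", "commons-collections-3.1.jar", "xwork-core-2.2.3.jar"]
CORE_JARS = ["antlr-2.7.2.jar", "asm-3.3.jar", "asm-tree-3.3.jar",
             "struts2-core-2.3.15.1.jar", "struts2-convention-plugin-2.3.15.1.jar",
             "ognl-3.0.6.jar", "commons-collections-3.1.jar", "xwork-core-2.3.15.1.jar"]

if __name__ == "__main__":
    for jar, (action, old_jar) in plan_upgrade(EXISTING_LIB, CORE_JARS).items():
        print(action, jar, "(delete %s)" % old_jar if old_jar else "")
```

With the sample lists, antlr-2.7.2 is skipped because lib already holds antlr-2.7.6, which is the case that produced the NoSuchMethodError described above.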

 

 

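After refreshing (please make sure the project ran without errors before you changed the lib... a silly remark), reconfigure Tomcat and run...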

 

If you run into messages such as NoSuchMethod or ClassNotFound, check whether you deleted one of the original jars by mistake.

 

If you see this message:

 

*********************************************************************** 
*                               WARNING!!!                            * 
*                                                                     * 
* >>> FilterDispatcher <<< is deprecated! Please use the new filters! * 
*                                                                     * 
*           This can be a source of unpredictable problems!           * 
*                                                                     * 
*              Please refer to the docs for more details!             * 
*            http://struts.apache.org/2.x/docs/webxml.html            * 
*                                                                     * 
***********************************************************************

 

In web.xml, replace FilterDispatcher with StrutsPrepareAndExecuteFilter (org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter).

 

 

If you see this message:

 

*********************************************************************** 
*                               WARNING!!!                            * 
*                                                                     * 
* >>> ActionContextCleanUp<<< is deprecated! Please use the new filters! * 

*                                                                     * 
*           This can be a source of unpredictable problems!           * 
*                                                                     * 
*              Please refer to the docs for more details!             * 
*            http://struts.apache.org/2.x/docs/webxml.html            * 
*                                                                     * 
***********************************************************************

 

Likewise, in web.xml replace ActionContextCleanUp with StrutsPrepareAndExecuteFilter (org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter).

 

If StrutsPrepareAndExecuteFilter was already configured, remove ActionContextCleanUp.

       

For example, this is what mine looks like after the change:

   

<!-- Struts configuration -->
	 <!-- <filter>  must be removed after upgrading to 2.3.15.1
		<filter-name>struts2-cleanup</filter-name>
		<filter-class>
			org.apache.struts2.dispatcher.ActionContextCleanUp
		</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>struts2-cleanup</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>  -->
	
     
	<filter>
		<filter-name>struts2</filter-name>
		<filter-class>
		org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
		</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>struts2</filter-name>
		<url-pattern>*.action</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>

 

 

For the web.xml configuration after the upgrade, see:

http://struts.apache.org/development/2.x/docs/webxml.html

 

 

 

 

      
