Release Notes 2.0.10
Added by James Holmes, last edited by Antonio Petrelli on Sep 17, 2007

These are the notes for the Struts 2.0.10 distribution.

Struts 2.0.10 corrects a serious security flaw in the Struts 2 tags where using JSP EL expressions could allow malicious OGNL expressions through. All users are encouraged to update to Struts 2.0.10. Note that existing pages that utilize JSP EL expressions with Struts 2 tags will no longer work as of this release.
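
A way to find the pages this change affects before upgrading, as an added example that is not part of the Struts distribution or these notes: the script reports every Struts 2 tag attribute that contains a JSP EL expression. It assumes the tag library is declared with the /struts-tags URI; the function names and the sample page are constructed for illustration.

```python
import re

# Constructed sample page (not taken from the Struts distribution).
SAMPLE_JSP = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<s:textfield name="user" value="${param.user}"/>
<s:property value="%{user.name}"/>
<c:out value="${param.user}"/>
<s:a href="${ctx}/list.action"
     title="all">list</s:a>
'''

TAGLIB = re.compile(r'<%@\s*taglib\b([^%]*)%>', re.I)
ATTR = re.compile(r'([\w:.-]+)\s*=\s*("[^"]*"|\'[^\']*\')')
# Attribute list of an opening tag; quoted values may contain '>' safely.
ATTRS = r'((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|\'[^\']*\'))*)\s*/?>'

def struts_prefixes(jsp):
    """Prefixes bound to the Struts 2 tag library in taglib directives."""
    found = set()
    for m in TAGLIB.finditer(jsp):
        attrs = {k.lower(): v[1:-1] for k, v in ATTR.findall(m.group(1))}
        if attrs.get("uri") == "/struts-tags" and "prefix" in attrs:
            found.add(attrs["prefix"])
    return found

def el_in_struts_tags(jsp):
    """Return (line, tag, attribute, value) for each EL-bearing attribute."""
    hits = []
    for prefix in struts_prefixes(jsp):
        tag_re = re.compile(r'<(%s:[\w-]+)' % re.escape(prefix) + ATTRS)
        for m in tag_re.finditer(jsp):
            line = jsp.count("\n", 0, m.start()) + 1
            for name, quoted in ATTR.findall(m.group(2)):
                # Only JSP EL (${...}) is reported; OGNL %{...} is not EL.
                if "${" in quoted:
                    hits.append((line, m.group(1), name, quoted[1:-1]))
    return sorted(hits)

if __name__ == "__main__":
    for line, tag, attr, value in el_in_struts_tags(SAMPLE_JSP):
        print("line %d: <%s> %s=%r" % (line, tag, attr, value))
```

Tags from other libraries, such as the JSTL c:out in the sample, are not reported because only prefixes bound to /struts-tags are checked.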

For prior notes in this release series, see Release Notes 2.0.9.

  • If you are a Maven user, you might want to get started using the Maven Archetype.
  • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.

Maven Dependency

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.0.10</version>
</dependency>

Snapshot Repository

<repositories>
  <repository>
    <id>apache.snapshots</id>
    <name>ASF Maven 2 Snapshot</name>
    <url>http://people.apache.org/repo/m2-snapshot-repository</url>
  </repository>
</repositories>

Significant Fixes

  • This release fixes a security flaw in the Struts 2 tags where using JSP EL expressions could allow malicious OGNL expressions through.
  • Portlet support has been significantly improved in this release to fix issues related to using several of the pre-bundled Struts 2 interceptors.
  • For other changes, see the JIRA release notes.

API changes

  • The org.apache.struts2.components.Component.determineActionURL signature has changed: now it has two more parameters. Extension developers are invited to modify their code accordingly.

Experimental Features and Plugins

Please help us test these brave new features. Feedback appreciated!

  • Java 1.4 support: We are backporting the core Struts and XWork JARs, and, as a courtesy, bundling them with the distribution. However, Struts 2 is being coded for Java 5 and backward compatibility is not assured.
  • Cookie Interceptor: Injects cookies with a configurable name/value into the action (since 2.0.7) (WW-1678).
  • Portlets: Automatic portlet support allows portal and servlet deployments with no code changes (WW-1645).
  • AJAX Theme: AJAX tags look and feel just like standard Struts tags but provide greater interactivity and flexibility. The AJAX theme is backed by the popular Dojo Toolkit (WW-1609).
  • Zero Configuration: Optionally, eliminate or reduce XML configuration with convention and annotation (WW-1491).
  • REST-ful URLs: Use search-engine friendly URLs, like category/action/movie/Thrillers (WW-1475).
  • Experimental Plugins
    • Codebehind Plugin: Reduce mundane configuration by using "page controller" conventions (WW-1515).
    • Plexus Plugin: A new plugin that enables Struts Actions, Interceptors, and Results to be created and injected by Plexus.
    • Scope Plugin: Initial version of scope plugin that mimics JBoss Seam-style of scoped bijection (presently in the Sandbox).
    • Struts1 Plugin: A new plugin that allows you to use existing Struts 1 Actions and ActionForms in Struts 2 applications.
    • Tiles Plugin: A new plugin that allows your Struts actions to return Tiles pages. The Tiles plugin is dependent on Tiles 2, which is still in beta.

Issue Detail

Issue List

Other resources

Release Plan

  • Struts 2.0.10 is a milestone version in the 2.0.x series. Struts 2.0.9 is the prior GA release.
  • The Release Managers are James Holmes and Ted Husted.
  • The tag date for the release is 9 Sep 2007.