> Hi,
>
> Our project is developed on Struts 1.1 and has been running without any issues for the past several years. Due to EOL announcement for struts 1.x we are planning to move to Struts 2. As per the migration strategies stated, we are planning to use struts2-struts1-plugin-2.3.28.1.jar in our system and for any new development we are planning to use Struts 2 framework.
>
> With regard to this, we have the following queries:
>
> 1) If we are using this plugin would security vulnerabilities reported on struts 1.x, struts 2.x get mitigated since we would be using struts 2.3.28 to handle the incoming request first and delegating to struts-1.3.10 classes internally.
>
> 2) If above is not so, any recommendations on when to use this plugin.
>
> Thanks,
> Vivek
Hi,

for our projects we usually migrate like this:

- have struts1 and struts2 in the app
- struts1 actions are still handled by struts1, we don't use struts2-struts1-plugin
- in each release some old actions are rewritten with struts2
- new actions are always written with struts2
- when there are no struts1 actions left -> remove the framework

I'm not sure if struts1 vulnerabilities affect struts2-struts1-plugin. Probably it depends on the type of vuln. So some might affect the plugin and some might not.

Regards,
Christoph
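
A sketch of the side-by-side deployment described in the reply above, added here as an example and not taken from either poster's project. The URL patterns (`*.do`, `*.action`) and the `struts-config.xml` location are assumptions; the filter class is the one shipped in the Struts 2.3.x line.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Struts 1 and Struts 2 in one webapp, without
     struts2-struts1-plugin. URL patterns and file paths are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Struts 2: serves only new and already rewritten actions.
       Scoped to *.action so legacy requests never enter this filter. -->
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>

  <!-- Struts 1: serves the legacy actions that have not been rewritten yet.
       Delete this servlet, its mapping and the Struts 1 jars once
       struts-config.xml has no action mappings left. -->
  <servlet>
    <servlet-name>struts1</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>struts1</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

</web-app>
```

With this split, every `*.do` request is still processed entirely by Struts 1 code, so the number of remaining action mappings in `struts-config.xml` is a direct measure of how much of the application still depends on the end-of-life framework.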