Apache Struts 1.x has been included in Liferay DXP 7.0. Apache Struts 1.x reached its end of product life in 2013. What is Liferay's stance towards continuing to use Apache Struts in current and future versions?
Liferay’s products only utilize a limited set of Struts 1.x’s capabilities and thus not all reported vulnerabilities apply to Liferay’s products. Liferay has been supporting and patching Struts 1.x on its own since 2013. Specifically, Liferay has been fixing security vulnerabilities found in Struts 1.x when those vulnerabilities pose a security risk to Liferay’s products.
The Liferay Product Team has decided not to use Apache Struts 2.x in the upcoming version of Liferay DXP 7.2 (LPS-75763). See the information below specific to your product version regarding Apache Struts 1.x.
Impact to Liferay platforms
Liferay DXP 7.2
Apache Struts 1.x has been completely removed from DXP 7.2. Some of the Liferay DXP code still contains the word struts. However, Liferay DXP 7.2+ does not have any dependencies on the Apache Struts libraries.
Liferay DXP 7.1
Beginning with DXP 7.1 Fix Pack 3 and higher, Apache Struts has been partially removed from the platform. Apache Portal Bridges was removed from
struts-tiles libraries have also been removed. Other Apache Struts dependencies such as the struts-core library have not been removed. Specifically, the only features used within Apache Struts 1.x are the Struts Action and Action Configuration capabilities. Struts’ Action Form, tag libraries, tiles, and other related capabilities are not utilized.
Custom modules which attempt to leverage Apache Struts through Liferay DXP will have to call any Struts classes directly or include third-party dependencies in their module.
Liferay DXP 7.0
Beginning with DXP 7.0 Fix Pack 59 and higher, Struts has been partially removed from the platform. However, this should not cause any negative impact for customers who install Fix Pack 59, regardless of their Apache Struts implementation.
Impact to Developers
Liferay DXP 7.1
Developers using Apache Struts in their custom modules may be affected by this change. It depends on whether they are using Struts actions within a portlet or have created a Struts portlet. The partial removal will break Struts portlet dependencies since the required third-party libraries are unavailable in the Liferay DXP system. There should be no impact if developers are using Struts actions. See this article for more information about updating a Struts portlet and Upgrading Portlet Plugins.
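To tell which of the two cases above a custom module falls into before applying the fix pack, its WAR or JAR can be searched for references to the removed libraries. The following is an added example, not Liferay code: the function names and category labels are hypothetical, the markers are the standard Struts 1.x and Apache Portals Bridges package names, and `build_sample` only constructs test input.

```python
import io
import zipfile

# Package markers: slash form occurs in class-file constant pools, dot form in
# descriptors such as portlet.xml or struts-config.xml.
MARKERS = {
    "portals-bridges": (b"org/apache/portals/bridges/struts", b"org.apache.portals.bridges.struts"),
    "struts-tiles": (b"org/apache/struts/tiles", b"org.apache.struts.tiles"),
    "struts-action": (b"org/apache/struts/action", b"org.apache.struts.action"),
}
# Per the article: Portal Bridges and struts-tiles are no longer shipped with
# DXP 7.1 Fix Pack 3+, while struts-core (Action, Action Configuration) still is.
REMOVED = {"portals-bridges", "struts-tiles"}
SCANNED = (".class", ".xml", ".jsp", ".tld")


def scan_archive(data):
    """Return {marker: [entry, ...]} for a module WAR/JAR passed as bytes.

    Only the module's own classes and descriptors are searched; bundled JARs
    are not opened, and class names built at runtime will not be seen.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(SCANNED):
                continue
            body = zf.read(info)
            for key, needles in MARKERS.items():
                if any(n in body for n in needles):
                    hits.setdefault(key, []).append(info.filename)
    return hits


def classify(hits):
    """Map scan results onto the impact cases the article distinguishes."""
    if REMOVED.intersection(hits):
        return "affected: uses libraries removed from the platform"
    if "struts-action" in hits:
        return "struts actions only: no impact expected"
    return "no struts references found"


def build_sample(files):
    """Constructed input: zip a {path: bytes} mapping in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()
```

For a real module, read the archive from disk and call `classify(scan_archive(data))`; the returned entry lists show which files need attention.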