"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork
(hereafter referred to simply as Struts2) development team could add to increase the security of
applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version
available when the project was started. The purpose of this research is not to discover security flaws
within Struts2, but rather to discover how the Struts2 framework allows developers to build security
into applications, and how that process can be improved.

The only non-commercial application security library that covers all necessary security is an expert tool
called Enterprise Security API (ESAPI), which is maintained by OWASP (http://owasp.org/). Throughout
the paper there will be many comparisons to the ESAPI project since it serves as a de facto model of
security best practices. Acegi Security, recently renamed to Spring Security, is a framework that allows
for excellent enterprise authentication and authorization configuration, but lacks coverage of other
areas covered by ESAPI."