What Is New in Apache Struts 2.5
This release focuses on modernizing the framework and tightening security. We've added support for newer Java versions, deprecated older constructs, and patched several vulnerabilities. The table below summarizes the key changes.
| Category | Key Changes |
|---|---|
| New Features & Support | Java 8 minimum requirement, new plugin structure, Jakarta EE compatibility package. |
| Improvements | OSGi support enhancements, updated dependencies (Log4j 2, Tiles 3), internal refactoring. |
| Deprecations | Deprecated the JSON plugin, BeanUtils.copy() method, and several internal classes. |
| Bug Fixes | Multiple fixes for issues in REST plugin, configuration handling, and UI tags. |
| Security | Security fixes for potential RCE and DoS vulnerabilities. Mandatory update from older versions. |
What are the major Java version requirements?
Struts 2.5 requires Java 8 as a minimum. This is a hard requirement; the framework will not run on Java 7 or earlier. In practice, this lets us use modern Java language features and APIs for cleaner, more efficient code. You should plan your JDK/JRE upgrades accordingly if you're coming from an older Struts version.
How does the new plugin architecture work?
The plugin system was reworked to be more modular. Plugins must now explicitly declare their package dependencies. This change prevents classloading issues and makes the framework more stable, especially in complex deployments. You'll need to ensure your custom plugins follow the new structure.
What security issues were addressed?
This release includes fixes for a few critical vulnerabilities. One could potentially lead to remote code execution if a malicious Content-Type value was used, while another involved a denial-of-service risk with specially crafted URLs. Always update promptly to mitigate these risks in production.
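A defensive check for the Content-Type issue described above, as an added example (not code from the Struts project): it flags logged requests whose Content-Type is not a well-formed, expected media type. The tab-separated log layout, the allowlist, the length cap and the sample lines are assumptions constructed for illustration, as is the premise that a malicious value fails this grammar, since the page does not describe the payload.

```python
import re

# RFC 7230 "token" characters: braces, parentheses, quotes and spaces are excluded.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x20-\x7e])*"'
# type "/" subtype *( OWS ";" OWS name "=" ( token / quoted-string ) )
MEDIA_TYPE = re.compile(
    rf"({TOKEN})/({TOKEN})(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED}))*[ \t]*"
)

# Assumptions: the media types this application legitimately receives, and a length cap.
ALLOWED = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
})
MAX_LEN = 128

def classify(value):
    """Return 'ok', or the reason a Content-Type value should be flagged."""
    if len(value) > MAX_LEN:
        return "too-long"
    match = MEDIA_TYPE.fullmatch(value)
    if match is None:
        return "malformed"
    if f"{match.group(1)}/{match.group(2)}".lower() not in ALLOWED:
        return "not-allowed"
    return "ok"

def scan(log_lines):
    """Return (line_no, path, reason) for each request with a suspect Content-Type."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        _ts, _method, path, ctype = line.rstrip("\n").split("\t", 3)
        if ctype == "-":  # no Content-Type header logged, nothing to check
            continue
        reason = classify(ctype)
        if reason != "ok":
            findings.append((line_no, path, reason))
    return findings

# Constructed sample log: timestamp, method, path, Content-Type (tab-separated).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\tPOST\t/login.action\tapplication/x-www-form-urlencoded",
    "2024-01-01T10:00:01Z\tPOST\t/upload.action\tmultipart/form-data; boundary=----abc123",
    "2024-01-01T10:00:02Z\tPOST\t/upload.action\t{constructed-non-media-type-value}",
    "2024-01-01T10:00:03Z\tPOST\t/api/items\tapplication/xml",
    "2024-01-01T10:00:04Z\tGET\t/index.action\t-",
]
```

The same `classify` logic can sit in a reverse proxy or request filter to reject such values before they reach the framework; it complements the upgrade and does not replace it.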
What functionality has been deprecated?
We deprecated the JSON plugin, recommending you use the REST plugin instead for better performance and features. The BeanUtils.copy() method is also on the list due to its limitations. Several internal classes were marked for removal in future versions, so check your code for any usage.
FAQ
Is Struts 2.5 backwards compatible with my Struts 2.3 application?
Mostly, but not entirely. While many applications will work, the mandatory Java 8 requirement and the deprecated JSON plugin are the main breaking changes. You'll need to test thoroughly and likely replace the JSON plugin with the REST alternative.
Why was the JSON plugin deprecated?
It was superseded by the more powerful and flexible REST Plugin, which handles JSON serialization and deserialization more effectively. The old plugin had limitations and didn't align with the modernized direction of the framework.
I use OSGi; what improvements should I expect?
The OSGi support is more robust now. The core bundles have better metadata and the plugin mechanism is better suited for the OSGi environment, reducing classloader conflicts and making deployment smoother.
What's the deal with the Jakarta EE compatibility package?
It's a separate optional package (struts2-jakarta-compat) that allows Struts to run on Jakarta EE 9+ servers where the javax.* namespace has been replaced with jakarta.*. You only need this if you're deploying to a modern application server like Tomcat 10+.
Should I be concerned about the internal class deprecations?
Only if you're directly using them in your application code. These deprecations are a warning that those classes may be removed or changed in the next major release. Avoid using internal Struts classes directly to prevent future breakage.