I am tasked with developing a web application and am thinking of using the Struts framework as it seems to be a standard and is easy to implement.

However, before making a decision I need to know the security features available in Struts.

Are there effective ways to handle the OWASP Top 10 using Struts? And if so, how would I accomplish it?

+1  A: 

Struts is there to offer you an MVC framework and it has limited security features, e.g. you can map roles to actions. I would recommend you look into something more full-fledged like Spring Security (formerly Acegi).

yclian
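The role-to-action mapping yclian refers to, shown as an added configuration example that is not part of the original answer. It assumes Struts 1.x (the `roles` attribute on an action mapping) deployed under a container that performs the authentication itself; the action class names, role names and login pages are placeholders.

```xml
<!-- struts-config.xml: the "roles" attribute is essentially the whole of
     Struts 1's built-in access control. Before invoking the Action, the
     RequestProcessor calls request.isUserInRole() for each listed role and
     rejects the request when none of them match. -->
<action-mappings>
  <action path="/deleteUser"
          type="com.example.admin.DeleteUserAction"
          roles="admin"/>
  <action path="/editProfile"
          type="com.example.account.EditProfileAction"
          roles="user,admin"/>
  <!-- No roles attribute: reachable by anyone, including anonymous users. -->
  <action path="/login"
          type="com.example.LoginAction"/>
</action-mappings>

<!-- web.xml: the roles above only mean something when the container has
     authenticated the user. Declare the roles and force a login for the
     action URLs, otherwise isUserInRole() is false for everyone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

Two caveats when relying on this: an action mapping with no `roles` attribute is open to every caller, so the default is allow rather than deny, and Struts 1.x answers a failed role check with HTTP 400 rather than 403. Input validation, output encoding, CSRF protection and the rest of the OWASP Top 10 are not addressed by this mechanism at all, which is why the answer points at a dedicated security framework.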
A: 

The best way to handle the OWASP Top ten in struts is to look at the OWASP Enterprise Security API...

jm04469
A: 

Even for the features that YC mentions, you probably don't want to use a Struts configuration file out of the box to set up the ACLs for your actions. It may be better to programmatically examine state in the HttpRequest as it gets out of the ActionServlet, before it reaches your Struts actions (i.e. is this HttpRequest coming from an authenticated and authorized user given the URL?). Alternatively, you could intercept the request with a ServletFilter, though you would have to be careful to make sure it's thread-safe.

Alan
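The servlet-filter approach Alan describes, as an added example that is not code from the original answer. It is a hypothetical deny-by-default authorization filter that sits in front of the Struts ActionServlet; the path prefixes, role names and class name are assumptions. Thread safety comes from keeping every piece of filter state immutable after class initialisation: `doFilter()` reads shared data but never writes it, so concurrent requests need no locking.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical authorization filter that runs before the Struts ActionServlet.
 * All configuration is immutable and built once, so the per-request doFilter()
 * is safe under concurrent access without synchronization.
 */
public class ActionAuthorizationFilter implements Filter {

    // Paths (servlet path + path info) that may be reached anonymously.
    // Everything else requires an authenticated user: deny by default.
    private static final List<String> PUBLIC_PREFIXES = Collections.unmodifiableList(
            Arrays.asList("/login.do", "/logout.do", "/public/"));

    // Path prefix -> container role required to reach it. Entries are checked
    // in insertion order, so the most specific prefix must come first.
    private static final Map<String, String> ROLE_BY_PREFIX = buildRoleMap();

    private static Map<String, String> buildRoleMap() {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("/admin/", "admin");
        m.put("/account/", "user");
        return Collections.unmodifiableMap(m);
    }

    /** Role required for the path, or null when any authenticated user may reach it. */
    static String requiredRole(String path) {
        for (Map.Entry<String, String> e : ROLE_BY_PREFIX.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    static boolean isPublic(String path) {
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig config) {
        // Nothing to do: no mutable state is created per deployment.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path and path info are URL-decoded by the container, unlike
        // getRequestURI(), so a percent-encoded prefix cannot slip past the match.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }
        if (request.getUserPrincipal() == null) {
            // Not logged in. With FORM auth you would redirect to the login page instead.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String role = requiredRole(path);
        if (role != null && !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // authorized: hand over to the ActionServlet
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```

Register it in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*` so it runs for every action URL ahead of the ActionServlet. The design choice worth noting is that the only data shared between requests is the two static collections, both wrapped as unmodifiable after construction; if you later load the prefix table from a database or admin page, replace the whole map atomically (e.g. a `volatile` reference to a fresh unmodifiable map) rather than mutating it in place, or you reintroduce the race Alan warns about.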