Why do Java webapps use .do extension? Where did it come from?

To my knowledge, this convention has been spread by Struts1. The user guide puts it like this:

5.4.2 Configure the ActionServlet Mapping

Note: The material in this section is not specific to Struts. The configuration of servlet mappings is defined in the Java Servlet Specification. This section describes the most common means of configuring a application.

There are two common approaches to defining the URLs that will be processed by the controller servlet -- prefix matching and extension matching. An appropriate mapping entry for each approach will be described below.

Prefix matching means that you want all URLs that start (after the context path part) with a particular value to be passed to this servlet. Such an entry might look like this:

<servlet-mapping>    <servlet-name>action</servlet-name>    <url-pattern>/do/*</url-pattern></servlet-mapping>

which means that a request URI to match the /logon path described earlier might look like this:

http://www.mycompany.com/myapplication/do/logon

where /myapplication is the context path under which your application is deployed.

Extension mapping, on the other hand, matches request URIs to the action servlet based on the fact that the URI ends with a period followed by a defined set of characters. For example, the JSP processing servlet is mapped to the *.jsp pattern so that it is called to process every JSP page that is requested. To use the *.do extension (which implies "do something"), the mapping entry would look like this:

<servlet-mapping>    <servlet-name>action</servlet-name>    <url-pattern>*.do</url-pattern></servlet-mapping>

and a request URI to match the /logon path described earlier might look like this:

http://www.mycompany.com/myapplication/logon.do

WARNING - The framework will not operate correctly if you define more than one <servlet-mapping> element for the controller servlet.

WARNING - If you are using the new module support since version 1.1, you should be aware that only extension mapping is supported.

And I think this convention has been kept (sometimes to not change URLs even after replacing Struts1, sometimes just because people were happy with it).

It was common practice to map your struts servlet to *.do in web.xml to pass URLs to the struts servlet. For example:

<!-- Standard Action Servlet Mapping --><servlet-mapping>    <servlet-name>action</servlet-name>    <url-pattern>*.do</url-pattern></servlet-mapping>

There is really no reason except convention for this. If you use no extension you need to do some magic to handle images and other static content in a way that doesn't send them to your sevlet. Often this gets done at a load balancer of a fronting web server.

Just a security tip!

It is good practice to use some unusual extension for your controller, in this way the intruders will need to spend more time to find some info about the site.

So if you change the default extension, plus some few statics in your framework which may reveal your hand, your MVC framework can be completely unknown.

Even change extension to php or aspx could be good idea.

Well indeed this is security by obfuscation, but this isn't the opposite of good security. Layering security by obscurity on top of an already secure system might help. There are interesting pros and cons of security by obfuscation and when they can be both used in the internet.