问题描述
我们目前有一个 Java Web 应用程序正在从 Struts 1 迁移到 Struts 2.我们想配置 X-Frame-Options 和 Content-Security-Policy 我们所有 Struts 2 动作的标题.我们有很多动作,我想尽可能避免单独修改它们.
We currently have a java web application in the middle of migration from Struts 1 to Struts 2. We would like to configure X-Frame-Options and Content-Security-Policy headers for all our Struts 2 actions. We have a lot of actions and I want to avoid modifying them all separately if at all possible.
我目前的想法是将以下拦截器添加到默认堆栈中:
the idea I currently have is the following interceptor which would be added to the default stack:
import javax.servlet.http.HttpServletResponse; import org.apache.struts2.ServletActionContext; import com.opensymphony.xwork2.ActionInvocation; import com.opensymphony.xwork2.interceptor.Interceptor; public class HttpHeaderInterceptor implements Interceptor { private static final long serialVersionUID = 1L; @Override public void destroy() { // TODO Auto-generated method stub } @Override public void init() { // TODO Auto-generated method stub } @Override public String intercept(ActionInvocation Invocation) throws Exception { HttpServletResponse response = ServletActionContext.getResponse(); response.addHeader("X-Frame-Options", "SAMEORIGIN"); response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED"); response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED"); return Invocation.invoke(); } }
上面我试过了,还是不行,就是没有设置headers.
I tried the above, and it does not work, it does not set the headers.
我需要进行哪些更改才能修复此拦截器?甚至可以以这种方式更改响应标头吗?
What changes do I need to make to fix this interceptor? Is it even possible to change response headers in this way?
推荐答案
在 Interceptor 中获取响应(和请求)的正确方法是通过 InvocationContext,而不是通过 <代码>ServletActionContext:
The correct way to get the the response (and the request) inside an Interceptor is through the InvocationContext, instead that through the ServletActionContext:
public String intercept(ActionInvocation Invocation) throws Exception { final ActionContext ac = invocation.getInvocationContext(); HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RE??SPONSE); //HttpServletResponse response = ServletActionContext.getResponse(); response.addHeader("X-Frame-Options", "SAMEORIGIN"); response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED"); response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED"); return Invocation.invoke(); }