如何在 Struts2 拦截器中配置 HTTP 响应 Headers?
How can I configure HTTP Response Headers in a Struts2 Interceptor?
我们目前有一个 java Web 应用程序正在从 Struts 1 迁移到 Struts 2。我们想配置 X-Frame-Options 和 Content-Security-Policy headers 我们所有的 Struts 2 个动作。我们有很多动作,我想尽可能避免单独修改它们。
我目前的想法是将以下拦截器添加到默认堆栈中:
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
public class HttpHeaderInterceptor implements Interceptor {
private static final long serialVersionUID = 1L;
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void init() {
// TODO Auto-generated method stub
}
@Override
public String intercept(ActionInvocation Invocation) throws Exception {
HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
}
上面的我试过了,还是不行,没有设置headers。
我需要做哪些更改才能修复此拦截器?甚至可以通过这种方式更改响应 headers 吗?
在拦截器中获取响应(和请求)的正确方法是通过 InvocationContext,而不是通过 ServletActionContext:
public String intercept(ActionInvocation Invocation) throws Exception {
final ActionContext ac = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RESPONSE);
//HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
我们目前有一个 java Web 应用程序正在从 Struts 1 迁移到 Struts 2。我们想配置 X-Frame-Options 和 Content-Security-Policy headers 我们所有的 Struts 2 个动作。我们有很多动作,我想尽可能避免单独修改它们。
我目前的想法是将以下拦截器添加到默认堆栈中:
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
public class HttpHeaderInterceptor implements Interceptor {
private static final long serialVersionUID = 1L;
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void init() {
// TODO Auto-generated method stub
}
@Override
public String intercept(ActionInvocation Invocation) throws Exception {
HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
}
上面的我试过了,还是不行,没有设置headers。
我需要做哪些更改才能修复此拦截器?甚至可以通过这种方式更改响应 headers 吗?
在拦截器中获取响应(和请求)的正确方法是通过 InvocationContext,而不是通过 ServletActionContext:
public String intercept(ActionInvocation Invocation) throws Exception {
final ActionContext ac = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RESPONSE);
//HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}