Deny direct access to JSP files in Struts2 with Naming Convention plugin


Problem description

I've been struggling with this issue as I'm new to Struts2 development, and just started using this naming Convention Plugin recently.

I'm trying to create a simple webapp which at first will only consist of two pages:

  1. Login page (login.jsp)
  2. Home page (home.jsp)

First a login page is shown to the user, and if the correct username and password are provided, they log in and get redirected to the home page.

I've successfully managed to create my small webapp, writing down a custom login interceptor, and everything's OK and working as expected. I'm able to redirect the user to the login page if he/she tries to call the HomeAction (which results in home.jsp if you previously logged in) directly like http://myserver/homeAction.

The problem comes when I try to access JSPs directly like this:

http://myserver/home

As I'm using this Convention plugin, Struts fetches my home.jsp plugin and displays it. This is not the behaviour I expected, as home.jsp should be shown only as a loginAction successful result.

Things I tried to solve this issue

Well, as far as I googled, putting my JSPs inside the /WEB-INF/ directory should prevent them from being accessed, but it doesn't, as all my JSPs are in /WEB-INF/content/.

Another thing I tried was blocking access to any JSP resource (blocking *.JSP requests). This does the trick as long as you try to access myserver/home.jsp, but fails (as expected) when accessing myserver/home.

There's another question on Stack Overflow about this issue but I can't understand the answer: Struts 2 Convention Plugin and JSP files under WEB-INF

INFORMATION UPDATE: I've found that the Struts2 convention plugin uses something called "actionless results", so you can access your JSPs inside your WEB-INF/content directory by invoking the JSP without its extension, and it will deal with it as a dummy action which returns that JSP on success. This is an example to illustrate what I'm trying to explain:

If I have home.jsp in my WEB-INF/content directory and call http://myserver/home, Struts2 will "trigger" an action whose result is going to be home.jsp. The solution for the problem then is going to be disabling these "actionless" results.

I'll keep updating the question as I head towards the solution if nobody provides an answer.

Recommended answer

Here is how you'd want to disable this feature.

Create a dummy bean:

package com.struts.handler;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.UnknownHandler;
import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.entities.ActionConfig;

/**
 * Created by Roman C on 22.03.2015.
 */
public class MyUnknownHandler implements UnknownHandler {
  @Override
  public ActionConfig handleUnknownAction(String namespace, String actionName) throws XWorkException {
    return null;
  }

  @Override
  public Result handleUnknownResult(ActionContext actionContext, String actionName, ActionConfig actionConfig, String resultCode) throws XWorkException {
    return null;
  }

  @Override
  public Object handleUnknownActionMethod(Object action, String methodName) throws NoSuchMethodException {
    return null;
  }
}

Then configure it in the struts.xml:

  <bean type="com.opensymphony.xwork2.UnknownHandler" name="handler" class="com.struts.handler.MyUnknownHandler"/>
  <unknown-handler-stack>
    <unknown-handler-ref name="handler"/>
  </unknown-handler-stack>

Explanation:

The convention plugin, along with the configuration it creates mentioned above, also puts an unknown handler which should handle URLs for which a configuration does not exist (i.e. not created by the convention). This is the source of the problem.

Now, putting in your own handler will disable the convention's handler, so it will no longer handle results by convention.
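An added example (not part of the original question or answer): a regression check that derives, from the JSPs under WEB-INF/content, the extensionless URLs that actionless results would serve, and reports which ones answer 200 to a request without a session. The sample file list, the status tables, port 8080, the public "/login" path and all function names are constructed for illustration.

```python
import http.client

RESULT_ROOT = "WEB-INF/content"  # result path named in the question

# Constructed sample data: project files, and the status each URL returns
# to a session-less request before and after the handler swap.
SAMPLE_JSPS = [
    "src/main/webapp/WEB-INF/content/login.jsp",
    "src/main/webapp/WEB-INF/content/home.jsp",
    "src/main/webapp/index.jsp",
]
BEFORE = {"/login": 200, "/home": 200}
AFTER = {}

def actionless_urls(jsp_paths, result_root=RESULT_ROOT):
    """Extensionless URL path for every JSP below the result root."""
    marker = result_root.strip("/") + "/"
    urls = set()
    for raw in jsp_paths:
        text = raw.replace("\\", "/")
        idx = text.find(marker)
        at_boundary = idx == 0 or (idx > 0 and text[idx - 1] == "/")
        if not at_boundary or not text.lower().endswith(".jsp"):
            continue  # outside the result root, or not a JSP
        urls.add("/" + text[idx + len(marker):-len(".jsp")])
    return sorted(urls)

def exposed(urls, status_of, public=()):
    """URLs outside `public` that answer 200 without a session."""
    return [u for u in urls if u not in public and status_of(u) == 200]

def http_status(host, port=8080):
    """Live status_of callable. http.client does not follow redirects,
    so a redirect to the login page is not counted as rendered content."""
    def status_of(url):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", url)
            return conn.getresponse().status
        finally:
            conn.close()
    return status_of

def demo():
    """Run the check over the constructed before/after status tables."""
    urls = actionless_urls(SAMPLE_JSPS)
    return [exposed(urls, lambda u, t=t: t.get(u, 404), {"/login"})
            for t in (BEFORE, AFTER)]
```

Against a running instance, pass `http_status(host)` as `status_of`; any path the check returns is a JSP still rendered without going through an action.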
