如何在Struts2拦截器中配置HTTP响应头? [英] How can I configure HTTP Response Headers in a Struts2 Interceptor?
问题描述
我们目前在从Struts 1迁移到Struts 2的过程中有一个java Web应用程序。我们想配置 X-Frame-Options
和所有Struts 2操作的Content-Security-Policy
标头。我们有很多动作,如果可能的话,我想避免单独修改它们。
We currently have a java web application in the middle of migration from Struts 1 to Struts 2. We would like to configure X-Frame-Options
and Content-Security-Policy
headers for all our Struts 2 actions. We have a lot of actions and I want to avoid modifying them all separately if at all possible.
我目前拥有的想法是以下拦截器,它将被添加到默认堆栈:
the idea I currently have is the following interceptor which would be added to the default stack:
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
public class HttpHeaderInterceptor implements Interceptor {
private static final long serialVersionUID = 1L;
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void init() {
// TODO Auto-generated method stub
}
@Override
public String intercept(ActionInvocation Invocation) throws Exception {
HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
}
我尝试了以上操作,但它不起作用,它没有设置标题。
I tried the above, and it does not work, it does not set the headers.
我需要做些什么修改来修复这个拦截器?是否有可能以这种方式更改响应头?
What changes do I need to make to fix this interceptor? Is it even possible to change response headers in this way?
推荐答案
获取响应(和请求)的正确方法拦截器内部是通过 InvocationContext
,而不是通过 ServletActionContext
:
The correct way to get the the response (and the request) inside an Interceptor is through the InvocationContext
, instead that through the ServletActionContext
:
public String intercept(ActionInvocation Invocation) throws Exception {
final ActionContext ac = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RESPONSE);
//HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
这篇关于如何在Struts2拦截器中配置HTTP响应头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!