拒绝使用Naming Convention插件直接访问Struts2中的JSP文件 [英] Deny direct access to JSP files in Struts2 with Naming Convention plugin

问题描述

我一直在努力解决这个问题，因为我是Struts2开发的新手，最近才开始使用这个命名的Convention插件。

I've been struggling with this issue as I'm new to Struts2 development, and just started using this naming Convention Plugin recently.

我正在尝试创建一个简单的webapp，最初只包含两个页面：

I'm trying to create a simple webapp which at first will only consist in two pages:

1. 登录页面（login.jsp）


2. 主页（home.jsp）

首先向用户显示一个登录页面，如果用户名正确，提供密码，他们登录并重定向到主页。

First a login page is shown to the user, and if the correct username and password are provided, they log in and get redirected to the home page.

我已成功设法创建我的小型webapp，写下自定义登录拦截器，一切正常并按预期工作。如果他/她试图调用 HomeAction （导致 home.jsp 如果你以前登录过）直接像 http：// myserver / homeAction 。

I've successfully managed to create my small webapp, writing down a custom login interceptor and everything's OK and working as expected. I'm able to redirect the user to the login page if he/she tries to call the HomeAction( which results in home.jspif you previously logged in) directly like http://myserver/homeAction.

问题来了当我尝试像这样直接访问JSP时：

Problem comes when I try to access JSPs directly like this:

http：// myserver / home

当我使用这个约定插件时，struts获取我的 home.jsp 插件并显示它。这不是我预期的行为，因为 home.jsp 应仅显示为 loginAction 成功结果。

As I'm using this convention plugin, struts fetches my home.jspplugin and displays it. This is not the behaviour I expected, as home.jspshould be shown only as a loginAction successful result.

我试图解决这个问题的事情

好吧，据我搜索，将我的JSP放在 / WEB-INF / 目录中应该阻止它们被访问，但它没有，因为我的所有JSP都在 / WEB中-INF / content / 。

Well, as far as I googled, putting my JSPs inside /WEB-INF/directory should prevent them to be accessed, but it doesn't, as all my JSPs are in /WEB-INF/content/.

我尝试的另一件事是阻止访问任何 JSP 资源（阻止 *。JSP 请求）。只要您尝试访问 myserver / home.jsp ，这就可以了，但在访问 myserver / home 。

Another thing I tried was blocking access to any JSPresource (blocking *.JSP requests). This does the trick as long as you try to access myserver/home.jsp , but fails (as expected) when accessing myserver/home.

编辑： stackoverflow中有关于此问题的另一个问题，但我无法理解答案：
Struts 2 Convention插件和WEB-INF下的JSP文件

There's another question in stackoverflow about this issue but I can't understand the answer: Struts 2 Convention Plugin and JSP files under WEB-INF

信息更新：我发现Struts2约定插件使用的是无动作结果，因此您可以访问<$通过调用 JSP 在 WEB-INF / content 目录中的c $ c> JSP 没有它的扩展，它将作为一个虚拟动作处理它，成功返回 JSP 。这是一个例子来说明我要解释的内容：

INFORMATION UPDATE: I've found that Struts2 convention plugin uses something called "actionless results" so you can access your JSPs inside your WEB-INF/contentdirectory by invoking the JSP without it's extension and it will deal with it as a dummy action which returns that JSP on success. This is an example to illustrate what I'm trying to explain:

如果我在我的 home.jsp 中 WEB-INF / content 目录并调用 http：// myserver / home ，Struts2将触发一个动作，结果将是 home.jsp 。那么问题的解决方案就是禁用这种无动作的结果。

If I have home.jsp in my WEB-INF/contentdirectory and call http://myserver/home, Struts2 will "trigger" an action whose result is going to be home.jsp. The solution for the problem then is going to be disabling this "actionless" results.

如果没有人提供答案，我将继续更新问题。

I'll keep updating the question as I head towards the solution if nobody provides an answer.

推荐答案

在这里你想如何禁用这个功能。创建一个虚拟bean

Here how d'you want to disable this feature. Create a dummy bean

package com.struts.handler;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.UnknownHandler;
import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.entities.ActionConfig;

/**
 * Created by Roman C on 22.03.2015.
 */
public class MyUnknownHandler implements UnknownHandler {
  @Override
  public ActionConfig handleUnknownAction(String namespace, String actionName) throws XWorkException {
    return null;
  }

  @Override
  public Result handleUnknownResult(ActionContext actionContext, String actionName, ActionConfig actionConfig, String resultCode) throws XWorkException {
    return null;
  }

  @Override
  public Object handleUnknownActionMethod(Object action, String methodName) throws NoSuchMethodException {
    return null;
  }
}

然后在中配置它struts.xml ：

  <bean type="com.opensymphony.xwork2.UnknownHandler" name="handler" class="com.struts.handler.MyUnknownHandler"/>
  <unknown-handler-stack>
    <unknown-handler-ref name="handler"/>
  </unknown-handler-stack>

解释这里：

约定插件及其上面创建的配置也会放置一个未知的处理程序，该处理程序应该处理一个URL配置不存在（即不是由约定创建）。这是问题的根源。

The convention plugin along with configuration it creates mentioned above also put an unknown handler which should handle URLs for which a configuration is not exist (i.e. not created by the convention). This is the source of the problem.

现在放置自己的处理程序将禁用约定的处理程序。因此它将不再按惯例处理结果。

Now putting your own handler will disable convention's one. Thus it will no longer handle results by convention.

这篇关于拒绝使用Naming Convention插件直接访问Struts2中的JSP文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！