Prevent users from directly accessing Struts2 actions?

Posted 2024-11-08 11:52:01 · 1228 characters · 0 views · 0 comments

I have the following actions defined in my struts.xml

    <action name="Search" method="prepareLookUpvalues" class="com.mycompany.actions.FrSearchAction">
        <result name="success" type="tiles">search.layout</result>
    </action>

    <action name="List" class="com.mycompany.actions.FrSearchAction">
        <result name="success" type="tiles">results.layout</result>
        <result name="input" type="tiles">search.layout</result>
    </action>

    <action name="SearchDetails" class="com.mycompany.actions.FrSearchDetailsAction">
        <result name="success" type="tiles">details.layout</result>
    </action>

    <action name="Logoff" class="com.mycompany.actions.LogoffAction" >
        <result name="success" type="tiles">logoff.layout</result>
    </action>

Assuming that a user goes directly to my page home http://localhost:8080/fr/Search.action everything works OK, but it has been discovered that some users are accessing http://localhost:8080/fr/List.action directly without first going to the search page which is causing problems.

When a user goes to the search page and enters criteria and submits, it is only then that the "List" action should be called via the struts form's action attribute. I basically want to stop users from being able to access the "List", "SearchDetails", and "Logoff" actions directly unless those actions are invoked from my JSPs or code.

I'm new to maintaining/developing Struts2 applications and I haven't found clear answers to this. Any suggestions would be greatly appreciated!

2 comments

热情消退 2024-11-15 11:52:01

There's a few details missing so the answer will be a bit vague, but the list action probably pulls values from a form submission to search? Or pulls state from session? Or...?

Anyways, however that may be stored, simply check and then redirect the user to Search if the state is not set as expected.

For details on doing redirects in struts2, see, e.g., http://www.roseindia.net/struts/struts2/actions/struts-2-redirect-action.shtml
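One way to do the "check and redirect" this answer describes, as an added example that is not part of the original answer or of the asker's application: a Struts2 interceptor that records a server-side session flag when the Search action runs and refuses to invoke "List", "SearchDetails" or "Logoff" until that flag is present, rendering a global `redirectAction` result instead. The class name `SearchFlowInterceptor`, the session key `fr.searchVisited`, the result name `toSearch`, the package name `fr` and the Struts 2.x `com.opensymphony.xwork2` package are all assumptions; the four action names come from the question.

```java
// Added example (not from the original post): a Struts2 interceptor that only lets
// "List", "SearchDetails" and "Logoff" run after the user has passed through the
// Search action in this session. The class name, session key, result name and the
// struts.xml wiring below are assumptions, not the asker's configuration.
package com.mycompany.interceptors;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class SearchFlowInterceptor extends AbstractInterceptor {

    /** Session key set once the Search action has been invoked in this session. */
    public static final String SEARCH_VISITED = "fr.searchVisited";

    /** Actions that must not run before Search has been visited (names from the question). */
    private static final Set<String> GUARDED =
            new HashSet<String>(Arrays.asList("List", "SearchDetails", "Logoff"));

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        // Struts2 exposes the HttpSession as a Map; only this server-side state is trusted,
        // never a request parameter or header that the client can set.
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        if ("Search".equals(actionName)) {
            session.put(SEARCH_VISITED, Boolean.TRUE);
            return invocation.invoke();
        }
        if (GUARDED.contains(actionName) && !Boolean.TRUE.equals(session.get(SEARCH_VISITED))) {
            // Do not invoke the action at all; the returned code selects the global
            // "toSearch" result, which redirects the browser to Search.action.
            return "toSearch";
        }
        return invocation.invoke();
    }
}

/* struts.xml wiring (assumed; the four <action> elements from the question go inside):
 *
 * <package name="fr" extends="struts-default">
 *     <interceptors>
 *         <interceptor name="searchFlow"
 *                      class="com.mycompany.interceptors.SearchFlowInterceptor"/>
 *         <interceptor-stack name="frStack">
 *             <interceptor-ref name="searchFlow"/>
 *             <interceptor-ref name="defaultStack"/>
 *         </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="frStack"/>
 *     <global-results>
 *         <result name="toSearch" type="redirectAction">
 *             <param name="actionName">Search</param>
 *         </result>
 *     </global-results>
 *     ...
 * </package>
 */
```

The flag only proves that the session has been through Search; it does not tie a List request to a particular form submission. For Logoff, which changes state, the built-in Struts2 `token` interceptor together with `<s:token/>` in the form is the more precise guard, because it rejects requests that do not carry the one-time token the rendered form contained.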

过度放纵 2024-11-15 11:52:01

This isn't an elegant solution but you could try checking for the referer to see who called the action. Your action class will need to implement ServletRequestAware.

    // request is the HttpServletRequest injected via ServletRequestAware.setServletRequest(...)
    String referrer = request.getHeader("referer");
    // The header may be absent, so compare from the constant to avoid a NullPointerException
    if ("http://localhost:8080/fr/Search.action".equals(referrer)) {
        // do the action
    } else {
        // handle unwanted access
    }

Remember that the referer is a client-controlled value and can be spoofed or removed.
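A more defensive form of the same check, added here as an example and not part of the original answer: it denies when the header is missing or unparseable (browsers strip it under many Referrer-Policy settings, so a missing header must not be treated as trusted), compares only scheme, host and port instead of the full URL, and derives the expected origin from the current request rather than hard-coding localhost. The class name `RefererCheck` and its method names are assumptions.

```java
// Added example (not from the original answer): same-origin Referer comparison with
// explicit handling of the absent-header case. Class and method names are assumptions.
package com.mycompany.util;

import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;

public final class RefererCheck {

    private RefererCheck() {}

    /** Returns true only if the Referer header names the same origin as this request. */
    public static boolean isSameOriginReferer(HttpServletRequest request) {
        String referer = request.getHeader("Referer");
        if (referer == null || referer.isEmpty()) {
            // Absent header: direct navigation, privacy settings or Referrer-Policy.
            // Treat as untrusted rather than letting the request through.
            return false;
        }
        try {
            URI ref = new URI(referer);
            if (ref.getScheme() == null || ref.getHost() == null) {
                return false;   // relative or opaque value, not an origin we can compare
            }
            String expected = originOf(request.getScheme(), request.getServerName(), request.getServerPort());
            String actual = originOf(ref.getScheme(), ref.getHost(), ref.getPort());
            return expected.equals(actual);
        } catch (URISyntaxException e) {
            return false;       // malformed header is not a trusted origin
        }
    }

    /** Normalises to "scheme://host:port", filling in the default port when none is given. */
    static String originOf(String scheme, String host, int port) {
        String s = scheme.toLowerCase();
        int p = port;
        if (p == -1) {
            p = "https".equals(s) ? 443 : 80;
        }
        return s + "://" + host.toLowerCase() + ":" + p;
    }
}
```

Inside the action, `if (!RefererCheck.isSameOriginReferer(request)) { return "toSearch"; }` (assuming a `toSearch` redirect result is configured) replaces the string comparison above. Because the header is client-controlled, this is only a defence-in-depth layer; server-side session state or a form token remains the check that actually decides whether the action may run.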