Details
- Improvement
- Status: Closed
- Major
- Resolution: Abandoned
- 5.1.2
Description
This is a fork from ROL-2058.
Using an interceptor instead of a filter would be promising because it enables returning to the action rather than the general exception page; it also enables resubmitting the page with a new salt.
An implementation plan by Greg:
<interceptor-ref name="UIActionSaltInterceptor">
    <param name="excludeMethods">*</param>
    <param name="includeMethods">save</param>
</interceptor-ref>
// Imports added for completeness; the package paths of the two Roller classes
// (UIAction, SaltCache) are assumed, the Struts/XWork/SLF4J ones are standard.
import javax.servlet.http.HttpServletRequest;

import org.apache.roller.weblogger.ui.rendering.util.cache.SaltCache; // Roller class; package assumed
import org.apache.roller.weblogger.ui.struts2.util.UIAction;          // Roller class; package assumed
import org.apache.struts2.ServletActionContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.MethodFilterInterceptor;

public class UIActionSaltInterceptor extends MethodFilterInterceptor {

    private static final Logger log = LoggerFactory.getLogger(UIActionSaltInterceptor.class);

    private String inputResultName = Action.INPUT;

    /**
     * Set the <code>inputResultName</code> (result name to be returned when
     * the action fails the salt check). Defaults to {@link Action#INPUT}.
     *
     * struts.xml interceptor parameter:
     *
     *   <param name="inputResultName">input</param>
     *
     * @param inputResultName
     *            what result name to use when there is a salt error.
     */
    public void setInputResultName(String inputResultName) {
        this.inputResultName = inputResultName;
    }

    /**
     * Intercept the {@link ActionInvocation} and return
     * <code>inputResultName</code> when the action fails the salt check.
     *
     * @return String result name
     */
    @Override
    protected String doIntercept(ActionInvocation invocation) throws Exception {
        Object action = invocation.getAction();
        if (action instanceof UIAction) {
            UIAction theAction = (UIAction) action;
            final ActionContext context = invocation.getInvocationContext();
            HttpServletRequest request = (HttpServletRequest) context.get(ServletActionContext.HTTP_REQUEST);

            // Only form posts carry (and are checked for) a salt
            if ("POST".equals(request.getMethod())) {
                SaltCache saltCache = SaltCache.getInstance();
                if (saltCache.isCacheEnabled()) {
                    String salt = request.getParameter("salt");
                    // A missing, unknown or already-invalidated salt fails the check
                    if (salt == null || saltCache.get(salt) == null || saltCache.get(salt).equals(false)) {
                        if (log.isDebugEnabled()) {
                            log.debug("Failed salt check on action " + theAction
                                    + ", returning result name 'input'");
                        }
                        // Indicate the error to the user and return to the action's input view
                        theAction.addError("error.permissions.deniedSalt");
                        return inputResultName;
                    }
                    // Cleanup: a salt is good for one submission only
                    saltCache.remove(salt);
                }
            }
        }
        return invocation.invoke();
    }
}
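An added example, not Roller's code and not part of Greg's plan, that walks through the one-time salt lifecycle the interceptor enforces: a salt issued when the form renders is accepted once, a replay of the same salt is sent back to the input view, and the re-rendered form carries a fresh salt. SaltStore is a hypothetical stand-in for Roller's SaltCache, and issue() and intercept() are assumed helper names.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SaltLifecycleDemo {

    // Hypothetical stand-in for SaltCache: a salt is valid exactly once.
    static final class SaltStore {
        private final Map<String, Boolean> salts = new ConcurrentHashMap<>();
        private final SecureRandom rng = new SecureRandom();

        // Issued when the form is rendered (GET) and embedded as the "salt" field.
        String issue() {
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            String salt = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            salts.put(salt, Boolean.TRUE);
            return salt;
        }

        // Same decision as doIntercept(), but check-and-remove in one atomic step,
        // so two concurrent posts of the same salt cannot both pass.
        boolean consume(String salt) {
            return salt != null && Boolean.TRUE.equals(salts.remove(salt));
        }
    }

    // Result name the interceptor would return for one request:
    // "success" lets the action method run, "input" re-renders the form.
    static String intercept(SaltStore store, String httpMethod, String salt) {
        if (!"POST".equals(httpMethod)) {
            return "success";               // non-POST requests are not salt-checked
        }
        return store.consume(salt) ? "success" : "input";
    }

    public static void main(String[] args) {
        SaltStore store = new SaltStore();
        String s1 = store.issue();                                   // GET renders the form
        System.out.println("first post:  " + intercept(store, "POST", s1));
        System.out.println("replay:      " + intercept(store, "POST", s1)); // s1 already spent
        String s2 = store.issue();                                   // INPUT view re-renders with a new salt
        System.out.println("resubmit:    " + intercept(store, "POST", s2));
        System.out.println("unknown:     " + intercept(store, "POST", "not-issued-by-us"));
        System.out.println("missing:     " + intercept(store, "POST", null));
        System.out.println("plain GET:   " + intercept(store, "GET", null));
    }
}
```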