Class CspInterceptor

java.lang.Object
org.apache.struts2.interceptor.AbstractInterceptor
org.apache.struts2.interceptor.csp.CspInterceptor
All Implemented Interfaces:
Serializable, ConditionalInterceptor, Interceptor

public final class CspInterceptor extends AbstractInterceptor
Interceptor that applies a Content Security Policy to incoming requests, used to protect against common XSS and data-injection attacks. It uses CspSettings to add the appropriate Content-Security-Policy header to the response. That header determines what the browser will treat as a policy violation and how the browser behaves when one occurs. A detailed explanation of CSP can be found here.
  • Constructor Details

    • CspInterceptor

      public CspInterceptor()
  • Method Details

    • intercept

      public String intercept(ActionInvocation invocation) throws Exception
      Description copied from class: AbstractInterceptor
      Override to handle interception
      Specified by:
      intercept in interface Interceptor
      Specified by:
      intercept in class AbstractInterceptor
      Parameters:
      invocation - the action invocation
      Returns:
      the return code, either returned from ActionInvocation.invoke(), or from the interceptor itself.
      Throws:
      Exception - any system-level error, as defined in Action.execute().
    • setReportUri

      public void setReportUri(String reportUri)
      Sets the URI to which the browser will send CSP violation reports (the report-uri directive). When prependServletContext is true, the servlet context path is prepended to this value.
      Parameters:
      reportUri - the URI that will receive CSP violation reports
    • setReportTo

      public void setReportTo(String reportTo)
      Sets the reporting group (the report-to directive) to which CSP violation reports will be sent. This is only used if reportUri is also set.
      Parameters:
      reportTo - the reporting group to which CSP violation reports will be sent
      Since:
      Struts 6.5.0
    • setEnforcingMode

      public void setEnforcingMode(boolean enforcingMode)
      Enables enforcing mode. By default the policy is applied in report-only mode (Content-Security-Policy-Report-Only header): violations are reported but not blocked. In enforcing mode the Content-Security-Policy header is sent and the browser blocks violating resources.
      Parameters:
      enforcingMode - true to enable enforcing mode, false to keep report-only mode.
    • setPrependServletContext

      public void setPrependServletContext(boolean prependServletContext)
      Sets whether to prepend the servlet context path to the reportUri.
      Parameters:
      prependServletContext - true to prepend the reportUri with the servlet context path, false to use it as given.
    • setCspSettingsClassName

      public void setCspSettingsClassName(String cspSettingsClassName)
      Sets the class name of the default CspSettings implementation to use when the action does not provide its own CspSettings. If not set, the default is DefaultCspSettings.
      Since:
      Struts 6.5.0
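The setters above are exposed to struts.xml as interceptor parameters of the same name (reportUri, reportTo, enforcingMode, prependServletContext, cspSettingsClassName). The following configuration, an added example rather than part of the Struts documentation, shows a report-only stack for rolling the policy out and an enforcing stack for production. It assumes the interceptor is registered under the name "csp" by the parent package (as struts-default does in Struts 6); the package name, action class and /csp-report endpoint are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
    "https://struts.apache.org/dtds/struts-6.0.dtd">
<struts>
  <!-- Hypothetical package; "csp" is assumed to be registered by struts-default.
       If it is not, declare it explicitly:
       <interceptor name="csp" class="org.apache.struts2.interceptor.csp.CspInterceptor"/> -->
  <package name="secure" extends="struts-default" namespace="/">

    <interceptors>
      <!-- Phase 1, report-only (the interceptor's default): the browser sends
           violation reports to the reportUri but blocks nothing, so you can
           find inline scripts and third-party resources before enforcing. -->
      <interceptor-stack name="cspReportOnlyStack">
        <interceptor-ref name="defaultStack"/>
        <interceptor-ref name="csp">
          <param name="reportUri">/csp-report</param>
          <!-- prepend the servlet context path, e.g. /myapp/csp-report -->
          <param name="prependServletContext">true</param>
        </interceptor-ref>
      </interceptor-stack>

      <!-- Phase 2, enforcing: same reporting, but the Content-Security-Policy
           header is sent instead of Content-Security-Policy-Report-Only. -->
      <interceptor-stack name="cspEnforcingStack">
        <interceptor-ref name="defaultStack"/>
        <interceptor-ref name="csp">
          <param name="enforcingMode">true</param>
          <param name="reportUri">/csp-report</param>
          <param name="prependServletContext">true</param>
          <!-- reportTo names a Reporting API group; the interceptor only uses
               it because reportUri is also set. The group itself must be
               defined by a separate Report-To or Reporting-Endpoints response
               header, which this interceptor does not emit. -->
          <param name="reportTo">csp-endpoint</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Switch this to cspReportOnlyStack during rollout. -->
    <default-interceptor-ref name="cspEnforcingStack"/>

    <!-- Hypothetical action protected by the policy. -->
    <action name="index" class="com.example.IndexAction">
      <result>/WEB-INF/jsp/index.jsp</result>
    </action>

    <!-- Hypothetical endpoint receiving the browser's violation reports
         (POST, application/csp-report). Exclude it from the CSP stack so a
         report cannot itself trigger a report. -->
    <action name="csp-report" class="com.example.CspReportAction">
      <interceptor-ref name="defaultStack"/>
      <result type="httpheader">
        <param name="status">204</param>
      </result>
    </action>

  </package>
</struts>
```

Because a param on an interceptor-ref overrides the interceptor's default for that reference only, the two stacks can coexist and an individual action can still pick the report-only stack while the package default enforces. Roll out in report-only mode first and inspect the reports before setting enforcingMode to true; an enforcing policy that blocks a legitimately needed script will break the page for every user, not just log it.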