Class CspInterceptor

java.lang.Object
  org.apache.struts2.interceptor.AbstractInterceptor
    org.apache.struts2.interceptor.csp.CspInterceptor

All Implemented Interfaces:
- Serializable
- ConditionalInterceptor
- Interceptor
Interceptor that applies a Content Security Policy to incoming requests, used to protect against common XSS and data injection attacks. It uses CspSettings to add the appropriate Content Security Policy header to the response. This header tells the browser what it will consider a policy violation and how it should behave when a violation occurs (report it, or block the resource and report it). A detailed explanation of CSP can be found here.
Constructor Summary

- CspInterceptor()

Method Summary

- String intercept(ActionInvocation invocation): Override to handle interception.
- void setCspSettingsClassName(String cspSettingsClassName): Sets the class name of the default CspSettings implementation to use when the action does not set its own values.
- void setEnforcingMode(boolean enforcingMode): Enables enforcing mode; by default all violations are only reported.
- void setPrependServletContext(boolean prependServletContext): Sets whether to prepend the servlet context path to the reportUri.
- void setReportTo(String reportTo): Sets the report group where CSP violation reports will be sent.
- void setReportUri(String reportUri)

Methods inherited from class org.apache.struts2.interceptor.AbstractInterceptor:
destroy, init, setDisabled, shouldIntercept
Constructor Details

CspInterceptor
public CspInterceptor()

Method Details

intercept
public String intercept(ActionInvocation invocation) throws Exception
Description copied from class: AbstractInterceptor
Override to handle interception.
- Specified by: intercept in interface Interceptor
- Specified by: intercept in class AbstractInterceptor
- Parameters: invocation - the action invocation
- Returns: the return code, either returned from ActionInvocation.invoke(), or from the interceptor itself.
- Throws: Exception - any system-level error, as defined in Action.execute().
setReportUri
public void setReportUri(String reportUri)

setReportTo
public void setReportTo(String reportTo)
Sets the report group where CSP violation reports will be sent. This is only used if the reportUri is set.
- Parameters: reportTo - the report group where CSP violation reports will be sent
- Since: Struts 6.5.0

setEnforcingMode
public void setEnforcingMode(boolean enforcingMode)
Enables enforcing mode. By default all violations are only reported (the browser sends a report but does not block the resource); in enforcing mode the browser blocks the violating resource as well.
- Parameters: enforcingMode - true to enable enforcing mode, false to keep reporting mode.

setPrependServletContext
public void setPrependServletContext(boolean prependServletContext)
Sets whether to prepend the servlet context path to the reportUri.
- Parameters: prependServletContext - true to prepend the location with the servlet context path, false otherwise.

setCspSettingsClassName
public void setCspSettingsClassName(String cspSettingsClassName)
Sets the class name of the default CspSettings implementation to use when the action does not set its own values. If not set, the default is DefaultCspSettings.
- Since: Struts 6.5.0
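The struts.xml fragment below is an added example, not part of the Struts Javadoc or source; it wires CspInterceptor explicitly and shows the report-only default next to an enforcing configuration. The package name, action class, report endpoint (/csp-reports) and report group name are assumptions for illustration; the parameter names map to the setters documented above.

```xml
<!-- Added example (not Struts project code). Package, action and endpoint names are assumed. -->
<package name="secure" extends="struts-default">
  <interceptors>
    <interceptor name="csp" class="org.apache.struts2.interceptor.csp.CspInterceptor"/>

    <!-- Report-only: the browser reports violations to reportUri but still loads the
         resource. enforcingMode=false is the interceptor's default, shown explicitly. -->
    <interceptor-stack name="cspReportOnlyStack">
      <interceptor-ref name="csp">
        <param name="enforcingMode">false</param>
        <param name="reportUri">/csp-reports</param>
        <!-- reportUri becomes <context-path>/csp-reports -->
        <param name="prependServletContext">true</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
    </interceptor-stack>

    <!-- Enforcing: violating resources are blocked and still reported. reportTo is only
         honoured because reportUri is set (see setReportTo). -->
    <interceptor-stack name="cspEnforcingStack">
      <interceptor-ref name="csp">
        <param name="enforcingMode">true</param>
        <param name="reportUri">/csp-reports</param>
        <param name="prependServletContext">true</param>
        <param name="reportTo">csp-endpoint</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
    </interceptor-stack>
  </interceptors>

  <!-- Switch to cspReportOnlyStack while validating a new policy against real traffic. -->
  <default-interceptor-ref name="cspEnforcingStack"/>

  <action name="index" class="com.example.IndexAction">
    <result>/WEB-INF/jsp/index.jsp</result>
  </action>
</package>
```

Rolling out with cspReportOnlyStack first and reviewing the reports that reach /csp-reports shows which legitimate resources a policy would break before cspEnforcingStack starts blocking them.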