Posted to commits@struts.apache.org by lu...@apache.org on 2022/11/28 14:28:13 UTC
[struts-site] 01/01: Adds missing info about CSP interceptor
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch csp-interceptor
in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 5584851658228c499c9b3b3db32ab0ccb5090daf
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Mon Nov 28 15:28:06 2022 +0100
Adds missing info about CSP interceptor
---
source/core-developers/csp-interceptor.md | 42 ++++++++++++++++
source/core-developers/interceptors.md | 79 ++++++++++++++++---------------
2 files changed, 82 insertions(+), 39 deletions(-)
diff --git a/source/core-developers/csp-interceptor.md b/source/core-developers/csp-interceptor.md
new file mode 100644
index 000000000..82ed7e631
--- /dev/null
+++ b/source/core-developers/csp-interceptor.md
@@ -0,0 +1,42 @@
+---
+layout: default
+title: CSP Interceptor
+parent:
+ title: Interceptors
+ url: interceptors.html
+---
+
+# Content Security Policy Interceptor
+
+## Description
+
+Interceptor that implements Content Security Policy on incoming requests.
+
+Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
+including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft,
+to site defacement, to malware distribution.
+
+CSP can work in two modes, either **enforce** or **report**. In the report mode the `Content-Security-Policy-Report-Only`
+header is sent and `Content-Security-Policy` header is used when using the enforce mode.
+
+CSP is now supported by all major browsers.
+
+[More information about CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
+
+## Parameters
+
+- `enforcingMode` (default `false`) - When set to "true", the enforce mode has been enabled, and the provided policy
+ is going to be enforced.
+- `reportUri` - an uri under, which the violations have to be reported.
+
+## Examples
+
+```xml
+<action name="someAction" class="com.examples.SomeAction">
+ <interceptor-ref name="defaultStack">
+ <param name="csp.enforcingMode">true</param>
+ <param name="csp.reportUri">/csp-report.action</param>
+ </interceptor-ref>
+ <result name="success">good_result.ftl</result>
+</action>
+```
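Review bot: the `reportUri` entry in the Parameters section is ungrammatical and underspecified ("an uri under, which the violations have to be reported"); suggest "a URI to which the browser sends violation reports" and name the header directive it maps to. The Description says the interceptor applies CSP "on incoming requests", but both headers the page names (`Content-Security-Policy` and `Content-Security-Policy-Report-Only`) are response headers, so "adds a Content Security Policy header to the response" is more accurate. The page never states which directives the emitted policy contains, and without that a reader cannot judge whether switching `enforcingMode` to `true` will break their site; document the effective policy or point to the class that builds it. The example passes `csp.enforcingMode` and `csp.reportUri` as params to `defaultStack`, which only has an effect if an interceptor named `csp` is actually in that stack; state whether it is, or show an explicit `<interceptor-ref name="csp">` instead. Minor: "When set to "true", the enforce mode has been enabled" reads better as "When `true`, enforce mode is enabled and the provided policy is enforced".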
diff --git a/source/core-developers/interceptors.md b/source/core-developers/interceptors.md
index ad050f667..8d041c12a 100644
--- a/source/core-developers/interceptors.md
+++ b/source/core-developers/interceptors.md
@@ -106,45 +106,46 @@ specified below come specified in [struts-default.xml](struts-default-xml). If y
package, then you can use the names below. Otherwise, they must be defined in your package with a name-class pair
specified in the `<interceptors/>` tag.
-|Interceptor|Name|Description|
-|-----------|----|-----------|
-|[Alias Interceptor](alias-interceptor)|alias|Converts similar parameters that may be named differently between requests.|
-|[Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor)|annotationParameterFilter|Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor).|
-|[Annotation Workflow Interceptor](annotation-workflow-interceptor)|annotationWorkflow|Invokes any annotated methods on the action.|
-|[Chaining Interceptor](chaining-interceptor)|chain|Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action).|
-|[Checckbox Interceptor](checkbox-interceptor)|checkbox|Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes.|
-|[COEP Interceptor](coep-interceptor)|coep|Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.|
-|[Conversion Error Interceptor](conversion-error-interceptor)|conversionError|Adds conversion errors from the ActionContext to the Action's field errors|
-|[Cookie Interceptor](cookie-interceptor)|cookie|Inject cookie with a certain configurable name / value into action. (Since 2.0.7.)|
-|[Cookie Provider Interceptor](cookie-provider-interceptor)|cookieProvider|Transfer cookies from action to response (Since 2.3.15.)|
-|[COOP Interceptor](coop-interceptor)|coop|Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks.|
-|[Create Session Interceptor](create-session-interceptor)|createSession|Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor)|
-|[Clear Session Interceptor](clear-session-interceptor)|clearSession|This interceptor clears the HttpSession.|
-|[Debugging Interceptor](debugging-interceptor)|debugging|Provides several different debugging screens to provide insight into the data behind the page.|
-|[Default Workflow Interceptor](default-workflow-interceptor)|workflow|Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view.|
-|[Exception Interceptor](exception-interceptor)|exception|Maps exceptions to a result.|
-|[Execute and Wait Interceptor](execute-and-wait-interceptor)|execAndWait|Executes the Action in the background and then sends the user off to an intermediate waiting page.|
-|[Fetch Metadata Interceptor](fetch-metadata-interceptor)|fetchMetadata|Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks.|
-|[File Upload Interceptor](file-upload-interceptor)|fileUpload|An Interceptor that adds easy access to file upload support.|
-|[I18n Interceptor](i18n-interceptor)|i18n|Remembers the locale selected for a user's session.|
-|[Logging Interceptor](logging-interceptor)|logger|Outputs the name of the Action.|
-|[Message Store Interceptor](message-store-interceptor)|store|Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session.|
-|[Model Driven Interceptor](model-driven-interceptor.htm)|modelDriven|If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack.|
-|[Multiselect Interceptor](multiselect-interceptor)|multiselect|Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter|
-|[NoOp Interceptor](no-op-interceptor)|noop|Does nothing, just passes invocation further, used in empty stack|
-|[Parameter Filter Interceptor](parameter-filter-interceptor)|parameterFilter|Removes parameters from the list of those available to Actions|
-|[Parameters Interceptor](parameters-interceptor)|params|Sets the request parameters onto the Action.|
-|[Parameter Remover Interceptor](parameter-remover-interceptor)|paramRemover|Removes a parameter from parameters map.|
-|[Prepare Interceptor](prepare-interceptor)|prepare|If the Action implements Preparable, calls its prepare method.|
-|[Roles Interceptor](roles-interceptor)|roles|Action will only be executed if the user has the correct JAAS role.|
-|[Scope Interceptor](scope-interceptor)|scope|Simple mechanism for storing Action state in the session or application scope.|
-|[Scoped Model Driven Interceptor](scoped-model-driven-interceptor)|scopedModelDriven|If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel.|
-|[Servlet Config Interceptor](servlet-config-interceptor)|servletConfig|Provide access to Maps representing HttpServletRequest and HttpServletResponse.|
-|[Static Parameters Interceptor](static-parameters-interceptor)|staticParams|Sets the struts.xml defined parameters onto the action. These are the <param> tags that are direct children of the <action> tag.|
-|[Timer Interceptor](timer-interceptor)|timer|Outputs how long the Action takes to execute (including nested Interceptors and View)|
-|[Token Interceptor](token-interceptor)|token|Checks for valid token presence in Action, prevents duplicate form submission.|
-|[Token Session Interceptor](token-session-interceptor)|tokenSession|Same as Token Interceptor, but stores the submitted data in session when handed an invalid token|
-|[Validation Interceptor](validation-interceptor)|validation|Performs validation using the validators defined in _action_ -validation.xml|
+| Interceptor | Name | Description |
+|------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Alias Interceptor](alias-interceptor) | alias | Converts similar parameters that may be named differently between requests. |
+| [Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor) | annotationParameterFilter | Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor). |
+| [Annotation Workflow Interceptor](annotation-workflow-interceptor) | annotationWorkflow | Invokes any annotated methods on the action. |
+| [Chaining Interceptor](chaining-interceptor) | chain | Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action). |
+| [Checckbox Interceptor](checkbox-interceptor) | checkbox | Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes. |
+| [COEP Interceptor](coep-interceptor) | coep | Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. |
+| [Conversion Error Interceptor](conversion-error-interceptor) | conversionError | Adds conversion errors from the ActionContext to the Action's field errors |
+| [Cookie Interceptor](cookie-interceptor) | cookie | Inject cookie with a certain configurable name / value into action. (Since 2.0.7.) |
+| [Cookie Provider Interceptor](cookie-provider-interceptor) | cookieProvider | Transfer cookies from action to response (Since 2.3.15.) |
+| [COOP Interceptor](coop-interceptor) | coop | Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks. |
+| [Create Session Interceptor](create-session-interceptor) | createSession | Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor) |
+| [Clear Session Interceptor](clear-session-interceptor) | clearSession | This interceptor clears the HttpSession. |
+| [Content Security Policy Interceptor](csp-interceptor) | csp | Adds support for Content Security policy. |
+| [Debugging Interceptor](debugging-interceptor) | debugging | Provides several different debugging screens to provide insight into the data behind the page. |
+| [Default Workflow Interceptor](default-workflow-interceptor) | workflow | Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view. |
+| [Exception Interceptor](exception-interceptor) | exception | Maps exceptions to a result. |
+| [Execute and Wait Interceptor](execute-and-wait-interceptor) | execAndWait | Executes the Action in the background and then sends the user off to an intermediate waiting page. |
+| [Fetch Metadata Interceptor](fetch-metadata-interceptor) | fetchMetadata | Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks. |
+| [File Upload Interceptor](file-upload-interceptor) | fileUpload | An Interceptor that adds easy access to file upload support. |
+| [I18n Interceptor](i18n-interceptor) | i18n | Remembers the locale selected for a user's session. |
+| [Logging Interceptor](logging-interceptor) | logger | Outputs the name of the Action. |
+| [Message Store Interceptor](message-store-interceptor) | store | Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session. |
+| [Model Driven Interceptor](model-driven-interceptor.htm) | modelDriven | If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack. |
+| [Multiselect Interceptor](multiselect-interceptor) | multiselect | Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter |
+| [NoOp Interceptor](no-op-interceptor) | noop | Does nothing, just passes invocation further, used in empty stack |
+| [Parameter Filter Interceptor](parameter-filter-interceptor) | parameterFilter | Removes parameters from the list of those available to Actions |
+| [Parameters Interceptor](parameters-interceptor) | params | Sets the request parameters onto the Action. |
+| [Parameter Remover Interceptor](parameter-remover-interceptor) | paramRemover | Removes a parameter from parameters map. |
+| [Prepare Interceptor](prepare-interceptor) | prepare | If the Action implements Preparable, calls its prepare method. |
+| [Roles Interceptor](roles-interceptor) | roles | Action will only be executed if the user has the correct JAAS role. |
+| [Scope Interceptor](scope-interceptor) | scope | Simple mechanism for storing Action state in the session or application scope. |
+| [Scoped Model Driven Interceptor](scoped-model-driven-interceptor) | scopedModelDriven | If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel. |
+| [Servlet Config Interceptor](servlet-config-interceptor) | servletConfig | Provide access to Maps representing HttpServletRequest and HttpServletResponse. |
+| [Static Parameters Interceptor](static-parameters-interceptor) | staticParams | Sets the struts.xml defined parameters onto the action. These are the <param> tags that are direct children of the <action> tag. |
+| [Timer Interceptor](timer-interceptor) | timer | Outputs how long the Action takes to execute (including nested Interceptors and View) |
+| [Token Interceptor](token-interceptor) | token | Checks for valid token presence in Action, prevents duplicate form submission. |
+| [Token Session Interceptor](token-session-interceptor) | tokenSession | Same as Token Interceptor, but stores the submitted data in session when handed an invalid token |
+| [Validation Interceptor](validation-interceptor) | validation | Performs validation using the validators defined in _action_ -validation.xml |
Since 2.0.7, Interceptors and Results with hyphenated names were converted to camelCase. (The former model-driven is
now modelDriven.) The original hyphenated names are retained as "aliases" until Struts 2.1.0. For clarity,
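Review bot: this hunk re-aligns the whitespace of every existing table row together with the one substantive change (the new `csp` row), which makes the actual addition hard to spot in review; consider committing the re-alignment separately or leaving the existing rows untouched. The new row's description "Adds support for Content Security policy" is inconsistent with the capitalised "Content Security Policy" used in the new page and is thinner than the neighbouring `coep` and `coop` entries; suggest "Adds a Content Security Policy header to the response, in report-only or enforce mode." Since the rows are being rewritten anyway, the pre-existing "Checckbox Interceptor" typo and the `model-driven-interceptor.htm` link (every other link in the table has no extension) could be fixed in the same pass.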