Posted to commits@struts.apache.org by lu...@apache.org on 2022/11/28 14:28:12 UTC

[struts-site] branch csp-interceptor created (now 558485165)

This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch csp-interceptor
in repository https://gitbox.apache.org/repos/asf/struts-site.git


      at 558485165 Adds missing info about CPS interceptor

This branch includes the following new commits:

     new 558485165 Adds missing info about CPS interceptor

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[struts-site] 01/01: Adds missing info about CPS interceptor

Posted by lu...@apache.org.

lukaszlenart pushed a commit to branch csp-interceptor
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 5584851658228c499c9b3b3db32ab0ccb5090daf
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Mon Nov 28 15:28:06 2022 +0100

    Adds missing info about CPS interceptor
---
 source/core-developers/csp-interceptor.md | 42 ++++++++++++++++
 source/core-developers/interceptors.md    | 79 ++++++++++++++++---------------
 2 files changed, 82 insertions(+), 39 deletions(-)

diff --git a/source/core-developers/csp-interceptor.md b/source/core-developers/csp-interceptor.md
new file mode 100644
index 000000000..82ed7e631
--- /dev/null
+++ b/source/core-developers/csp-interceptor.md
@@ -0,0 +1,42 @@
+---
+layout: default
+title: CSP Interceptor
+parent:
+    title: Interceptors
+    url: interceptors.html
+---
+
+# Content Security Policy Interceptor
+
+## Description
+
+Interceptor that implements Content Security Policy on incoming requests.
+
+Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, 
+including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, 
+to site defacement, to malware distribution.
+
+CSP can work in two modes, either **enforce** or **report**. In the report mode the `Content-Security-Policy-Report-Only`
+header is sent and `Content-Security-Policy` header is used when using the enforce mode.
+
+CSP is now supported by all major browsers.
+
+[More information about CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
+
+## Parameters
+
+- `enforcingMode` (default `false`) - When set to "true", the enforce mode has been enabled, and the provided policy 
+  is going to be enforced.
+- `reportUri` - an uri under, which the violations have to be reported.
+
+## Examples
+
+```xml
+<action  name="someAction" class="com.examples.SomeAction">
+    <interceptor-ref name="defaultStack">
+        <param name="csp.enforcingMode">true</param>
+        <param name="csp.reportUri">/csp-report.action</param>
+    </interceptor-ref>
+    <result name="success">good_result.ftl</result>
+</action>
+```
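Review bot: the Parameters section (lines `+- \`enforcingMode\`` and `+- \`reportUri\``) documents the two switches but never states what policy the interceptor actually emits, so a reader cannot tell which directives are sent, or what the response looks like, when `enforcingMode` is turned on; a line listing the generated `Content-Security-Policy` value (or pointing at where it is defined) is the information a deployer needs before enforcing. Two wording fixes on the same lines: "the enforce mode has been enabled, and the provided policy is going to be enforced" reads better as "enforce mode is enabled and the policy is enforced", and "an uri under, which the violations have to be reported" should be "the URI to which violations are reported". The Description paragraph explains the report-only header, so it is worth saying here that leaving `enforcingMode` at its default of `false` and setting `reportUri` is the way to observe violations before switching to enforce mode. Finally, the example sets `csp.enforcingMode` on `defaultStack`, but nothing on this page says that the `csp` interceptor is part of that stack; either state that it is, or show the `<interceptor-ref name="csp">` form so that the example works for readers whose stack does not include it.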
diff --git a/source/core-developers/interceptors.md b/source/core-developers/interceptors.md
index ad050f667..8d041c12a 100644
--- a/source/core-developers/interceptors.md
+++ b/source/core-developers/interceptors.md
@@ -106,45 +106,46 @@ specified below come specified in [struts-default.xml](struts-default-xml). If y
 package, then you can use the names below. Otherwise, they must be defined in your package with a name-class pair 
 specified in the `<interceptors/>` tag.
 
-|Interceptor|Name|Description|
-|-----------|----|-----------|
-|[Alias Interceptor](alias-interceptor)|alias|Converts similar parameters that may be named differently between requests.|
-|[Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor)|annotationParameterFilter|Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor).|
-|[Annotation Workflow Interceptor](annotation-workflow-interceptor)|annotationWorkflow|Invokes any annotated methods on the action.|
-|[Chaining Interceptor](chaining-interceptor)|chain|Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action).|
-|[Checckbox Interceptor](checkbox-interceptor)|checkbox|Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes.|
-|[COEP Interceptor](coep-interceptor)|coep|Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.|
-|[Conversion Error Interceptor](conversion-error-interceptor)|conversionError|Adds conversion errors from the ActionContext to the Action's field errors|
-|[Cookie Interceptor](cookie-interceptor)|cookie|Inject cookie with a certain configurable name / value into action. (Since 2.0.7.)|
-|[Cookie Provider Interceptor](cookie-provider-interceptor)|cookieProvider|Transfer cookies from action to response (Since 2.3.15.)|
-|[COOP Interceptor](coop-interceptor)|coop|Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks.|
-|[Create Session Interceptor](create-session-interceptor)|createSession|Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor)|
-|[Clear Session Interceptor](clear-session-interceptor)|clearSession|This interceptor clears the HttpSession.|
-|[Debugging Interceptor](debugging-interceptor)|debugging|Provides several different debugging screens to provide insight into the data behind the page.|
-|[Default Workflow Interceptor](default-workflow-interceptor)|workflow|Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view.|
-|[Exception Interceptor](exception-interceptor)|exception|Maps exceptions to a result.|
-|[Execute and Wait Interceptor](execute-and-wait-interceptor)|execAndWait|Executes the Action in the background and then sends the user off to an intermediate waiting page.|
-|[Fetch Metadata Interceptor](fetch-metadata-interceptor)|fetchMetadata|Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks.|
-|[File Upload Interceptor](file-upload-interceptor)|fileUpload|An Interceptor that adds easy access to file upload support.|
-|[I18n Interceptor](i18n-interceptor)|i18n|Remembers the locale selected for a user's session.|
-|[Logging Interceptor](logging-interceptor)|logger|Outputs the name of the Action.|
-|[Message Store Interceptor](message-store-interceptor)|store|Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session.|
-|[Model Driven Interceptor](model-driven-interceptor.htm)|modelDriven|If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack.|
-|[Multiselect Interceptor](multiselect-interceptor)|multiselect|Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter|
-|[NoOp Interceptor](no-op-interceptor)|noop|Does nothing, just passes invocation further, used in empty stack|
-|[Parameter Filter Interceptor](parameter-filter-interceptor)|parameterFilter|Removes parameters from the list of those available to Actions|
-|[Parameters Interceptor](parameters-interceptor)|params|Sets the request parameters onto the Action.|
-|[Parameter Remover Interceptor](parameter-remover-interceptor)|paramRemover|Removes a parameter from parameters map.|
-|[Prepare Interceptor](prepare-interceptor)|prepare|If the Action implements Preparable, calls its prepare method.|
-|[Roles Interceptor](roles-interceptor)|roles|Action will only be executed if the user has the correct JAAS role.|
-|[Scope Interceptor](scope-interceptor)|scope|Simple mechanism for storing Action state in the session or application scope.|
-|[Scoped Model Driven Interceptor](scoped-model-driven-interceptor)|scopedModelDriven|If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel.|
-|[Servlet Config Interceptor](servlet-config-interceptor)|servletConfig|Provide access to Maps representing HttpServletRequest and HttpServletResponse.|
-|[Static Parameters Interceptor](static-parameters-interceptor)|staticParams|Sets the struts.xml defined parameters onto the action. These are the <param> tags that are direct children of the <action> tag.|
-|[Timer Interceptor](timer-interceptor)|timer|Outputs how long the Action takes to execute (including nested Interceptors and View)|
-|[Token Interceptor](token-interceptor)|token|Checks for valid token presence in Action, prevents duplicate form submission.|
-|[Token Session Interceptor](token-session-interceptor)|tokenSession|Same as Token Interceptor, but stores the submitted data in session when handed an invalid token|
-|[Validation Interceptor](validation-interceptor)|validation|Performs validation using the validators defined in _action_ -validation.xml|
+| Interceptor                                                                        | Name                      | Description                                                                                                                                                                                                                                                                                    |
+|------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Alias Interceptor](alias-interceptor)                                             | alias                     | Converts similar parameters that may be named differently between requests.                                                                                                                                                                                                                    |
+| [Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor) | annotationParameterFilter | Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor).                                                                                                                                                                                                      |
+| [Annotation Workflow Interceptor](annotation-workflow-interceptor)                 | annotationWorkflow        | Invokes any annotated methods on the action.                                                                                                                                                                                                                                                   |
+| [Chaining Interceptor](chaining-interceptor)                                       | chain                     | Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action).                                                                                                                                            |
+| [Checckbox Interceptor](checkbox-interceptor)                                      | checkbox                  | Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes. |
+| [COEP Interceptor](coep-interceptor)                                               | coep                      | Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.                                                                                      |
+| [Conversion Error Interceptor](conversion-error-interceptor)                       | conversionError           | Adds conversion errors from the ActionContext to the Action's field errors                                                                                                                                                                                                                     |
+| [Cookie Interceptor](cookie-interceptor)                                           | cookie                    | Inject cookie with a certain configurable name / value into action. (Since 2.0.7.)                                                                                                                                                                                                             |
+| [Cookie Provider Interceptor](cookie-provider-interceptor)                         | cookieProvider            | Transfer cookies from action to response (Since 2.3.15.)                                                                                                                                                                                                                                       |
+| [COOP Interceptor](coop-interceptor)                                               | coop                      | Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks.                                                                                                                                                   |
+| [Create Session Interceptor](create-session-interceptor)                           | createSession             | Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor)                                                                                                                                                  |
+| [Clear Session Interceptor](clear-session-interceptor)                             | clearSession              | This interceptor clears the HttpSession.                                                                                                                                                                                                                                                       |
+| [Content Security Policy Interceptor](csp-interceptor)                             | csp                       | Adds support for Content Security policy.                                                                                                                                                                                                               |
+| [Debugging Interceptor](debugging-interceptor)                                     | debugging                 | Provides several different debugging screens to provide insight into the data behind the page.                                                                                                                                                                                                 |
+| [Default Workflow Interceptor](default-workflow-interceptor)                       | workflow                  | Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view.                                                                                                                                                                                   |
+| [Exception Interceptor](exception-interceptor)                                     | exception                 | Maps exceptions to a result.                                                                                                                                                                                                                                                                   |
+| [Execute and Wait Interceptor](execute-and-wait-interceptor)                       | execAndWait               | Executes the Action in the background and then sends the user off to an intermediate waiting page.                                                                                                                                                                                             |
+| [Fetch Metadata Interceptor](fetch-metadata-interceptor)                           | fetchMetadata             | Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks.                                                                                                                                                        |
+| [File Upload Interceptor](file-upload-interceptor)                                 | fileUpload                | An Interceptor that adds easy access to file upload support.                                                                                                                                                                                                                                   |
+| [I18n Interceptor](i18n-interceptor)                                               | i18n                      | Remembers the locale selected for a user's session.                                                                                                                                                                                                                                            |
+| [Logging Interceptor](logging-interceptor)                                         | logger                    | Outputs the name of the Action.                                                                                                                                                                                                                                                                |
+| [Message Store Interceptor](message-store-interceptor)                             | store                     | Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session.                                                                                                                                                                  |
+| [Model Driven Interceptor](model-driven-interceptor.htm)                           | modelDriven               | If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack.                                                                                                                                                                                                         |
+| [Multiselect Interceptor](multiselect-interceptor)                                 | multiselect               | Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter                                                                                                                                                  |
+| [NoOp Interceptor](no-op-interceptor)                                              | noop                      | Does nothing, just passes invocation further, used in empty stack                                                                                                                                                                                                                              |
+| [Parameter Filter Interceptor](parameter-filter-interceptor)                       | parameterFilter           | Removes parameters from the list of those available to Actions                                                                                                                                                                                                                                 |
+| [Parameters Interceptor](parameters-interceptor)                                   | params                    | Sets the request parameters onto the Action.                                                                                                                                                                                                                                                   |
+| [Parameter Remover Interceptor](parameter-remover-interceptor)                     | paramRemover              | Removes a parameter from parameters map.                                                                                                                                                                                                                                                       |
+| [Prepare Interceptor](prepare-interceptor)                                         | prepare                   | If the Action implements Preparable, calls its prepare method.                                                                                                                                                                                                                                 |
+| [Roles Interceptor](roles-interceptor)                                             | roles                     | Action will only be executed if the user has the correct JAAS role.                                                                                                                                                                                                                            |
+| [Scope Interceptor](scope-interceptor)                                             | scope                     | Simple mechanism for storing Action state in the session or application scope.                                                                                                                                                                                                                 |
+| [Scoped Model Driven Interceptor](scoped-model-driven-interceptor)                 | scopedModelDriven         | If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel.                                                                                                                                            |
+| [Servlet Config Interceptor](servlet-config-interceptor)                           | servletConfig             | Provide access to Maps representing HttpServletRequest and HttpServletResponse.                                                                                                                                                                                                                |
+| [Static Parameters Interceptor](static-parameters-interceptor)                     | staticParams              | Sets the struts.xml defined parameters onto the action. These are the <param> tags that are direct children of the <action> tag.                                                                                                                                                               |
+| [Timer Interceptor](timer-interceptor)                                             | timer                     | Outputs how long the Action takes to execute (including nested Interceptors and View)                                                                                                                                                                                                          |
+| [Token Interceptor](token-interceptor)                                             | token                     | Checks for valid token presence in Action, prevents duplicate form submission.                                                                                                                                                                                                                 |
+| [Token Session Interceptor](token-session-interceptor)                             | tokenSession              | Same as Token Interceptor, but stores the submitted data in session when handed an invalid token                                                                                                                                                                                               |
+| [Validation Interceptor](validation-interceptor)                                   | validation                | Performs validation using the validators defined in _action_ -validation.xml                                                                                                                                                                                                                   |
 
 Since 2.0.7, Interceptors and Results with hyphenated names were converted to camelCase. (The former model-driven is 
 now modelDriven.) The original hyphenated names are retained as "aliases" until Struts 2.1.0. For clarity,
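Review bot: the new row `| [Content Security Policy Interceptor](csp-interceptor) | csp | Adds support for Content Security policy. |` is the only content change in this hunk, yet it is the one row whose description cell is not padded to the column width that the rest of the rewritten table uses, so the alignment the reformat introduces is broken exactly on the line it adds; pad it like the others. Its description is also terser and inconsistently capitalised compared with the sibling COEP and COOP rows ("Implements the Cross-Origin ... on incoming requests used to ..."); suggest "Implements Content Security Policy on incoming requests, in enforce or report-only mode." so the table reads uniformly and mentions the two modes the linked page documents. The rest of the hunk is a whitespace-only realignment of 39 rows, which hides the one-line substantive change in the diff; splitting the realignment into its own commit would make this easier to review. While the rows are being rewritten anyway, the `Checckbox Interceptor` typo carried over on the checkbox row could be fixed in the same pass.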