I have an action that I need to protect against CSRF. I use Struts' tokenSession interceptor for this.
<action name="showBranchSelection" class="action.Request.BranchSelectionAction"
        method="showBranchSelection">
    <interceptor-ref name="tokenSession" />
    <interceptor-ref name="basicStack" />
    <result name="success">
        /jsp/customer/request/branchSelection.jsp
    </result>
</action>
This action can be called directly from a JSP.
<s:form id="frmRequestShowBranchSelection" action="../../showBranchSelection" method="post" theme="simple" onsubmit="return false;">
    <s:token name="tknRequestShowBranchSelection" />
    <s:submit />
</s:form>
But I also have other actions (protected and unprotected) which in some cases chain to this action.
<!-- not protected action chains to protected one -->
<action name="entranceCustomerLoginAction" class="action.Request.CustomerLoginAction"
        method="entrance">
    <result name="success">/jsp/login/success.jsp</result>
    <result name="showBranchSelection" type="chain">
        showBranchSelection
    </result>
</action>

<!-- protected action chains to another protected one -->
<action name="continueReimTable" class="action.Request.ReimburseTableControllerAction"
        method="continueReimTable">
    <interceptor-ref name="tokenSession" />
    <interceptor-ref name="basicStack" />
    <result name="showBranchSelection" type="chain">
        showBranchSelection
    </result>
    <result name="success" type="chain">
        showBranchPage
    </result>
</action>
What is the correct way to use the token in such chains?! That is, in both cases: when an unprotected action chains to a protected one, and when a protected action chains to another protected one.
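The two chaining cases in the question come down to how a one-time synchronizer token behaves when several actions run inside the same request. The following Python model is an added example, not code from the question or from Struts: it models the general pattern (issue a random token into the session, consume it on first valid use) rather than Struts' own interceptor implementation. The action names mirror the question's configuration; the `token_validated` request flag and the `honor_prior_validation` switch are assumptions introduced to show the difference between re-checking the token at every chained step and checking it once per request.

```python
import secrets


class SessionTokenStore:
    """One-time synchronizer-token store backed by a per-session dict (constructed model)."""

    def __init__(self, session):
        self.session = session

    def issue(self, token_name="token"):
        # The token is rendered into the form and kept in the session for comparison.
        token = secrets.token_hex(16)
        self.session[token_name] = token
        return token

    def validate(self, token_name, submitted):
        # Pop, not get: a token is consumed on first use, so replay and re-validation fail.
        expected = self.session.pop(token_name, None)
        return expected is not None and secrets.compare_digest(expected, submitted)


class ChainedRequest:
    """One HTTP request whose parameters are shared by every action in the chain."""

    def __init__(self, params, session):
        self.params = params
        self.session = session
        self.token_validated = False  # assumed request-scoped flag, set once the token passed
        self.log = []


def protected_action(name, request, honor_prior_validation=False, token_name="token"):
    """An action guarded by a token check, like the question's tokenSession-protected actions."""
    if honor_prior_validation and request.token_validated:
        request.log.append(f"{name}: token already validated earlier in this request")
        return "success"
    store = SessionTokenStore(request.session)
    if store.validate(token_name, request.params.get(token_name, "")):
        request.token_validated = True
        request.log.append(f"{name}: token valid")
        return "success"
    request.log.append(f"{name}: invalid token")
    return "invalid.token"


def unprotected_action(name, request):
    """An action with no token check, like entranceCustomerLoginAction."""
    request.log.append(f"{name}: no token check")
    return "success"


def run_chain(request, actions):
    """Run chained actions in order and stop at the first result that is not success."""
    result = "success"
    for action in actions:
        result = action(request)
        if result != "success":
            break
    return result


def new_session_with_token():
    session = {}
    token = SessionTokenStore(session).issue()
    return session, token


def unprotected_then_protected(with_token):
    """Case 1: entranceCustomerLoginAction chains to showBranchSelection."""
    session, token = new_session_with_token()
    params = {"token": token} if with_token else {}
    req = ChainedRequest(params, session)
    return run_chain(req, [
        lambda r: unprotected_action("entranceCustomerLoginAction", r),
        lambda r: protected_action("showBranchSelection", r),
    ])


def protected_then_protected(honor_prior_validation):
    """Case 2: continueReimTable chains to showBranchSelection, both token-protected."""
    session, token = new_session_with_token()
    req = ChainedRequest({"token": token}, session)
    return run_chain(req, [
        lambda r: protected_action("continueReimTable", r, honor_prior_validation),
        lambda r: protected_action("showBranchSelection", r, honor_prior_validation),
    ])


def replayed_token():
    """The same token submitted in two separate requests: only the first may succeed."""
    session, token = new_session_with_token()
    first = run_chain(ChainedRequest({"token": token}, session),
                      [lambda r: protected_action("showBranchSelection", r)])
    second = run_chain(ChainedRequest({"token": token}, session),
                       [lambda r: protected_action("showBranchSelection", r)])
    return first, second
```

In the model, an unprotected entry action adds nothing: the token is still checked exactly once, at the protected step, and a request without a valid token is rejected there. A protected-to-protected chain that re-validates at every step fails, because the first check consumed the token; the chain only passes when the second step honors the validation already done in the same request. Whatever the framework's own mechanism is, that is the property to confirm: one check per request, and no second request may reuse the token.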