Nzall Nzall - 12 days ago 13
Java Question

How can I configure HTTP Response Headers in a Struts2 Interceptor?

We currently have a java web application in the middle of migration from Struts 1 to Struts 2. We would like to configure

X-Frame-Options
and
Content-Security-Policy
headers for all our Struts 2 actions. We have a lot of actions and I want to avoid modifying them all separately if at all possible.

the idea I currently have is the following interceptor which would be added to the default stack:

import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

public class HttpHeaderInterceptor implements Interceptor {

private static final long serialVersionUID = 1L;

@Override
public void destroy() {
// TODO Auto-generated method stub
}

@Override
public void init() {
// TODO Auto-generated method stub
}

@Override
public String intercept(ActionInvocation Invocation) throws Exception {
HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return Invocation.invoke();
}
}


I tried the above, and it does not work, it does not set the headers.

What changes do I need to make to fix this interceptor? Is it even possible to change response headers in this way?

Answer

The correct way to get the the response (and the request) inside an Interceptor is through the InvocationContext, instead that through the ServletActionContext:

public String intercept(ActionInvocation Invocation) throws Exception {

    final ActionContext ac = invocation.getInvocationContext();
    HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RE‌​SPONSE);
    //HttpServletResponse response = ServletActionContext.getResponse();

    response.addHeader("X-Frame-Options", "SAMEORIGIN");
    response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
    response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
    return Invocation.invoke();
}
Comments