Question
I have an action which I should protect from CSRF attacks. I have used Struts' tokenSession interceptor to achieve this.
<action name="showBranchSelection" class="action.Request.BranchSelectionAction"
        method="showBranchSelection">
    <interceptor-ref name="tokenSession" />
    <interceptor-ref name="basicStack" />
    <result name="success">
        /jsp/customer/request/branchSelection.jsp
    </result>
</action>
This works great when the action is called directly from a JSP.
<s:form id="frmRequestShowBranchSelection" action="../../showBranchSelection" method="post" theme="simple" onsubmit="return false;">
    <s:token name="tknRequestShowBranchSelection" />
    <s:submit />
</s:form>
But I also have other actions (protected and not protected) which will be chained to this action in some situations.
<!-- not protected action chains to protected one -->
<action name="entranceCustomerLoginAction" class="action.Request.CustomerLoginAction"
        method="entrance">
    <result name="success">/jsp/login/success.jsp</result>
    <result name="showBranchSelection" type="chain">
        showBranchSelection
    </result>
</action>
<!-- protected action chains to another protected one -->
<action name="continueReimTable" class="action.Request.ReimburseTableControllerAction"
        method="continueReimTable">
    <interceptor-ref name="tokenSession" />
    <interceptor-ref name="basicStack" />
    <result name="showBranchSelection" type="chain">
        showBranchSelection
    </result>
    <result name="success" type="chain">
        showBranchPage
    </result>
</action>
What's the proper way to use the token in such chains? I.e. in both cases: when a not protected action chains to a protected action, and when a protected action chains to another protected action.
Source: https://stackoverflow.com/questions/32797459/how-to-use-token-between-action-chains-properly