com.atlassian.xwork.interceptors
Class RestrictHttpMethodInterceptor

java.lang.Object
  extended by com.atlassian.xwork.interceptors.RestrictHttpMethodInterceptor
All Implemented Interfaces:
com.opensymphony.xwork.interceptor.Interceptor, Serializable

public abstract class RestrictHttpMethodInterceptor
extends Object
implements com.opensymphony.xwork.interceptor.Interceptor

Interceptor used to restrict which HTTP methods are allowed to access which Action methods. Best used as a first line of defence against XSRF attacks.

What HTTP methods are permitted may be configured either by adding the PermittedMethods annotation to the method that will be invoked on the action class, enumerating the methods that will be accepted, or by adding a configuration parameter to the action definition in xwork.xml. If both are provided, the xwork.xml configuration will be used, and any annotation-based configuration will be ignored. An example of the parameter configuration:

<action name="blah" class="com.example.MyAction">
    <param name="permittedMethods">GET, POST, PUT</param>
    <result name="success" type="redirect">/index.html</result>
</action>

Note that method names are case sensitive and must be written in upper case; each must correspond to one of the values of the HttpMethod enum.

Implementations should extend this class to configure a SecurityLevel. See the Javadoc of the relevant class for what effect different security levels have on the operation of the interceptor.

If the method execution is rejected, the interceptor returns an "invalidmethod" result. It is up to the implementor to do something useful with that information.
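The following is an added example, not Atlassian's own code, showing the three pieces the text above describes: a concrete subclass supplying the SecurityLevel, an action whose state-changing method only accepts POST via the PermittedMethods annotation, and the "invalidmethod" result being handled. It assumes that the PermittedMethods annotation and the HttpMethod enum live in the com.atlassian.xwork package and that the annotation's value is an HttpMethod array (neither is stated on this page); the system property name, the action class and the service call are hypothetical.

```java
// --- file: com/example/security/ConfigurableRestrictHttpMethodInterceptor.java ---
package com.example.security;

import com.atlassian.xwork.interceptors.RestrictHttpMethodInterceptor;

/**
 * Concrete interceptor. RestrictHttpMethodInterceptor is abstract, and the only hook
 * this page documents is getSecurityLevel(), so that is all the subclass overrides.
 * init() and destroy() are final in the base class, so the level is resolved in the
 * constructor: a misconfiguration then fails at deployment time, not per request.
 */
public class ConfigurableRestrictHttpMethodInterceptor extends RestrictHttpMethodInterceptor {

    /** Hypothetical system property naming a SecurityLevel constant, e.g. "DEFAULT". */
    static final String LEVEL_PROPERTY = "com.example.xwork.restrictHttpMethod.level";

    private final SecurityLevel level;

    public ConfigurableRestrictHttpMethodInterceptor() {
        this.level = parseLevel(System.getProperty(LEVEL_PROPERTY));
    }

    @Override
    protected SecurityLevel getSecurityLevel() {
        return level;
    }

    /** Resolves a configured name to a SecurityLevel; absent means the base class's DEFAULT. */
    static SecurityLevel parseLevel(String name) {
        if (name == null || name.trim().isEmpty()) {
            return SecurityLevel.DEFAULT;
        }
        try {
            return SecurityLevel.valueOf(name.trim().toUpperCase());
        } catch (IllegalArgumentException unknownLevel) {
            // A typo must not silently select some other level: refuse to start instead.
            throw new IllegalStateException(
                    "Unknown SecurityLevel '" + name + "' in " + LEVEL_PROPERTY, unknownLevel);
        }
    }
}

// --- file: com/example/comments/DeleteCommentAction.java ---
package com.example.comments;

import com.atlassian.xwork.HttpMethod;        // assumed package (not given on this page)
import com.atlassian.xwork.PermittedMethods;  // assumed package (not given on this page)
import com.opensymphony.xwork.ActionSupport;

public class DeleteCommentAction extends ActionSupport {

    private long commentId;  // bound from the request by xwork's params interceptor

    public void setCommentId(long commentId) {
        this.commentId = commentId;
    }

    /**
     * State-changing method: only POST is accepted. A cross-site GET (for example a
     * lured <img src="..."> pointing at this action) is stopped by the interceptor
     * before this method runs, and the invocation yields the "invalidmethod" result.
     */
    @PermittedMethods({HttpMethod.POST})
    public String execute() throws Exception {
        // commentService.delete(commentId);  // hypothetical service call
        return SUCCESS;
    }

    /** Read-only confirmation page: nothing changes, so GET is fine here. */
    @PermittedMethods({HttpMethod.GET})
    public String doConfirm() {
        return "confirm";
    }
}
```

To wire this up in xwork.xml, register the subclass as an interceptor, place it early in the action's interceptor stack (it should run before anything that mutates state), map the confirmation page with `method="doConfirm"` on a separate action, and give the "invalidmethod" result a destination, for example `<result name="invalidmethod" type="dispatcher">/error/invalid-method.jsp</result>` (per action or as a global result). Remember that a `permittedMethods` parameter on the action definition overrides the annotations entirely, so a stray `GET, POST` parameter on the delete action would quietly reopen the GET path the annotation closed.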

Since:
1.6
See Also:
Serialized Form

Nested Class Summary
static class RestrictHttpMethodInterceptor.SecurityLevel

Field Summary
static String INVALID_METHOD_RESULT
static String PERMITTED_METHODS_PARAM_NAME

Constructor Summary
RestrictHttpMethodInterceptor()

Method Summary
void destroy()
protected RestrictHttpMethodInterceptor.SecurityLevel getSecurityLevel()
          Get the currently configured security level for the interceptor.
void init()
String intercept(com.opensymphony.xwork.ActionInvocation invocation)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

INVALID_METHOD_RESULT

public static final String INVALID_METHOD_RESULT
See Also:
Constant Field Values

PERMITTED_METHODS_PARAM_NAME

public static final String PERMITTED_METHODS_PARAM_NAME
See Also:
Constant Field Values

Constructor Detail

RestrictHttpMethodInterceptor

public RestrictHttpMethodInterceptor()

Method Detail

intercept

public final String intercept(com.opensymphony.xwork.ActionInvocation invocation)
                       throws Exception
Specified by:
intercept in interface com.opensymphony.xwork.interceptor.Interceptor
Throws:
Exception

destroy

public final void destroy()
Specified by:
destroy in interface com.opensymphony.xwork.interceptor.Interceptor

init

public final void init()
Specified by:
init in interface com.opensymphony.xwork.interceptor.Interceptor

getSecurityLevel

protected RestrictHttpMethodInterceptor.SecurityLevel getSecurityLevel()
Get the currently configured security level for the interceptor. The default implementation will always return SecurityLevel.DEFAULT. Implementors should override this method if they want to provide a mechanism for configuring security levels.

Returns:
the currently configured security level for this interceptor


Copyright © 2011 Atlassian Pty Ltd. All Rights Reserved.