From fb18c4d99a1862cde5facef118bce73380a54ec3 Mon Sep 17 00:00:00 2001
From: Codex
Date: Wed, 1 Apr 2026 10:33:02 +0800
Subject: [PATCH] fix: harden struts auth responses
---
 .../classes/com/demo/action/FileUploadAction.java | 2 +-
 .../classes/com/demo/action/LoginAction.java | 6 +++---
 .../classes/com/demo/action/UserAction.java | 6 +++---
 .../classes/com/demo/action/ValidationAction.java | 8 ++++----
 .../demo/action/interceptor/AuthInterceptor.java | 14 ++++++++++++++
 web/WEB-INF/classes/struts.xml | 2 +-
 6 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/web/WEB-INF/classes/com/demo/action/FileUploadAction.java b/web/WEB-INF/classes/com/demo/action/FileUploadAction.java
index 0876f60..4502f38 100644
--- a/web/WEB-INF/classes/com/demo/action/FileUploadAction.java
+++ b/web/WEB-INF/classes/com/demo/action/FileUploadAction.java
@@ -27,7 +27,7 @@ public class FileUploadAction extends ActionSupport {
 }
 if (fileCount == 0) {
- addActionError("请至少选择一个文件再提交。 / Select at least one file before submitting the demo.");
+ addActionError("请至少选择一个文件再提交。/ Select at least one file before submitting the demo.");
 return INPUT;
 }
diff --git a/web/WEB-INF/classes/com/demo/action/LoginAction.java b/web/WEB-INF/classes/com/demo/action/LoginAction.java
index 75a003a..fd82332 100644
--- a/web/WEB-INF/classes/com/demo/action/LoginAction.java
+++ b/web/WEB-INF/classes/com/demo/action/LoginAction.java
@@ -39,7 +39,7 @@ public class LoginAction extends ActionSupport implements SessionAware {
 return SUCCESS;
 }
- addActionError("演示账号不正确,请使用 admin / 123456。 / Invalid demo credentials. Use admin / 123456.");
+ addActionError("演示账号或密码不正确,请使用 admin / 123456。/ Invalid demo credentials. Use admin / 123456.");
 return INPUT;
 }
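Review bot: The reworded failure message in the LoginAction hunk still discloses the valid credential pair (`Use admin / 123456`) to whoever just submitted a wrong one, so the authentication-failure response itself hands out the value it is guarding and the "harden" in the subject does not reach it. Even for a demo, keep that hint on the login page or in the README and let the error say only that the username or password is wrong, e.g. `addActionError("演示账号或密码不正确。/ Invalid username or password.");`. The generic "account or password" wording the hunk introduces is the right shape, since it does not tell a caller which half was wrong. The enclosing `execute` method starts above the hunk.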
@@ -49,10 +49,10 @@ public class LoginAction extends ActionSupport implements SessionAware {
 return;
 }
 if (username == null || username.length() < 3) {
- addFieldError("username", "用户名至少 3 个字符。 / Username must be at least 3 characters.");
+ addFieldError("username", "用户名至少 3 个字符。/ Username must be at least 3 characters.");
 }
 if (password == null || password.length() < 6) {
- addFieldError("password", "密码至少 6 个字符。 / Password must be at least 6 characters.");
+ addFieldError("password", "密码至少 6 个字符。/ Password must be at least 6 characters.");
 }
 }
diff --git a/web/WEB-INF/classes/com/demo/action/UserAction.java b/web/WEB-INF/classes/com/demo/action/UserAction.java
index ae9d7a6..76acffd 100644
--- a/web/WEB-INF/classes/com/demo/action/UserAction.java
+++ b/web/WEB-INF/classes/com/demo/action/UserAction.java
@@ -34,15 +34,15 @@ public class UserAction extends ActionSupport {
 private boolean isValid() {
 boolean valid = true;
 if (username == null || username.length() < 3) {
- addFieldError("username", "用户名至少 3 个字符。 / Username must be at least 3 characters.");
+ addFieldError("username", "用户名至少 3 个字符。/ Username must be at least 3 characters.");
 valid = false;
 }
 if (email == null || !email.contains("@")) {
- addFieldError("email", "请输入有效邮箱。 / Enter a valid email address.");
+ addFieldError("email", "请输入有效邮箱。/ Enter a valid email address.");
 valid = false;
 }
 if (phone == null || phone.replaceAll("[^0-9]", "").length() < 7) {
- addFieldError("phone", "手机号至少 7 位数字。 / Enter at least 7 digits for the phone number.");
+ addFieldError("phone", "手机号至少 7 位数字。/ Enter at least 7 digits for the phone number.");
 valid = false;
 }
 return valid;
diff --git a/web/WEB-INF/classes/com/demo/action/ValidationAction.java b/web/WEB-INF/classes/com/demo/action/ValidationAction.java
index 661a7af..55acfae 100644
--- a/web/WEB-INF/classes/com/demo/action/ValidationAction.java
+++ b/web/WEB-INF/classes/com/demo/action/ValidationAction.java
@@ -31,16 +31,16 @@ public class ValidationAction extends ActionSupport {
 @Override
 public void validate() {
 if (username == null || username.trim().length() < 3 || username.trim().length() > 20) {
- addFieldError("username", "用户名长度需在 3 到 20 之间。 / Username must be between 3 and 20 characters.");
+ addFieldError("username", "用户名长度需在 3 到 20 个字符之间。/ Username must be between 3 and 20 characters.");
 }
 if (email == null || !email.contains("@") || email.indexOf('@') == email.length() - 1) {
- addFieldError("email", "请输入有效邮箱。 / Enter a valid email address.");
+ addFieldError("email", "请输入有效邮箱。/ Enter a valid email address.");
 }
 if (age == null || age < 18 || age > 60) {
- addFieldError("age", "年龄需在 18 到 60 之间。 / Age must be between 18 and 60.");
+ addFieldError("age", "年龄需在 18 到 60 岁之间。/ Age must be between 18 and 60.");
 }
 if (bio != null && bio.trim().length() > 240) {
- addFieldError("bio", "简介不能超过 240 个字符。 / Bio must stay under 240 characters.");
+ addFieldError("bio", "简介不能超过 240 个字符。/ Bio must stay under 240 characters.");
 }
 }
diff --git a/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java b/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
index f8cec8a..8adc135 100644
--- a/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
+++ b/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
@@ -3,7 +3,9 @@ package com.demo.action.interceptor;
 import com.demo.action.LoginAction;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
+import org.apache.struts2.ServletActionContext;
+import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
 public class AuthInterceptor extends AbstractInterceptor {
@@ -14,6 +16,18 @@ public class AuthInterceptor extends AbstractInterceptor {
 if (session != null && session.get(LoginAction.SESSION_USER) != null) {
 return invocation.invoke();
 }
+
+ String namespace = invocation.getProxy().getNamespace();
+ if (namespace != null && namespace.startsWith("/api")) {
+ HttpServletResponse response = ServletActionContext.getResponse();
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setCharacterEncoding("UTF-8");
+ response.setContentType("application/json;charset=UTF-8");
+ response.getWriter().write("{\"success\":false,\"code\":401,\"message\":\"请先登录后再访问 API / Please log in before calling this API.\"}");
+ response.getWriter().flush();
+ return null;
+ }
+
 return "login";
 }
 }
diff --git a/web/WEB-INF/classes/struts.xml b/web/WEB-INF/classes/struts.xml
index 0d96f21..ef4b91e 100644
--- a/web/WEB-INF/classes/struts.xml
+++ b/web/WEB-INF/classes/struts.xml
@@ -5,7 +5,7 @@
-
+
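Review bot: `namespace.startsWith("/api")` on the new `if` in AuthInterceptor is a bare prefix test, so any namespace that merely begins with those letters (`/apidocs`, `/api-v2`, for example) would also be routed into the JSON 401 branch instead of the `login` result; make it an exact-segment check, `if (namespace != null && ("/api".equals(namespace) || namespace.startsWith("/api/"))) {`. Because the branch writes the body itself and returns `null` so no Struts result runs, it is also the only place the denial's headers are set; adding `response.setHeader("Cache-Control", "no-store");` before the write keeps the unauthenticated reply out of any intermediary cache (whether one sits in front of this app is not visible here). The enclosing `intercept` method begins above the hunk.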