fix: harden struts auth responses

2026-04-01 10:33:02 +08:00
parent 589f33dc92
commit fb18c4d99a
6 changed files with 26 additions and 12 deletions
--- a/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
+++ b/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
@@ -3,7 +3,9 @@ package com.demo.action.interceptor;
 import com.demo.action.LoginAction;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
+import org.apache.struts2.ServletActionContext;

+import javax.servlet.http.HttpServletResponse;
 import java.util.Map;

 public class AuthInterceptor extends AbstractInterceptor {
@@ -14,6 +16,18 @@ public class AuthInterceptor extends AbstractInterceptor {
        if (session != null && session.get(LoginAction.SESSION_USER) != null) {
            return invocation.invoke();
        }
+
+        String namespace = invocation.getProxy().getNamespace();
+        if (namespace != null && namespace.startsWith("/api")) {
+            HttpServletResponse response = ServletActionContext.getResponse();
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            response.setCharacterEncoding("UTF-8");
+            response.setContentType("application/json;charset=UTF-8");
+            response.getWriter().write("{\"success\":false,\"code\":401,\"message\":\"请先登录后再访问 API / Please log in before calling this API.\"}");
+            response.getWriter().flush();
+            return null;
+        }
+
        return "login";
    }
 }