fix: harden struts auth responses

2026-04-01 10:33:02 +08:00
parent 589f33dc92
commit fb18c4d99a
6 changed files with 26 additions and 12 deletions
--- a/web/WEB-INF/classes/com/demo/action/LoginAction.java
+++ b/web/WEB-INF/classes/com/demo/action/LoginAction.java
@@ -39,7 +39,7 @@ public class LoginAction extends ActionSupport implements SessionAware {
            return SUCCESS;
        }
-        addActionError("演示账号不正确，请使用 admin / 123456。 / Invalid demo credentials. Use admin / 123456.");
+        addActionError("演示账号或密码不正确，请使用 admin / 123456。/ Invalid demo credentials. Use admin / 123456.");
        return INPUT;
    }
--- a/web/WEB-INF/classes/com/demo/action/ValidationAction.java
+++ b/web/WEB-INF/classes/com/demo/action/ValidationAction.java
@@ -31,13 +31,13 @@ public class ValidationAction extends ActionSupport {
    @Override
    public void validate() {
        if (username == null || username.trim().length() < 3 || username.trim().length() > 20) {
-            addFieldError("username", "用户名长度需在 3 到 20 之间。 / Username must be between 3 and 20 characters.");
+            addFieldError("username", "用户名长度需在 3 到 20 个字符之间。/ Username must be between 3 and 20 characters.");
        }
        if (email == null || !email.contains("@") || email.indexOf('@') == email.length() - 1) {
            addFieldError("email", "请输入有效邮箱。/ Enter a valid email address.");
        }
        if (age == null || age < 18 || age > 60) {
-            addFieldError("age", "年龄需在 18 到 60 之间。 / Age must be between 18 and 60.");
+            addFieldError("age", "年龄需在 18 到 60 岁之间。/ Age must be between 18 and 60.");
        }
        if (bio != null && bio.trim().length() > 240) {
            addFieldError("bio", "简介不能超过 240 个字符。/ Bio must stay under 240 characters.");
--- a/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
+++ b/web/WEB-INF/classes/com/demo/action/interceptor/AuthInterceptor.java
@@ -3,7 +3,9 @@ package com.demo.action.interceptor;
 import com.demo.action.LoginAction;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
 import org.apache.struts2.ServletActionContext;
 import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
 public class AuthInterceptor extends AbstractInterceptor {
@@ -14,6 +16,18 @@ public class AuthInterceptor extends AbstractInterceptor {
        if (session != null && session.get(LoginAction.SESSION_USER) != null) {
            return invocation.invoke();
        }
        String namespace = invocation.getProxy().getNamespace();
        if (namespace != null && namespace.startsWith("/api")) {
            HttpServletResponse response = ServletActionContext.getResponse();
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write("{\"success\":false,\"code\":401,\"message\":\"请先登录后再访问 API / Please log in before calling this API.\"}");
            response.getWriter().flush();
            return null;
        }
        return "login";
    }
 }
--- a/web/WEB-INF/classes/struts.xml
+++ b/web/WEB-INF/classes/struts.xml
@@ -5,7 +5,7 @@
 <struts>
    <constant name="struts.devMode" value="false"/>
-    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
+    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
    <constant name="struts.i18n.encoding" value="UTF-8"/>
    <constant name="struts.action.extension" value="action"/>