Restrict HTTP requests to 'POST' only in Struts 1.x

Asked 15/6, 2009 at 14:37 Answered 22/5, 2015 at 18:39

Is there a configurable way in Struts 1.x so my action classses are only executed on HTTP 'POST' only.

I understand I can use request.getMethod() within my action class and then do certain 'stuff' based on that.

Regards, Jonathan

Blowzy answered 15/6, 2009 at 14:37 Comment(3)

What would you want to happen if someone sends a GET? – Proceleusmatic 15/6, 2009 at 14:57

It's only a simply data capture app and if it was GET we would not save the data to the DB. I just wanted to check if there was xml 'configurable' way of doing other than programatically. – Blowzy 15/6, 2009 at 16:3

Finally how did you implement this ? – Illegalize 12/8, 2012 at 2:31

You can use your web.xml to define access permissions. This constraint prevents GET requests:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>struts action servlet</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- no one! -->
    </auth-constraint>
  </security-constraint>

Venitavenite answered 1/11, 2009 at 15:18 Comment(2)

How do you customize what happens if the application receives a GET request in this scenario ? – Illegalize 12/8, 2012 at 2:33

@Illegalize - that would be better asked as a new question explaining what you want to do. – Venitavenite 12/8, 2012 at 7:58

Here's and idea that is both some programmatic and config solution. You can create a custom ActionMapping...

public class YourPOSTRequiredActionMapping extends ActionMapping { }

... and use in your struts config for the mappings that are POST only.

<action path="/your/path" type="YourAction" className="YourPOSTRequiredActionMapping" />

Then, you could extend the struts RequestProcessor and override processMapping

public class YourRequestProcessor extends RequestProcessor {
    protected ActionMapping processMapping(HttpServletRequest request, HttpServletResponse response, String path) throws IOException {
        ActionMapping mapping = super.processMapping(request, response, path);
        if (mapping instanceof YourPOSTRequiredActionMapping) {
            if (!request.getMethod().equals("POST")) {
                mapping = null;
            }
        }
        return mapping;
    }
}

Make sure to configure your struts config to use YourRequestProcessor.

<controller processorClass="YourRequestProcessor" nocache="true" contentType="text/html; charset=UTF-8" locale="false" />

I based this on some old working code, but I haven't even compiled the sample code above.

Scenarist answered 15/6, 2009 at 16:44 Comment(0)

One way of doing this without changing your application is to write a servlet Filter which rejects non-POST requests. You can then plug this filter into your web.xml file and configure its url-patterns to match your Struts controllers' paths.

Proceleusmatic answered 15/6, 2009 at 19:7 Comment(0)

McDowell answer is far from acceptable unless you do have some specific requirements. You should get a 503 HTTP error that you can catch to show meaningfull info to users or just leave it to actual errors management from your current web config.

Gorlin answered 22/5, 2015 at 18:39 Comment(0)

Recommended topics

Hot tags