Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
java - Deny direct access to JSP files in Struts2 with Naming Convention plugin

I've been struggling with this issue as I'm new to Struts2 development, and just started using this naming Convention Plugin recently.

I'm trying to create a simple webapp which at first will only consist of two pages:

  1. Login page (login.jsp)
  2. Home page (home.jsp)

First a login page is shown to the user, and if the correct username and password are provided, they log in and get redirected to the home page.

I've successfully managed to create my small webapp, writing a custom login interceptor, and everything's OK and working as expected. I'm able to redirect the user to the login page if he/she tries to call the HomeAction (which results in home.jsp if previously logged in) directly, like http://myserver/homeAction.

Problem comes when I try to access JSPs directly like this:

http://myserver/home

As I'm using this Convention plugin, Struts fetches my home.jsp and displays it. This is not the behaviour I expected, as home.jsp should be shown only as a loginAction successful result.

Things I tried to solve this issue

Well, as far as I googled, putting my JSPs inside the /WEB-INF/ directory should prevent them from being accessed, but it doesn't, even though all my JSPs are in /WEB-INF/content/.

Another thing I tried was blocking access to any JSP resource (blocking *.jsp requests). This does the trick when you try to access myserver/home.jsp, but fails (as expected) when accessing myserver/home.

EDIT: There's another question in stackoverflow about this issue but I can't understand the answer: Struts 2 Convention Plugin and JSP files under WEB-INF

INFORMATION UPDATE: I've found that the Struts2 Convention plugin uses something called "actionless results", so you can access the JSPs inside your WEB-INF/content directory by invoking the JSP without its extension, and it will treat it as a dummy action which returns that JSP on success. This is an example to illustrate what I'm trying to explain:

If I have home.jsp in my WEB-INF/content directory and call http://myserver/home, Struts2 will "trigger" an action whose result is going to be home.jsp. The solution to the problem is then going to be disabling these "actionless" results.

I'll keep updating the question as I head towards the solution if nobody provides an answer.


1 Answer


Here is how to disable this feature.

Create a dummy bean:

package com.struts.handler;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.UnknownHandler;
import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.entities.ActionConfig;

/**
 * A no-op UnknownHandler. Registering it in the unknown-handler-stack replaces
 * the Convention plugin's handler, so a URL with no configured action (such as
 * /home) is no longer resolved to /WEB-INF/content/home.jsp.
 *
 * Created by Roman C on 22.03.2015.
 */
public class MyUnknownHandler implements UnknownHandler {

  /** Returning null means "no such action": Struts reports that no action is mapped (HTTP 404) instead of serving a JSP. */
  @Override
  public ActionConfig handleUnknownAction(String namespace, String actionName) throws XWorkException {
    return null;
  }

  /** No result is derived from the result code by convention; results must be declared explicitly. */
  @Override
  public Result handleUnknownResult(ActionContext actionContext, String actionName, ActionConfig actionConfig, String resultCode) throws XWorkException {
    return null;
  }

  /** Unknown action methods are not resolved either. */
  @Override
  public Object handleUnknownActionMethod(Object action, String methodName) throws NoSuchMethodException {
    return null;
  }
}

Then configure it in the struts.xml:

  <bean type="com.opensymphony.xwork2.UnknownHandler" name="handler" class="com.struts.handler.MyUnknownHandler"/>
  <unknown-handler-stack>
    <unknown-handler-ref name="handler"/>
  </unknown-handler-stack>

Explained here:

The Convention plugin, along with the configuration it creates as mentioned above, also registers an unknown handler which handles URLs for which no configuration exists (i.e. not created by the convention). This is the source of the problem.

Now, providing your own handler will disable the Convention plugin's one. Thus it will no longer handle results by convention.
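After deploying the no-op handler above, the practical check is to probe the deployed app as an unauthenticated client and confirm that the home page can no longer be reached by name. The script below is an added example, not part of the original question or answer; BASE, the paths (/home, /home.jsp, /WEB-INF/content/home.jsp, /homeAction) and MARKER are assumptions about the asker's layout, and MARKER is a constructed placeholder that should be replaced with text unique to the real home.jsp.

```shell
#!/bin/sh
# verify_jsp_access.sh -- added example, not from the original post or answer.
# Probes every way the home page could be named and fails unless all are denied.
# Assumptions: app root BASE, page home.jsp, action homeAction, and MARKER is a
# string that only a rendered home.jsp contains.
BASE="${BASE:-http://myserver}"
MARKER="${MARKER:-Welcome home}"   # constructed placeholder; use text unique to your home.jsp

# fetch URL: prints the response body followed by the HTTP status on a final line.
# Redirects are not followed, so a login redirect shows up as 302/303.
fetch() {
  curl -s -w '\n%{http_code}' "$1" 2>/dev/null || printf '\n000\n'
}

# verdict STATUS BODY MARKER: classify one response.
#   DENIED - 403/404, a redirect, or a 200 that does not contain MARKER
#            (e.g. the login page rendered instead of home.jsp)
#   LEAKED - a 200 whose body contains MARKER: the JSP was served
#   ERROR  - connection failure (000) or a server-side error
verdict() {
  status="$1"; body="$2"; marker="$3"
  case "$status" in
    403|404|301|302|303|307) echo DENIED ;;
    200)
      case "$body" in
        *"$marker"*) echo LEAKED ;;
        *)           echo DENIED ;;
      esac ;;
    *) echo ERROR ;;
  esac
}

# check_all: probe each path; return non-zero if any response is not DENIED.
check_all() {
  rc=0
  for path in /home /home.jsp /WEB-INF/content/home.jsp /homeAction; do
    resp=$(fetch "$BASE$path")
    status=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d' | tr -d '\n')
    v=$(verdict "$status" "$body" "$MARKER")
    printf '%-28s %s  %s\n' "$path" "$status" "$v"
    [ "$v" = DENIED ] || rc=1
  done
  return $rc
}

# Only touch the network when asked, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--run" ]; then
  command -v curl >/dev/null 2>&1 || { echo "curl is required" >&2; exit 2; }
  check_all
fi
```

Run it as `BASE=http://myserver MARKER='your unique text' sh verify_jsp_access.sh --run`. Before the fix, /home reports LEAKED because the Convention plugin serves home.jsp as an actionless result; after the fix it should report DENIED (a 404), while /home.jsp and the direct WEB-INF path stay denied by the container, and /homeAction is denied by the login interceptor's redirect. An ERROR verdict means the probe did not get a usable answer and is worth investigating rather than treating as a pass.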

