I'm working thorough a gateway, which allows only GET requests, whilst REST endpoints behind it are able to accept the wide range of methods (POST, PUT, DELETE, OPTIONS). Therefore, I'm trying to pass the request method as a parameter, having a filter, which forwards the request with a correct method. From what I can see in the specification, it's only allowed to forward the request w/o any modifications:
request.getRequestDispatcher(route).forward(request, response)
Are there any workarounds?
NOTE: Redirect is not an option for me.
If you have a single Rest servlet that handles the restful services (and this is usually the case), you can extend it and override the service method. There you can invoke doPost(..), doPut(..), etc. depending on the parameter you want. The default implementation of HttpServlet uses request.getMethod().
Another thing you can do (less preferable) is to have your Filter fire a new request to the endpoint, using URL.openConnection (or apache commons http components), and stream the result of that internal request back to the client. There you can specify the request method.
Anyway, I think you should try to overcome the limitation of your gateway, because it puts you in a really awkward situation.
Related
I'm working on a web application using React on the frontend and Java on the backend. From the frontend, I call different resources from the backend, where I have various classes providing #GET methods.
For every method, I'm always using the same check to determine if the user is authorized based on their session ID. That's a very repetitive way to accomplish this. This is especially true when creating a new #GET method, as I have to always remember to add this isUserAuthorized check.
My first thought was using an abstract class for the resources to centralize some of the code, but here I'd still have to add the check to each method.
Is there a way I can implement the authorization check for all HTTP requests, without needing to repeat this code?
I have a use case where some context needs to be transferred from the UI to the backend and backend needs to decide and send the response based on that context.
This can be achieved by sending the context through request body and at the server side, by parsing the request body, the representation can be sent in the response body.
My doubt is which http method is suitable for this?
GET: If we use GET, we can send the request body but it is advised that the body should not have any semantics related to the request.
See this: http-get-with-request-body
So I am left with POST or PUT but these corresponds to updating or creating a resource and using them might be little misleading.
So my question is what is the appropriate HTTP method that could be used in this scenario which is acceptable in the RESTful design standpoint.
Appreciate the response.
I am thinking to use POST or PUT as there are no restrictions on consuming the request body on the server side.
EDIT:
I think POST would serve my purpose.
The rfc HTTP RFC 7231 says that POST can be used for:
Providing a block of data, such as the fields entered into an HTML form, to a data-handling process
So the data handling process for me is the backend server and HTML Form is equivalent to any UI element.
So I can make use POST method to send the data to backend and send the existing resource representation as response body with http-status code being 200
Please bear in mind that GET must be used for data retrieval only, without side effects. That is, GET is both safe and idempotent (see more details here).
If the operation is meant to be idempotent, go for PUT:
4.3.4. PUT
The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload. A successful PUT of a given representation would suggest that a subsequent GET on that same target resource will result in an equivalent representation being sent in a 200 (OK) response. [...]
Otherwise, go for POST, which is a catch all verb:
4.3.3. POST
The POST method requests that the target resource process the representation enclosed in the request according to the resource's own specific semantics. [...]
I would go for POST because in REST, PUT is used to create a new resource like user.
There is a PATCH post method, that is for changing things maybe thats what you are looking for
So my question is what is the appropriate HTTP method that could be used in this scenario which is acceptable in the RESTful design standpoint.
The world wide web is about as RESTful an example as you are going to find, and HTML forms only support GET (which should not have a request body) and POST. So POST must be fine (and it is).
More generally, POST can be used for anything; the other methods should be used when they are a better semantic fit. For example, you can use POST to make a resource unavailable, but DELETE is more explicit, and generic components can do sensible things because they recognize the semantics. PUT is a better choice than POST when what you are intending is to provide the server with a new representation of a resource, and so on.
I am not able to understand why the payload of the HTTP GET is forbidden
Payload of the HTTP GET is forbidden because the standard says "don't do that".
I believe it is written that way to simplify the rules for caching the response. As written, cache implementations only have to worry about header data (including information on the start-line).
But it could be as simple as the fact that the older versions of the standard didn't require that generic components do anything specific with the message-body of a GET request, and therefore modern specifications say "don't do that" in order to maintain backward compatibility. (One of the important constraints in designing long-lived systems is that you don't break older implementations.)
I've seen several GWT code excerpts where the developer extended DefaultRequestTransport and gave it custom functionality. One such example is in this SO question regarding authentication/login filters. But I have seen several others besides this one example.
My question: when & why does someone need to extend this class and override its methods? (In other words, what does this class do, what services do its methods perform, and why would I need to customize them?)
In that one example, the createRequestCallback method was overridden. According to the Javadocs on that method, it's purpose is to:
Create a RequestCallback that maps the HTTP response onto the TransportReceiver interface.
This is still sort of a cryptic explanation to me. Could someone please give me a layman's explanation for what scenarios it would be beneficial to extend this class and override 1+ of its methods?
RequestFactory does not depend on a specific "transport" mechanism; it deals with JSON representations of requests and responses but the way they're exchanged and transferred is out of scope, and deferred to a RequestTransport.
The DefaultRequestTransport uses a RequestBuilder to a given (but configurable) URL; because it uses RequestBuilder, it can only be used in a GWT client (to be compiled to JavaScript). There's also the UrlRequestTransport which uses a java.net.HttpURLConnection and can be used on any client running in a JVM (a server making a call to another server, an Android application, a desktop Java application, etc.)
In theory (because I never tried it and never heard someone else tried it), you could make a RequestTransport that uses Comet or WebSockets, or whichever transport you'd like. Of course, the server side would have to be adapted too (SimpleRequestProcessor can easily reused outside the RequestFactoryServlet; this is a similar separation of concerns)
Back to DefaultRequestTransport: it uses RequestBuilder and provides a few hooks that you can override to customize how it works. The most common use-case is to intercept all requests to add some request header (e.g. credentials) and/or all responses to handle specific HTTP responses before decoding the JSON-encoded RequestFactory response (e.g. intercept "unauthorized" response to ask the user to sign in).
DefaultRequestTransport works as an adapter between the RequestFactory API and the RequestBuilder one, and createRequestCallback is one half of it responsible for adapting the response.
In the example shown they need to extend DefaultRequestTransport in order to inspect all RF server responses and catch 401 status (SC_UNAUTHORIZED) which means that the request was rejected in the server side because the user has not a valid session, and then redirect the user to the application login page.
I've used DefaultRequestTransport as well for changing the requestUrl (the default is set to gwtRequest), so as I can set filters based on the url pattern: for instance authenticated RF services go to /myapp/gwtRequest or non-authenticated RF services go to /myapp/anonymousRequest etc.
I also have a customized RequestTransport using modified versions of RequestBuilder and XMLHttpRequest able to monitor onprogress events, very helpful for large requests.
You could extend it to send customized headers used for doing CORS authentication or whatever.
In summary RequestTransport is the way to modify the client transport layer of RF.
I want to create a Jersey call that allows a user to specify a list of URIs to the server as part of a JSON payload, and have the server call each of them and return the results as one big payload (similar to this scheme employed by Neo4j).
I have figured out a way to get the resource/method that Jersey would call in response to a URI (answered in this question). But what's a good way to actually call the method, inject its parameters/resource members, and get the return value? Would it be necessary to actually get the object and assemble the parameters manually for each call, or is there some way to hook into Jersey's internals to do it automagically? It's probably impractical to figure out ways to resolve the parameters manually for each possible call.
What object can be used to intercept all requests to a web application before they reach the JSP or Servlet? I think the answer might be a filter, but I'm not sure if there is a more specific answer.
The filter is the way to go. You can map a filter much like a servlet so that it can cover the entire web site, or just portions.
Edit for comment -
Yes, that's pretty much what you need to do. Filters are the first part of the request chain. Well, after dispatch by the container, but the first part you as a developer have access to.
Filters can be chained, and each one can pre-empt the request chain (thus never hitting any later Filters or Servlets (JSPs are Servlets), they can proceed down the request chain, and they can usurp the results of the request chain (that is they can change or reject the output from components farther down. You can consider it an implementation of the Decorator pattern.
Some typical filters include security filters (checking whether the request has access to the desired resource), compression filters, request modification filters (the functionality of Apaches mod_rewrite has been implemented as a Filter, for example). Filters can completely replace the actual request and response object (many do so by wrapping the existing ones), so they really do have complete control over the request chain, and eventual Servlet or static resource has no idea the Filter is there.
Filters are a wonderful aspect of the Servlet stack.
The filter is the best way to route all the request to the jsp/servlet ,
Usage:
1. To check whether user has valid session.
2. Add a attribute to the request.
3. Compress the outputstream incase of file download.
4. anlayse request, i.e. frequently visited page for buisness analyst.
Yes Filter is the Right answer . Just wanted to add in a MVC design pattern similiar thing can be done with a controller servlet. Which first takes all the requests before moving somewhere else.