Is there a way to pass a list to RESTFul web service method in Jersey? Something like #PathParam("list") List list?
Hope that this will help you
Java code
import java.util.List;
#Path("/customers")
public class CustomerResource {
#GET
#Produces("application/xml")
public String getCustomers(
#QueryParam("start") int start,
#QueryParam("size") int size,
#QueryParam("orderBy") List<String> orderBy) {
// ...
}
}
Passing value from javascript using AJAX
Ajax call url : /customers?orderBy=name&orderBy=address&orderBy=...
I found out that the best way to send a list via POST from the client to a REST service is by using the #FormParam.
If you add a parameter twice or more times to the form, it will result into a list on the server's side.
Using the #FormParammeans on client side you generate a com.sun.jersey.api.representation.Form and add some form parameters like shown below. Then you add the filled form to the post like that: service.path(..) ... .post(X.class, form) (see example code).
Example-code for the client side:
public String testMethodForList() {
Form form = new Form();
form.add("list", "first String");
form.add("list", "second String");
form.add("list", "third String");
return service
.path("bestellung")
.path("add")
.type(MediaType.APPLICATION_FORM_URLENCODED)
.accept(MediaType.TEXT_XML)
.post(String.class, form);
}
Example-Code for server side:
#POST
#Path("/test")
#Produces(MediaType.TEXT_XML)
#Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public String testMethodForList(
#FormParam("list") List<String> list {
return "The list has " + list.size() + " entries: "
+ list.get(0) + ", " + list.get(1) + ", " + list.get(2) +".";
}
The return String will be:
The list has 3 entries: first String, second String, third String.
Note:
The MediaTypes of #Consumes on server side and .type() on client
side have to be identical as well as #Produces and .accept().
You can NOT send objects other than String, Integer etc. via
#FormParam. In case of an object you'll have to convert it to XML
or JSON String and re-convert it on the server side. For how to convert see here.
You can also pass a List to the form like form.add(someList), but this will result in a String containing the list's entries on server side. It will look like: [first String, second String, third String]. You'd have to split the String on server side at "," and cut off the square brackets for extracting the single entiries from it.
If I'm understanding what you're trying to do, you could serialize the List object and pass it as a string.
Related
I have a Spring Boot app I'm writing that uses Angular for the front end.
One REST API accepts an array of strings as input:
#RequestMapping(value = "/import", method = RequestMethod.POST)
#CrossOrigin
public void importComicFiles(#RequestParam("filenames") String[] filenames)
{
for (String filename : filenames) { ... }
}
When the front end sends an array of string values using the following:
importFiles(filenames: string[]): Observable<Response> {
const formData: FormData = new FormData();
for (let index = 0; index < filenames.length; index++) {
formData.append('filenames', filenames[index]);
}
return this.http.post(`${this.apiUrl}/files/import`, formData);
}
then the Java code receives each string as a separate element in the array. Even if those strings have spaces in them.
HOWEVER, when the importFiles method is called with a single string then the Java code behaves as if the value received is an array spit on a single space at the end of the string. An example input string is:
/Users/mcpierce/Google Drive/comics/DC/2018-01-17/Superman Vol.2016 #39 (March, 2018).cbz
Java treats this string as if it were two strings:
/Users/mcpierce/Google Drive/comics/DC/2018-01-17/Superman Vol.2016 #39 (March,
and
2018).cbz
If I change the Java code to just treat the filenames parameter as a string (rather than as a List or a String[]) then I get the whole string. If it's more than one then each is separated by a common (,).
Any ideas?
I would say Spring is operating just fine. But the way we use the request params is wrong. Spring delimits the request parameters and injects as array.
GET http://example.com?filenames=1,2,3,4
Above can be injected into #RequestParam("filenames[]") String[] filenames with each one entry in array.
In your case it would be treated as different entries coz of the comma. Try posting it as request body object instead as a request param and use to get the array?
You can try by adding the [] to the parameter value as well.
#RequestParam("filenames[]") String[] filenames
I have a Rest Service that I want to respond to requests with the following paths
1) /v1/config/type/service
2) /v1/config/type/service, service2
What I'd like is to be able to store the path param serviceName as a List where each element is delimited by a comma. For example, if someone types v1/config/foo/bar1,bar2,bar3 I'd like serviceName to be a List with 3 elements (bar1, bar2, bar3). Right now it just returns a list with 1 element that contains all three service strings. Is that even possible? Or is that something I'll simply have to parse. The code I have is shown below, it's pretty rough as I'm in the beginning stages of the project:
#ApplicationPath("/")
#Path("/v1/config")
public class ServiceRetriever extends Application {
#GET
#Produces(MediaType.TEXT_PLAIN)
public String getHelloWorld() {
return "Hello World";
}
#GET
#Path("{type}/{serviceName}")
#Produces("application/zip")
public Response getServices(#PathParam("type") String type, #PathParam("serviceName")List<String> serviceNames,
#QueryParam("with_config") boolean withConfig, #QueryParam("with_drive") boolean withDriver) throws IOException
{
//some random file i made to test that we can return a zip
File file = new File(System.getProperty("user.home")+"/dummy.zip");
System.out.println(serviceNames.size()); //returns 1
//we can change the zip file name to be whatever
return Response.ok(file).header("Content-Type","application/zip").
header("Content-Disposition", "attachment; filename="+file.getName()).build();
}
The problems is that you have to alter the deserialization process of that variable. Typically only query parameters are lists so this might not be compatible with some libraries.
You could:
Capture the parameter as a string and parse it internally via helper method (obvious)
Create your own annotation like #PathParamMutli and return Arrays.asList(parameter.split(","));. Ideally you should have access to the framework source code and branching privileges.
Use a query parameter instead
I am trying to receive a list of String as comma separated value in the REST URI ( sample :
http://localhost:8080/com.vogella.jersey.first/rest/todo/test/1/abc,test
, where abc and test are the comma separated values passed in).
Currently I am getting this value as string and then splitting it to get the individual values.
Current code :
#Path("/todo")
public class TodoResource {
// This method is called if XMLis request
#GET
#Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
#Path("/test/{id: .*}/{name: .*}")
public Todo getXML(#PathParam("id") String id,
#PathParam("name") String name) {
Todo todo = new Todo();
todo.setSummary("This is my first todo, id received is : " + id
+ "name is : " + Arrays.asList(name.split("\\s*,\\s*")));
todo.setDescription("This is my first todo");
TodoTest todoTest = new TodoTest();
todoTest.setDescription("abc");
todoTest.setSummary("xyz");
todo.setTodoTest(todoTest);
return todo;
}
}
Is there any better method to achieve the same?
I am not sure what you are trying to achieve with your service, however, it may be better to use query parameters to get multiple values for a single parameter. Consider the below URL.
http://localhost:8080/rest/todos?name=name1&name=name2&name=name3
And here is the code snippet for the REST service.
#GET
#Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
#Path("/todos")
public Response get(#QueryParam("name") List<String> names) {
// do whatever you need to do with the names
return Response.ok().build();
}
If you don't know how many comma separated values you will get, then the split you do is as far as I've been able to find the best way to do it. If you know you will always have 3 values as comma separated, then you can get those 3 directly. (for instance if you have lat,long or x,y,z then you could get it with 3 pathvariables. (see one of the stackoverflow links posted below)
there are a number of things you can do with matrix variables but those require ; and key/value pairs which is not what you're using.
Things I found (apart from the matrix stuff)
How to pass comma separated parameters in a url for the get method of rest service
How can I map semicolon-separated PathParams in Jersey?
I'm trying to make sure my Jersey request parameters are sanitized.
When processing a Jersey GET request, do I need to filter non String types?
For example, if the parameter submitted is an integer are both option 1 (getIntData) and option 2 (getStringData) hacker safe? What about a JSON PUT request, is my ESAPI implementation enough, or do I need to validate each data parameter after it is mapped? Could it be validated before it is mapped?
Jersey Rest Example Class:
public class RestExample {
//Option 1 Submit data as an Integer
//Jersey throws an internal server error if the type is not Integer
//Is that a valid way to validate the data?
//Integer Data, not filtered
#Path("/data/int/{data}/")
#GET
#Produces(MediaType.TEXT_HTML)
public Response getIntData(#PathParam("data") Integer data){
return Response.ok("You entered:" + data).build();
}
//Option 2 Submit data as a String, then validate it and cast it to an Integer
//String Data, filtered
#Path("/data/string/{data}/")
#GET
#Produces(MediaType.TEXT_HTML)
public Response getStringData(#PathParam("data") String data) {
data = ESAPI.encoder().canonicalize(data);
if (ESAPI.validator().isValidInteger("data", data, 0, 999999, false))
{
int intData = Integer.parseInt(data);
return Response.ok("You entered:" + intData).build();
}
return Response.status(404).entity("404 Not Found").build();
}
//JSON data, HTML encoded
#Path("/post/{requestid}")
#POST
#Consumes({MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON})
#Produces(MediaType.TEXT_HTML)
public Response postData(String json) {
json = ESAPI.encoder().canonicalize(json);
json = ESAPI.encoder().encodeForHTML(json);
//Is there a way to iterate through each JSON KeyValue and filter here?
ObjectMapper mapper = new ObjectMapper();
DataMap dm = new DataMap();
try {
dm = mapper.readValue(json, DataMap.class);
} catch (Exception e) {
e.printStackTrace();
}
//Do we need to validate each DataMap object value and is there a dynamic way to do it?
if (ESAPI.validator().isValidInput("strData", dm.strData, "HTTPParameterValue", 25, false, true))
{
//Is Integer validation needed or will the thrown exception be good enough?
return Response.ok("You entered:" + dm.strData + " and " + dm.intData).build();
}
return Response.status(404).entity("404 Not Found").build();
}
}
Data Map Class:
public class DataMap {
public DataMap(){}
String strData;
Integer intData;
}
The short answer is yes, though by "filter" I interpret it as "validate," because no amount of "filtering" will EVER provide you with SAFE data. You can still run into integer overflows in Java, and while those may not have immediate security concerns, they could still put parts of your application in an unplanned for state, and hacking is all about perturbing the system in ways you can control.
You packed waaaaay too many questions into one "question," but here we go:
First off, the lines
json = ESAPI.encoder().canonicalize(json);
json = ESAPI.encoder().encodeForHTML(json);
Aren't doing what you think they're doing. If your JSON is coming in as a raw String right here, these two calls are going to be applying mass rules across the entire string, when you really need to handle these with more surgical precision, which you seem to at least be subconsciously aware of in the next question.
//Is there a way to iterate through each JSON KeyValue and filter
here?
Partial duplicate of this question.
While you're in the loop discussed here, you can perform any data transformations you want, but what you should really be considering is using the JSONObject class referenced in that first link. Then you'll have JSON parsed into an object where you'll have better access to JSON key/value pairs.
//Do we need to validate each DataMap object value and is there a
dynamic way to do it?
Yes, we validate everything that comes from a user. All users are assumed to be trained hackers, and smarter than you. However if you handled filtering before you do your data mapping transformation, you don't need to do it a second time. Doing it dynamically?
Something like:
JSONObject json = new JSONObject(s);
Iterator iterator = json.keys();
while( iterator.hasNext() ){
String data = iterator.next();
//filter and or business logic
}
^^That syntax is skipping typechecks but it should get you where you need to go.
/Is Integer validation needed or will the thrown exception be good
enough?
I don't see where you're throwing an exception with these lines of code:
if (ESAPI.validator().isValidInput("strData", dm.strData, "HTTPParameterValue", 25, false, true))
{
//Is Integer validation needed or will the thrown exception be good enough?
return Response.ok("You entered:" + dm.strData + " and " + dm.intData).build();
}
Firstly, in java we have autoboxing which means this:
int foo = 555555;
String bar = "";
//the code
foo + bar;
Will be cast to a string in any instance. The compiler will promote the int to an Integer and then silently call the Integer.toString() method. Also, in your Response.ok( String ); call, THIS is where you're going to want to encodeForHTML or whatever the output context may be. Encoding methods are ALWAYS For outputting data to user, whereas canonicalize you want to call when receiving data. Finally, in this segment of code we also have an error where you're assuming that you're dealing with an HTTPParameter. NOT at this point in the code. You'll validate http Parameters in instances where you're calling request.getParameter("id"): where id isn't a large blob of data like an entire JSON response or an entire XML response. At this point you should be validating for things like "SafeString"
Usually there are parsing libraries in Java that can at least get you to the level of Java objects, but on the validation side you're always going to be running through every item and punting whatever might be malicious.
As a final note, while coding, keep these principles in mind your code will be cleaner and your thought process much more focused:
user input is NEVER safe. (Yes, even if you've run it through an XSS filter.)
Use validate and canonicalize methods whenever RECEIVING data, and encode methods whenever transferring data to a different context, where context is defined as "Html field. Http attribute. Javascript input, etc...)
Instead of using the method isValidInput() I'd suggest using getValidInput() because it will call canonicalize for you, making you have to provide one less call.
Encode ANY time your data is going to be passed to another dynamic language, like SQL, groovy, Perl, or javascript.
I am trying to write a Spring REST Controller getting an array of strings as input parameter of a HTTP GET request.
The problem arises when in the GET request, in some of the strings of the array, I use special characters like commas ,, blank spaces or forward slash /, no matter if I URL encode the query part of the URL HTTP GET request.
That means that the string "1/4 cup ricotta, yogurt" (edit which needs to be considered as a unique ingredient contained as a string element of the input array) in either this format:
http://127.0.0.1:8080/[...]/parseThis?[...]&ingredients=1/4 cup ricotta, yogurt
This format (please note the blank spaces encoded as + plus, rather than the hex code):
http://127.0.0.1:8080/[...]/parseThis?[...]&ingredients=1%2F4+cup+ricotta%2C+yogurt
Or this format (please note the blank space encoded as hex code %20):
http://127.0.0.1:8080/[...]/parseThis?[...]&ingredients=1%2F4%20cup%20ricotta%2C%20yogurt
is not rendered properly.
The system does not recognize the input string as one single element of the array.
In the 2nd and 3rd case the system splits the input string on the comma and returns an array of 2 elements rather than 1 element. I am expecting 1 element here.
The relevant code for the controller is:
#RequestMapping(
value = "/parseThis",
params = {
"language",
"ingredients"
}, method = RequestMethod.GET, headers = HttpHeaders.ACCEPT + "=" + MediaType.APPLICATION_JSON_VALUE)
#ResponseBody
public HttpEntity<CustomOutputObject> parseThis(
#RequestParam String language,
#RequestParam String[] ingredients){
try {
CustomOutputObject responseFullData = parsingService.parseThis(ingredients, language);
return new ResponseEntity<>(responseFullData, HttpStatus.OK);
} catch (Exception e) {
// TODO
}
}
I need to perform HTTP GET request against this Spring controller, that's a requirement (so no HTTP POST can be used here).
Edit 1:
If I add HttpServletRequest request to the signature of the method in the controller, then I add a log statement like log.debug("The query string is: '" + request.getQueryString() + "'"); then I am seeing in the log a line like The query string is: '&language=en&ingredients=1%2F4+cup+ricotta%2C+yogurt' (So still URL encoded).
Edit 2:
On the other hand if I add WebRequest request to the signature of the method, the the log as log.debug("The query string is: '" + request.getParameter("ingredients") + "'"); then I am getting a string in the log as The query string is: '1/4 cup ricotta, yogurt' (So URL decoded).
I am using Apache Tomcat as a server.
Is there any filter or something I need to add/review to the Spring/webapp configuration files?
Edit 3:
The main problem is in the interpretation of a comma:
#ResponseBody
#RequestMapping(value="test", method=RequestMethod.GET)
public String renderTest(#RequestParam("test") String[] test) {
return test.length + ": " + Arrays.toString(test);
// /app/test?test=foo,bar => 2: [foo, bar]
// /app/test?test=foo,bar&test=baz => 2: [foo,bar, baz]
}
Can this behavior be prevented?
The path of a request parameter to your method argument goes through parameter value extraction and then parameter value conversion. Now what happens is:
Extraction:
The parameter is extracted as a single String value. This is probably to allow simple attributes to be passed as simple string values for later value conversion.
Conversion:
Spring uses ConversionService for the value conversion. In its default setup StringToArrayConverter is used, which unfortunately handles the string as comma delimited list.
What to do:
You are pretty much screwed with the way Spring handles single valued request parameters. So I would do the binding manually:
// Method annotations
public HttpEntity<CustomOutputObject> handlerMethod(WebRequest request) {
String[] ingredients = request.getParameterValues("ingredients");
// Do other stuff
}
You can also check what Spring guys have to say about this.. and the related SO question.
Well, you could register a custom conversion service (from this SO answer), but that seems like a lot of work. :) If it were me, I would ignore the declaration the #RequestParam in the method signature and parse the value using the incoming request object.
May I suggest you try the following format:
ingredients=egg&ingredients=milk&ingredients=butter
Appending &ingredients to the end will handle the case where the array only has a single value.
ingredients=egg&ingredients=milk&ingredients=butter&ingredients
ingredients=milk,skimmed&ingredients
The extra entry would need to be removed from the array, using a List<String> would make this easier.
Alternatively if you are trying to implement a REST controller to pipe straight into a database with spring-data-jpa, you should take a look at spring-data-rest. Here is an example.
You basically annotate your repository with #RepositoryRestResource and spring does the rest :)
A solution from here
public String get(WebRequest req) {
String[] ingredients = req.getParameterValues("ingredients");
for(String ingredient:ingredients ) {
System.out.println(ingredient);
}
...
}
This works for the case when you have a single ingredient containing commas