批量分配：不安全的 Binder 配置——如何在 Jersey 框架中使用 Spring Framework 的 @InitBinder

时间:2018-05-14 16:28:07

标签: java spring security filter jersey-2.0

我想在基于 Jersey 框架编写的应用程序中避免"批量分配：不安全的 Binder 配置"问题。想知道是否有其他方式可以使用 Spring 的 @InitBinder，使得对该服务的每个请求只允许设置白名单中的属性，并将其他所有属性置为 null。

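@Controller
@Path("/ar")
@Api(tags = { "Request" })
public class RequestService extends AbstractService {

    /** Class logger; private so the category name is not part of the class's API. */
    private static final Logger logger = Logger.getLogger("RequestServiceLogger");

    /**
     * Restricts Spring data binding for this controller to an explicit allow-list of
     * properties.
     *
     * <p>NOTE(review): {@code @InitBinder} is a Spring MVC callback; Spring's handler adapter
     * runs it before binding request parameters into a handler argument. {@code submitRequest}
     * below is a JAX-RS resource method whose JSON body is unmarshalled by the JAX-RS provider,
     * so this hook is presumably never invoked on that path -- confirm by checking whether the
     * log line below appears on a request. If it does not, the allow-list has to be enforced
     * where the JSON is actually deserialized: a request DTO that exposes only the permitted
     * properties, or an explicit copy of the permitted fields into the domain object.
     *
     * @param binder the binder Spring supplies for the current request
     */
    @InitBinder
    public void customizeBinding(WebDataBinder binder) {
        logger.info("Inside init binder ============== ");
        // Only the allow-listed AccountRequest properties may be bound from the request;
        // anything else is dropped by the binder. `allowedFields` is not declared in this
        // class -- presumably inherited from AbstractService; verify it is populated, because
        // Spring treats an empty allow-list as "no restriction".
        binder.setAllowedFields(allowedFields);
    }

    /**
     * Validates an account request posted as JSON.
     *
     * <p>The {@code accountRequest} argument is produced by the JAX-RS JSON provider, not by
     * the Spring {@link WebDataBinder}, so the allow-list configured in
     * {@link #customizeBinding} does not apply to it (see the note there).
     *
     * @param accountRequest the deserialized request payload
     * @param request the underlying servlet request (headers, remote address)
     * @return a 200 response; until validation is implemented the stub returns an empty OK
     * @throws Exception propagated from the validation logic once it is added
     */
    @Path("/submitrequest")
    @POST
    @Consumes({ "application/json" })
    @Produces({ "application/json" })
    @ApiOperation(value = "Validates a request", notes = "Validates a request", response = RequestResponse.class)
    @ApiImplicitParams({ @io.swagger.annotations.ApiImplicitParam(name = "Auth", value = "value", required = true, dataType = "string", paramType = "header") })
    @ApiResponses({
        @io.swagger.annotations.ApiResponse(code = 200, message = "OK", responseHeaders = { @io.swagger.annotations.ResponseHeader(name = "X-ResponseTime", description = "Total Time Taken", response = String.class) }, response = RequestResponse.class),
        @io.swagger.annotations.ApiResponse(code = 400, message = "Bad Request", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 401, message = "Unauthorized", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 403, message = "Forbidden", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 404, message = "Not Found", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 405, message = "Method Not Allowed", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 415, message = "Unsupported Media Type", response = com.model.ErrorDetail.class),
        // Same error model as the other error codes; the original referenced com.ErrorDetail,
        // which is inconsistent with every other entry above.
        @io.swagger.annotations.ApiResponse(code = 500, message = "Internal Server error", response = com.model.ErrorDetail.class) })
    public Response submitRequest(@ApiParam(value = "AccountRequest JSON input data.", required = true) AccountRequest accountRequest,
            @Context HttpServletRequest request) throws Exception {
        logger.info("Inside submitRequest ============== ");
        // TODO: validate accountRequest and return a RequestResponse; a method declared to
        // return Response must return on every path, which the original stub did not.
        return Response.ok().build();
    }
}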

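@Controller
@Path("/ar")
@Api(tags = { "Request" })
public class RequestService extends AbstractService {

    /** Class logger; private so the category name is not part of the class's API. */
    private static final Logger logger = Logger.getLogger("RequestServiceLogger");

    /**
     * Restricts Spring data binding for this controller to an explicit allow-list of
     * properties.
     *
     * <p>NOTE(review): {@code @InitBinder} is a Spring MVC callback; Spring's handler adapter
     * runs it before binding request parameters into a handler argument. {@code submitRequest}
     * below is a JAX-RS resource method whose JSON body is unmarshalled by the JAX-RS provider,
     * so this hook is presumably never invoked on that path -- confirm by checking whether the
     * log line below appears on a request. If it does not, the allow-list has to be enforced
     * where the JSON is actually deserialized: a request DTO that exposes only the permitted
     * properties, or an explicit copy of the permitted fields into the domain object.
     *
     * @param binder the binder Spring supplies for the current request
     */
    @InitBinder
    public void customizeBinding(WebDataBinder binder) {
        logger.info("Inside init binder ============== ");
        // Only the allow-listed AccountRequest properties may be bound from the request;
        // anything else is dropped by the binder. `allowedFields` is not declared in this
        // class -- presumably inherited from AbstractService; verify it is populated, because
        // Spring treats an empty allow-list as "no restriction".
        binder.setAllowedFields(allowedFields);
    }

    /**
     * Validates an account request posted as JSON.
     *
     * <p>The {@code accountRequest} argument is produced by the JAX-RS JSON provider, not by
     * the Spring {@link WebDataBinder}, so the allow-list configured in
     * {@link #customizeBinding} does not apply to it (see the note there).
     *
     * @param accountRequest the deserialized request payload
     * @param request the underlying servlet request (headers, remote address)
     * @return a 200 response; until validation is implemented the stub returns an empty OK
     * @throws Exception propagated from the validation logic once it is added
     */
    @Path("/submitrequest")
    @POST
    @Consumes({ "application/json" })
    @Produces({ "application/json" })
    @ApiOperation(value = "Validates a request", notes = "Validates a request", response = RequestResponse.class)
    @ApiImplicitParams({ @io.swagger.annotations.ApiImplicitParam(name = "Auth", value = "value", required = true, dataType = "string", paramType = "header") })
    @ApiResponses({
        @io.swagger.annotations.ApiResponse(code = 200, message = "OK", responseHeaders = { @io.swagger.annotations.ResponseHeader(name = "X-ResponseTime", description = "Total Time Taken", response = String.class) }, response = RequestResponse.class),
        @io.swagger.annotations.ApiResponse(code = 400, message = "Bad Request", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 401, message = "Unauthorized", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 403, message = "Forbidden", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 404, message = "Not Found", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 405, message = "Method Not Allowed", response = com.model.ErrorDetail.class),
        @io.swagger.annotations.ApiResponse(code = 415, message = "Unsupported Media Type", response = com.model.ErrorDetail.class),
        // Same error model as the other error codes; the original referenced com.ErrorDetail,
        // which is inconsistent with every other entry above.
        @io.swagger.annotations.ApiResponse(code = 500, message = "Internal Server error", response = com.model.ErrorDetail.class) })
    public Response submitRequest(@ApiParam(value = "AccountRequest JSON input data.", required = true) AccountRequest accountRequest,
            @Context HttpServletRequest request) throws Exception {
        logger.info("Inside submitRequest ============== ");
        // TODO: validate accountRequest and return a RequestResponse; a method declared to
        // return Response must return on every path, which the original stub did not.
        return Response.ok().build();
    }
}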

**如果有其他替代方法来过滤请求对象的属性，请告诉我们。**
