
Sanitizing response JSON from Spring MVC Controller using JSON Sanitizer?

I want to intercept the JSON sent back from a Spring MVC Rest Controller and run it through a sanitizer that ensures it's valid and HTML escapes any dodgy characters. (Possibly the OWASP JSON Sanitizer)

We use the Jackson HTTP Message converter to convert the @ResponseBody to JSON; as far as I can see, once I return the object as a @ResponseBody I lose control of it.

Is there a sensible way to intercept the JSON as a String to run sanitization code on it?

I'm currently investigating three avenues:

  1. Writing a Filter and ResponseWrapper which sanitizes the JSON before it's sent back to the client.
  2. Extending the JSON Mapper somehow to provide sanitized JSON.
  3. Writing a Handler Interceptor and using it to modify the response.

I'm not sure if either of these will work or if there is a more sensible third option.

I know this answer may be too late, but I needed to do the same thing, so I added a serializer to the JSON mapper.

The web configuration:

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import com.fasterxml.jackson.databind.ObjectMapper;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void configureMessageConverters(
            List<HttpMessageConverter<?>> converters) {
        // Overriding this method replaces Spring's default converters: the list
        // arrives empty, so only the converter added here is registered.
        converters.add(jsonConverter());
    }

    @Bean
    public HttpMessageConverter<Object> jsonConverter() {
        // Every String value written by this ObjectMapper goes through
        // SanitizedStringSerializer; other types use Jackson's defaults.
        ObjectMapper objectMapper = Jackson2ObjectMapperBuilder
                .json()
                .serializerByType(String.class, new SanitizedStringSerializer())
                .build();
        return new MappingJackson2HttpMessageConverter(objectMapper);
    }
}

And the string serializer:

import java.io.IOException;
import org.apache.commons.lang3.StringEscapeUtils;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.std.NonTypedScalarSerializerBase;

public class SanitizedStringSerializer extends NonTypedScalarSerializerBase<String> {

    public SanitizedStringSerializer() {
        super(String.class);
    }

    @Override
    public void serialize(String value, JsonGenerator jgen, SerializerProvider provider)
            throws IOException {
        // HTML-escape the value, then let Jackson apply JSON string escaping.
        // writeString (rather than writeRawValue) keeps the output valid JSON when
        // the value contains backslashes, quotes or control characters such as newlines.
        jgen.writeString(StringEscapeUtils.escapeHtml4(value));
    }
}
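A stand-alone Jackson version of the serializer approach from the answer above, added here as an example (it is not the answer's own code and needs no Spring). It registers the HTML-escaping serializer through a SimpleModule, uses writeString so backslashes and control characters stay valid JSON, and parses the output back to confirm it is well-formed. It assumes jackson-databind and commons-lang3 on the classpath; the class and method names and the sample payload are my own.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.lang3.StringEscapeUtils;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;

public class SanitizedJsonDemo {

    /** HTML-escapes every String value, then lets Jackson JSON-escape the result. */
    public static class HtmlEscapingStringSerializer extends StdSerializer<String> {
        public HtmlEscapingStringSerializer() {
            super(String.class);
        }

        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider provider)
                throws IOException {
            // writeString performs JSON escaping of quotes, backslashes and control
            // characters; writeRawValue would skip that and could emit invalid JSON.
            gen.writeString(StringEscapeUtils.escapeHtml4(value));
        }
    }

    /** Builds an ObjectMapper whose String values are HTML-escaped on output. */
    public static ObjectMapper sanitizingMapper() {
        SimpleModule module = new SimpleModule("html-escaping-strings");
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        return new ObjectMapper().registerModule(module);
    }

    /** Serializes any object with the sanitizing mapper. */
    public static String toJson(Object value) throws IOException {
        return sanitizingMapper().writeValueAsString(value);
    }

    /** Parses the produced JSON again; throws if the serializer broke the syntax. */
    public static JsonNode parseBack(String json) throws IOException {
        return new ObjectMapper().readTree(json);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload: a markup-bearing comment, a value with a
        // backslash and a newline, and a non-string field that must stay untouched.
        Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("comment", "<script>alert(1)</script>");
        payload.put("path", "C:\\temp\nnext line");
        payload.put("count", 3);

        String json = toJson(payload);
        System.out.println(json);

        JsonNode tree = parseBack(json);
        System.out.println("comment field: " + tree.get("comment").asText());
        System.out.println("count field:   " + tree.get("count").asInt());
    }
}
```

Two things worth knowing before relying on this in a service: the serializer only covers String values, so map keys (which Jackson writes through a key serializer) pass through unchanged; and HTML-escaping at the JSON layer changes the data (`&` becomes `&amp;`) for every consumer, including clients that set `textContent` or parse the JSON outside a browser. If the goal is only to stop `</script>` breakouts when JSON is inlined into HTML, Jackson's `CharacterEscapes` (set on the `JsonFactory`) can emit `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026`, which is still the same string after JSON parsing.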
