Safe template engine (allow user to edit) in Spring MVC? - spring

I am wondering if there is a way to disable method invocations in Thymeleaf. We would like to give our users the ability to edit the templates in our application. We plan to use Thymeleaf, but we do not want users to be able to call methods or access static fields or methods.
I found an old post, "Disabling static context and method invocation in Thymeleaf". It was not possible in 2018; I am wondering if that is still the case in 2022.
If this cannot be disabled in Thymeleaf, then are there any safe template engines available in Spring?
Thanks

Related

Spring boot 2 - Template system recommendation needed for commerce site

We are planning to design a commerce site, using Spring boot as back end.
We would like our customers to be able to customize the front end template provided or create their own front templates.
Spring Boot by default supports many template engines; however, it seems there is no way for an end customer to use them safely. For example, they could call static methods if they know the class and method names.
It seems the correct way (without inventing a new safe template system) is to use a front-end template system. The idea is that we provide a set of RESTful APIs, and the template consumes the data and renders the UI.
Are there any existing front-end template systems / page builders we can use? Ideally, the template supports drag-and-drop editing, as the customers are not developers.
Thanks!

How use freemarker with inline template

Can I use Spring Boot with FreeMarker but create my template at runtime, loaded from a DB? I only find samples using the return value of a controller.
At least if you don't need Spring MVC (spring-web) functionality, you can just use the FreeMarker API directly. You will need a freemarker.template.Configuration singleton bean (maybe the one that Spring creates for Spring MVC is sufficient, but creating your own is perhaps cleaner), and then you can use new Template(null, someString, cfg).process(dataModel, outputWriter). If performance is a concern, you might want to cache the resulting Template objects, of course.
Also note that if you provide such a TemplateLoader implementation, FreeMarker can load templates directly from the database (in which case you would use Configuration.getTemplate(templateName) to get the Template object). That has the advantage that the templates in the database can then be #import-ed/#include-ed, and also that FreeMarker will cache the Template objects for you. And of course, in case you need this for Spring MVC, you could just do things as usual in Spring MVC; you don't need "inline templates".
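The following is an added example, not code from the answer above or from the FreeMarker project. It ties the two threads on this page together: templates loaded at runtime by name (here a StringTemplateLoader stands in for a database-backed TemplateLoader) plus the inline new Template(null, source, cfg) variant, on a Configuration hardened for user-editable templates as the first question asks for. The hardening uses two real FreeMarker settings: the ?new built-in is the template-side way to instantiate arbitrary classes, and ALLOWS_NOTHING_RESOLVER disables it; the ?api built-in exposes the raw Java API of wrapped objects and is switched off. Class name UserTemplateRenderer, template names and the model contents are assumptions; the hostile template in main() is a constructed input that the hardened configuration rejects.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class UserTemplateRenderer {

    private final Configuration cfg;
    // Stand-in for a TemplateLoader that reads rows from the template table.
    private final StringTemplateLoader loader = new StringTemplateLoader();

    public UserTemplateRenderer() {
        cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        cfg.setTemplateLoader(loader);
        // Users edit these templates, so block the two built-ins that reach arbitrary Java:
        // "some.Class"?new() instantiates any class on the classpath ...
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ... and value?api exposes the wrapped object's full Java API.
        cfg.setAPIBuiltinEnabled(false);
    }

    /** Simulates saving a template row; a real loader would query the DB in getTemplate(). */
    public void store(String name, String source) {
        loader.putTemplate(name, source);
    }

    /** Named templates: resolved through the loader, cached by the Configuration, #include-able. */
    public String render(String name, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    /** Inline variant from the answer: parsed on every call, nothing cached, no #include by name. */
    public String renderInline(String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template(null, source, cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        UserTemplateRenderer r = new UserTemplateRenderer();
        // Keep the model to plain values (Strings, numbers, Maps, Lists) so the template
        // has no method-bearing Java objects to poke at in the first place.
        Map<String, Object> model = new HashMap<>();
        model.put("name", "Alice");

        r.store("header.ftl", "<h1>Hello ${name}</h1>");
        r.store("page.ftl", "<#include \"header.ftl\"><p>Welcome to the shop.</p>");
        System.out.println(r.render("page.ftl", model));

        // Constructed hostile template: on an unhardened Configuration ?new would instantiate
        // FreeMarker's own Execute utility and run a shell command.
        String hostile = "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";
        try {
            r.renderInline(hostile, model);
            System.out.println("NOT blocked (check the Configuration)");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessageWithoutStackTop());
        }
    }
}
```

Two caveats a reviewer would raise: the resolver and API settings close the template-side doors, but whatever you put into the data model is still reachable through its public getters via the default object wrapper, so hand user templates a model of plain values rather than service beans; and if templates are stored per customer, cache keys (template names) must be scoped per tenant so one customer's #include cannot pull another's template.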

Spring Web MVC and recurring dynamic page elements

I'm new to Java and web apps, and after trying out a few things I went with a setup of Spring Web MVC using annotations and Velocity as the templating engine. It's not that hard to do simple @RequestMapping annotations on controller methods and return ModelAndView instances filled with data, however I was wondering how things are done when you have data you need in the model on every page, for example "latest 5 news items" or something similar. You could of course always fill the model with such data in every method that is handled by a @RequestMapping, but I'm quite sure that that is not the way to do it.
What is the correct way of filling the model with recurring data, without polluting your controller methods with calls to the same method for this recurring data?
Any help is appreciated.
You could use a servlet filter or a Spring interceptor, and get the recurring data from this filter or interceptor and place it in a request attribute.
Another solution is to let the page call more than one controller, for example by using multiple AJAX requests. Then one controller is responsible for the specific page and another is responsible for the "latest 5 news items"; see the related question.
Good question, dude. In my current app I am using sessions to store my username, which appears on all the rest of the app.
@JB Nizet thanks for the link... now I'll go for a Spring interceptor.
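The interceptor route the thread settles on, as an added example rather than code from any of the posters: a HandlerInterceptor whose postHandle runs after the controller returned its ModelAndView and adds the recurring "latest 5 news items" to it, so no controller method has to know about it. NewsService is a hypothetical interface you would implement as a bean; the package names assume Spring 6 / Jakarta Servlet (on Spring 5 substitute javax.servlet for jakarta.servlet), and the /static/** exclusion is an assumption about where static assets live.

```java
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Hypothetical service that knows the latest news items. */
interface NewsService {
    List<String> latest(int count);
}

/** Adds the recurring "latest 5 news items" to every view-rendering request after the controller ran. */
public class LatestNewsInterceptor implements HandlerInterceptor {

    private final NewsService newsService;

    public LatestNewsInterceptor(NewsService newsService) {
        this.newsService = newsService;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        // null when the handler already wrote the response itself (@ResponseBody, error path):
        // there is no view to render, so nothing to add.
        if (modelAndView == null) {
            return;
        }
        // A redirect view appends model attributes to the Location query string;
        // leaking a news list into the URL is pointless, so skip redirects.
        String viewName = modelAndView.getViewName();
        if (viewName != null && viewName.startsWith("redirect:")) {
            return;
        }
        // Available in the Velocity template as $latestNews.
        modelAndView.addObject("latestNews", newsService.latest(5));
    }
}

@Configuration
class LatestNewsConfig implements WebMvcConfigurer {

    private final NewsService newsService;

    LatestNewsConfig(NewsService newsService) {
        this.newsService = newsService;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new LatestNewsInterceptor(newsService))
                .addPathPatterns("/**")
                .excludePathPatterns("/static/**");
    }
}
```

Because postHandle runs on every matched request, keep newsService.latest() cheap (cache it) or the "five news items" query becomes the most frequent query in the application.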

SpringFramework3.0: How to create interceptors that only apply to requests that map to certain controllers?

In its simplest form, I want an interceptor that checks session data to see if a user is logged in, and if not redirects them to the login page. Obviously, I wouldn't want this interceptor to be used on, say, the welcome page or the login page itself.
I've seen a design that maps every URL to one of two interceptors, one doing nothing and the other being the actual interceptor you want implemented, but this design seems very clunky and limits the extensibility of the application. It makes sense to me that there should be an annotation-based way of using interceptors, but this doesn't seem to exist.
My friend has the idea of actually modifying the handler class so that during each request it checks the Controller it is mapping the request to for a new annotation we would create (e.g. @Interceptor("loginInterceptor")).
A major point of my thinking is the extensibility, because I'd like to later implement similar interceptors for role-based authentication and/or administration authentication.
Does it sound like my friend's approach would work for this? Or what is a proper way of going about doing this?
Use Spring Security.
Please have a look at these sites: Spring Framework Annotation-based Controller Interceptor Configuration and
Ability to restrict HandlerInterceptors to specific controller paths.
Hope it will be useful.
What about a Servlet Filter on all requests that sends the user to the login page if the user object isn't in the session? For the second part you can use security annotations on the controller methods that can check the user's role.

Spring MVC Custom Authentication

What I am looking to accomplish is a filter (or similar) that would handle the authentication model for my Spring MVC application. My application is also hosted on Google App Engine.
The authentication on this application can tend to be very dynamic and the permissions are not something that would fit cleanly into a predefined Role structure. These permissions would be tied to the different action methods on my controllers. Ideally I would like to be able to annotate these permissions but I am open for other suggestions.
I am finding that there is not very much information around on how to accomplish this. Ideally I would like to be able to intercept the call to my controller actions and be able to read off the annotations and handle accordingly. What I am hoping is that someone here has a little bit more knowledge on Spring MVC and where I can inject some custom code, and would be able to point me in the right direction.
I would still use Spring Security to do this. It may not have a class that 100% fits your login scheme, but that's what inheritance is for. Write your own. You can easily get rid of the role-based DecisionManager and make it fit your paradigm.
Based on your comments have you checked out the MethodInterceptor in Spring? It creates a Proxy that will intercept calls to any method on the proxied class and allow you to run or disallow the method based on any code you want. In Spring Security there is an AbstractSecurityInterceptor, but I find it very hard to use and for most access decisions I think it's overkill.
So I would use Spring Security to authenticate the user (and populate the SecurityContext) and then use interceptors to wall off access to methods in your controllers that you want protected.
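An added example, not code from either thread, that implements what both of the last two questions describe: Spring Security authenticates the user and fills the SecurityContext, and a HandlerInterceptor reads a custom annotation off the controller method (or its class) it is about to dispatch to, sending anonymous users to the login page and users without the named permission a 403. Unannotated handlers such as the welcome and login pages are untouched, which is exactly the per-controller selectivity the Spring 3.0 question wanted without listing URLs. Assumptions: Spring 5.3+ / Spring 6 (HandlerMethod, default HandlerInterceptor methods, jakarta.servlet), Spring Security on the classpath, the hypothetical @RequiresPermission annotation, a /login path, and an authority named "orders:refund" granted to the user at authentication time.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Hypothetical annotation: the permission a handler method (or a whole controller) requires. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface RequiresPermission {
    String value();
}

/** Runs before the controller method; handlers without the annotation pass through untouched. */
public class PermissionInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod)) {
            return true;                         // e.g. static resource handlers
        }
        HandlerMethod hm = (HandlerMethod) handler;
        RequiresPermission required = hm.getMethodAnnotation(RequiresPermission.class);
        if (required == null) {
            required = hm.getBeanType().getAnnotation(RequiresPermission.class);
        }
        if (required == null) {
            return true;                         // welcome page, login page, ...
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Spring Security represents a logged-out visitor as an AnonymousAuthenticationToken
        // whose isAuthenticated() is true, so checking that flag alone is not enough.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            response.sendRedirect(request.getContextPath() + "/login");
            return false;
        }
        if (!hasPermission(auth, required.value())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }

    /** Permissions are modelled as granted authorities with the same string as the annotation value. */
    static boolean hasPermission(Authentication auth, String permission) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (permission.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

@Configuration
class PermissionInterceptorConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new PermissionInterceptor()).addPathPatterns("/**");
    }
}

/** Example controller: index() is open, refund() requires the "orders:refund" authority. */
@Controller
class OrderController {

    @GetMapping("/")
    @ResponseBody
    public String index() {
        return "welcome";
    }

    @GetMapping("/orders/refund")
    @ResponseBody
    @RequiresPermission("orders:refund")
    public String refund() {
        return "refund issued";
    }
}
```

Two points worth keeping in mind with this design: an interceptor only guards the HTTP dispatch, so a controller method called from elsewhere in the application is not covered; and a forgotten annotation means an open endpoint, so once the set of protected controllers is large it is safer to put @RequiresPermission on the class and reserve method-level annotations for narrowing, or to run a test that asserts every handler under a protected package carries one.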
