Where is this class "HttpContext" exist in glassfish jersey 2.9 . I was using jersey 1.17.1 to use HttpContext where it was exist in package com.sun.jersey.api.core.HttpContext.
But i did't find it in jersey 2.9.
The direct replacement for HttpContext is not available in Jersey 2.x versions and unfortunately, this breaking change detail hasn't been mentioned anywhere in the migration guide. Instead of searching for direct replacement, if we dig deeper into the interface HttpContext, based on the following method summary refer
we can infer that instead of using HttpContext, we can simply use the following out-of-the-box alternatives.
Instead of HttpContext#getRequest use #Context ContainerRequestContext crc
Instead of HttpContext#getResponse use #Context ContainerResponseContext crc
Instead of HttpContext#getUriInfo use #Context UriInfo uriInfo
Instead of HttpContext#getProperties use ContainerRequestContext#getProperty
Jersey 2.x had a lot of breaking changes, which partly caused by the fact that JAX-RS standard incorporated a lot of things in Jersey 1.x.
To quote https://jersey.java.net/documentation/latest/migration.html#mig-1.x
This chapter is a migration guide for people switching from Jersey 1.x. Since many of the Jersey 1.x features became part of JAX-RS 2.0 standard which caused changes in the package names, we decided it is a good time to do a more significant incompatible refactoring, which will allow us to introduce some more interesting new features in the future. As the result, there are many incompatibilities between Jersey 1.x and Jersey 2.0. This chapter summarizes how to migrate the concepts found in Jersey 1.x to Jersey/JAX-RS 2.0 concepts.
The migration chapter does not indicate what happened to HttpContext, but it no longer exists in its old form.
Related
Update
this issue is now assigned to CVE-2022-22965. Other than below nice answers, please do check Spring Framework RCE: Early Announcement as it is the most reliable and up-to-date site for this issue.
According to different source, seems we got a serious security issue when using Spring Core library.
https://securityboulevard.com/2022/03/new-spring4shell-zero-day-vulnerability-confirmed-what-it-is-and-how-to-be-prepared/
Quoting from above link, we are in risk if:
You use a Spring app (up to and including version 5.3.17)
Your app runs on Java 9+
You use form binding with name=value pairs – not using Spring’s more popular message conversion of JSON/XML
You don’t use an allowlist –OR– you don’t have a denylist that blocks fields like “class”, “module”, “classLoader”
The link suggested to some solution but doesn't seems easy to implement/reliable.
What should we do to fix this issue, in easiest and most reliable way?
According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.
If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fixes the vulnerability.
If you're unable to update:
You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side.
If you can't do any of the above, the RCE announcement blog post suggests a workaround: Set disallowedFields on WebDataBinder through an #ControllerAdvice:
#ControllerAdvice
#Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
#InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
dataBinder.setDisallowedFields(denylist);
}
}
This quick fix will not work if a controller sets disallowedFields locally through its own #InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).
Note: Spring upgrade is needed later on as vulnerability is not in Tomcat
Temporary Workaround is Upgrade tomcat to 10.0.20, 9.0.62, and 8.5.78
Spring Reference
For instance, if I open the Spring Framework Reference Documentation and open 5.9.2. #Autowired, I get this explanation: As expected, you can apply the #Autowired annotation to "traditional" setter methods:.
Not very informative. Actually, the explanation assumes prior knowledge given that I'm expected to have certain expectations.
So is there complete reference of annotations somewhere?
DZone had a refcard about Spring Annotations a good while back so its not the most up to date but this might still be useful to you - http://refcardz.dzone.com/refcardz/spring-annotations
You will need to quickly create an account if you dont have one (free by the way) but its worth it for all the other refcards anyway.
I think the official spring documentation is very good but ya you cant just jump into a section like 5.2.9 without prior knowledge of the how the dependency injection framework works etc.
And btw, the refcard was written by Craig Walls who is the author of the Spring in Action book series so you can be confident that the document is correct (albeit dated).
I am new to spring. I was looking into spring-oxm's XStreamMarshaller. I was hoping to find a way to convert my objects into xml using this. The spring site tells me clearly how to do it but it still needs me to add a XStream dependency in my POM. I don't understand what the use of spring-oxm is? If i had to add the xstream dependency anyway then i can directly use xstreams toXml operation and be done with it? I would really appreciate any help I could get in understanding the use of spring-oxm.
Thanks a lot in advance!
Spring provides a higher level abstraction for you by eliminating the scaffolding code you need to write. For e.g. in case of OXM you will be working with Marshaller and Unmarshaller abstractions irrespective of the underlying implementations uses (XStream, JAXB, Castor, XmlBeans etc). Moreover it lets you use DI for injecting marshalling/unmarshalling services to your own services. Another advantage is consistent exception hierarchy irrespective of the underlying implementation. All these are well explained on their reference documentation.
If you have very simple needs and doesn't already use Spring then I suggest you stick to JAXB that comes with JDK 6.
I am very new to Spring JDBC and working on a given task, looking at the codes we already have my teammates have used RowMapper, but I was doing some Googling and saw some tutorials are using ParameterizedRowMapper , so I was wondering if there is any benefit or good practice in using one rather than the other one and your technical thoughts behind that...
thanks.
Right from the javadoc of ParameterizedRowMapper:
Extension of the RowMapper interface, adding type parameterization. As
of Spring 3.0, this is equivalent to using the RowMapper interface
directly.
Prior to Spring 3.0, most APIs did not use generics because Java 1.5 wasn't a requirement. As a result, there was a RowMapper, that didn't support generics and ParameterizedRowMapper that did support generics by extending RowMapper and adding the generic parameter. As of Spring 3.0, most APIs were updated to support generics. If you actually look at the current (3.0 or greater) definition of ParameterizedRowMapper, it just simply extends RowMapper and adds nothing to the definition to allow for backward compatibility. Therefore, you can pretty much use RowMapper either parameterized or not and no need to use ParameterizedRowMapper.
I built a simple Spring3, Hibernate3/(JPA2), RESTful service, hosted on Tomcat6, that uses JAXB2 to marshal the results. (It uses annotated pojos.) I needed to use specific namespace prefixes, so I wrote a custom com.sun.xml.bind.marshaller.NamespacePrefixMapper. I included the JAXB2 RI jars with my application and everything worked fine.
Then someone said that's great, we need to host it under WebLogic 11g (10.3.3) too. No problem, I created the special weblogic deployment descriptors to prefer the application jars, renamed my persistence.xml, and wrapped the WAR in an EAR with the JPA2 jars. It worked great, almost.
Unfortunately, our WebLogic server runs a custom security realm that also uses JAXB and causes conflicts with my application. So I dropped the JAXB jars from the app and it runs fine in WebLogic. Of course it no longer runs under Tomcat unless I add the JAXB jars to Tomcat. I'd like to avoid that.
So my questions... I've read quite a few posts on stackoverflow that contain a lot of opinions/disagreements regarding the use of the sun "internal" JAXB2 implementation vs. packaging the RI with your app. Is there not yet a clean solution to this problem? Does my stack support another way to custom map my namespace prefixes without including the JAXB2 RI? Can I safely use the Java6 "internal" JAXB NamespacePrefixMapper, or will that come and go with various Java releases? Does Spring3 offer another solution? What's the true story on the Java6 JAXB2 implementation? Is it only there for Sun's (Oracle's) internal use?
Thanks.
As mentioned in the comments, I'll summarise what is mentioned in http://www.func.nl/community/knowledgebase/customize-namespace-prefix-when-marshalling-jaxb.
Note: I haven't tried this myself, so it may not work.
Essentially, you configure the JAXB marshaller to use an XMLStreamWriter when marshalling, and you configure that to map prefixes, e.g.
XMLStreamWriter xmlStreamWriter = XMLOutputFactory.newInstance().createXMLStreamWriter(writer);
xmlStreamWriter.setPrefix("func", "http://www.func.nl");
JAXBContext context = JAXBContext.newInstance(object.getClass());
Marshaller marshaller = context.createMarshaller();
marshaller.marshal(object, xmlStreamWriter);
The idea is that if JAXB hasn't been given a prefix mapper, then it'll leave it up to the XMLStreamWriter to handle the prefixes, and by doing the above, you're telling it how to do it.
Again: I'm just repeating the content from the website that's blocked from your network, so I take no credit for it being right, and no blame for it being wrong.
The EclipseLink JAXB (MOXy) will use the namespace prefixes as declared in the #XmlSchema annotation.
For more information see:
How to customize namespace prefixes on Jersey(JAX-WS)
Define Spring JAXB namespaces without using NamespacePrefixMapper