Spring defaultHtmlEscape doesn't prevent xss attack - spring

I want to prevent xss attacks in my spring application.
I added
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
into my web.xml (I found this soulution here)
but on my page I save content with name <script>alert(1);</script> and this scripts executes after page refresh.
client side code:
$.ajax({
type: 'POST',
url: 'setContentName',
dataType: 'json',
data: {contentId: id, name: params.value}
});
What do I wrong?
P.S.
I load content using javascript after refresh

Mine is a somewhat controversial opinion, but I think you should validate and reject inbound XSS. You should escape it on output too, but it shouldn't be in your database in the first place, as dbs are long-lasting and often cross-application.
See https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
Use Hibernate Validator (you don't need to use Hibernate ORM) with JSoup to avoid XSS in your db:
Foo.java:
#Entity
class Foo {
#SafeHtml(whitelistType = SafeHtml.WhiteListType.NONE)
private String name;
...
}
FooController.java:
#Controller
public class FooController {
#RequestMapping(method=POST)
String submit(#Validated Foo foo) {
...
}
}
pom.xml:
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.1.2.Final</version>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.8.1</version>
</dependency>
See Adding additonal Security to Website for more anti-XSS measures

I use JSTL for the purpose. Include c prefix in the jsp page,
<%# taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
For the value you want to show
<c:out value=${someVar} escapeXml="true" />
Setting the attribute excapeXml="true" is optional in this scenario because its default value is true
Oracle Documentation

Related

Spring Boot, Sleuth, OTEL, and Honeycomb

I have a scenario where I have Spring Boot integrated with OTEL and shipping to Honeycomb.io. I am trying to add an environment tag to each trace. I have created a class:
#Component
public class EnvironmentSpanProcessor implements SpanProcessor {
#Value("${ENVIRONMENT")
private String environment;
Queue<SpanData> spans = new LinkedBlockingQueue<>(50);
#Override
public void onStart(Context context, ReadWriteSpan readWriteSpan) {
readWriteSpan.setAttribute("env", environment);
}
#Override
public boolean isStartRequired() {
return false;
}
#Override
public void onEnd(ReadableSpan readableSpan) {
this.spans.add(readableSpan.toSpanData());
}
#Override
public boolean isEndRequired() {
return true;
}
}
I have set break points in this class, and they never hit on startup, even though the bean can be seen in actuator. I have put breakpoints on:
SdkTracerProvider otelTracerProvider(SpanLimits spanLimits, ObjectProvider<List<SpanProcessor>> spanProcessors,
SpanExporterCustomizer spanExporterCustomizer, ObjectProvider<List<SpanExporter>> spanExporters,
Sampler sampler, Resource resource, SpanProcessorProvider spanProcessorProvider) {
SdkTracerProviderBuilder sdkTracerProviderBuilder = SdkTracerProvider.builder().setResource(resource)
.setSampler(sampler).setSpanLimits(spanLimits);
List<SpanProcessor> processors = spanProcessors.getIfAvailable(ArrayList::new);
processors.addAll(spanExporters.getIfAvailable(ArrayList::new).stream()
.map(e -> spanProcessorProvider.toSpanProcessor(spanExporterCustomizer.customize(e)))
.collect(Collectors.toList()));
processors.forEach(sdkTracerProviderBuilder::addSpanProcessor);
return sdkTracerProviderBuilder.build();
}
in OtelAutoConfiguration and am not seeing them firing either on startup.
My pom.xml relevant section is:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-sleuth</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-sleuth-brave</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-sleuth-otel-autoconfigure</artifactId>
</dependency>
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-exporter-otlp</artifactId>
</dependency>
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-extension-trace-propagators</artifactId>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty-shaded</artifactId>
<version>1.47.0</version>
</dependency>
And my configuration from application.yaml
sleuth:
enabled: true
web:
additional-skip-pattern: /readiness|/liveness
client.skip-pattern: /readiness
sampler:
probability: 1.0
rate: 100
propagation:
type: OT_TRACER
otel:
config:
trace-id-ratio-based: 1.0
log.exporter.enabled: true
exporter:
otlp:
endpoint: https://api.honeycomb.io
headers:
x-honeycomb-team: ${TELEMETRY_API_KEY}
x-honeycomb-dataset: app-telemetry
sleuth-span-filter:
enabled: true
resource:
enabled: true
I am getting traces, so it appears the system itself is working, however I cannot get my env tag added.
Preemptive thank you to #marcingrzejszczak for the help so far on my gist: https://gist.github.com/fpmoles/b880ccfdef2d2138169ed398e87ec396
I'm unsure why your span processor is not being picked up by Spring and being added to your list of processors being registered with the tracer provider.
An alternative way to set process consistent values, like environment, would be to set it as a resource attribute. This is more desireable because it's set once and delivered once per batch of spans sent to the configured backend (eg Honeycomb). Using a span processor adds the same attribute to every span.
This can be done in a few different ways:
If using AutoConfigure, you can set via system property or environment variable
Set directly on the resource during your otelTracerProvider method:
resource.setAttribute("environment", "${environment}");
FYI Honeycomb has OTel Java SDK & Agent distros to help simplify sending data that reduces required configuration and sets sensible defaults.

Coexistence of both thymeleaf and jasper files in Spring Boot application

I tried, in a project both jasper and thymeleaf, but can not coexist, as I would like to use jsp must comment out Spring-boot-starter-thymeleaf depend on the package, so that it can run. Looking for a solution so that both jasper and thymeleaf can co exist. I got a solution on stackoverflow if some one use servlet-context.xml ( Mixing thymeleaf and jsp files in Spring Boot ), where both jasper and thymeleaf coexist. But my requirement is how to include those attributes in pom.xml if I am using spring-boot-starter-web.
I was able to run both HTML and JSP page from embedded jar build inside Spring boot. But if you like to run it independently by copying the Jar in command prompt then you need to copy the JSP page folder structure as it will not be in the jar content and you need to change the pom file little bit so that the jar can add external content to it.
STEP 1: Add Thymeleaf and JSP dependencies
Add below dependencies to your pom.xml file
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
STEP 2: Project structure and file creation
Under source folder src/main/resources create folder templates, under that create sub-folder thymeleaf. And create a html file sample.html(say)
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Hello</title>
</head>
<body>
THYMELEAF PAGE: <p th:text="${name}"></p>
</body>
</html>
Under src/main/webapp/WEB-INF create sub-folder views. Under views create a jsp file, sample.jsp(say)
<!DOCTYPE html>
<html lang="en">
<head>
<title>Hello</title>
</head>
<body>
JSP PAGE: Hello ${name}
</body>
</html>
STEP 3: In your application.properties set thymeleaf view names and JSP configuration for internal view resolution.
#tomcat-connection settings
spring.datasource.tomcat.initialSize=20
spring.datasource.tomcat.max-active=25
#Jasper and thymeleaf configaration
spring.view.prefix= /WEB-INF/
spring.view.suffix= .jsp
spring.view.view-names= views
spring.thymeleaf.view-names= thymeleaf
#Embedded Tomcat server
server.port = 8080
#Enable Debug
debug=true
management.security.enabled=false
STEP 4: Create controller for serving Thymeleaf and JSP pages:
package com.example.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
#Controller
public class TestController {
#RequestMapping(value="/jasper", method=RequestMethod.GET)
public String newjasper(Map<String, Object> m, String name){
//System.out.print("-- INSIDE JSP CONTROLER ------");
m.put("name", name);
return "views/sample";
}
#RequestMapping(value="/thymeleaf", method=RequestMethod.GET)
public String newthymeleaf(Map<String, Object> m, String name){
//System.out.print("-- INSIDE HTML CONTROLER ------");
m.put("name", name);
return "thymeleaf/sample";
}
}
STEP 5: Some cases you may required to create a configuration class SpringConfig.class (say) for view resolution for JSP pages. But optional, I don't use it in my configuration file.
import org.springframework.web.servlet.view.JstlView;
#Configuration
public class SpringConfig {
#Value("${spring.view.prefix}")
private String prefix;
#Value("${spring.view.suffix}")
private String suffix;
#Value("${spring.view.view-names}")
private String viewNames;
#Bean
InternalResourceViewResolver jspViewResolver() {
final InternalResourceViewResolver viewResolver = new
InternalResourceViewResolver();
viewResolver.setPrefix(prefix);
viewResolver.setSuffix(suffix);
viewResolver.setViewClass(JstlView.class);
viewResolver.setViewNames(viewNames);
return viewResolver;
}
}
STEP 6: Testing application for both jsp and html.
When you hit this url in your browser: http://localhost:8080/thymeleaf?name=rohit . This will open our sample.html file with parameter name in center of page and with this url: http://localhost:8080/jasper?name=rohit will open sample.jsp page with parameter name in center.
from the viewresover javadoc.
Specify a set of name patterns that will applied to determine whether
a view name returned by a controller will be resolved by this resolver
or not.
In applications configuring several view resolvers –for example, one
for Thymeleaf and another one for JSP+JSTL legacy pages–, this
property establishes when a view will be considered to be resolved by
this view resolver and when Spring should simply ask the next resolver
in the chain –according to its order– instead.
The specified view name patterns can be complete view names, but can
also use the * wildcard: "index.", "user_", "admin/*", etc.
Also note that these view name patterns are checked before applying
any prefixes or suffixes to the view name, so they should not include
these. Usually therefore, you would specify orders/* instead of
/WEB-INF/templates/orders/*.html.
Specify names of views –patterns, in fact– that cannot be handled by
this view resolver.
These patterns can be specified in the same format as those in
setViewNames(String []), but work as an exclusion list.
viewResolver.setViewNames(viewNames);

Spring JPA transaction commits before the #Transactional annotated method ends

I had a controller method that updates some fields of an order entity.
I traced the execution flow of the controller method in debug mode.
And I found that the transaction commits too early.
The transaction commits just after call repository update method.
what's the problem?
source codes are below.
// Controller
#RestController
#RequestMapping(value = "/test", produces = {MediaType.APPLICATION_JSON_UTF8_VALUE})
public class TxTestController extends BaseController {
#Autowired
private OrderRepository orderRepository;
#Transactional
#GetMapping(value = "/update")
public void updateOrder() throws Exception {
Order order = orderRepository.findAll().get(0);
order.setFeeRemains(order.getFeeRemains().add(BigDecimal.valueOf(100000000)));
orderRepository.updateOrder(order.getId(), order.getRemains(), order.getFeeRemains(), order.getStatus());
// The transaction is commited after execution of the above line.
// and the external database tools can see the changed data from here.
// So no way to rollback transaction after this line.
System.out.println(order);
// do another persistence jobs
}
}
// Repository
public interface OrderRepository extends JpaRepository<Order, String>, QueryDslPredicateExecutor<Order> {
#Modifying
#Query("update Order o set o.remains = :remains, o.feeRemains = :feeRemains, o.status = :status where o.id = :orderId")
void updateOrder(#Param("orderId") String orderId,
#Param("remains") BigDecimal remains,
#Param("feeRemains") BigDecimal feeRemains,
#Param("status") Order.Status status);
}
// application.yml
spring:
jpa:
properties:
hibernate:
dialect: org.hibernate.dialect.MySQL5Dialect
generate-ddl: true
hibernate:
ddl-auto: update
show-sql: false
datasource:
url: jdbc:mysql://localhost:3306/plutusds
username: root
password: root
testWhileIdle: true
validationQuery: SELECT 1
// pom dependencies
<?xml version="1.0" encoding="UTF-8"?>
...
<dependencies>
...
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>1.5.2.RELEASE</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.41</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>5.2.9.Final</version>
</dependency>
...
</dependencies>
...
</project>
if I remove the #Transactional annotation from the controller method, then
javax.persistence.TransactionRequiredException occurred.
In spring #Transactional defines single database transaction. Since spring uses Hibernate EntityManager internally to manage the session for database transaction and it is handled automatically.Commit will be done once a database transaction is successful.We can have multiple database transactions in single method.In that case commit will happen after each successful transaction. #Transactional does not mean to the method where we use.It just says that method have a database transaction and that will be taken care of by spring. Another point is we should not write transactional at controller level , we should have a service class for it where we can use transactional. please refer to the below link which describes in detail of #Transactional.
How Spring Jpa Transactional Works
For a long, long time it hasn't been possible to use #Transactional annotations on controllers using the default Java proxy mechanism. Spring creates a proxy of controllers and the annotation processor that manages transactions looses visibility of the #Transactional annotation as it can only see the proxy.
TL;DR: Spring managed transactions cannot start in a controller. Move that into a service layer.
By the way, controllers shouldn't have business logic as yours have (those 3 lines of 'find - set - update' are business logic).
This problem is due to the mysql engine type.
By default, Hibernate creates the tables with the MyISAM engine which is not transactional. Basically just you need to define the dialect for hibernate to switch to a transactional engine type such as InnoDB.
Try this:
spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQLInnoDBDialect
Below link includes useful details about mysql engine type as summary information:
https://www.w3resource.com/mysql/mysql-storage-engines.php

Spring MVC file upload - Unable to process parts as no multi-part configuration has been provided

So I'm a newbie to Spring and I'm trying to get file upload working for my project (I'm using Spring Tool Suite btw.) and when submitting a form all I'm getting is:
HTTP Status 500 - Could not parse multipart servlet request; nested exception is java.lang.IllegalStateException: Unable to process parts as no multi-part configuration has been provided
Stack trace from browser:
type Exception report
message Could not parse multipart servlet request; nested exception is java.lang.IllegalStateException: Unable to process parts as no multi-part configuration has been provided
description The server encountered an internal error that prevented it from fulfilling this request.
exception
org.springframework.web.multipart.MultipartException: Could not parse multipart servlet request; nested exception is java.lang.IllegalStateException: Unable to process parts as no multi-part configuration has been provided
org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.parseRequest(StandardMultipartHttpServletRequest.java:100)
org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.(StandardMultipartHttpServletRequest.java:78)
org.springframework.web.multipart.support.StandardServletMultipartResolver.resolveMultipart(StandardServletMultipartResolver.java:75)
org.springframework.web.multipart.support.MultipartFilter.doFilterInternal(MultipartFilter.java:108)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
root cause
java.lang.IllegalStateException: Unable to process parts as no multi-part configuration has been provided
org.apache.catalina.connector.Request.parseParts(Request.java:2676)
org.apache.catalina.connector.Request.getParts(Request.java:2643)
org.apache.catalina.connector.RequestFacade.getParts(RequestFacade.java:1083)
org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.parseRequest(StandardMultipartHttpServletRequest.java:85)
org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.(StandardMultipartHttpServletRequest.java:78)
org.springframework.web.multipart.support.StandardServletMultipartResolver.resolveMultipart(StandardServletMultipartResolver.java:75)
org.springframework.web.multipart.support.MultipartFilter.doFilterInternal(MultipartFilter.java:108)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.27 logs.
This is the form tag in jsp:
<form:form class="form-horizontal" role="form" method="post"
action="newArtist.html" modelAttribute="artist" enctype="multipart/form-data">
Input part:
<div class="form-group">
<div class="col-lg-3">
<label for="photo">Artist photo:</label>
<form:input type="file" id="photo" path="photo"></form:input>
</div>
</div>
Photo is stored in this field in Artist object:
#Lob
private byte[] photo;
Controller mapping methods:
#RequestMapping(value = "/newArtist", method = RequestMethod.GET)
public String showAddArtistForm(Model model)
{
model.addAttribute("artist", new Artist());
return "newArtist";
}
#RequestMapping(value = "/newArtist", method = RequestMethod.POST)
public String addArtist(#ModelAttribute("artist") #Valid Artist artist, BindingResult result,
#RequestParam("photo") MultipartFile photo) throws IOException
{
if (result.hasErrors())
return "newArtist";
if(photo.getBytes() != null)
artist.setPhoto(photo.getBytes());
artistService.addArtist(artist);
return "redirect:artists.html";
}
Multipart resolver configuration in servlet-context.xml:
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="10000000"/>
</bean>
Filters in web.xml:
<filter>
<filter-name>MultipartFilter</filter-name>
<filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>MultipartFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Dependencies:
<!-- Apache Commons FileUpload -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<!-- Apache Commons IO -->
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
I also imported Tomcat's config file context.xml to META-INF/context.xml and edited Context tag like so:
<Context allowCasualMultipartParsing="true">
Nothing seems to be working, any help will be greatly appreciated.
Actually you don't need any filter on the web.xml in order to upload your multipart file with Spring MVC. I've the same configuration in my project and it worked (${spring.version} = 4.3.4.RELEASE):
POM
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Apache Commons FileUpload -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.2</version>
</dependency>
<!-- Apache Commons IO -->
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.5</version>
</dependency>
HTML
<form method="POST" enctype="multipart/form-data" action="uploadAction">
<table>
<tr><td>File to upload:</td><td><input type="file" name="file" /></td></tr>
<tr><td></td><td><input type="submit" value="Upload" /></td></tr>
</table>
</form>
Spring context
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="10000000"/>
</bean>
Spring controller
#PostMapping("/uploadAction")
public String handleFileUpload(#RequestParam("file") MultipartFile file,
RedirectAttributes redirectAttributes) {
File out = new File("outputfile.pdf");
FileOutputStream fos = null;
try {
fos = new FileOutputStream(out);
// Writes bytes from the specified byte array to this file output stream
fos.write(file.getBytes());
System.out.println("Upload and writing output file ok");
} catch (FileNotFoundException e) {
System.out.println("File not found" + e);
} catch (IOException ioe) {
System.out.println("Exception while writing file " + ioe);
} finally {
// close the streams using close method
try {
if (fos != null) {
fos.close();
}
} catch (IOException ioe) {
System.out.println("Error while closing stream: " + ioe);
}
//storageService.store(file);
redirectAttributes.addFlashAttribute("message",
"You successfully uploaded " + file.getOriginalFilename() + "!");
return "redirect:/";
}
}
None of the answers address the issue properly. As per Tomcat documentation, on the configuration of allowCasualMultipartParsing:
Set to true if Tomcat should automatically parse multipart/form-data request bodies when HttpServletRequest.getPart* or HttpServletRequest.getParameter* is called, even when the target servlet isn't marked with the #MultipartConfig annotation (See Servlet Specification 3.0, Section 3.2 for details). Note that any setting other than false causes Tomcat to behave in a way that is not technically spec-compliant. The default is false.
So, what's the compliant way? Reading the official JEE 6 tutorial gives a hint. If you want to use a spec-compliant way with Servlet 3 or newer, your servlet must have a MultipartConfig. You have three choices, depending on how you configure your servlet:
With programmatic configuration: context.addServlet(name, servlet).setMultipartConfig(new MultipartConfigElement("your_path").
With annotations, annotate the servlet's class with #javax.servlet.annotation.MultipartConfig.
With XML configuration, add this to the WEB-INF/web.xml descriptor, in the section of your servlet:
<multipart-config>
<location>/tmp</location>
<max-file-size>20848820</max-file-size>
<max-request-size>418018841</max-request-size>
<file-size-threshold>1048576</file-size-threshold>
</multipart-config>
For those who get the same exception for PUT method handlers: use POST instead. PUT is incompatible with the multi-part.
More details can be found in the respective answer
It is straight forward from the exception that no multi-part configuration is found. Though you have provided multipartResolver bean.
The problem is that while specifying the MultipartFilter before the Spring Security filter, It tries to get the multipartResolver bean but can't find it. Because it expect the bean name/id as filterMultipartResolver instead of multipartResolver.
Do yourself a favor. Please change the bean configuration like following -
<bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="10000000"/>
</bean>
Add In your config file as:
#Bean(name = "multipartResolver")
public CommonsMultipartResolver CanBeAnyName() {
//configuration
}
I have something similar, but what i did is just send a file without mapping it with any attribute in my model, in your case i would modify this:
<div class="form-group">
<div class="col-lg-3">
<label for="photo">Artist photo:</label>
<input type="file" id="photo" name="file"/>
</div>
</div>
In your controller
#RequestMapping(value = "/newArtist", method = RequestMethod.POST)
public String addArtist(#ModelAttribute("artist") #Valid Artist artist, BindingResult result,
#RequestParam("file") MultipartFile file) throws IOException
//Here read the file and store the bytes into your photo attribute
...
Had the same issue in a Spring Boot application, this exceptions occur several times:
org.springframework.web.multipart.MultipartException: Could not parse multipart servlet request; nested exception is
java.lang.IllegalStateException: org.apache.tomcat.util.http.fileupload.FileUploadBase$FileSizeLimitExceededException: The field multipartFile exceeds its maximum permitted size of 1048576 bytes
org.apache.tomcat.util.http.fileupload.FileUploadBase$FileSizeLimitExceededException: The field multipartFile exceeds its maximum permitted size of 1048576 bytes.
Get rid of the tomcat exception with this, with copy catting from http://www.mkyong.com/spring-boot/spring-boot-file-upload-example/
Tomcat large file upload connection reset. Need to let {#link #containerCustomizer()} work properly, other wise exception will occur several times, RequestMapping for uploadError will fail.
#Bean
public TomcatEmbeddedServletContainerFactory tomcatEmbedded() {
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
tomcat.addConnectorCustomizers((TomcatConnectorCustomizer) connector -> {
if ((connector.getProtocolHandler() instanceof AbstractHttp11Protocol<?>)) {
//-1 means unlimited
((AbstractHttp11Protocol<?>) connector.getProtocolHandler()).setMaxSwallowSize(-1);
}
});
return tomcat;
}
If anyone is using J2EE and not spring framework and still facing issue
what you can try is adding #MultipartConfig annotation on servlet and add enctype="multipart/form-data" inside form tag
If you are using Tomcat 8.
Configure the following in Tomcat's conf/context.xml
Add allowCasualMultipartParsing="true" attribute to context node
Add <Resources cachingAllowed="true" cacheMaxSize="100000" /> inside context node

Jersey 2.1 - Consuming collection of POJO as JSON string

I have a collection of entities (List) which I need to convert to/from json.
The POJO:
public class Task {
private Long id;
private String title;
private Boolean done;
(...)
}
Jersey produces the following result
[{"id":1,"title":"T1","done":false},{"id":2,"title":"T2","done":false}]
when I call the method:
#GET
#Override
#Produces("application/json")
public List<Task> findAll() {
(...)
return tasks;
}
So far so good.
Now, I need to consume a similar JSON string. I assumed that the following method would do the trick:
#PUT
#Consumes("application/json")
public void save(List<Task> tasks) {
(...)
}
But instead I get the error below:
SEVERE: line 1:0 no viable alternative at input
'"[{\"id\":1,\"title\":\"T1\",\"done\":true},{\"id\":2,\"title\":\"T2\",\"done\":false}]"'
What am I doing wrong? Is that even possible?
Jersey's dependencies:
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-moxy</artifactId>
<version>2.1</version>
</dependency>
Here is the web.xml configuration
<servlet>
<servlet-name>Jersey Servlet</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>my.rest.package</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey Servlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
It seems that you're sending corrupted JSON as entity in your message body, something like:
POST http://localhost:9998/test/list
Accept: application/json
Content-Type: application/json
"[{\"a\":\"a\",\"b\":1,\"c\":1}]"
I was able to get the same error as you with the entity like this (line 1:0 no viable alternative at input '"[{\"a\":\"a\",\"b\":1,\"c\":1}]"').
Make sure you're sending the valid JSON to your REST service, i.e. by registering a logging filter in your Application:
new ResourceConfig()
.packages("my.rest.package")
// Register logging filter and print entity.
.register(new LoggingFilter(LOGGER, true));
Alternatively, you can accept the incoming JSON as String and parse it within the method using any standard parser.
#PUT
public void save(String s) {
// parse s
}
Type parameters are not available after type erasure.
Try using array instead of list:
#PUT
#Consumes("application/json")
public void save(Task[] taskArray) {
List<Task> tasks = Arrays.asList(taskArray);
(...)
}

Resources