I'm looking for a way to automatically have my RESTful controller, which returns a String, output a pdf file to the calling browser, when the URI has a .pdf at the end:
http://localhost:9090/services-rs/notices/58357.pdf
Without the .pdf at the end, it currently merely returns the String, i.e. plain text, in the browser.
I tried adding:
<entry key="pdf" value="application/pdf"/>
to my mediatypes list in my ContentNegotiatingViewResolver, but evidently that didn't do the trick.
How do I go about this? Is there a 3rd party library I need to use, or does Spring MVC have this ability built-in?
The ContentNegotiatingViewResolver does not use the extension at the end of your URI. It uses the Accept header in the request. If you would like to use the ContentNegotiatingViewResolver, ensure that your Accept header on the client side is using application/pdf.
If this is not possible for you, you will need to have a different controller.
Related
In my web api I allow the user to specify how they want their data via an extension: ie. host/api/location/getmyhouse.json or getmyhouse.xml.
However I also have actions that aren't get and they return if the action was successful or not. For that it doesn't really make sense to specify the return type so I was trying to have it just default to json. However by default it seems xml is used.
Is there a way to default the formatter to json vs xml without removing xml as a formatter AND without having the client specify it as I want this to be done via simple url in the browser. It's an internal thing so that's what we would like.
I am using Spring Security with Spring Controllers. There are some weird requests caused by some third party browser extension ending such as undefined or weird hexadecimal numbers. I would like to configure my application to block these requests but I could not find an easy way.
I do not want to declare a empty controller for this purpose. What is the correct way to return no-content for these requests?
Edit:
Some sample requets:
/activity/favorites/undefined
/activity/favorites/my/undefined
/help/undefined
Create some servlet filter that is invoked for every request (*). That filter has to check the request URL, and if it is on of the "strangers" that return what you want, but prevent the request from being future processed.
Is there any built-in support for validating malicious input within the Web API, similar to forms with MVC?
If not, could anyone suggest a "global" filter/message inpector/whatever to validate against malicious input? I'm trying to avoid validating all of my models/parameters individually...
No, I don't believe there is such support. Here's why. The input validation support with Web Forms/MVC was a stopgap measure. But encoding output is the better XSS fix; validating input doesn't work perfectly, as what input is "bad" depends on how you'll be outputting it (as part of HTML element source, as part of JS source, in an HTML attribute value, as part of a SQL query, etc.).
So I'd recommend against generic, global input validation as the solution to XSS concerns. Instead, make sure you're always encoding input correctly before outputting it (or passing it on to another layer, such as a SQL DB). For output, if you're using the normal Web API mechanisms for returning data (model classes with content negotiation/formatters), the formatters should handle the content type-specific encoding for you.
I believe XSS is not relevant to ASP.NET Web API. Here is why I think so. Suppose, in the request body, say I get a JSON like this "input": "<script>alert('hello');</script>" and the web API stores the "input" which is bound to some property as-is into a database and retrieve it as-is in a subsequent GET request and sends that off to a client, it is still okay. It is the responsibility of the client to ensure this data is escaped correctly. So, when this input property is serialized to say a web application, before it writes to the browser, the client web app must HTML encode. Web API doing this generally does not make sense because a web API can be consumed by other clients say a WPF application where XSS may not be applicable. Or am I missing any specific case you have in mind?
Why dont you use HttpUtility.HtmlEncode?
Input should always be validated. It doesn't matter where it is going. A name field should return a name string, not a jpeg file or for example depending on your environment a SQL attack.
On IE when i try to browse the rest apis, i am getting a application/json response instead of api (text/html) response (Returns html response on firefox). I am using django restframework 2.2.5 for this purpose.
I read through the documnets and understood that in order to overcome the problem of broken headers for IE we need to use TemplateHTMLRenderer explicitly in the view, so i have added the following to the class definition of my view but still i am getting a json response. Am i not doing it correctly or i am missing something else?
class CustomReports(generics.GenericAPIView):
`renderer_classes = (renderers.TemplateHTMLRenderer)`
Can you please help in fix the problem so that i get html response in case of IE as well?
Which version of IE are you using? I believe newer versions of IE should send correct Accept headers.
I probably wouldn't bother trying to fix things up to work around IE's broken behavior, but instead just make sure that you're including format suffixes in your urls. Then you can simply use the .api suffix to see the browseable API, or the .json suffix to see the plain json.
Eg instead of http://127.0.0.1:8000/api-root/, use http://127.0.0.1:8000/api-root/.api.
I'd like to be able to access some HTTP GET parameters directly in a JSP, without having to pass them through a Controller+Model, but at the same time still use the dispatcher/controller/model/view mechanism for other parameters and logic.
This is because I have many HTTP GET parameters that are generated by Javascript and used also only in Javascript. My Controllers don't need them at all.
I tried ${arg}, ${request.arg}, ${requestScope.arg}, nothing seems to work.
If I bypass the dispatcher, ${requestScope.arg} works.
But is there a way to make it work with the dispatcher?
Thanks!
If that's request parameters that you want to access (and not request attributes like the title says), then the syntax is ${param.parameterName}.
If it's request attributes, then it's ${requestScope.attributeName}.
See http://java.sun.com/products/jsp/syntax/2.0/syntaxref207.html#1010522 for a quick reference.