From b80c13b722bb207ddf43f53a007ee3ddc1dd2e26 Mon Sep 17 00:00:00 2001 From: Sebastien Deleuze Date: Fri, 8 Jun 2018 12:31:40 +0200 Subject: [PATCH] Deprecate JSONP and disable it by default in Jackson view Issue: SPR-16798 --- .../MappingJackson2HttpMessageConverter.java | 4 +++- .../converter/json/MappingJacksonValue.java | 8 +++++++- .../AbstractJsonpResponseBodyAdvice.java | 5 ++++- .../view/json/MappingJackson2JsonView.java | 17 ++++++++++++++--- .../view/json/MappingJackson2JsonViewTests.java | 14 ++++++++++++-- .../socket/sockjs/transport/TransportType.java | 6 +++++- .../transport/handler/DefaultSockJsService.java | 3 ++- .../handler/JsonpPollingTransportHandler.java | 4 +++- .../handler/JsonpReceivingTransportHandler.java | 4 +++- src/docs/asciidoc/web/webmvc-view.adoc | 7 ++++--- src/docs/asciidoc/web/webmvc.adoc | 5 +++++ 11 files changed, 62 insertions(+), 15 deletions(-) diff --git a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java index 4e54a23f5f..f7818cb623 100644 --- a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java +++ b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -91,6 +91,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes @Override + @SuppressWarnings("deprecation") protected void writePrefix(JsonGenerator generator, Object object) throws IOException { if (this.jsonPrefix != null) { generator.writeRaw(this.jsonPrefix); 
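Review bot: The `@SuppressWarnings("deprecation")` added on `writePrefix` carries no hint of what it covers or when it can be removed, and the same applies to the one added on `writeSuffix` in the following hunk. In `writeSuffix` the deprecated call is the visible `getJsonpFunction()`; in `writePrefix` it is presumably the same accessor further down, outside the hunk. A one-line comment above each annotation, e.g. `// JSONP support is deprecated (SPR-16798); drop this suppression together with getJsonpFunction()`, would keep the suppression from outliving the JSONP code and masking an unrelated deprecated call later. Both method bodies continue outside their hunks.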
@@ -104,6 +105,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes } @Override + @SuppressWarnings("deprecation") protected void writeSuffix(JsonGenerator generator, Object object) throws IOException { String jsonpFunction = (object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null); diff --git a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java index 49baa93a40..a99952689a 100644 --- a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java +++ b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -115,14 +115,20 @@ public class MappingJacksonValue { /** * Set the name of the JSONP function name. + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public void setJsonpFunction(@Nullable String functionName) { this.jsonpFunction = functionName; } /** * Return the configured JSONP function name. + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated @Nullable public String getJsonpFunction() { return this.jsonpFunction; diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java index 0a383c6c57..55d7ffe14e 100644 --- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java 
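Review bot: The new `@deprecated` text on `setJsonpFunction` and `getJsonpFunction` in `MappingJacksonValue` names the replacement but not the reason, and the setter still stores `functionName` without any check. The value appears to end up as a function name in a script response (the write itself is outside the visible hunks, so this is inferred from `writePrefix`/`writeSuffix` reading it), so the Javadoc should state that validation is the caller's job, for example `Callers must validate the name before passing a request-derived value; it is not checked here.` A short reason for the deprecation, such as `JSONP responses can be read by any origin that includes them as a script`, would help users judge how urgently to move to CORS.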
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -45,7 +45,10 @@ import org.springframework.util.ObjectUtils; * * @author Rossen Stoyanchev * @since 4.1 + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ +@Deprecated public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice { /** diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java index daf207984c..a6345ef9ef 100644 --- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java +++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -59,6 +59,7 @@ import org.springframework.web.servlet.View; * @author Sebastien Deleuze * @since 3.1.2 */ +@SuppressWarnings("deprecation") public class MappingJackson2JsonView extends AbstractJackson2View { /** @@ -69,7 +70,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View { /** * Default content type for JSONP: "application/javascript". + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript"; /** 
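Review bot: `@SuppressWarnings("deprecation")` is placed on the whole `MappingJackson2JsonView` class, whereas `MappingJackson2HttpMessageConverter` in this same commit scopes it to the two methods that need it. A class-wide suppression also hides any deprecated API this view starts using later for unrelated reasons. Moving the annotation to the methods that call the JSONP accessors of `MappingJacksonValue` (those methods are outside the visible hunks) would match the converter and keep the compiler warning useful in the rest of the class.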
@@ -87,7 +91,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View { private boolean extractValueFromSingleKeyModel = false; @Nullable - private Set jsonpParameterNames = new LinkedHashSet<>(Arrays.asList("jsonp", "callback")); + private Set jsonpParameterNames = new LinkedHashSet<>(); /** @@ -170,10 +174,14 @@ public class MappingJackson2JsonView extends AbstractJackson2View { * Set JSONP request parameter names. Each time a request has one of those * parameters, the resulting JSON will be wrapped into a function named as * specified by the JSONP request parameter value. - *

The parameter names configured by default are "jsonp" and "callback". + *

As of Spring Framework 5.0.7, there is no parameter name configured + * by default. * @since 4.1 * @see JSONP Wikipedia article + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public void setJsonpParameterNames(Set jsonpParameterNames) { this.jsonpParameterNames = jsonpParameterNames; } @@ -204,7 +212,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View { * Invalid parameter values are ignored. * @param value the query param value, never {@code null} * @since 4.1.8 + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated protected boolean isValidJsonpQueryParam(String value) { return CALLBACK_PARAM_PATTERN.matcher(value).matches(); } diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java index 077f2dfa29..98258493e4 100644 --- a/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java +++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,9 +17,11 @@ package org.springframework.web.servlet.view.json; import java.io.IOException; +import java.util.Arrays; import java.util.Date; import java.util.HashMap; import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Map; import java.util.Set; 
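Review bot: `setJsonpParameterNames` is now the only switch that turns JSONP back on, because the field initializer in the `@@ -87,7 +91,7 @@` hunk became an empty `LinkedHashSet`, yet its Javadoc still describes only the wrapping behaviour. The Javadoc should say that configuring any name lets other origins read this view's output through a script include, so it belongs only on views whose model is safe to share cross-origin; something like `Enabling JSONP exposes the rendered model to any origin; prefer CORS for anything user-specific.` The setter also keeps the caller's `Set` by reference, so a later change to that set silently alters the view; copying with `new LinkedHashSet<>(jsonpParameterNames)` would need a null guard, since the field is `@Nullable`. If `Arrays` was used only by the old initializer, its import in this file is now unused, as no visible hunk removes it.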
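Review bot: Deprecating `isValidJsonpQueryParam` leaves it `protected` and overridable, and its Javadoc does not say that it is the check standing between a request parameter and the callback name used to wrap the response. Until it is removed, a sentence such as `Overrides must not accept characters beyond what CALLBACK_PARAM_PATTERN allows; the accepted value is emitted as script.` would make the risk of a looser subclass explicit. How the accepted value is written out is outside this hunk, so that part is inferred from the JSONP Javadoc in the preceding hunk.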
@@ -324,11 +326,19 @@ public class MappingJackson2JsonViewTests { @Test public void renderWithJsonp() throws Exception { + testJsonp("jsonp", "callback", false); + testJsonp("jsonp", "_callback", false); + testJsonp("jsonp", "_Call.bAcK", false); + testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false); + testJsonp("jsonp", "