
Deprecate JSONP and disable it by default in Jackson view

Issue: SPR-16798
pull/1884/head
Sebastien Deleuze 7 years ago
parent
commit
b80c13b722
  1. 4
      spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
  2. 8
      spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java
  3. 5
      spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
  4. 17
      spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
  5. 14
      spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java
  6. 6
      spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportType.java
  7. 3
      spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsService.java
  8. 4
      spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpPollingTransportHandler.java
  9. 4
      spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpReceivingTransportHandler.java
  10. 7
      src/docs/asciidoc/web/webmvc-view.adoc
  11. 5
      src/docs/asciidoc/web/webmvc.adoc

4
spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -91,6 +91,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes
@Override @Override
@SuppressWarnings("deprecation")
protected void writePrefix(JsonGenerator generator, Object object) throws IOException { protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
if (this.jsonPrefix != null) { if (this.jsonPrefix != null) {
generator.writeRaw(this.jsonPrefix); generator.writeRaw(this.jsonPrefix);
@ -104,6 +105,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes
} }
@Override @Override
@SuppressWarnings("deprecation")
protected void writeSuffix(JsonGenerator generator, Object object) throws IOException { protected void writeSuffix(JsonGenerator generator, Object object) throws IOException {
String jsonpFunction = String jsonpFunction =
(object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null); (object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);

8
spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -115,14 +115,20 @@ public class MappingJacksonValue {
/** /**
* Set the name of the JSONP function name. * Set the name of the JSONP function name.
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
public void setJsonpFunction(@Nullable String functionName) { public void setJsonpFunction(@Nullable String functionName) {
this.jsonpFunction = functionName; this.jsonpFunction = functionName;
} }
/** /**
* Return the configured JSONP function name. * Return the configured JSONP function name.
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
@Nullable @Nullable
public String getJsonpFunction() { public String getJsonpFunction() {
return this.jsonpFunction; return this.jsonpFunction;
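Review bot: The new `@deprecated` tags on `setJsonpFunction` and `getJsonpFunction` say when the API goes away but not why, and the setter still stores `functionName` without any check. `writeSuffix` in MappingJackson2HttpMessageConverter reads this value through `getJsonpFunction()` and presumably emits it into the response, so the setter Javadoc should say that validation is the caller's job, e.g. `* <p>The name is not validated here; pass only a value checked against a strict identifier pattern.` I would also add `as of 5.0.7` to both tags so readers can see when the deprecation started. The class body continues outside the hunk.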

5
spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2015 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -45,7 +45,10 @@ import org.springframework.util.ObjectUtils;
* *
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @since 4.1 * @since 4.1
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice { public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice {
/** /**

17
spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -59,6 +59,7 @@ import org.springframework.web.servlet.View;
* @author Sebastien Deleuze * @author Sebastien Deleuze
* @since 3.1.2 * @since 3.1.2
*/ */
@SuppressWarnings("deprecation")
public class MappingJackson2JsonView extends AbstractJackson2View { public class MappingJackson2JsonView extends AbstractJackson2View {
/** /**
@ -69,7 +70,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
/** /**
* Default content type for JSONP: "application/javascript". * Default content type for JSONP: "application/javascript".
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript"; public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript";
/** /**
@ -87,7 +91,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
private boolean extractValueFromSingleKeyModel = false; private boolean extractValueFromSingleKeyModel = false;
@Nullable @Nullable
private Set<String> jsonpParameterNames = new LinkedHashSet<>(Arrays.asList("jsonp", "callback")); private Set<String> jsonpParameterNames = new LinkedHashSet<>();
/** /**
@ -170,10 +174,14 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
* Set JSONP request parameter names. Each time a request has one of those * Set JSONP request parameter names. Each time a request has one of those
* parameters, the resulting JSON will be wrapped into a function named as * parameters, the resulting JSON will be wrapped into a function named as
* specified by the JSONP request parameter value. * specified by the JSONP request parameter value.
* <p>The parameter names configured by default are "jsonp" and "callback". * <p>As of Spring Framework 5.0.7, there is no parameter name configured
* by default.
* @since 4.1 * @since 4.1
* @see <a href="http://en.wikipedia.org/wiki/JSONP">JSONP Wikipedia article</a> * @see <a href="http://en.wikipedia.org/wiki/JSONP">JSONP Wikipedia article</a>
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
public void setJsonpParameterNames(Set<String> jsonpParameterNames) { public void setJsonpParameterNames(Set<String> jsonpParameterNames) {
this.jsonpParameterNames = jsonpParameterNames; this.jsonpParameterNames = jsonpParameterNames;
} }
@ -204,7 +212,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
* Invalid parameter values are ignored. * Invalid parameter values are ignored.
* @param value the query param value, never {@code null} * @param value the query param value, never {@code null}
* @since 4.1.8 * @since 4.1.8
* @deprecated Will be removed as of Spring Framework 5.1, use
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
*/ */
@Deprecated
protected boolean isValidJsonpQueryParam(String value) { protected boolean isValidJsonpQueryParam(String value) {
return CALLBACK_PARAM_PATTERN.matcher(value).matches(); return CALLBACK_PARAM_PATTERN.matcher(value).matches();
} }
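Review bot: The Javadoc on `setJsonpParameterNames` states that no parameter name is configured by default but does not say why an application should hesitate to configure one. Once a name is set, a request carrying that parameter gets the JSON wrapped in a caller-named function under the JSONP content type `application/javascript`, which lets a page on another origin load the response through a script element. A sentence such as `* <p>Enabling JSONP makes the rendered model readable cross-origin; only configure names for views that expose no user-specific data.` would make the cost of opting in explicit. Separately, the class-level `@SuppressWarnings("deprecation")` hides every future deprecated call in the class; placing it on the members that touch the JSONP API would keep the compiler warning useful elsewhere.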

14
spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -17,9 +17,11 @@
package org.springframework.web.servlet.view.json; package org.springframework.web.servlet.view.json;
import java.io.IOException; import java.io.IOException;
import java.util.Arrays;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -324,11 +326,19 @@ public class MappingJackson2JsonViewTests {
@Test @Test
public void renderWithJsonp() throws Exception { public void renderWithJsonp() throws Exception {
testJsonp("jsonp", "callback", false);
testJsonp("jsonp", "_callback", false);
testJsonp("jsonp", "_Call.bAcK", false);
testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false);
testJsonp("jsonp", "<script>", false);
testJsonp("jsonp", "!foo!bar", false);
this.view.setJsonpParameterNames(new LinkedHashSet<>(Arrays.asList("jsonp")));
testJsonp("jsonp", "callback", true); testJsonp("jsonp", "callback", true);
testJsonp("jsonp", "_callback", true); testJsonp("jsonp", "_callback", true);
testJsonp("jsonp", "_Call.bAcK", true); testJsonp("jsonp", "_Call.bAcK", true);
testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true); testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true);
testJsonp("jsonp", "<script>", false); testJsonp("jsonp", "<script>", false);
testJsonp("jsonp", "!foo!bar", false); testJsonp("jsonp", "!foo!bar", false);
} }
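Review bot: `renderWithJsonp` checks the new default only for the `jsonp` parameter name; `callback`, the other name removed from the default set in MappingJackson2JsonView, is never exercised. Assuming the first argument of `testJsonp` is the request parameter name, adding `testJsonp("callback", "callback", false);` before the `setJsonpParameterNames` call would pin that neither former default triggers wrapping. The `testJsonp` helper is defined outside the hunk, so its exact contract should be confirmed first.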

6
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportType.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -28,6 +28,8 @@ import org.springframework.lang.Nullable;
/** /**
* SockJS transport types. * SockJS transport types.
* *
* <p>JSONP support will be removed as of Spring Framework 5.1, use others transports instead.
*
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @author Sebastien Deleuze * @author Sebastien Deleuze
* @since 4.0 * @since 4.0
@ -40,8 +42,10 @@ public enum TransportType {
XHR_SEND("xhr_send", HttpMethod.POST, "cors", "jsessionid", "no_cache"), XHR_SEND("xhr_send", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
@Deprecated
JSONP("jsonp", HttpMethod.GET, "jsessionid", "no_cache"), JSONP("jsonp", HttpMethod.GET, "jsessionid", "no_cache"),
@Deprecated
JSONP_SEND("jsonp_send", HttpMethod.POST, "jsessionid", "no_cache"), JSONP_SEND("jsonp_send", HttpMethod.POST, "jsessionid", "no_cache"),
XHR_STREAMING("xhr_streaming", HttpMethod.POST, "cors", "jsessionid", "no_cache"), XHR_STREAMING("xhr_streaming", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
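Review bot: `JSONP` and `JSONP_SEND` get `@Deprecated` but no Javadoc `@deprecated` tag, so the generated API docs and IDE hints give no removal version or replacement for the constants themselves. A one-line comment on each, such as `/** @deprecated as of 5.0.7, will be removed in 5.1; use another transport */`, would match the tags added to the classes in this commit. The phrase `use others transports instead` in the enum Javadoc here, and in the tags on JsonpPollingTransportHandler and JsonpReceivingTransportHandler, should read `use other transports instead`.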

3
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsService.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -79,6 +79,7 @@ public class DefaultSockJsService extends TransportHandlingSockJsService impleme
} }
@SuppressWarnings("deprecation")
private static Set<TransportHandler> getDefaultTransportHandlers(@Nullable Collection<TransportHandler> overrides) { private static Set<TransportHandler> getDefaultTransportHandlers(@Nullable Collection<TransportHandler> overrides) {
Set<TransportHandler> result = new LinkedHashSet<>(8); Set<TransportHandler> result = new LinkedHashSet<>(8);
result.add(new XhrPollingTransportHandler()); result.add(new XhrPollingTransportHandler());
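Review bot: The `@SuppressWarnings("deprecation")` added to `getDefaultTransportHandlers` suggests the default handler set still instantiates the deprecated JSONP handlers, although that part of the body is outside the hunk. If so, SockJS keeps its JSONP transports on by default while the Jackson view in the same commit turns JSONP off by default, and nothing here tells a reader that the difference is intended. A comment above the JSONP registrations, for example `// JSONP transports stay in the defaults until their removal in 5.1`, would record the decision. Deployments that do not need legacy browser fallback may then want to pass an explicit handler list instead of relying on the defaults.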

4
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpPollingTransportHandler.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -41,7 +41,9 @@ import org.springframework.web.util.JavaScriptUtils;
* *
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @since 4.0 * @since 4.0
* @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
*/ */
@Deprecated
public class JsonpPollingTransportHandler extends AbstractHttpSendingTransportHandler { public class JsonpPollingTransportHandler extends AbstractHttpSendingTransportHandler {
@Override @Override

4
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/handler/JsonpReceivingTransportHandler.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -38,7 +38,9 @@ import org.springframework.web.socket.sockjs.transport.session.AbstractHttpSockJ
* A {@link TransportHandler} that receives messages over HTTP. * A {@link TransportHandler} that receives messages over HTTP.
* *
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
*/ */
@Deprecated
public class JsonpReceivingTransportHandler extends AbstractHttpReceivingTransportHandler { public class JsonpReceivingTransportHandler extends AbstractHttpReceivingTransportHandler {
private final FormHttpMessageConverter formConverter = new FormHttpMessageConverter(); private final FormHttpMessageConverter formConverter = new FormHttpMessageConverter();

7
src/docs/asciidoc/web/webmvc-view.adoc

@ -2030,9 +2030,10 @@ annotations. When further control is needed, a custom `ObjectMapper` can be inje
through the `ObjectMapper` property for cases where custom JSON through the `ObjectMapper` property for cases where custom JSON
serializers/deserializers need to be provided for specific types. serializers/deserializers need to be provided for specific types.
http://en.wikipedia.org/wiki/JSONP[JSONP] is supported and automatically enabled when As of Spring Framework 5.0.7, http://en.wikipedia.org/wiki/JSONP[JSONP] support is
the request has a query parameter named `jsonp` or `callback`. The JSONP query parameter deprecated and requires to customize the JSONP query parameter
name(s) could be customized through the `jsonpParameterNames` property. name(s) through the `jsonpParameterNames` property. This support will be removed as of
Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.

5
src/docs/asciidoc/web/webmvc.adoc

@ -2670,6 +2670,11 @@ For controllers relying on view resolution, JSONP is automatically enabled when
request has a query parameter named `jsonp` or `callback`. Those names can be request has a query parameter named `jsonp` or `callback`. Those names can be
customized through `jsonpParameterNames` property. customized through `jsonpParameterNames` property.
[NOTE]
====
As of Spring Framework 5.0.7, JSONP support is deprecated and will be removed as of
Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.
====
[[mvc-ann-modelattrib-methods]] [[mvc-ann-modelattrib-methods]]
