I'm using Spring/AngularJS and to prevent JSON vulnerability, I'm trying to prefix all JSON array responses with ")]}',\n" - see reference.
I was able to prefix by
<mvc:annotation-driven>
    <mvc:message-converters>
        <bean id="mappingJackson2HttpMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
            <property name="jsonPrefix" value=")]}',\n" />
        </bean>
    </mvc:message-converters>
</mvc:annotation-driven>
But the problem is it's prefixing all JSON responses with ")]}',\n" and I only need to prefix the JSON arrays. Is there a way I could only set the prefix for JSON array responses? Thanks.
Instead of having a prefix, which basically makes your response invalid JSON, consider returning an object instead of an array. This will mitigate the attack vector as well.
{"d": [1,2,3,4]}
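For the question's original goal (prefixing only array responses), one possible approach is sketched here as an added example; it is not code from either poster or from Spring. The class name ArrayPrefixJsonConverter and the helper isTopLevelArray are hypothetical, and the sketch assumes a Spring version whose MappingJackson2HttpMessageConverter exposes the protected writePrefix(JsonGenerator, Object) hook.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.http.converter.json.MappingJacksonValue;

import java.io.IOException;
import java.util.Collection;

/**
 * Hypothetical converter (the name is an assumption): writes the prefix only
 * when the response body will be serialized as a top-level JSON array.
 */
public class ArrayPrefixJsonConverter extends MappingJackson2HttpMessageConverter {

    private static final String ARRAY_PREFIX = ")]}',\n";

    @Override
    protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
        // Spring may hand over a MappingJacksonValue wrapper; inspect the real payload.
        Object value = (object instanceof MappingJacksonValue)
                ? ((MappingJacksonValue) object).getValue()
                : object;
        if (isTopLevelArray(value)) {
            generator.writeRaw(ARRAY_PREFIX);
        }
        // Leave the jsonPrefix property unset on this bean; otherwise the parent
        // implementation prefixes every response again.
        super.writePrefix(generator, object);
    }

    /** Heuristic for Jackson's default mapping; custom serializers are not considered. */
    static boolean isTopLevelArray(Object value) {
        if (value == null) {
            return false;
        }
        if (value instanceof byte[] || value instanceof char[]) {
            return false; // Jackson writes these as a JSON string by default
        }
        return value instanceof Collection || value.getClass().isArray();
    }
}
```

Register this class in place of MappingJackson2HttpMessageConverter inside mvc:message-converters and drop the jsonPrefix property. AngularJS's $http strips this prefix before parsing, so object responses stay plain JSON and array responses stay non-executable as a script.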
Related
I am working with MuleSoft Anypoint Studio and I need to convert a JSON payload to XML in the end. During this conversion every field that is NULL needs to be excluded. Some values are not sent via the POST request and I am expecting not to see them in the end result (the XML file), but that is not the case, as they are there. For example, in the JSON POST request the Value field is not sent, which becomes null in Mule, so it should not appear in the XML file, but it's still written in it as <Value/>. I am mainly having problems with the Object to JSON transformer.
I have tried configuring a custom mapper
<spring:beans>
    <spring:bean id="Bean" name="NonNullMapper" class="org.codehaus.jackson.map.ObjectMapper">
        <spring:property name="SerializationInclusion">
            <spring:value type="org.codehaus.jackson.map.annotate.JsonSerialize.Inclusion">NON_NULL</spring:value>
        </spring:property>
    </spring:bean>
</spring:beans>
But that didn't really work. I also tried
<spring:beans>
    <spring:bean id="jacksonObjectMapper" class="org.codehaus.jackson.map.ObjectMapper" />
    <spring:bean
        class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <spring:property name="targetObject" ref="jacksonObjectMapper" />
        <spring:property name="targetMethod" value="configure" />
        <spring:property name="arguments">
            <spring:list>
                <spring:value>WRITE_NULL_MAP_VALUES</spring:value>
                <spring:value>false</spring:value>
            </spring:list>
        </spring:property>
    </spring:bean>
</spring:beans>
That didn't work either, as I get an error which I couldn't manage to fix:
More than one object of type class org.codehaus.jackson.map.ObjectMapper registered but only one expected
I am working with
Mule 3.9.0
Anypoint Studio 6.4
com.fasterxml.jackson and in some places org.codehaus.jackson
I would really appreciate any help or some hint.
Given that this is in Mule, you can use DataWeave instead to transform the payload. Setting the XML writer property skipNullOn could give the desired result. https://docs.mulesoft.com/mule-user-guide/v/3.9/dataweave-formats#skip-null-on
Example
%output application/xml skipNullOn="payload"
---
payload
I'm trying to fill the autocomplete field in Orbeon (version 2016.1) with suggestions which I receive as JSON.
The JSON I get looks like:
{"status":"success","code":200,"data":{"streets":[{"name":"Street One","id":"1"},{"name":"Street Two","id":"2"},{"name":"Street Three","id":"3"}]}}
I know that the Resource URI should point to my web service (could that URI, or the arguments I need to send, be encoded?), but I don't know how the Items, Label and Value fields should be configured in this case (the label would be name from the json and value should point to the code from the json, of course).
I referred to https://doc.orbeon.com/xforms/submission-json.html but haven't exactly managed to get what I'm trying to do.
Can someone help?
Thanks in advance.
Masa
In particular, with your specific JSON, the corresponding XML will look as follows. In general, see the section Seeing the converted XML for how you can create a form in Form Builder that allows you to see what the converted XML is for any JSON.
<json type="object">
    <status>success</status>
    <code type="number">200</code>
    <data type="object">
        <streets type="array">
            <_ type="object">
                <name>Street One</name>
                <id>1</id>
            </_>
            <_ type="object">
                <name>Street Two</name>
                <id>2</id>
            </_>
            <_ type="object">
                <name>Street Three</name>
                <id>3</id>
            </_>
        </streets>
    </data>
</json>
Using Spring RestControllers with Jackson JSON parsing backend, with AngularJS on front end. I'm looking for an efficient way to have Jackson serialize an Instant as the epoch milliseconds for subsequent convenient usage with JavaScript code. (On the browser side I wish to feed the epoch ms through Angular's Date Filter: {{myInstantVal | date:'short' }} for my desired date format.)
On the Java side, the getter that Jackson would use is simply:
public Instant getMyInstantVal() { return myInstantVal; }
Serialization wouldn't work as-is, because the jackson-datatype-jsr310 doesn't return Epoch milliseconds by default for an Instant. I looked at adding @JsonFormat to the above getter to morph the Instant into something the front-end can use, but it suffers from two problems: (1) the pattern I can supply it is apparently limited to SimpleDateFormat which doesn't provide an "epoch milliseconds" option, and (2) when I tried to send the Instant as a formatted date to the browser instead, Jackson throws an exception because the @JsonFormat annotation requires a TimeZone attribute for Instants, something I don't wish to hardcode as it would vary from user to user.
My solution so far (and it's working fine) is to create a replacement getter using @JsonGetter, which causes Jackson to use this method instead to serialize myInstantVal:
@JsonGetter("myInstantVal")
public long getMyInstantValEpoch() {
    return myInstantVal.toEpochMilli();
}
Is this the proper way of doing this? Or is there a nice annotation I'm missing that I can put on getMyInstantVal() so I won't have to create these additional methods?
You just need to read the README that you linked to. Emphasis mine:
Most JSR-310 types are serialized as numbers (integers or decimals as appropriate) if the SerializationFeature#WRITE_DATES_AS_TIMESTAMPS feature is enabled, and otherwise are serialized in standard ISO-8601 string representation.
[...]
Granularity of timestamps is controlled through the companion features SerializationFeature#WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS and DeserializationFeature#READ_DATE_TIMESTAMPS_AS_NANOSECONDS. For serialization, timestamps are written as fractional numbers (decimals), where the number is seconds and the decimal is fractional seconds, if WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS is enabled (it is by default), with resolution as fine as nanoseconds depending on the underlying JDK implementation. If WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS is disabled, timestamps are written as a whole number of milliseconds.
This is what worked for me in Kotlin (should be the same for Java). This lets you serialize as an epoch millisecond without changing the ObjectMapper's configuration.
data class MyPojo(
    @JsonFormat(without = [JsonFormat.Feature.WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS])
    val timestamp: Instant
)
Adding on to JB's answer, to override Spring MVC's default JSON parser to strip away the nanoseconds from Instant (and other Java 8 date objects that have them):
1. In the mvc:annotation-driven element, specify that you will be overriding the default JSON message converter:
<mvc:annotation-driven validator="beanValidator">
    <mvc:message-converters register-defaults="true">
        <beans:ref bean="jsonConverter"/>
    </mvc:message-converters>
</mvc:annotation-driven>
(register-defaults above is true by default and most probably what you'll want to keep the other converters configured by Spring as-is).
2. Override MappingJackson2HttpMessageConverter as follows:
<beans:bean id="jsonConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
    <beans:property name="objectMapper">
        <beans:bean class="org.springframework.http.converter.json.Jackson2ObjectMapperFactoryBean">
            <beans:property name="featuresToDisable">
                <beans:array>
                    <util:constant static-field="com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS"/>
                </beans:array>
            </beans:property>
        </beans:bean>
    </beans:property>
</beans:bean>
Step #1 is important as Spring MVC will otherwise ignore the configured MJ2HMC object in favor of its own default one.
Partial H/T to this SO post.
A simple way to return epoch millis in the JSON response for an Instant property can be the following:
@JsonFormat(shape = JsonFormat.Shape.NUMBER, timezone = "UTC")
private Instant createdAt;
This will result in the following response:
{
...
"createdAt": 1534923249,
...
}
I created a saved search of "items" in NetSuite.
<netsuite:search config-ref="NetSuite__Login_Authentication" searchRecord="ITEM_ADVANCED" bodyFieldsOnly="false" returnSearchColumns="true" doc:name="NetSuite"/>
<json:object-to-json-transformer doc:name="Object to JSON"/>
When 'returnSearchColumns' is set to "true", I receive the exception below. If this attribute is set to false, there is no exception but the response is missing the columns selected.
java.lang.IllegalArgumentException: No enum constant org.mule.module.netsuite.RecordTypeEnum.ITEM
Also, I received a 'ConsumerIterator' object as the response from NetSuite and used the "Object to JSON" transformer right after the NetSuite connector. The response received is an array of item objects.
1) Is there a way to convert this payload into XML format? Both object to XML and JSON to XML are not giving the entire XML.
2) How can I avoid the above-mentioned illegal argument exception?
1) object-to-xml should convert all fields to XML, or you could try something like Dataweave. What exactly is missing?
2) There is no type called 'ITEM'. You have to use one mentioned in this list: http://mulesoft.github.io/netsuite-connector/6.0.1/java/org/mule/module/netsuite/RecordTypeEnum.html such as 'INVENTORY_ITEM'.
Why doesn't MappingJackson2XmlView allow converting a model that contains more than one object?
See MappingJackson2XmlView.class, line 90:
throw new IllegalStateException("Model contains more than one object to render, only one is supported");
This is because there's no default way to convert a list to XML: a document must have exactly one root element. While an unnamed list is a valid thing to return in JSON, it's not OK in XML. You need to specify an intermediate class to hold the list. If you use a MarshallingView with a Jaxb2Marshaller, you can do this and still offer raw JSON lists:
<property name="defaultViews">
    <list>
        <!-- JSON -->
        <bean class="org.springframework.web.servlet.view.json.MappingJackson2JsonView" />
        <!-- XML -->
        <bean class="org.springframework.web.servlet.view.xml.MarshallingView">
            <constructor-arg>
                <bean class="org.springframework.oxm.jaxb.Jaxb2Marshaller">
                    <property name="packagesToScan" value="example.model" />
                </bean>
            </constructor-arg>
        </bean>
    </list>
</property>
Here, example.model.FooCollection would just contain a list of example.model.Foo, and would define its own @XmlRootElement.