From 874859493bbda59739c38c7e52eb3625f247b93a Mon Sep 17 00:00:00 2001
From: Sebastien Deleuze
Date: Fri, 8 Jun 2018 12:29:48 +0200
Subject: [PATCH] Deprecate JSONP and disable it by default in Jackson view
Issue: SPR-16798
---
.../json/MappingJackson2HttpMessageConverter.java | 4 +++-
.../http/converter/json/MappingJacksonValue.java | 8 +++++++-
.../AbstractJsonpResponseBodyAdvice.java | 5 ++++-
.../view/json/MappingJackson2JsonView.java | 15 ++++++++++++---
.../view/json/MappingJackson2JsonViewTests.java | 14 ++++++++++++--
.../socket/sockjs/transport/TransportType.java | 6 +++++-
.../transport/handler/DefaultSockJsService.java | 3 ++-
.../handler/JsonpPollingTransportHandler.java | 4 +++-
.../handler/JsonpReceivingTransportHandler.java | 4 +++-
src/asciidoc/web-mvc.adoc | 6 ++++++
src/asciidoc/web-view.adoc | 7 ++++---
11 files changed, 61 insertions(+), 15 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
index 4832ec0bd676..09b678413ae1 100644
--- a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
+++ b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -88,6 +88,7 @@ public void setPrefixJson(boolean prefixJson) { @Override + @SuppressWarnings("deprecation") protected void writePrefix(JsonGenerator generator, Object object) throws IOException { if (this.jsonPrefix != null) { generator.writeRaw(this.jsonPrefix);
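Review bot: The `@SuppressWarnings("deprecation")` added to `writePrefix` in MappingJackson2HttpMessageConverter.java (hunk `@@ -88,6 +88,7 @@`), and to `writeSuffix` in the following hunk `@@ -101,6 +102,7 @@`, silences every deprecation warning in those methods without saying which call it is meant for. In the visible lines of `writeSuffix` the only deprecated call is `getJsonpFunction()`; the matching call in `writePrefix` is presumably in the part of the body that lies outside this hunk. A one-line comment above each annotation, for example `// getJsonpFunction() is deprecated together with JSONP support; drop this branch when the accessor is removed in 5.1`, would record the intent. Neither hunk changes what the converter does, so a `MappingJacksonValue` that carries a function name still appears to get the JSONP wrapper on this path; the "disabled by default" part of the commit title applies to the Jackson view only.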
@@ -101,6 +102,7 @@ protected void writePrefix(JsonGenerator generator, Object object) throws IOExce } @Override + @SuppressWarnings("deprecation") protected void writeSuffix(JsonGenerator generator, Object object) throws IOException { String jsonpFunction = (object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);
diff --git a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java
index 016fe94a0129..af80f4a3e782 100644
--- a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java
+++ b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJacksonValue.java
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -108,14 +108,20 @@ public FilterProvider getFilters() { /** * Set the name of the JSONP function name. + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public void setJsonpFunction(String functionName) { this.jsonpFunction = functionName; } /** * Return the configured JSONP function name. + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public String getJsonpFunction() { return this.jsonpFunction; }
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
index 0a383c6c57e1..0a8beee06d85 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
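Review bot: In MappingJacksonValue.java (hunk `@@ -108,14 +108,20 @@`) the new `@deprecated` tags on `setJsonpFunction` and `getJsonpFunction` name the replacement but do not say that the stored value is unchecked: the setter is still just `this.jsonpFunction = functionName;`. The message converter reads this value back through `getJsonpFunction()` when it writes the response, so the Javadoc should tell callers that they are responsible for the content of the name. A line such as `* The name is stored as given and is not validated here; pass only a value that has already been checked against a callback-name pattern.` on `setJsonpFunction` would cover it. Whether the name is validated elsewhere on the `@ResponseBody` path cannot be seen from this hunk.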
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -45,7 +45,10 @@ * * @author Rossen Stoyanchev * @since 4.1 + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ +@Deprecated public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice { /**
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
index 12a5baa0c2b2..c8853596e079 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@ package org.springframework.web.servlet.view.json; import java.io.IOException; -import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.LinkedHashSet;
@@ -58,6 +57,7 @@ * @author Sebastien Deleuze * @since 3.1.2 */ +@SuppressWarnings("deprecation") public class MappingJackson2JsonView extends AbstractJackson2View { /**
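Review bot: The class-level `@SuppressWarnings("deprecation")` added to `MappingJackson2JsonView` in hunk `@@ -58,6 +57,7 @@` hides every deprecation warning in the class, including any unrelated deprecated API that is used there later. The members this commit deprecates are few (`DEFAULT_JSONP_CONTENT_TYPE`, `setJsonpParameterNames`, `isValidJsonpQueryParam`), so the annotation could sit on the methods that reference them instead; which methods those are lies outside this hunk. If the class-level form is kept, a comment such as `// Covers only this class's own deprecated JSONP members; remove with them in 5.1` would document why it is there.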
@@ -68,7 +68,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View { /** * Default content type for JSONP: "application/javascript". + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript"; /**
@@ -83,7 +86,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View { private boolean extractValueFromSingleKeyModel = false; - private Set jsonpParameterNames = new LinkedHashSet(Arrays.asList("jsonp", "callback")); + private Set jsonpParameterNames = new LinkedHashSet(); /**
@@ -168,7 +171,10 @@ public void setExtractValueFromSingleKeyModel(boolean extractValueFromSingleKeyM *

The parameter names configured by default are "jsonp" and "callback". * @since 4.1 * @see JSONP Wikipedia article + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated public void setJsonpParameterNames(Set jsonpParameterNames) { this.jsonpParameterNames = jsonpParameterNames; }
@@ -198,7 +204,10 @@ private String getJsonpParameterValue(HttpServletRequest request) { * Invalid parameter values are ignored. * @param value the query param value, never {@code null} * @since 4.1.8 + * @deprecated Will be removed as of Spring Framework 5.1, use + * CORS instead. */ + @Deprecated protected boolean isValidJsonpQueryParam(String value) { return CALLBACK_PARAM_PATTERN.matcher(value).matches(); }
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java
index 4e062b2a0055..b6346ec96cea 100644
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/view/json/MappingJackson2JsonViewTests.java
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -17,9 +17,11 @@ package org.springframework.web.servlet.view.json; import java.io.IOException; +import java.util.Arrays; import java.util.Date; import java.util.HashMap; import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Map; import java.util.Set;
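Review bot: The Javadoc of `setJsonpParameterNames` in MappingJackson2JsonView.java (hunk `@@ -168,7 +171,10 @@`) still says `The parameter names configured by default are "jsonp" and "callback".`, although the `@@ -83,7 +86,7 @@` hunk of the same file changes the field initialiser to an empty `LinkedHashSet`. After this commit the sentence is wrong, and it hides the behaviour change: a view that relied on the defaults will presumably render plain JSON from now on unless parameter names are configured. Replace it with something like `No parameter names are configured by default, so JSONP is disabled unless names are set explicitly.` The setter also keeps the caller's set by reference (`this.jsonpParameterNames = jsonpParameterNames;`), so a later change to that set changes the view's configuration; that predates this commit.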
@@ -324,11 +326,19 @@ public void renderSimpleBeanWithFilters() throws Exception { @Test public void renderWithJsonp() throws Exception { + testJsonp("jsonp", "callback", false); + testJsonp("jsonp", "_callback", false); + testJsonp("jsonp", "_Call.bAcK", false); + testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false); + testJsonp("jsonp", "