I'm currently using RestEasy (2.3.6) with Jackson (1.9.9) and need to prefix my JSON arrays with '{} &&' in order to prevent JSON hijacking.

I'm new to Jackson and am having a really hard time understanding where to insert anything like this. I'm not even sure where to insert something like this to make it happen all the time, and I would like to take it one step further and be able to specify to only prefix return values that contain JSON arrays and not regular objects.

I imagine there is a class somewhere I need to subclass and override a method, and then register that class somehow. Has anyone ever done anything like this?

Matt
  • Jackson 1.9.9??? The current version is 2.2.x... You should consider an upgrade! – fge Jun 12 '13 at 19:24
  • Also: why is such hijacking of any concern to you? How do you generate your JSON currently? – fge Jun 12 '13 at 19:25
  • 1.9.9 was pulled in with the dependency on resteasy-jackson-provider v2.3.6, so that's just what I went with. Could probably set up exclusions and force it to use the newer one if there's something in there that will help solve my issue. Whether or not to worry about hijacking is a decision that is not up to me. Currently I'm using Jackson to automatically marshal pojos returned from my resteasy resource methods. – Matt Jun 12 '13 at 19:31
  • The point still remains, though: _why_ do you need to prevent "JSON hijacking"? – fge Jun 12 '13 at 19:33
  • 1
    The accepted answer to this question: http://stackoverflow.com/questions/9727096/spring-json-tainting-response-from-jacksonmessageconverter should help. – Jukka Jun 12 '13 at 19:50

1 Answer

Jukka, the question you linked to led me to a solution. I extended JacksonJsonProvider, and overrode the writeTo() method. There are a few conditions in there and I was able to add jg.writeRaw("{}&&"); before each place it writes the value. Also, since I'm using Spring, I had to annotate my class with @Component in order for it to be found.

Another gotcha with creating your own JsonProvider subclass is that your REST methods must have @Produces('application/json') (you should always be explicit with these anyway), or else the default JsonProvider will be used.

Matt
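Below is an added example of the approach the answer describes (subclass JacksonJsonProvider, override writeTo(), emit the "{}&&" prefix, register with @Component and explicit @Produces). It is not the poster's code: rather than editing the body of writeTo(), it writes the prefix straight to the entity stream and then delegates to the superclass, and it also covers the follow-up goal from the question of prefixing only responses whose root is a JSON array. The class name ArrayPrefixingJsonProvider and the isJsonArray() helper are assumed names; the JAX-RS and Jackson 1.x imports match the versions named in the question (RestEasy 2.3.6 / Jackson 1.9.9, org.codehaus.jackson packages).

```java
import java.io.IOException;
import java.io.OutputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import java.nio.charset.Charset;
import java.util.Collection;

import javax.ws.rs.Consumes;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

import org.codehaus.jackson.jaxrs.JacksonJsonProvider;
import org.springframework.stereotype.Component;

/**
 * Example provider (not from the original post) that prefixes responses whose
 * root is a JSON array with "{}&&", which turns the body into a JavaScript
 * syntax error if an attacker loads it through a script tag. Plain objects are
 * left untouched. Clients must strip the prefix before calling JSON.parse().
 */
@Provider
@Component   // lets Spring discover the provider, as the answer notes
@Consumes({"application/json", "application/*+json", "text/json"})
@Produces({"application/json", "application/*+json", "text/json"})
public class ArrayPrefixingJsonProvider extends JacksonJsonProvider {

    private static final String PREFIX = "{}&&";

    /**
     * True when Jackson would serialize the value as a JSON array: Java arrays
     * (except byte[], which Jackson encodes as a base64 string), Collections
     * and other Iterables. Maps and POJOs become JSON objects and return false.
     */
    static boolean isJsonArray(Object value, Class<?> type) {
        if (value == null) {
            return false;
        }
        Class<?> c = (type != null) ? type : value.getClass();
        if (c == byte[].class) {
            return false;
        }
        return c.isArray()
            || Collection.class.isAssignableFrom(c)
            || Iterable.class.isAssignableFrom(c);
    }

    @Override
    public void writeTo(Object value, Class<?> type, Type genericType,
                        Annotation[] annotations, MediaType mediaType,
                        MultivaluedMap<String, Object> httpHeaders,
                        OutputStream entityStream) throws IOException {
        if (isJsonArray(value, type)) {
            // Match the charset Jackson will use for the body (negotiated
            // charset parameter if present, otherwise UTF-8) so the raw
            // prefix and the JSON that follows are encoded consistently.
            String cs = (mediaType == null) ? null
                    : mediaType.getParameters().get(MediaType.CHARSET_PARAMETER);
            Charset charset = (cs != null) ? Charset.forName(cs) : Charset.forName("UTF-8");
            entityStream.write(PREFIX.getBytes(charset));
        }
        // Let the stock provider serialize the value after the prefix.
        super.writeTo(value, type, genericType, annotations, mediaType,
                      httpHeaders, entityStream);
    }
}
```

Two practical checks when wiring this in: confirm with curl that a resource method returning a List actually produces a body starting with "{}&&" (if it does not, the resource method is probably missing an explicit @Produces("application/json") and the stock ResteasyJacksonProvider is still being selected, exactly the gotcha the answer mentions), and make sure every client that consumes these endpoints strips the four-character prefix before parsing, since the response is deliberately no longer valid JSON.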