We are facing problems with XSS attacks on our application. We are preventing this by using normal filters for GET requests.

We are using RESTEasy REST web service calls to our application. Our filter is not filtering the data inside form GET/POST/DELETE/PUT requests.

The basic requirement is that we need to check for XSS attacks on all the fields, headers and cookies as well.

How do we get the posted values before invoking the method, just like the filters we use for normal requests? I am using RESTEasy 2.0 for our app.

Is there any way to update the request wrapper before invoking the REST method? Please give us some suggestions on this. Thanks in advance.

Thanks, Govind.

Govind
  • 111
  • 8

2 Answers

3

Resteasy 2.0 allows you to use Interceptors on JAX-RS invocations and route them through listener-like objects.

You can declare an interceptor to check your request body and/or header before a JAX-RS resource method is invoked.

You can have a look at the docs here: Resteasy Interceptors Documentation

An example of how to use it: Resteasy Interceptors Example

Cirou
  • 1,420
  • 12
  • 18
  • Thanks Cirou for your suggestion. It seems these are for validation purposes. I need to change the form params and proceed with the updated values. Do I need to create a separate HttpRequest class for this? Please give me a link to code examples if you have any. – Govind Dec 07 '13 at 03:30
  • @Govind A link to a usage example is already in my answer. On page 2 of that tutorial you can see the example code of a validating interceptor. – Cirou Dec 09 '13 at 08:57
  • Thanks for the response. I think you got my point wrong. On that page the validation is done before proceeding to the remaining interceptors or the method invocation. I need to filter the data, push the filtered data into the same request scope and use the same HttpRequest for further processing. – Govind Dec 09 '13 at 09:52
  • 1
    @Govind ok, now it's clearer. So, you want to modify the `HttpServletRequest` parameters if they do not pass your validation. This is a bit different from a simple validation. Take a look here: http://stackoverflow.com/questions/1413129/modify-request-parameter-with-servlet-filter – Cirou Dec 09 '13 at 11:17
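Following the servlet-filter approach pointed to in the last comment, here is an added example (not code from the question or the answers) of a filter that wraps `HttpServletRequest` so that parameters and headers reach the JAX-RS method already HTML-escaped. The class names `XssFilter` and `SanitizedRequest` are assumed, and the filter must be mapped in web.xml to the same url-pattern as the RESTEasy servlet.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter mapped in web.xml to the RESTEasy servlet's url-pattern (assumed name).
// Every JAX-RS method then receives the wrapped request instead of the raw one.
public class XssFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }

    // Escape the characters HTML markup needs; the value stays readable but is
    // inert if it is later reflected into a page. Escape, do not strip.
    static String sanitize(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Wrapper that hands sanitized copies of parameters and headers to RESTEasy.
    static class SanitizedRequest extends HttpServletRequestWrapper {
        SanitizedRequest(HttpServletRequest request) { super(request); }
        @Override public String getParameter(String name) {
            return sanitize(super.getParameter(name));
        }
        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = sanitize(raw[i]);
            return out;
        }
        @Override public String getHeader(String name) {
            return sanitize(super.getHeader(name));
        }
    }
}
```

Whether `@FormParam` values arrive through `getParameter` or are parsed by RESTEasy from the raw body depends on the container and RESTEasy version, so verify with a test request. JSON or XML entities and cookies (`getCookies`) are not covered by these overrides and need their own handling.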
1

If I have understood it properly, you want a filter like in Servlet so that you can handle each request before it hits the REST function. It will also keep your implementation common for all REST calls. Correct me if I am wrong.

One simple solution comes to my mind, though I have never worked with RESTEasy 2.0. You can write a common function and call that function on the first line of your REST methods. Check for scripting elements in that function and, if found, throw an error or do something else.

A Paul
  • 8,113
  • 3
  • 31
  • 61