
We are in the process of building a custom-built JEE security layer which is going to ensure that all possible OWASP concerns are addressed. This security layer is built as Filters that need to run before the Controllers (Spring in our case), so that they can execute before the request actually reaches the Controller. These security filters look at the user input and perform various sanitization. One such sanitization is the JSON sanitization, where the JSON data from the client is inspected for any malicious content.

Currently, the Spring Controllers use the @RequestBody annotation to populate the incoming JSON data into POJO classes.

I have exactly the same question but, is there a generic way to retrieve the parameters (sent as JSON data) from the request?

My objective is to have JSON sanitizer code in a Filter, so that it intercepts and parses all JSON data that comes to the controller.

yathirigan
    This sounds like a job for middleware (code that looks at all incoming requests and can handle them or modify them). I don't understand the details of what you're trying to do so I can't make a suggestion more specific than that. – jfriend00 Apr 22 '15 at 17:25
  • @jfriend00 I have added some background context to the question. Hope it provides the information you are looking for. We are not using any Middleware or Tool for this purpose, instead building a custom layer to work as a Security Layer. – yathirigan Apr 22 '15 at 17:47
  • We would need to see at least some code for how you are fielding the incoming http requests. You would essentially need to implement your own middleware processing if you aren't using any framework. – jfriend00 Apr 22 '15 at 17:54
  • I am writing a simple Java Servlet Filter which gets invoked before the Controller. If I want to inspect a parameter inside this filter, I just say request.getParameter("x") to get its value, inspect and sanitize. But when JSON data comes from the client side, request.getParameter("X") gives me NULL, but that JSON data is received at the Controller using the @RequestBody approach in the Controller. My question is, what should I use instead of request.getParameter in this JSON scenario? – yathirigan Apr 22 '15 at 18:17
  • Is this a node.js question (JavaScript) or some sort of Java Dev environment. Confused! Has your JSON been parsed yet? – jfriend00 Apr 22 '15 at 18:40
  • Currently the Spring Controller which receives the request, using the @RequestBody annotation, maps the JSON data to a POJO Java Class (which matches the structure of the JSON data). This question is on the Java side where the request is received and parameters are retrieved. – yathirigan Apr 23 '15 at 02:35
  • You might want to edit your question to make that a lot clearer. I can't help you with the Java side of things. You may also want to remove the node.js tag since that seems to have nothing to do with your actual question, yet it confused me. – jfriend00 Apr 23 '15 at 02:36

1 Answer


I was able to read & retrieve the JSON data using the following technique. The StringBuffer jb finally has the entire JSON data.

StringBuffer jb = new StringBuffer();
String line = null;
BufferedReader reader = request.getReader(); // java.io.BufferedReader; request is the HttpServletRequest
while ((line = reader.readLine()) != null) {
    jb.append(line);
}

Ref: HttpServletRequest get JSON POST data

yathirigan
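A caveat that applies to the answer above and to the question's goal of inspecting JSON in a Filter: the servlet request body is a one-shot stream. Once a Filter has called request.getReader() (or getInputStream()) and drained it, the Spring controller's @RequestBody binding downstream receives an empty body (and calling getReader() after getInputStream() on the same unwrapped request throws IllegalStateException). The standard remedy is to wrap the request in an HttpServletRequestWrapper that buffers the body once and replays it on every later read. The following is an added example written for this page, not code from the question, the answer or the Spring project; it assumes the javax.servlet API and Jackson's ObjectMapper (which Spring already uses for @RequestBody), and the size limit, depth limit and control-character rule are a constructed example policy, not anything the page prescribes. It validates and rejects rather than silently rewriting the body, which keeps the controller's view of the input identical to what was inspected.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;

/** Reads a JSON body once in the filter, validates it, then hands the same body on to @RequestBody. */
public class JsonBodyInspectionFilter implements Filter {

    private static final int MAX_BODY_BYTES = 64 * 1024; // example policy values, not from the page
    private static final int MAX_DEPTH = 20;
    private final ObjectMapper mapper = new ObjectMapper();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String contentType = request.getContentType();

        // Only JSON bodies are inspected; form posts and others pass through untouched.
        if (contentType == null || !contentType.toLowerCase().startsWith("application/json")) {
            chain.doFilter(req, res);
            return;
        }

        // Buffer the body first so it can be read here AND again by the controller.
        CachedBodyRequest wrapped = new CachedBodyRequest(request, MAX_BODY_BYTES);
        if (wrapped.isOversized()) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        try {
            String problem = inspect(mapper.readTree(wrapped.bodyAsString()), 0);
            if (problem != null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, problem);
                return;
            }
        } catch (IOException malformed) { // Jackson throws on syntactically invalid JSON
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed JSON");
            return;
        }
        chain.doFilter(wrapped, res); // pass the wrapper, not the drained original, downstream
    }

    /** Walks the parsed tree; returns the first policy violation, or null if the body is acceptable. */
    static String inspect(JsonNode node, int depth) {
        if (depth > MAX_DEPTH) return "nesting too deep";
        if (node.isTextual()) {
            for (char c : node.asText().toCharArray()) {
                if (Character.isISOControl(c) && c != '\n' && c != '\r' && c != '\t') {
                    return "control character in string value";
                }
            }
        } else if (node.isContainerNode()) { // objects and arrays: recurse into every value
            for (Iterator<JsonNode> it = node.elements(); it.hasNext(); ) {
                String problem = inspect(it.next(), depth + 1);
                if (problem != null) return problem;
            }
        }
        return null;
    }

    /** Buffers the body in memory once and replays it on every getInputStream()/getReader() call. */
    static class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        private final boolean oversized;

        CachedBodyRequest(HttpServletRequest request, int limit) throws IOException {
            super(request);
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            InputStream in = request.getInputStream();
            byte[] chunk = new byte[4096];
            boolean tooBig = false;
            int n;
            while ((n = in.read(chunk)) != -1) {
                if (buf.size() + n > limit) { tooBig = true; break; } // stop before buffering more than the limit
                buf.write(chunk, 0, n);
            }
            body = buf.toByteArray();
            oversized = tooBig;
        }

        boolean isOversized() { return oversized; }

        private Charset charset() {
            String enc = getCharacterEncoding();
            return enc == null ? StandardCharsets.UTF_8 : Charset.forName(enc);
        }

        String bodyAsString() { return new String(body, charset()); }

        @Override
        public ServletInputStream getInputStream() {
            ByteArrayInputStream src = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return src.read(); }
                @Override public boolean isFinished() { return src.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) {}
            };
        }

        @Override
        public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), charset()));
        }
    }
}
```

Register the filter ahead of Spring's DispatcherServlet (web.xml filter-mapping, or a FilterRegistrationBean in a Spring Boot application) so it runs before any controller. Both getInputStream() and getReader() are overridden because Spring's message converters read via getInputStream(), while the answer's own snippet reads via getReader(); with the wrapper in place either path sees the full, buffered body.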