This has been answered before with annotation syntax: "Aspectj overwrite an argument of a method"

But I can't figure out how to do it with the AspectJ declarative syntax. The following should add "Poop" in front of each string in the method but it does not.

public aspect UserInputSanitizerAdvisor {

    pointcut unSafeString() : execution(@RequestMapping * * (..));

    Object around() : unSafeString() {
        //thisJoinPoint.getArgs();
        //proceed();
        System.out.println("I'm Around");
        Object[] args = thisJoinPoint.getArgs();
        if (args != null) {
            for (int i = 0; i < args.length; i++) {
                Object o = args[i];
                if (o != null && o instanceof String) {
                    String s = (String) o;
                    args[i] = "poop: " + s;
                }
            }
        }

        return proceed();
    }

}

I can't figure out how to give "proceed()" all the arguments.

Cœur
Adam Gent

2 Answers

I got the annotation version working:

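import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
// Named in the pointcut expression below.
import org.springframework.web.bind.annotation.RequestMapping;

@SuppressWarnings("unused")
@Aspect
public class UserInputSanitizerAdivsor {

    // Wraps every method annotated with @RequestMapping.
    @Around("execution(@RequestMapping * * (..))")
    public Object check(final ProceedingJoinPoint jp) throws Throwable {
        Object[] args = jp.getArgs();
        if (args != null) {
            for (int i = 0; i < args.length; i++) {
                Object o = args[i];
                // Only top-level String arguments are rewritten.
                if (o != null && o instanceof String) {
                    String s = (String) o;
                    args[i] = UserInputSanitizer.sanitize(s);
                }
            }
        }
        // Pass the modified array on; proceed() without arguments would reuse the originals.
        return jp.proceed(args);
    }
}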

Now I have XSS protection for all my Spring MVC controllers. I was hoping to get the AspectJ syntax working though.

Adam Gent
  • The traditional AspectJ syntax requires that calls made to proceed() in an around advice match those collected by its pointcut. Given your need to update each string argument, the @AspectJ syntax is the only real choice. – ramnivas Jan 30 '11 at 17:46
  • @ramnivas Thanks for confirming my suspicion. Your book is awesome, especially chapter 3. – Adam Gent Jan 30 '11 at 18:05
  • In my case (Spring 3.2) I had to specify the full name of the RequestMapping annotation to get it to work, like so: @Around("execution(@org.springframework.web.bind.annotation.RequestMapping * * (..))") – Luciano Fiandesio May 22 '15 at 08:17
Does return thisJoinPoint.proceed(args); do what you want?

Howard
  • 1
    You're right. I don't think that you can do it declaratively -> the args() is not flexible enough to handle any arguments. – Howard Jan 30 '11 at 17:51
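
The limitation described in the comments above, shown in traditional AspectJ syntax as an added example (not code from any poster on this page): proceed() accepts exactly the parameters the pointcut binds, so a fixed binding cannot reach every String argument. The @Mapped annotation, DemoController, Demo and escape() are constructed stand-ins; escape() takes the place of UserInputSanitizer.sanitize().

```aspectj
import java.lang.annotation.*;

// Constructed stand-in for Spring's @RequestMapping so this compiles with ajc alone.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Mapped {}

// Constructed sample controller.
class DemoController {
    @Mapped String greet(String name) { return "hello " + name; }
    @Mapped String pair(String a, int n, String b) { return a + "/" + n + "/" + b; }
}

public aspect FirstStringAdvisor {

    // args(s, ..) binds the first parameter only, and only when it is a String.
    pointcut firstString(String s) :
        execution(@Mapped * *(String, ..)) && args(s, ..);

    // The advice signature fixes what proceed() accepts: exactly one String.
    Object around(String s) : firstString(s) {
        return proceed(escape(s));
    }

    // Hypothetical stand-in for the answer's UserInputSanitizer.sanitize().
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}

class Demo {
    public static void main(String[] unused) {
        DemoController c = new DemoController();
        // Single String parameter: fully covered by the binding.
        System.out.println(c.greet("<b>x</b>"));
        // The third parameter is never bound, so it reaches the method unchanged.
        System.out.println(c.pair("<i>", 1, "<u>"));
    }
}
```

Compiled with ajc from a file named FirstStringAdvisor.aj and run as Demo with the AspectJ runtime on the classpath, the second call shows the coverage gap: only the first argument is escaped, which is why the annotation-style advice with jp.proceed(args) is needed to rewrite every String.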