Spring MVC 3 content negotiation limited to the actions that support it
I have configured content negotiation in my Spring MVC 3 app as follows:
<bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <property name="order" value="0" />
    <property name="favorPathExtension" value="true" />
    <property name="defaultContentType">
        <ref bean="htmlMediaType" />
    </property>
    <property name="mediaTypes">
        <map>
            <entry key="json" value="application/json" />
            <entry key="xml" value="application/xml" />
        </map>
    </property>
    <property name="defaultViews">
        <list>
            <bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView">
                <property name="objectMapper" ref="jacksonObjectMapper" />
            </bean>
            <bean class="org.springframework.web.servlet.view.xml.MarshallingView">
                <property name="marshaller">
                    <bean class="org.springframework.oxm.castor.CastorMarshaller" />
                </property>
            </bean>
        </list>
    </property>
    <property name="viewResolvers">
        <ref bean="tilesViewResolver" />
    </property>
</bean>
This works very well -- all my views will render as html views with the 'normal' view templates, or as JSON or XML dumps of the view model data depending on the 'Accept' header.
However, this seems to be a bit of a security hole to me. Some of my actions are API-style actions, and are legitimately available in HTML or JSON or XML. However, some views are intended to be HTML-only. I don't really want end-users to be able to see all the view data just by adding ".json" to the url.
Is there any way to do content negotiation in Spring MVC, but only on actions which have explicitly opted-in to it? Can I set up a controller annotation like @RespondsTo("xml", "json")?
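One way to get the opt-in behaviour the question asks for, as an added example that is neither the asker's code nor part of Spring: a custom @RespondsTo annotation plus a HandlerInterceptor that refuses non-HTML renderings of any handler that does not carry it. The interceptor runs before the controller method, so an HTML-only action requested as ".json" (or with an explicit Accept: application/json) gets a 406 before its model is even built. It assumes Spring MVC 3.1 or later (HandlerMethod) and the json/xml mediaTypes map from the configuration above; the class, package-less file layout and controller contents are made up for illustration.

```java
// Added example for this thread (not the asker's code and not part of Spring): an opt-in
// @RespondsTo annotation enforced by a HandlerInterceptor. Handlers that lack it stay HTML-only;
// a ".json"/".xml" request for them (by extension or Accept header) gets 406 before the handler
// runs, so the model is never built or serialized. Assumes Spring MVC 3.1+ (HandlerMethod).
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.util.UrlPathHelper;

public final class ContentNegotiationOptIn {
    /** Marks a handler method as allowed to render in these non-HTML formats (mediaTypes keys). */
    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface RespondsTo {
        String[] value();
    }

    /** Sends 406 for non-HTML renderings of handlers that did not opt in; register it in <mvc:interceptors>. */
    public static class RespondsToInterceptor extends HandlerInterceptorAdapter {
        /** Keys of the question's mediaTypes map; both map to application/<key>. */
        private static final List<String> FORMATS = Arrays.asList("json", "xml");
        private final UrlPathHelper pathHelper = new UrlPathHelper();

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                Object handler) throws Exception {
            if (!(handler instanceof HandlerMethod)) {
                return true;                       // static resources, default servlet, etc.
            }
            String format = requestedFormat(request);
            if (format == null) {
                return true;                       // only HTML was asked for
            }
            RespondsTo optIn = ((HandlerMethod) handler).getMethodAnnotation(RespondsTo.class);
            if (optIn != null && Arrays.asList(optIn.value()).contains(format)) {
                return true;                       // handler explicitly opted in to this format
            }
            response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE);
            return false;                          // handler never runs, model never built
        }

        /** "json"/"xml" if asked for by path extension (/create.json) or an explicit Accept type,
         *  else null. Wildcard Accept types are ignored, so plain browser requests pass through. */
        String requestedFormat(HttpServletRequest request) {
            String ext = StringUtils.getFilenameExtension(pathHelper.getLookupPathForRequest(request));
            if (ext != null) {
                return FORMATS.contains(ext.toLowerCase()) ? ext.toLowerCase() : null;
            }
            String accept = request.getHeader("Accept");
            if (accept == null) {
                return null;
            }
            try {
                for (MediaType mt : MediaType.parseMediaTypes(accept)) {
                    if ("application".equals(mt.getType()) && FORMATS.contains(mt.getSubtype())) {
                        return mt.getSubtype();
                    }
                }
            } catch (IllegalArgumentException malformedAccept) {
                // an unparseable Accept header is treated as a plain HTML request
            }
            return null;
        }
    }

    @Controller
    @RequestMapping("/categories")
    public static class CategoriesController {
        /** API-style action: opted in, so /categories.json and /categories.xml keep working. */
        @RespondsTo({ "json", "xml" })
        @RequestMapping(method = RequestMethod.GET)
        public String list(Model model) {
            model.addAttribute("categories", Arrays.asList("books", "music"));
            return "categories/list";
        }

        /** HTML-only form: /categories/create.json now yields 406 instead of a model dump. */
        @RequestMapping(value = "/create", method = RequestMethod.GET)
        public String createForm(Model model) {
            model.addAttribute("internalState", "something you would not want serialized");
            return "categories/create";
        }
    }
}
```

Register the interceptor next to the existing resolver, for example with <mvc:interceptors><bean class="ContentNegotiationOptIn$RespondsToInterceptor"/></mvc:interceptors>, and leave the ContentNegotiatingViewResolver as it is: the resolver still picks the JSON or XML view for opted-in handlers, but nothing else ever reaches it in a non-HTML form. Two caveats: the annotation is read from the method only, so a class-level variant would need a lookup on HandlerMethod.getBeanType() as well, and the path extension is taken the same way Spring does (decoded lookup path, last ".segment"), so encoded variants such as %2Ejson are caught too.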
Comments (3)
I just faced the same problem. The produces attribute of @RequestMapping helps with this. Although it is the opposite of what you asked for - a bit opt-out rather than opt-in - I think it can satisfy you.
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/categories")
public class CategoriesController
{
    // 'produces' (Spring 3.1+) restricts this mapping to responses of the given media type only
    @RequestMapping(value = "/create", method = RequestMethod.GET, produces = "application/xhtml+xml")
    public String createForm(Model model)
    {
        return "categories/create"; // logical view name rendered by the JSP view resolver
    }
}
/create - works normally, displaying the JSP view
/create.json - 406 error
Why don't you use a filter through DelegatingFilterProxy to block users from accessing unnecessary content types?