Deprecate JSONP and disable it by default in Jackson view
Issue: SPR-16798
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -91,6 +91,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes
|
||||
|
||||
|
||||
@Override
|
||||
@SuppressWarnings("deprecation")
|
||||
protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
|
||||
if (this.jsonPrefix != null) {
|
||||
generator.writeRaw(this.jsonPrefix);
|
||||
@@ -104,6 +105,7 @@ public class MappingJackson2HttpMessageConverter extends AbstractJackson2HttpMes
|
||||
}
|
||||
|
||||
@Override
|
||||
@SuppressWarnings("deprecation")
|
||||
protected void writeSuffix(JsonGenerator generator, Object object) throws IOException {
|
||||
String jsonpFunction =
|
||||
(object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -115,14 +115,20 @@ public class MappingJacksonValue {
|
||||
|
||||
/**
|
||||
* Set the name of the JSONP function name.
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public void setJsonpFunction(@Nullable String functionName) {
|
||||
this.jsonpFunction = functionName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the configured JSONP function name.
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
@Nullable
|
||||
public String getJsonpFunction() {
|
||||
return this.jsonpFunction;
|
||||
|
||||
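Review bot: The deprecation Javadoc on `setJsonpFunction` names the replacement but does not say that the setter stores `functionName` unchecked (`this.jsonpFunction = functionName;`), so validating the callback name is left to the caller for as long as the method exists. Whether the converter's `writePrefix`/`writeSuffix` validate the value before writing it is not visible in these hunks and is worth confirming. I would add one Javadoc sentence such as `<p>The name is not validated here; callers must restrict it to a safe identifier before passing it in.` The class body continues outside the hunk.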
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -45,7 +45,10 @@ import org.springframework.util.ObjectUtils;
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @since 4.1
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice {
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -59,6 +59,7 @@ import org.springframework.web.servlet.View;
|
||||
* @author Sebastien Deleuze
|
||||
* @since 3.1.2
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
public class MappingJackson2JsonView extends AbstractJackson2View {
|
||||
|
||||
/**
|
||||
@@ -69,7 +70,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
|
||||
|
||||
/**
|
||||
* Default content type for JSONP: "application/javascript".
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript";
|
||||
|
||||
/**
|
||||
@@ -87,7 +91,7 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
|
||||
private boolean extractValueFromSingleKeyModel = false;
|
||||
|
||||
@Nullable
|
||||
private Set<String> jsonpParameterNames = new LinkedHashSet<>(Arrays.asList("jsonp", "callback"));
|
||||
private Set<String> jsonpParameterNames = new LinkedHashSet<>();
|
||||
|
||||
|
||||
/**
|
||||
@@ -170,10 +174,14 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
|
||||
* Set JSONP request parameter names. Each time a request has one of those
|
||||
* parameters, the resulting JSON will be wrapped into a function named as
|
||||
* specified by the JSONP request parameter value.
|
||||
* <p>The parameter names configured by default are "jsonp" and "callback".
|
||||
* <p>As of Spring Framework 5.0.7, there is no parameter name configured
|
||||
* by default.
|
||||
* @since 4.1
|
||||
* @see <a href="http://en.wikipedia.org/wiki/JSONP">JSONP Wikipedia article</a>
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public void setJsonpParameterNames(Set<String> jsonpParameterNames) {
|
||||
this.jsonpParameterNames = jsonpParameterNames;
|
||||
}
|
||||
@@ -204,7 +212,10 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
|
||||
* Invalid parameter values are ignored.
|
||||
* @param value the query param value, never {@code null}
|
||||
* @since 4.1.8
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use
|
||||
* <a href="https://docs.spring.io/spring/docs/5.0.x/spring-framework-reference/web.html#mvc-cors">CORS</a> instead.
|
||||
*/
|
||||
@Deprecated
|
||||
protected boolean isValidJsonpQueryParam(String value) {
|
||||
return CALLBACK_PARAM_PATTERN.matcher(value).matches();
|
||||
}
|
||||
|
||||
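Review bot: `@SuppressWarnings("deprecation")` on the `MappingJackson2JsonView` class declaration silences deprecation warnings for every member, including any unrelated deprecated API the class picks up later. The converter and `DefaultSockJsService` in this same commit scope it to single methods. I would move it onto the members that actually touch `jsonpParameterNames`, `DEFAULT_JSONP_CONTENT_TYPE` or `isValidJsonpQueryParam`; which methods those are is outside the visible hunks. Separately, with the default now `new LinkedHashSet<>()`, the unchanged reference text in the docs hunk at `@@ -2670,6 +2670,11 @@` still says JSONP is automatically enabled for `jsonp` or `callback`, which no longer matches the default.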
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,9 +17,11 @@
|
||||
package org.springframework.web.servlet.view.json;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
@@ -324,11 +326,19 @@ public class MappingJackson2JsonViewTests {
|
||||
|
||||
@Test
|
||||
public void renderWithJsonp() throws Exception {
|
||||
testJsonp("jsonp", "callback", false);
|
||||
testJsonp("jsonp", "_callback", false);
|
||||
testJsonp("jsonp", "_Call.bAcK", false);
|
||||
testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", false);
|
||||
testJsonp("jsonp", "<script>", false);
|
||||
testJsonp("jsonp", "!foo!bar", false);
|
||||
|
||||
this.view.setJsonpParameterNames(new LinkedHashSet<>(Arrays.asList("jsonp")));
|
||||
|
||||
testJsonp("jsonp", "callback", true);
|
||||
testJsonp("jsonp", "_callback", true);
|
||||
testJsonp("jsonp", "_Call.bAcK", true);
|
||||
testJsonp("jsonp", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true);
|
||||
|
||||
testJsonp("jsonp", "<script>", false);
|
||||
testJsonp("jsonp", "!foo!bar", false);
|
||||
}
|
||||
|
||||
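Review bot: Every visible call in `renderWithJsonp` uses the `jsonp` parameter name, so the other former default, `callback`, is never checked to be ignored now that the default set is empty. Assuming `testJsonp` takes the parameter name, the parameter value and an expected-wrapped flag (its definition is outside the hunk), I would add `testJsonp("callback", "callback", false);` before the `setJsonpParameterNames` call. Repeating the same line after the call would also pin that only the explicitly configured name enables wrapping.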
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -28,6 +28,8 @@ import org.springframework.lang.Nullable;
|
||||
/**
|
||||
* SockJS transport types.
|
||||
*
|
||||
* <p>JSONP support will be removed as of Spring Framework 5.1, use others transports instead.
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @author Sebastien Deleuze
|
||||
* @since 4.0
|
||||
@@ -40,8 +42,10 @@ public enum TransportType {
|
||||
|
||||
XHR_SEND("xhr_send", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
|
||||
|
||||
@Deprecated
|
||||
JSONP("jsonp", HttpMethod.GET, "jsessionid", "no_cache"),
|
||||
|
||||
@Deprecated
|
||||
JSONP_SEND("jsonp_send", HttpMethod.POST, "jsessionid", "no_cache"),
|
||||
|
||||
XHR_STREAMING("xhr_streaming", HttpMethod.POST, "cors", "jsessionid", "no_cache"),
|
||||
|
||||
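Review bot: `JSONP` and `JSONP_SEND` get `@Deprecated` with no Javadoc `@deprecated` tag, so IDEs and generated docs flag the constants without the removal version or the replacement that the class-level sentence gives. I would put `/** @deprecated Will be removed as of Spring Framework 5.1, use other transports instead. */` on each constant. The new sentences also read "use others transports"; that should be "other transports" here and in the Javadoc added to `JsonpPollingTransportHandler` and `JsonpReceivingTransportHandler`.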
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -79,6 +79,7 @@ public class DefaultSockJsService extends TransportHandlingSockJsService impleme
|
||||
}
|
||||
|
||||
|
||||
@SuppressWarnings("deprecation")
|
||||
private static Set<TransportHandler> getDefaultTransportHandlers(@Nullable Collection<TransportHandler> overrides) {
|
||||
Set<TransportHandler> result = new LinkedHashSet<>(8);
|
||||
result.add(new XhrPollingTransportHandler());
|
||||
|
||||
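Review bot: The new `@SuppressWarnings("deprecation")` on `getDefaultTransportHandlers` suggests the default handler set still references the deprecated JSONP transport handlers, which would mean SockJS keeps serving JSONP by default while the commit only turns it off for the Jackson view. The method body continues outside the hunk, so this is inferred and should be confirmed. If it holds, I would say so where the handlers are registered, e.g. `// JSONP handlers stay registered by default until their removal in 5.1 (SPR-16798)`. The SockJS reference docs should mention it too, so deployments that do not need those transports can configure them away.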
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -41,7 +41,9 @@ import org.springframework.web.util.JavaScriptUtils;
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @since 4.0
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public class JsonpPollingTransportHandler extends AbstractHttpSendingTransportHandler {
|
||||
|
||||
@Override
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -38,7 +38,9 @@ import org.springframework.web.socket.sockjs.transport.session.AbstractHttpSockJ
|
||||
* A {@link TransportHandler} that receives messages over HTTP.
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @deprecated Will be removed as of Spring Framework 5.1, use others transports instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public class JsonpReceivingTransportHandler extends AbstractHttpReceivingTransportHandler {
|
||||
|
||||
private final FormHttpMessageConverter formConverter = new FormHttpMessageConverter();
|
||||
|
||||
@@ -2030,9 +2030,10 @@ annotations. When further control is needed, a custom `ObjectMapper` can be inje
|
||||
through the `ObjectMapper` property for cases where custom JSON
|
||||
serializers/deserializers need to be provided for specific types.
|
||||
|
||||
http://en.wikipedia.org/wiki/JSONP[JSONP] is supported and automatically enabled when
|
||||
the request has a query parameter named `jsonp` or `callback`. The JSONP query parameter
|
||||
name(s) could be customized through the `jsonpParameterNames` property.
|
||||
As of Spring Framework 5.0.7, http://en.wikipedia.org/wiki/JSONP[JSONP] support is
|
||||
deprecated and requires to customize the JSONP query parameter
|
||||
name(s) through the `jsonpParameterNames` property. This support will be removed as of
|
||||
Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -2670,6 +2670,11 @@ For controllers relying on view resolution, JSONP is automatically enabled when
|
||||
request has a query parameter named `jsonp` or `callback`. Those names can be
|
||||
customized through `jsonpParameterNames` property.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
As of Spring Framework 5.0.7, JSONP support is deprecated and will be removed as of
|
||||
Spring Framework 5.1, <<mvc-cors,CORS>> should be used instead.
|
||||
====
|
||||
|
||||
|
||||
[[mvc-ann-modelattrib-methods]]
|
||||
|
||||