You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Ferry Syafei Sapei <pe...@yahoo.com> on 2008/09/30 16:51:35 UTC
Input validation for RESTful Service
Hi all,
I develop a RESTful Web Service following the tutorial on CXF Website (http://cwiki.apache.org/CXF20DOC/jax-rs-jsr-311.html).
To marshall/unmarshall the request and response, I use JAXB.
The request is defined as follows:
@XmlRootElement(name="orderRequest")
@XmlAccessorType(XmlAccessType.FIELD)
public class OrderRequest {
private AuthorizationRequest authorizationRequest;
@XmlElement(required=true, nillable=false)
private URI confirmationURL;
private PurchaseRequest purchaseRequest;
//getters and setters
...
}
The code for the RESTful Web Service is given below:
@Path("/ideal/")
public class IdealPaymentService {
@POST
@Path("/submitOrder/")
public Response submitOrder(OrderRequest orderRequest) throws URISyntaxException {
System.out.println("----invoking submitOrder" + orderRequest.toString());
return Response.ok("http://www.google.com").build();
}
}
The service is published by JAXRSServerFactoryBean in the Spring context:
...
<!-- Initialize JAXRSServer -->
<jaxrs:server id="restServices" address="/payment">
<jaxrs:serviceBeans>
<ref bean="idealPaymentService" />
</jaxrs:serviceBeans>
</jaxrs:server>
<bean id="idealPaymentService" class="com.lycoseurope.cbp.ideal.restful.service.IdealPaymentService" />
...
After the deployment, the service works perfectly, but the request is not correctly validated. I sent a request with a missing confirmationURL, but I got no error message even though the confirmationURL has been specified as a mandatory XML element, which is not nullable.
On publishing a web service using JAX-WS, we could set the option "schema-validation-enabled" to true in the spring context to turn on the input validation. Is there a similar property in JAX-RS to enable input validation?
Thank you very much in advance.
Re: Input validation for RESTful Service
Posted by Sergey Beryozkin <se...@iona.com>.
Hi,
I did some initial work for the schema validation be supported by JAXB-based providers. It should be available in the coming 2.1.3
release. The good schema validation support can be quite involved - all the helper classes are available inside CXF so we'll get
there eventually with JAX-RS too.
So this is how you would be able to do it :
<jaxrs:server>
<!-- this is identical on how you can do it with jax-ws if no schemas are available from wsdl -->
<jaxrs:schemaLocations>
<jaxrs:schemaLocation>classpath:/foo.xsd</jaxrs:schemaLocation>
<jaxrs:schemaLocation>../foo2.xsd</jaxrs:schemaLocation>
</jaxrs:schemaLocations>
</jaxrs:server>
Any MessageBodyReader which has setSchemas() method will be provided with this info (List<String>).
Default JAXB provider does it. As such you can also configure the same at the provider level :
<bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
<property name="schemas">
<list>
<value>classpath:/foo.xsd</value>
</list>
</property>
</bean>
But configuring it at the jaxrs:server level can be handly if you say have XMLBeans validation as well (if such one exists :-))...
The reason setSchemas will be called on provider (as opposed to setSchemaLocations) is that JAXBElementProvider also supports
jaxb.schemaLocation property which is less shareable as schemas and it's to do with supporting xsi:schemaLocation on the XML
instances...So we have setSchemaLocation on the JAXBElementProvider alongside with setSchemas which is to do with the validation...
I haven't checked if imports can be done properly.
Perhaps
<jaxrs:server>
<!-- this is identical on how you can do it with jax-ws if no schemas are available from wsdl -->
<jaxrs:schemaLocations>
<jaxrs:schemaLocation>../foo.xsd</jaxrs:schemaLocation>
<jaxrs:schemaLocation>../importedByfoo.xsd</jaxrs:schemaLocation>
</jaxrs:schemaLocations>
</jaxrs:server>
will do it...
Cheers, Sergey
> Hi all,
>
> I develop a RESTful Web Service following the tutorial on CXF Website (http://cwiki.apache.org/CXF20DOC/jax-rs-jsr-311.html).
>
> To marshall/unmarshall the request and response, I use JAXB.
>
> The request is defined as follows:
> @XmlRootElement(name="orderRequest")
> @XmlAccessorType(XmlAccessType.FIELD)
> public class OrderRequest {
> private AuthorizationRequest authorizationRequest;
> @XmlElement(required=true, nillable=false)
> private URI confirmationURL;
> private PurchaseRequest purchaseRequest;
> //getters and setters
> ...
> }
>
> The code for the RESTful Web Service is given below:
> @Path("/ideal/")
> public class IdealPaymentService {
> @POST
> @Path("/submitOrder/")
> public Response submitOrder(OrderRequest orderRequest) throws URISyntaxException {
> System.out.println("----invoking submitOrder" + orderRequest.toString());
> return Response.ok("http://www.google.com").build();
> }
> }
>
> The service is published by JAXRSServerFactoryBean in the Spring context:
> ...
> <!-- Initialize JAXRSServer -->
> <jaxrs:server id="restServices" address="/payment">
> <jaxrs:serviceBeans>
> <ref bean="idealPaymentService" />
> </jaxrs:serviceBeans>
> </jaxrs:server>
>
> <bean id="idealPaymentService" class="com.lycoseurope.cbp.ideal.restful.service.IdealPaymentService" />
> ...
>
> After the deployment, the service works perfectly, but the request is not correctly validated. I sent a request with a missing
> confirmationURL, but I got no error message even though the confirmationURL has been specified as a mandatory XML element, which
> is not nullable.
>
> On publishing a web service using JAX-WS, we could set the option "schema-validation-enabled" to true in the spring context to
> turn on the input validation. Is there a similar property in JAX-RS to enable input validation?
>
> Thank you very much in advance.
>
>
>
>
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
Re: Input validation for RESTful Service
Posted by Sergey Beryozkin <se...@iona.com>.
Hi
It will be fixed shortly as part of enhancing the default JAXB-based message body providers (XML and JSON), such that additional
properties can be used during the JAXBContext creation.
In meantime there's always a workaround available : copy&paste the existing JAXBElement message body provider, add required bean
setters (liek setProperties() or setEnableValidation) and configure your custom provider as needed from Spring. In JAX-RS it's
tricky to enable such a property at a jaxrs:server element level as there could be a number of data bindings involved at the same
time (perhaps a bit hypothetic but still feasible), all of which have their own ways to enable the validation, so such a property
has to be set on a message body provider level...
Cheers, Sergey
> Hi all,
>
> I develop a RESTful Web Service following the tutorial on CXF Website (http://cwiki.apache.org/CXF20DOC/jax-rs-jsr-311.html).
>
> To marshall/unmarshall the request and response, I use JAXB.
>
> The request is defined as follows:
> @XmlRootElement(name="orderRequest")
> @XmlAccessorType(XmlAccessType.FIELD)
> public class OrderRequest {
> private AuthorizationRequest authorizationRequest;
> @XmlElement(required=true, nillable=false)
> private URI confirmationURL;
> private PurchaseRequest purchaseRequest;
> //getters and setters
> ...
> }
>
> The code for the RESTful Web Service is given below:
> @Path("/ideal/")
> public class IdealPaymentService {
> @POST
> @Path("/submitOrder/")
> public Response submitOrder(OrderRequest orderRequest) throws URISyntaxException {
> System.out.println("----invoking submitOrder" + orderRequest.toString());
> return Response.ok("http://www.google.com").build();
> }
> }
>
> The service is published by JAXRSServerFactoryBean in the Spring context:
> ...
> <!-- Initialize JAXRSServer -->
> <jaxrs:server id="restServices" address="/payment">
> <jaxrs:serviceBeans>
> <ref bean="idealPaymentService" />
> </jaxrs:serviceBeans>
> </jaxrs:server>
>
> <bean id="idealPaymentService" class="com.lycoseurope.cbp.ideal.restful.service.IdealPaymentService" />
> ...
>
> After the deployment, the service works perfectly, but the request is not correctly validated. I sent a request with a missing
> confirmationURL, but I got no error message even though the confirmationURL has been specified as a mandatory XML element, which
> is not nullable.
>
> On publishing a web service using JAX-WS, we could set the option "schema-validation-enabled" to true in the spring context to
> turn on the input validation. Is there a similar property in JAX-RS to enable input validation?
>
> Thank you very much in advance.
>
>
>
>
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
Re: Input validation for RESTful Service
Posted by Sergey Beryozkin <se...@progress.com>.
Hi
I might've replied to this message before - sorry for any duplication if it's the case
Please see http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/resources/jaxrs/WEB-INF/beans.xml
for an example of how one can configure both JAXB and JSON providers to do the input validation, in this case showing how one can
share the (in memory) schema resources, with multiple schemas involved. If you do JAXB or JSON only then there's no need to use
SchemaHandler bean and a schemas list can also be as a property
If you have one schema importing the other one then the xs:import statement should not have a schemaLocation attribute, only a
namespace attribute one (in case this schema is a classpath resource) :
http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/book.xsd
and then add it as part of the schema list as shown in the configuration sample
Cheers, Sergey
> Hi all,
>
> I develop a RESTful Web Service following the tutorial on CXF Website (http://cwiki.apache.org/CXF20DOC/jax-rs-jsr-311.html).
>
> To marshall/unmarshall the request and response, I use JAXB.
>
> The request is defined as follows:
> @XmlRootElement(name="orderRequest")
> @XmlAccessorType(XmlAccessType.FIELD)
> public class OrderRequest {
> private AuthorizationRequest authorizationRequest;
> @XmlElement(required=true, nillable=false)
> private URI confirmationURL;
> private PurchaseRequest purchaseRequest;
> //getters and setters
> ...
> }
>
> The code for the RESTful Web Service is given below:
> @Path("/ideal/")
> public class IdealPaymentService {
> @POST
> @Path("/submitOrder/")
> public Response submitOrder(OrderRequest orderRequest) throws URISyntaxException {
> System.out.println("----invoking submitOrder" + orderRequest.toString());
> return Response.ok("http://www.google.com").build();
> }
> }
>
> The service is published by JAXRSServerFactoryBean in the Spring context:
> ...
> <!-- Initialize JAXRSServer -->
> <jaxrs:server id="restServices" address="/payment">
> <jaxrs:serviceBeans>
> <ref bean="idealPaymentService" />
> </jaxrs:serviceBeans>
> </jaxrs:server>
>
> <bean id="idealPaymentService" class="com.lycoseurope.cbp.ideal.restful.service.IdealPaymentService" />
> ...
>
> After the deployment, the service works perfectly, but the request is not correctly validated. I sent a request with a missing
> confirmationURL, but I got no error message even though the confirmationURL has been specified as a mandatory XML element, which
> is not nullable.
>
> On publishing a web service using JAX-WS, we could set the option "schema-validation-enabled" to true in the spring context to
> turn on the input validation. Is there a similar property in JAX-RS to enable input validation?
>
> Thank you very much in advance.
>
>
>
>