How to perform input validation with javax.ws.rs?

I am implementing a REST API using javax.ws.rs. An implementation goal is to be as secure as possible, so every input should be validated.

For input validation, I am implementing a public class ValidatingHttpRequest that implements HttpServletRequest.

I could identify 11 methods which are even called, all the others now throw UnsupportedOperationException. However some of those methods handle things apparently used by the REST framework. For example my code does not care about headers, but getHeaders gets called. With a lot of reverse engineering I would be able to figure out what headers are used and should be validated, and of course I could do the validation. Possibly with introducing nonoptimal behaviours and maybe some bugs. And there are some similar aspects of the HTTP request.

But no one did this before, possibly someone who actually knows how the REST framework works? Or is it unnecessary, as the framework itself cannot be fooled?

So I am looking for a fully validating HttpServletRequest implementation, or a reasoning why it is unnecessary in this case. Of course I will validate the request body and parameters using the implementation.

Upvotes: 7

Views: 13416

Answers (1)

cassiomolin

Reputation: 130927

I am implementing a REST API using javax.ws.rs. [...] For input validation, I am implementing a public class ValidatingHttpRequest that implements HttpServletRequest.

You are missing the whole point of JAX-RS. In JAX-RS, you deal with annotated resource classes and methods, so you don't need to write "low level" Servlets.

I am looking for a fully validating HttpServletRequest implementation, or a reasoning why it is unnecessary in this case.

You definitely don't want (and don't need) to write a Servlet for validation purposes.

JAX-RS implementations such as Jersey, RESTEasy and Apache CXF support Bean Validation, an annotation-based API to validate Java Beans. You can validate pretty much everything you need, including request headers, parameters and entities.

Check chapter 7 of the JAX-RS specification, it describes how validation works. However, to integrate Bean Validation with JAX-RS implementations, you want to see the vendor-specific documentation:

Upvotes: 13
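As an added illustration (not code from the answer or from any JAX-RS vendor), this is what the annotation-based approach looks like: a resource class where a header, a path parameter, a query parameter and a JSON entity are all constrained with Bean Validation, so no hand-written HttpServletRequest wrapper is involved. The class names, field names and constraint values are assumptions chosen for the example; a Bean Validation provider such as Hibernate Validator must be on the classpath.

```java
import javax.validation.Valid;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Request entity (hypothetical): the constraints live on the bean, not in a Servlet.
class User {
    @NotNull @Size(min = 1, max = 32)
    @Pattern(regexp = "^[A-Za-z0-9_]+$")            // allow-list of characters, not a deny-list
    public String username;

    @NotNull @Size(max = 254)
    @Pattern(regexp = "^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$")
    public String email;
}

@Path("/users")
public class UserResource {

    // Header, path and query parameters are checked before the method body runs;
    // a violation is reported to the client as 400 Bad Request by the JAX-RS runtime.
    @GET
    @Path("/{id}")
    public Response get(
            @PathParam("id") @Min(1) long id,
            @HeaderParam("X-Request-Id") @NotNull
                @Pattern(regexp = "^[A-Za-z0-9-]{1,64}$") String requestId,
            @QueryParam("fields") @Size(max = 64) String fields) {
        return Response.ok().build();
    }

    // @Valid cascades into the entity, so User's field constraints are applied
    // to the deserialized JSON body before create() is entered.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    public Response create(@Valid @NotNull User user) {
        return Response.status(Response.Status.CREATED).build();
    }
}
```

Anything the framework itself consumes (the headers the question worries about) is parsed by the JAX-RS runtime; only the values your resource methods actually bind need constraints, and those are declared next to the parameter that uses them.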
