Occasionally I write posts just to let me hold onto a thought process, more so than to help someone else find a solution. The below fits that profile – feel free to ignore, unless you’re really interested in poking around DropWizard.
Goal: wrap JSON responses with /* */. This is to support a hacky version of CSRF. Bleah.
Starting point: DropWizard 0.7.1, which used Jersey 1.18
Attempts:
- JacksonMessageBodyProvider: just couldn’t get it to hook in correctly
- Jersey ContainerResponseFilter: Hook in via DropWizard’s environment.jersey().getResourceConfig().getContainerResponseFilters().add( … do guice injection here ). No ready way to rewrite response. Can append headers. Could apparently adjust request information going in. But not JSON formatted result coming out
- Servlet Filter: can append /* foo */ (haven’t yet grabbed JSON), but that’s added to { "foo": "bar", "bar": "foo"}/* foo */, rather than wrapping. Did have to turn off gzip in DropWizard, else the stream was already closed. (Couldn’t figure out a way to inject my filter in ahead of the Gzip actions…) In this case, though, httpResponse.resetBuffer() doesn’t succeed, as the stream is already committed.
Final solution: use WriterInterceptor: https://jersey.java.net/documentation/latest/filters-and-interceptors.html#d0e9712 – but those exist in Jersey 2, which isn’t supported until DropWizard 0.8.0… Note: Jersey 2 changes its dependency injection approach to use HK2 instead of its previous own approach, which meant that my nifty wiring in of Spring security had to be redone / reworked.
Outcome: Whoever decided to protect from JSON execution through wrapping the JSON with comment blocks, you threw me a number of curve balls. But I did in fact prevail, and now have an interceptor which wraps my responses appropriately, _if_ there’s not a certain flag and the user making the request isn’t a privileged user. Ugh. All nicely unit-tested, using Mockito to let me cover the conditions for the request, etc. This is code I need to hang onto….
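A sketch of the kind of interceptor described above, written against the JAX-RS 2 `WriterInterceptor` interface. This is an added example, not the code from this post; the flag name `skipCommentWrap` and the role name `privileged` are hypothetical, since the post names neither.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import javax.ws.rs.ext.WriterInterceptor;
import javax.ws.rs.ext.WriterInterceptorContext;

@Provider
public class CommentWrappingInterceptor implements WriterInterceptor {
    // Hypothetical names: the post does not say what its flag or role are called.
    static final String SKIP_FLAG = "skipCommentWrap";
    static final String PRIVILEGED_ROLE = "privileged";

    @Context
    private SecurityContext securityContext; // per-request proxy injected by Jersey

    // Pure decision logic, kept separate so it can be unit-tested without a container.
    static boolean shouldWrap(MediaType type, Object skipFlag, boolean privileged) {
        boolean json = type != null
                && MediaType.APPLICATION_JSON_TYPE.isCompatible(type);
        return json && !Boolean.TRUE.equals(skipFlag) && !privileged;
    }

    @Override
    public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException {
        boolean privileged = securityContext != null
                && securityContext.isUserInRole(PRIVILEGED_ROLE);
        // The flag is read from the request property bag, e.g. set by a request filter.
        if (!shouldWrap(ctx.getMediaType(), ctx.getProperty(SKIP_FLAG), privileged)) {
            ctx.proceed();
            return;
        }
        // The body grows by four bytes, so any precomputed length is now wrong.
        ctx.getHeaders().remove(HttpHeaders.CONTENT_LENGTH);
        OutputStream out = ctx.getOutputStream();
        out.write("/*".getBytes(StandardCharsets.UTF_8));
        ctx.proceed(); // the JSON MessageBodyWriter serializes the entity here
        out.write("*/".getBytes(StandardCharsets.UTF_8));
        // Caveat: the comment ends at the first "*/", so a string value containing
        // that sequence closes the wrapper early unless the serializer escapes '/'.
    }
}
```

Unlike the servlet filter attempt, the prefix is written before the entity is serialized, so nothing has to be buffered or reset. In DropWizard 0.8 the class can be registered with `environment.jersey().register(CommentWrappingInterceptor.class)`.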