Doh! Thanks. Don't know how I didn't see getInputStream on HttpServletRequest.
On Wed, Apr 8, 2020 at 11:01 AM Joakim Erdfelt <[email protected]> wrote:

>> What's this "Payload" thing and how am I supposed to access it in Java? If I
>> call `request.getParts()` on the HttpServletRequest, I get:
>> javax.servlet.ServletException: Unsupported Content-Type
>> [application/csp-report], expected [multipart/form-data]
>> at org.eclipse.jetty.server.Request.getParts(Request.java:2309)
>
> The Servlet spec has the following behavior:
>
> - .getParts() - requires:
>   1. The content be sent as `Content-Type: multipart/form-data`
>   2. The request body content be encoded as multipart/form-data
>   3. Supports any HTTP Method (GET/POST/PUT/etc)
>   4. Destination Servlet must have declared MultipartConfigElement
>      (either as annotation or web descriptor element)
> - .getParameter() - requires:
>   1. Content-Type: application/x-www-form-urlencoded - with request
>      body encoded as such
>   2. Content-Type: multipart/form-data - with request body encoded as
>      such. (same rules as .getParts())
>   3. that the content be sent as HTTP method POST or PUT
>
>> I can access the "Payload" using Jetty's `baseRequest.getInputStream()`
>> and I guess I'm just wondering if that's the best/only way to do it. I'm
>> used to doing whatever I need in the `HttpServletRequest`, not
>> `org.eclipse.jetty.server.Request`.
>
> This is correct, as your request didn't satisfy the above requirements it
> can only be accessed via HttpServletRequest.getInputStream() or
> HttpServletRequest.getWriter()
>
>> Thanks for all your help in the past.
>
> Glad to help
>
> Joakim Erdfelt / [email protected]
>
> On Tue, Apr 7, 2020 at 3:41 PM Glen Peterson <[email protected]> wrote:
>
>> I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but
>> I'm having trouble accepting reports with a Java/Jetty server.
>>
>> The request I'm trying to process looks like this (in Chrome dev tools):
>>
>> *Request Headers:*
>> :authority: myServer
>> :method: POST
>> :path: /somePath
>> :scheme: https
>> accept: */*
>> accept-encoding: gzip, deflate, br
>> accept-language: en-US,en;q=0.9,es;q=0.8
>> cache-control: no-cache
>> content-length: 685
>> content-type: application/csp-report
>> cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689;
>> Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
>> origin: https://myServer
>> pragma: no-cache
>> referer: https://myServer/anotherPath
>> sec-fetch-dest: report
>> sec-fetch-mode: no-cors
>> sec-fetch-site: same-origin
>> user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
>> like Gecko) Chrome/80.0.3987.163 Safari/537.36
>>
>> *Request Payload:*
>> {"csp-report":{"document-uri":"https://myServer/anotherPath","referrer":"
>> https://myServer/yetAnotherPath","violated-directive":"style-src-attr","effective-directive":"style-src-attr","original-policy":"default-src
>> 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com
>> cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval'
>> 'unsafe-inline';report-uri
>> CspReport.act;","disposition":"report","blocked-uri":"inline","line-number":173,"source-file":"
>> https://myServer/anotherPath","status-code":0,"script-sample":""}}
>>
>> *Question:*
>> What's this "Payload" thing and how am I supposed to access it in Java? If
>> I call `request.getParts()` on the HttpServletRequest, I get:
>>
>> javax.servlet.ServletException: Unsupported Content-Type
>> [application/csp-report], expected [multipart/form-data]
>> at org.eclipse.jetty.server.Request.getParts(Request.java:2309)
>>
>> I can access the "Payload" using Jetty's `baseRequest.getInputStream()`
>> and I guess I'm just wondering if that's the best/only way to do it. I'm
>> used to doing whatever I need in the `HttpServletRequest`, not
>> `org.eclipse.jetty.server.Request`.
>>
>> Thanks for all your help in the past.
>>
>> Notes:
>> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Enabling_reporting
>> [2] https://owasp.org/www-community/attacks/Content_Security_Policy
>>
>> --
>> Glen K. Peterson
>> (828) 393-0081
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users

--
Glen K. Peterson
(828) 393-0081
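Added example, not part of the thread and not Jetty's own code: a servlet that reads the `application/csp-report` body through `HttpServletRequest.getInputStream()`, the approach the thread settles on. The class name `CspReportServlet`, the 16 KiB cap and the logging step are assumptions; because any client can POST to a report endpoint, the body is size-limited and has control characters replaced before it is logged.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; map it to the path named in the policy's report-uri.
public class CspReportServlet extends HttpServlet {
    // Assumed cap: the report shown in the thread is 685 bytes, so 16 KiB is generous.
    private static final int MAX_REPORT_BYTES = 16 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String type = req.getContentType();
        if (type == null || !type.toLowerCase(Locale.ROOT).startsWith("application/csp-report")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        if (req.getContentLengthLong() > MAX_REPORT_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // Content-Length can be absent (chunked) or wrong, so enforce the cap while reading too.
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        try (InputStream in = req.getInputStream()) {
            int n;
            while ((n = in.read(buf)) != -1) {
                if (body.size() + n > MAX_REPORT_BYTES) {
                    resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                    return;
                }
                body.write(buf, 0, n);
            }
        }
        String json = new String(body.toByteArray(), StandardCharsets.UTF_8);
        // Replace control characters (CR/LF included) so a report cannot forge extra log lines.
        log("csp-report: " + json.replaceAll("\\p{Cntrl}", " "));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The `json` string can be handed to whatever JSON parser the application already uses; its fields should be treated as untrusted input.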
