Reviewers: shindig.remailer,
Description:
Enable strict content type checks for REST and RPC endpoints and enable
it by default.
Allowed content types are:
JSON -> application/json, text/x-json, application/javascript,
application/x-javascript, text/javascript, text/ecmascript
XML -> application/xml, text/xml
Atom -> application/xml+atom
The default output content type for JSON is switched from
application/json to application/javascript to enable more convenient
browser tests as application/javascript doesn't automatically trigger a
download on many browsers.
application/x-www-form-urlencoded is now strictly forbidden and will
result in a BAD_REQUEST. This is necessary to avoid confusion
around OAuth body signing. Servlets will automatically decode the body
content into parameters if this content type is set and the body content
is not available for the API once this happens. If the body was a JSON
AppData update, for instance, it is lost. There is an incompatibility here
with Shindig PHP which allows the body through in this case and
includes it in the OAuth message verification where Java Shindig simply
cannot. A forthcoming patch will address the OAuth compatibility issue.
Containers can control whether they allow unknown content types to pass
through the check.
Please review this at http://codereview.appspot.com/28042
Affected files:
java/common/conf/shindig.properties
java/common/src/main/java/org/apache/shindig/protocol/ApiServlet.java
java/common/src/main/java/org/apache/shindig/protocol/DataServiceServlet.java
java/common/src/main/java/org/apache/shindig/protocol/JsonRpcServlet.java
java/common/src/main/java/org/apache/shindig/protocol/SystemHandler.java
java/common/src/test/java/org/apache/shindig/protocol/DataServiceServletTest.java
java/common/src/test/java/org/apache/shindig/protocol/JsonRpcServletTest.java
java/gadgets/src/main/java/org/apache/shindig/gadgets/http/DefaultInvalidationService.java
java/gadgets/src/main/java/org/apache/shindig/gadgets/http/DefaultRequestPipeline.java
java/gadgets/src/test/java/org/apache/shindig/gadgets/http/DefaultInvalidationServiceTest.java
java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/JPEGOptimizerTest.java
java/social-api/src/test/java/org/apache/shindig/social/dataservice/integration/AbstractLargeRestfulTests.java
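
The check described above, sketched as an added example (not code from this patch or from Shindig). The class, enum and method names are hypothetical, and it assumes "unknown" means any type outside the endpoint format's list and that the form-encoded rejection applies even when unknown types are allowed through.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration: class, enum and method names are hypothetical, not Shindig's.
public class ContentTypeCheck {
    enum Format { JSON, XML, ATOM }

    // Allowed request content types per format, as listed in the description.
    static final Map<Format, Set<String>> ALLOWED = Map.of(
        Format.JSON, Set.of("application/json", "text/x-json", "application/javascript",
            "application/x-javascript", "text/javascript", "text/ecmascript"),
        Format.XML, Set.of("application/xml", "text/xml"),
        Format.ATOM, Set.of("application/xml+atom"));

    static final String FORM = "application/x-www-form-urlencoded";

    // Drop parameters such as "; charset=UTF-8" and normalise case before comparing.
    static String mediaType(String header) {
        if (header == null) return "";
        int semi = header.indexOf(';');
        return (semi >= 0 ? header.substring(0, semi) : header).trim().toLowerCase(Locale.ROOT);
    }

    // Returns the status the check yields: 200 to continue, 400 for BAD_REQUEST.
    // Assumption: "unknown" means any type outside the endpoint format's list,
    // including a missing header.
    static int check(String header, Format format, boolean allowUnknown) {
        String type = mediaType(header);
        // Rejected before the pass-through setting is consulted: the servlet
        // container would decode the body into parameters, so the API (and
        // OAuth body signing) would never see the raw bytes.
        if (type.equals(FORM)) return 400;
        if (ALLOWED.get(format).contains(type)) return 200;
        return allowUnknown ? 200 : 400;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not taken from the patch's tests.
        System.out.println(check("application/json; charset=UTF-8", Format.JSON, false));
        System.out.println(check("Application/X-WWW-Form-Urlencoded", Format.JSON, true));
        System.out.println(check("text/plain", Format.JSON, false));
        System.out.println(check("text/plain", Format.JSON, true));
    }
}
```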