
I have a controller:

```java
@Controller
@RequestMapping("/player")
public class PlayerController extends AbstractController {

    @RequestMapping(value = "/doSomething", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
    @ResponseStatus(value = HttpStatus.OK)
    @ResponseBody
    public int doSomeThing(@RequestBody SomeDTO someDTO, HttpServletRequest request) throws IOException {
        this.playerService.doSomething(someDTO);
        return SERVER_OK;
    }

    // Tons of similar methods here
}
```

I would like to create a filter that will intercept all the calls to this controller and will have access to the @RequestBody Object object that each of these methods receives. I would like to manipulate this @RequestBody object.

Is that possible?

Kirby
Urbanleg
  • No, not with a filter. Also, why would you want to manipulate the arguments before they reach the controller? – M. Deinum May 28 '14 at 11:36
  • I would like to validate username \ password from the DTO. Is there a better way through Spring Security? – Urbanleg May 28 '14 at 11:37
  • And why should that be done in the filter and not in the controller? That belongs, imho, to the controller not a filter. – M. Deinum May 28 '14 at 11:40
  • I would like to prevent the scenario where a programmer forgets to add the authenticate line in the controller method, if the filter will do that, he cannot make this mistake. – Urbanleg May 28 '14 at 11:41
  • It is a create method, so I don't see why the username/password for the current user would be inside the `PlayerAccountDTO`? For some reason that sounds wrong and doesn't even belong there. – M. Deinum May 28 '14 at 11:43
  • This is a code example, it's not the real deal; the real code should be an API we are exposing for users with valid username\password. Please ignore the methods\dtos names. I edited my post – Urbanleg May 28 '14 at 11:44
  • And your idea is to include the username/password in each and every resource you expose, seems still scary to me? (Or your explanation is a bit off). If you use REST you can also use Basic or Digest authentication, both of which are perfectly supported by Spring Security. – M. Deinum May 28 '14 at 11:47
  • This API can be used by many customers, I would like to avoid opening a session for the users. It should be a stateless service – Urbanleg May 28 '14 at 11:49
  • Check the bean validation integration. @Valid on the parameter. – Martin Frey May 28 '14 at 11:57
  • You could create a custom message converter. See for example http://stackoverflow.com/questions/5019162/custom-httpmessageconverter-with-responsebody-to-do-json-things – Mike Argyriou May 28 '14 at 12:08
  • Why would you need a session? Spring Security can work perfectly without a session. – M. Deinum May 28 '14 at 12:27
  • Deinum, where exactly does Spring Security authentication without a session take the credentials from? The DTO? It is a service for other applications, not browsers, so typing username\password in the standard HTTP authentication way is not an option. – Urbanleg May 28 '14 at 13:06
  • Urbanleg, stateless service means that your client has to provide credentials on every api call and your backend has to validate these credentials on every api call. [HTTP Basic authentication](http://tools.ietf.org/html/rfc2617#page-5) is just a normal HTTP header – ksokol May 28 '14 at 19:55
  • Take a look at Dave Syer's answer to "How to add a filter class in Spring Boot?" at http://stackoverflow.com/a/19830906/266531 – Kirby Jul 23 '15 at 22:57
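
The central, stateless authentication the comments point to (Spring Security with HTTP Basic and no session), as an added example that is not part of the original thread. It assumes Spring Security 6 with the lambda DSL; the class name `ApiSecurityConfig`, the user `api-client` and its placeholder password are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Every request is authenticated in the filter chain, before any
            // controller method runs, so a handler cannot "forget" the check.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Credentials arrive in the Authorization header on each call,
            // not in the JSON body. Serve this over TLS only.
            .httpBasic(Customizer.withDefaults())
            // No HttpSession is created or consulted: each call stands alone.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No session cookie exists for a browser to replay, so CSRF
            // tokens are switched off for this header-authenticated API.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        // Constructed sample account; a real service would load client
        // credentials from its own store instead of defining them in code.
        return new InMemoryUserDetailsManager(
            User.withUsername("api-client")
                .password(encoder.encode("placeholder-change-me"))
                .roles("API")
                .build());
    }
}
```

With this in place the DTOs no longer need username or password fields; a controller method that needs the caller's identity can declare a `java.security.Principal` parameter.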

0 Answers