
How to Intercept parameters sent as JSON data in HTTPRequest to Controller?


We are in the process of building a custom-built JEE security layer which is going to ensure that all possible OWASP concerns are addressed. This security layer is built as Filters that need to run before the Controllers (Spring in our case), so that they can execute before the request actually reaches the Controller. These security filters look at the user input and perform various sanitization. One such sanitization is JSON sanitization, where the JSON data from the client is inspected for any malicious content.

Currently, the Spring Controllers use the @RequestBody annotation to populate the incoming JSON data into POJO classes.

I have exactly the same question, but is there a generic way to retrieve the parameters (sent as JSON data) from the request?

My objective is to have JSON sanitizer code in a Filter, so that it intercepts and parses all JSON data that comes to the controller.


Solution

  • I was able to read & retrieve the JSON data using the following technique. The StringBuffer jb finally has the entire JSON data.

    // Inside Filter.doFilter(); needs java.io.BufferedReader, and readLine() can throw IOException.
    StringBuffer jb = new StringBuffer();
    String line = null;
    BufferedReader reader = request.getReader();
    // readLine() drops the line terminators; harmless for JSON, where they are only inter-token whitespace.
    while ((line = reader.readLine()) != null) {
        jb.append(line);
    }
    

    Ref: HttpServletRequest get JSON POST data
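One caveat a practitioner hits immediately with the technique above: the servlet request body can be read only once. After a filter drains request.getReader(), the controller's @RequestBody deserializer finds an empty stream and the request fails. The filter therefore has to buffer the bytes it read and hand Spring an HttpServletRequestWrapper that replays them from getInputStream() and getReader(). The following is an added example that is not code from the question or the answer; it assumes javax.servlet-api 4.0+ (for the default Filter.init/destroy), Java 11+ (for InputStream.readNBytes) and Jackson on the classpath. The size, depth and string-length limits and the DENY pattern are illustrative policy, not anything the original post specifies; a deny pattern in a filter is a coarse pre-check and does not replace output encoding and parameterized queries at the sink.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not code from the question or answer. Assumes javax.servlet-api 4.0+, Java 11+ and Jackson.
public class JsonBodyFilter implements Filter {
    private static final int MAX_BODY_BYTES = 1 << 20;   // illustrative limits, tune per application
    private static final int MAX_DEPTH = 32;
    private static final int MAX_STRING_LEN = 4096;
    // Illustrative deny pattern for the "malicious content" the question wants to catch.
    private static final Pattern DENY = Pattern.compile("(?i)<\\s*script|javascript:");
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ct = request.getContentType();
        if (ct == null || !ct.toLowerCase().startsWith("application/json")) {
            chain.doFilter(req, res);   // not JSON: nothing for this filter to inspect
            return;
        }
        // Read the body exactly once, capped so an oversized payload cannot exhaust memory.
        byte[] body = request.getInputStream().readNBytes(MAX_BODY_BYTES + 1);
        if (body.length > MAX_BODY_BYTES) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        JsonNode root;
        try {
            root = mapper.readTree(body);   // malformed JSON is rejected here, before Spring sees it
        } catch (IOException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed JSON");
            return;
        }
        if (!isAcceptable(root, 0)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "rejected by JSON policy");
            return;
        }
        // The servlet stream is now drained. Hand Spring a wrapper that replays the buffered
        // bytes; without it @RequestBody fails with an empty body.
        chain.doFilter(new CachedBodyRequest(request, body), res);
    }

    /** Walks every key and value, enforcing depth, string length and the deny pattern. */
    static boolean isAcceptable(JsonNode node, int depth) {
        if (depth > MAX_DEPTH) return false;
        if (node.isTextual()) {
            String s = node.asText();
            return s.length() <= MAX_STRING_LEN && !DENY.matcher(s).find();
        }
        if (node.isObject()) {
            for (var it = node.fields(); it.hasNext(); ) {
                Map.Entry<String, JsonNode> e = it.next();
                if (DENY.matcher(e.getKey()).find()) return false;   // keys are attacker input too
                if (!isAcceptable(e.getValue(), depth + 1)) return false;
            }
        } else if (node.isArray()) {
            for (JsonNode child : node) if (!isAcceptable(child, depth + 1)) return false;
        }
        return true;   // numbers, booleans and null carry no text to check
    }

    /** Request wrapper that serves the buffered body to getInputStream() and getReader(). */
    static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;

        CachedBodyRequest(HttpServletRequest request, byte[] body) {
            super(request);
            this.body = body;
        }

        @Override
        public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener l) { /* blocking reads only */ }
            };
        }

        @Override
        public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

Register the filter ahead of Spring's DispatcherServlet (for example with a FilterRegistrationBean at a low order, or in web.xml), so it runs before any controller. Each call to getInputStream() on the wrapper returns a fresh stream over the same buffer, so both the filter chain and Spring's message converter can read the body independently. Spring also ships org.springframework.web.util.ContentCachingRequestWrapper, but it only caches what has already been read downstream, so it does not on its own let a filter inspect the body before the controller.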