I have the below in my Dropwizard conf file as a generic size limitation on all incoming API calls. I have a callee that is going through a proxy and the proxy strips the content-length header from the call. For now the proxy cannot be fixed so I need a work around. The Dropwizard validator rejects incoming calls without a content-length header even if the actual content is non-null. For one and only one particular API I'd like to make an exception and allow an incoming API call without a content-length header. If I comment out the limits below in the conf file then any incoming API call without a content-length header works but that solution opens a security hole.
Is a custom validator my best option? Are there other options? Will the custom validator override the generic validation or will the generic validation still reject the API call without a content-length header (i.e. is validation an AND or an OR operation with generic and custom validators in place)?
contentLengthLimit {
maxContentLength: 8388608
maxContentLengthToRead: 52428800
}
# Sets the limit for request content length after decompression for gzip request, to
prevent zip bomb.
# https://en.wikipedia.org/wiki/Zip_bomb
# Add a value larger than your expected uncompressed object sizes for your API to your Application's config
# If the limit is null, the ZipBombPreventingFilter filter will not be registered.
contentLengthLimitAfterDecompression: 8388608 #8MB
Related
We are trying to write a iRule for the BIG-IP universal persistence module.
Our mission is to extract and persist from a HTTP response payload/body an application unique identifier (something like a seesionid for us).
Then use it in a consecutive HTTP requests.
Note, this unique identifier return in text/xml/soap-xml response formats and there is no cookie involve here.
We're having problem to write the TCL code for the extraction of our custom unique identifier from the HTTP response payload/body.
We have checked these manuals and did not find example for this kind of functionality:
https://devcentral.f5.com/wiki/iRules.HTTP_RESPONSE.ashx
https://devcentral.f5.com/wiki/iRules.HTTP__payload.ashx
Thanks.
Here's an example with jsession IDs that should get you started with basic persistence flow, and this example gives you an idea on how to work with payload data.
What error format must be used by RESTful API when content negotiation fails (ActionController::UnknownFormat is raised):
when a controller responds to the only one format (e. g. JSON) and the user has requested another one (e. g. XML), should the error be generated as JSON object or XML one?
when a controller responds to several formats and the user has requested neither of them, which one should be used during error generation: one of the 'known' by the controller or the one, having been requested by the user?
I think you are under no obligation to respond to any invalid request with the same format as the request was made. Imagine getting a request with payload in unknown binary format - what are you supposed to do in such a case.
ActionController::UnknownFormat should trigger a 406 Not Acceptable response, probably will in Rails 5.
You should rescue the ActionController::UnknownFormat and respond with proper HTTP code as well as set an Accept header listing all formats that your API supports (if Rails doesn't do it by default, I'm not sure)
What's the difference between reload and reloadFromOrigin in WKWebView? Apple's documentation says that reloadFromOrigin:
Reloads the current page, performing end-to-end revalidation using
cache-validating conditionals if possible.
But I am not sure what that really means.
I was interested in this too. Looking at WebKit's source (Source/WebCore/loader/FrameLoader.cpp, FrameLoader::addExtraFieldsToRequest(...) around the if (loadType == FrameLoadType::Reload) conditional) it looks like the key difference is in what extra HTTP header request fields are specified.
reloadFromOrigin() sets the Cache-Control and Pragma fields to no-cache, while a simple reload() only results in in the Cache-Control header field having max-age=0 set.
To work out what this means I looked at the Header Field Definitions section of the HTTP 1.1 spec. Section 14.9.4 'Cache Revalidation and Reload Controls' states:
The client can specify these three kinds of action using Cache- Control request directives:
End-to-end reload
The request includes a "no-cache" cache-control directive or, for compatibility with HTTP/1.0 clients, "Pragma: no-cache". Field names MUST NOT be included with the no-cache directive in a request. The server MUST NOT use a cached copy when responding to such a request.
Specific end-to-end revalidation
The request includes a "max-age=0" cache-control directive, which forces each cache along the path to the origin server to revalidate its own entry, if any, with the next cache or server. The initial request includes a cache-validating conditional with the client's current validator.
Unspecified end-to-end revalidation
The request includes "max-age=0" cache-control directive, which forces each cache along the path to the origin server to revalidate its own entry, if any, with the next cache or server. The initial request does not include a cache-validating
conditional; the first cache along the path (if any) that holds a cache entry for this resource includes a cache-validating conditional with its current validator.
From my reading of the spec, it looks like reload() uses only max-age=0 so may result in you getting a cached, but validated, copy of the requested data, whereas reloadFromOrigin() will force a fresh copy to be obtained from the origin server.
(This seems to contradict Apple's header/Class Reference documentation for the two functions in WKWebView. I think the descriptions for the two should be swapped over - I have lodged Bug Report/Radar 27020398 with Apple and will update this answer either way if I hear back from them...)
I have customized Apache Wink to use an XML provider, basically overriden the standard JacksonJsonProvider.
See http://jackson-users.ning.com/forum/topics/jackson-xml-provider for details
The provider seems to work and the resource gets correctly recognized, but the resource method does not get executed.
Do I need to set something on the client ? Apache Wink returns HTTP 204 (No content).
The problem turned out to be the resource signature mismatch. By default, the rest client which I was using used an "accept" text/plain by default whereas the resource was returning "application/xml"
I'm using BITS to make requests to a ASP.NET MVC controller method named Source that returns a FileResult. I know the type FilePathResult uses HttpResponse.TransmitFile, but I don't know if HttpResponse.TransmitFile actually writes the file to the response stream regardless of the request type.
My question is, does FileResult only include the header information on HEAD requests, or does it transmit the file regardless of the request type? Or, do I have to account for HEAD requests myself?
The result is forced to react on a request by YOUR ACTION CODE. If you do not do anything special on different request types (e.g. [HttpGet]-Attribute, HttpMethodConstraints in the Route, etc...) The file is just written to the response stream.