Support stricter encoding of URI variables in UriComponents [SPR-17039] #21577
Comments
|
Rossen Stoyanchev commented This is now ready, see the updated "URI Encoding" in the docs. The short version is, use the new Please give this a try with 5.0.8 or 5.1 snapshots to confirm how it works in your application. |
|
Christophe Levesque commented Thanks Rossen Stoyanchev! The only downside is that it requires that extra UriComponentBuilder.fromHttpUrl(url).queryParam("foo", foo).toUriString(); // <= this would still not work, needs to add new encode() after toUriStringIs there a way to change the PS: Also, unrelated request: can there be a |
|
Rossen Stoyanchev commented The key to understand this, is that different degrees of encoding are applied to the URI template vs URI variables. In other words given: The URI template is everything except for the URI variable placeholders. However the code snippet you showed only builds a URI literal without any variables, so the level encoding is the same, only illegal characters, no matter which method is used. So it would also have to be something like: .queryParam("foo", "{foo}").buildAndExpand(foo)By the time That said URI uri = UriComponentBuilder.fromHttpUrl(url).queryParam("foo", "{foo}").encode().buildAndExpand("a+b"); |
|
Rossen Stoyanchev commented Come to think of it, this works and it's almost identical length as what you had: URI uri = UriComponentsBuilder
.fromHttpUrl(url).queryParam("foo", "{foo}").build(foo);Or include it in the URI template: URI uri = UriComponentsBuilder
.fromHttpUrl(url + "?foo={foo}").build(foo);Explanation: the For |
|
Rossen Stoyanchev commented Resolving but now is a good time to try this. |
|
Michal Domagala commented I use autoconfigured Could you point me how to elegant undo #21577 for autoconfigured |
|
Rossen Stoyanchev commented Michal Domagala, I've create a ticket in Boot. I've also included at least one example there of how it can be done. There may be better ways though so watch for updates on the ticket. |
|
Leonard Brünings commented Rossen Stoyanchev please advice on how to solve it with generic // templates are populated via Spring Boot Configuration Properties
private Map<String, UriTemplate> templates = new HashMap<>();
public URI getLink(String linkType, Map<String, String> templateParams) {
return templates.get(linkType).expand(templateParams);
}At this point we don't know what variable we have, and if they are query or path variables. URI redirectUri = getLink("configSite", Collections.singletonMap("email", "[email protected]"));
// render https://example.com/[email protected]
// instead of https://example.com/config?email=service%2Bbar%40gmail.comThis will provide a valid URI, however it won't encode the |
|
Leonard Brünings commented I managed to get the desired result with: public URI getLink(String linkType, Map<String, String> templateParams) {
return UriComponentsBuilder.fromUriString(templates.get(linkType).toString())
.encode()
.buildAndExpand(templateParams).toUri();
}However, I must say this is quite ugly. Is there any way we could get |
|
Rossen Stoyanchev commented Not really, UriTemplate uses UriComponentsBuilder internally, and provides just one way of doing it. You could shorten your example to: public URI getLink(String linkType, Map<String, String> templateParams) {
return UriComponentsBuilder.fromUriString(templates.get(linkType).toString())
.build(templateParams);
} |
spring-projects-issues
added
type: enhancement
|
I ended up here after doing quite a bit of searching when investigating a bug that only appeared when users had entered a string with a I believe that a lot of the confusion around this issue is related to the "String obsession" anti-pattern. If we have separate types for URI components with different levels of encoding applied, that might help to make conversion from one form to another more explicit. |
|
UriComponentsBuilder does have different URI components. The issue here is that there are legitimate reasons to want to encode We did revamp the section on URI encoding but adding something specifically about the treatment of |
|
|
Thanks for the docs update.
I wonder if there is actually a use case for the behavior of queryParam()
where the value is assumed to be a String that may be a combination of
illegal characters, which must be encoded, and + characters with special
meaning that must be preserved.
Maybe IDEs will be able to issue a warning when not using template
variables with queryParam(), because it leads to bugs that only occur with
values that happen to contain a +, which may not be the case during testing.
Op vr 20 dec. 2019 12:05 schreef Rossen Stoyanchev <[email protected]
…:
adding something specifically about the treatment of + in the Javadoc of
UriComponentsBuilder is a good idea. I will do so
261956f
<261956f>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#21577?email_source=notifications&email_token=AAOVHA444POWXLDEZQZEJ3TQZSRF7A5CNFSM4J4MJQ5KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHMUMRY#issuecomment-567887431>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAOVHAYS7E7TEIIUNCXNT3DQZSRF7ANCNFSM4J4MJQ5A>
.
|
The + character is not correcly encoded by Cas when using delegated authenication. This leads to the following error when CAS redirects to a delegated authentication server: ``` ERROR [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Illegal character in query at index xxx: https://casserver.fr:443/cas/oauth2.0/callbackAuthorize?client_id=myapp&redirect_uri=http%3A%2F%2Fmyapp.fr%3A4200%2Fauth%2Fauth-callback&response_type=id_token token&client_name=CasOAuthClient> ``` This error originates from UriComponentsBuilder usage. See spring-projects/spring-framework#21577 and https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#web-uri-encoding
|
Did I understand this properly? Is the simplest way to encode "=" in query params something like this: |
|
No, this works too: |
|
What if you need to add a parameter that can have multiple values, for example using a If not then what is the suggested way to get this functionality? |
|
It seems the above does not fully encode, it's the same as using I continue to find bugs as a result of the current API, and expect to be doing so for a long time. In Section 2.2 "Reserved Characters": --> I think the parameters after the first one in the --> So yes characters like '+' should be preserved when used as a delimiter, not otherwise. Section 2.4 "When to Encode or Decode": --> This decision is important, and always treating reserved characters in query parameter data as delimiters (except when used with template variables) does not seem right, especially when there is no other option than to use template variables. --> This is the reverse process and warns again about the possibility to mix up data and delimiters. So, it's all about API design, the spec doesn't say As I see it, there are only 2 kind of Strings that could be supplied as values for the
A query parameter string that would consist of plain strings (non-encoded user input) which are joined with '+' characters to be transmitted as delimiters, should not exist. It could result in a String that contains some '+' characters that need to be percent-encoded and others that do not. However, it is precisely this kind of String that is assumed to be passed into Since parameters values to |
@rstoyanchev this works for '=' but not for '/' or '+'. so is the following the simplest way to encode '/', '+' and similar characters? |
|
@ravenblackdusk It seems so. Maybe the simplest solution would be to add a |
Uh oh!
There was an error while loading. Please reload this page.
Rossen Stoyanchev opened SPR-17039 and commented
Historically
UriComponentshas always encoded only characters that are illegal in a given part of the URI (e.g. "/" is illegal in a path segment), and that does not include characters that are legal but have some other reserved meaning (e.g. ";" in a path segment, or also "+" in a query param).UriComponentshas also always relied on expanding URI variables first, and then encoding the expanded String, which makes it impossible to apply stricter encoding to URI variable values which is usually what's expected intuitively, because once expanded it's impossible to tell the values apart from the rest of the template. Typically the expectation is that expanded values will have by fully encoded.While the RestTemplate and WebClient can be configured with a
UriBuilderFactorythat supports different encoding mode strategy, currently there is really no answer when usingUriComponentsdirectly.Affects: 5.0.7
Issue Links:
1 votes, 9 watchers
The text was updated successfully, but these errors were encountered: