>
> What's this "Payload" thing and how am I supposed to access it in Java? If I
> call `request.getParts()` on the HttpServletRequest, I get:
> javax.servlet.ServletException: Unsupported Content-Type
> [application/csp-report], expected [multipart/form-data]
> at org.eclipse.jetty.server.Request.getParts(Request.java:2309)
The Servlet spec has the following behavior:
- .getParts() - requires:
1. The content be sent as `Content-Type: multipart/form-data`
2. The request body content be encoded as multipart/form-data
3. Supports any HTTP Method (GET/POST/PUT/etc)
4. Destination Servlet must have declared MultipartConfigElement
(either as annotation or web descriptor element)
- .getParameter() - requires:
1. Content-Type: application/x-www-form-urlencoded - with request
body encoded as such
2. Content-Type: multipart/form-data - with request body encoded as
such. (same rules as .getParts())
3. that the content be sent as HTTP method POST or PUT
> I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and
> I guess I'm just wondering if that's the best/only way to do it. I'm used
> to doing whatever I need in the `HttpServletRequest`, not
> `org.eclipse.jetty.server.Request`.
>
This is correct; as your request didn't satisfy the above requirements, it
can only be accessed via HttpServletRequest.getInputStream() or
HttpServletRequest.getWriter().
> Thanks for all your help in the past.
Glad to help
Joakim Erdfelt / [email protected]
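Putting the answer above into a servlet, as an added example that is not code from this thread, from Jetty or from the servlet spec: the endpoint refuses anything that is not application/csp-report, caps the body size, reads the body with HttpServletRequest.getReader() (HttpServletRequest.getInputStream() would work the same way, and neither needs org.eclipse.jetty.server.Request), parses the JSON, and logs a few fields after stripping control characters, because anyone on the internet can POST a "report" to this URL. The @WebServlet path (taken from the "report-uri CspReport.act" in the quoted policy), the Jackson Databind dependency and the choice of logged fields are assumptions.

```java
import java.io.IOException;
import java.io.Reader;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not from the mailing-list thread. Assumes the javax.servlet
// API and Jackson Databind on the classpath; the path is assumed to match the
// "report-uri CspReport.act" directive seen in the quoted policy.
@WebServlet("/CspReport.act")
public class CspReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(CspReportServlet.class.getName());

    // Real browser reports are under a kilobyte; refuse anything larger so a
    // hostile client cannot make this unauthenticated endpoint buffer megabytes.
    private static final int MAX_REPORT_BYTES = 16 * 1024;

    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The body is JSON with Content-Type application/csp-report, not a form,
        // so getParts()/getParameter() do not apply; read the raw body instead.
        String contentType = req.getContentType();
        if (contentType == null || !contentType.startsWith("application/csp-report")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        if (req.getContentLengthLong() > MAX_REPORT_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        // getReader() applies the request charset; getInputStream() gives raw bytes.
        String body = readBounded(req.getReader(), MAX_REPORT_BYTES);
        if (body == null) { // chunked body exceeded the cap despite no Content-Length
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        JsonNode report;
        try {
            report = MAPPER.readTree(body).path("csp-report");
        } catch (IOException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (report.isMissingNode()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Every field is attacker-controlled: strip control characters so a
        // crafted report cannot inject fake lines into the log.
        LOG.info(String.format("csp-violation directive=%s blocked=%s document=%s",
                clean(report.path("effective-directive").asText("")),
                clean(report.path("blocked-uri").asText("")),
                clean(report.path("document-uri").asText(""))));

        // Reports are fire-and-forget; the browser ignores the response body.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Reads at most {@code max} chars from the reader; returns null if the body is longer. */
    static String readBounded(Reader reader, int max) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[1024];
        int n;
        while ((n = reader.read(buf)) != -1) {
            if (sb.length() + n > max) {
                return null;
            }
            sb.append(buf, 0, n);
        }
        return sb.toString();
    }

    /** Replaces control characters (including CR/LF) and truncates a value for logging. */
    static String clean(String s) {
        String out = s.replaceAll("\\p{Cntrl}", "?");
        return out.length() > 200 ? out.substring(0, 200) + "..." : out;
    }
}
```

The same pattern applies unchanged to the Reporting API's application/reports+json bodies that newer browsers send for report-to: it is still a JSON body that only getReader()/getInputStream() can reach, and the content-type check is the only line that would change.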
On Tue, Apr 7, 2020 at 3:41 PM Glen Peterson <[email protected]>
wrote:
> I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but I'm
> having trouble accepting reports with a Java/Jetty server.
>
> The request I'm trying to process looks like this (in Chrome dev tools):
>
> *Request Headers:*
> :authority: myServer
> :method: POST
> :path: /somePath
> :scheme: https
> accept: */*
> accept-encoding: gzip, deflate, br
> accept-language: en-US,en;q=0.9,es;q=0.8
> cache-control: no-cache
> content-length: 685
> content-type: application/csp-report
> cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689;
> Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
> origin: https://myServer
> pragma: no-cache
> referer: https://myServer/anotherPath
> sec-fetch-dest: report
> sec-fetch-mode: no-cors
> sec-fetch-site: same-origin
> user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/80.0.3987.163 Safari/537.36
>
> *Request Payload:*
> {"csp-report":{"document-uri":"https://myServer/anotherPath","referrer":"
> https://myServer/yetAnotherPath","violated-directive":"style-src-attr","effective-directive":"style-src-attr","original-policy":"default-src
> 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com
> cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval'
> 'unsafe-inline';report-uri
> CspReport.act;","disposition":"report","blocked-uri":"inline","line-number":173,"source-file":"
> https://myServer/anotherPath","status-code":0,"script-sample":""}}
>
> *Question:*
> What's this "Payload" thing and how am I supposed to access it in Java? If I
> call `request.getParts()` on the HttpServletRequest, I get:
>
> javax.servlet.ServletException: Unsupported Content-Type
> [application/csp-report], expected [multipart/form-data]
> at org.eclipse.jetty.server.Request.getParts(Request.java:2309)
>
> I can access the "Payload" using Jetty's `baseRequest.getInputStream()`
> and I guess I'm just wondering if that's the best/only way to do it. I'm
> used to doing whatever I need in the `HttpServletRequest`, not
> `org.eclipse.jetty.server.Request`.
>
> Thanks for all your help in the past.
>
> Notes:
> [1]
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Enabling_reporting
> [2] https://owasp.org/www-community/attacks/Content_Security_Policy
>
> --
> Glen K. Peterson
> (828) 393-0081
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>