Avoid file extension detection in Spring MVC request mapping with floating point number in URI

Problem description

I used Spring Boot to implement a REST application. I have one resource that is mapped like this

@RequestMapping(value = "/{fromLat}/{fromLon}/{toLat}/{toLon:.+}", method = {RequestMethod.GET},
        produces = {"application/json"})

Thus the path contains coordinates and a request looks like this

$ curl -I -X GET http://localhost:8085/foobar/53.481297/9.900539/53.491691/9.946046

Unfortunately, the last end is interpreted as a file extension, which leads to a response header that offers a file download instead of just the plain data.

Content-Disposition: attachment;filename=f.txt

I thought I could handle the situation with a custom WebMvcConfigurerAdapter Bean (and without the @EnableWebMvc annotation), as explained here.

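import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

public class CustomWebMvcConfigurerAdapter extends WebMvcConfigurerAdapter {
    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        // Do not use the path extension to choose the response media type.
        configurer.favorPathExtension(false);
    }
}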

But that does not do the trick. Unfortunately, the detected file extension is not fixed - thus I cannot use a rule for a fixed extension.

How can I configure the system to just respond with the content and without the Content-Disposition header (which leads to an f.txt download)? I would not like to use a slash ("/") at the end.

I have already looked at the following resources

  • Spring MVC controller browser downloads "f.txt"
  • Add property support for configureContentNegotiation

Recommended answer

In Spring Framework 4.1.9 and 4.2.3 the Content-Disposition header was fixed to use the "inline" type which only suggests a file download name, should the content end up being downloaded. It won't force a Save As dialog any more.

Note also that the reason for the Content-Disposition header in the first place is to protect applications against RFD attacks. This is a very complex issue but you can see a summary in the CVE-2015-5211 report.
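
The behaviour discussed in this question and answer, as a simplified model added here for illustration; it is not Spring's own code and not code from the original posts. The class and method names are hypothetical, and the contents of the safe-extension list are an assumption (the real list is internal to Spring MVC).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class RfdHeaderModel {

    // Assumed allow-list for illustration; the real list is internal to Spring MVC.
    static final Set<String> SAFE_EXTENSIONS = new HashSet<>(Arrays.asList(
            "txt", "text", "json", "xml", "csv", "png", "jpg", "jpeg", "gif"));

    /** Extension of the last path segment, ignoring ";" path parameters; null if none. */
    static String lastSegmentExtension(String requestUri) {
        String segment = requestUri.substring(requestUri.lastIndexOf('/') + 1);
        int semicolon = segment.indexOf(';');
        if (semicolon != -1) {
            segment = segment.substring(0, semicolon);
        }
        int dot = segment.lastIndexOf('.');
        return (dot == -1 || dot == segment.length() - 1) ? null
                : segment.substring(dot + 1).toLowerCase(Locale.ENGLISH);
    }

    /** Header value the model would add, or null when the URL carries no unlisted extension. */
    static String contentDisposition(String requestUri, boolean fixedVersion) {
        String ext = lastSegmentExtension(requestUri);
        if (ext == null || SAFE_EXTENSIONS.contains(ext)) {
            return null;
        }
        // Per the answer: "attachment" before 4.1.9 / 4.2.3, "inline" from those versions on.
        return (fixedVersion ? "inline" : "attachment") + ";filename=f.txt";
    }

    public static void main(String[] args) {
        String[] uris = {
            "/foobar/53.481297/9.900539/53.491691/9.946046",  // request from the question
            "/foobar/53.481297/9.900539/53.491691/9.946046/", // trailing slash (constructed)
            "/foobar/report.json",                            // listed extension (constructed)
            "/foobar/export.bat"                              // unlisted extension (constructed)
        };
        for (String uri : uris) {
            System.out.printf("%-50s old=%s new=%s%n", uri,
                    contentDisposition(uri, false), contentDisposition(uri, true));
        }
    }
}
```

In this model the coordinate `9.946046` yields the extension `946046`, which is not on the list, so the header is added; disabling `favorPathExtension` does not change that, because the check looks at the raw request path rather than at content negotiation.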
