{
log.warn("JSON-RPC request denied. To enable JSON mode add an init-param of jsonRpcEnabled=true to web.xml");
throw new SecurityException("JSON interface disabled");
}
JsonRpcCalls calls = null;
try
{
// TODO: We do not support JSON-RPC-GET. Is this legal?
// I'm of the opinion that allowing any kind of RPC over GET without an
// explicit @idempotent marker is probably against the HTTP spec.
// Plus there are additional security issues with GET requests,
// so I'm not rushing to fix this error.
Reader in = request.getReader();
JsonParser parser = JsonParserFactory.get();
calls = (JsonRpcCalls) parser.parse(in, new JsonRpcCallsJsonDecoder(converterManager, moduleManager));
if (calls.getCallCount() != 1)
{
JsonRpcError error = new JsonRpcError(calls, "Non unique call", ERROR_CODE_INTERNAL, null);
writeResponse(error, response, SC_INTERNAL_SERVER_ERROR);
return;
}
if (!calls.isParseErrorClean())
{
JsonRpcError error = new JsonRpcError(calls, calls.getParseErrors(), ERROR_CODE_PARSE, null);
writeResponse(error, response, SC_INTERNAL_SERVER_ERROR);
return;
}
// Check the methods are accessible
for (Call c : calls)
{
accessControl.assertGeneralExecutionIsPossible(c.getScriptName(), c.getMethodDeclaration());
}
Replies replies = remoter.execute(calls);
Reply reply = replies.getReply(0);
// The existence of a throwable indicates that something went wrong
if (reply.getThrowable() != null)
{
Throwable ex = reply.getThrowable();
JsonRpcError error = new JsonRpcError(calls, ex.getMessage(), ERROR_CODE_SERVER, null);
writeResponse(error, response, SC_INTERNAL_SERVER_ERROR);
return;
}
JsonRpcResponse answer = new JsonRpcResponse(calls.getVersion(), calls.getId(), reply.getReply());
writeResponse(answer, response, HttpServletResponse.SC_OK);
}
catch (JsonRpcCallException ex)
{
writeResponse(new JsonRpcError(ex), response, ex.getHttpStatusCode());