WebKit/JSONRPCServlet.py

"""JSON-RPC servlet base class

Written by Jean-Francois Pieronne

"""

import traceback
from MiscUtils import StringIO
try:
    import simplejson
except ImportError:
    print "ERROR: simplejson is not installed."
    print "Get it from http://cheeseshop.python.org/pypi/simplejson"

from HTTPContent import HTTPContent


class JSONRPCServlet(HTTPContent):
    """A superclass for Webware servlets using JSON-RPC techniques.

    JSONRPCServlet can be used to make coding JSON-RPC applications easier.

    Subclasses should override the method json_methods() which returns a list
    of method names. These method names refer to Webware Servlet methods that
    are able to be called by an JSON-RPC-enabled web page. This is very similar
    in functionality to Webware's actions.

    Some basic security measures against JavaScript hijacking are taken by
    default which can be deactivated if you're not dealing with sensitive data.
    You can further increase security by adding shared secret mechanisms.

    """

    # Class level variables that can be overridden by servlet instances:
    _debug = 0 # set to True if you want to see debugging output
    # The following variables control security precautions concerning
    # a vulnerability known as "JavaScript hijacking". See also:
    # http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
    # http://ajaxian.com/archives/protecting-a-javascript-service
    _allowGet = 0 # set to True if you want to allow GET requests
    _allowEval = 0 # set to True to allow direct evaluation of the response

    def __init__(self):
        HTTPContent.__init__(self)

    def respondToGet(self, transaction):
        if self._allowGet:
            self.writeError("GET method not allowed")
        HTTPContent.respondToGet(self, transaction)

    def defaultAction(self):
        self.jsonCall()

    def actions(self):
        actions = HTTPContent.actions(self)
        actions.append('jsonCall')
        return actions

    def exposedMethods(self):
        return []

    def writeError(self, msg):
        self.write(simplejson.dumps({'id': self._id, 'code': -1, 'error': msg}))

    def writeResult(self, data):
        data = simplejson.dumps({'id': self._id, 'result': data})
        if not self._allowEval:
            data = 'throw new Error' \
                '("Direct evaluation not allowed");\n/*%s*/' % (data,)
        self.write(data)

    def jsonCall(self):
        """Execute method with arguments on the server side.

        Returns Javascript function to be executed by the client immediately.

        """
        request = self.request()
        data = simplejson.loads(request.rawInput().read())
        self._id, call, params = data["id"], data["method"], data["params"]
        if call == 'system.listMethods':
            self.writeResult(self.exposedMethods())
        elif call in self.exposedMethods():
            try:
                method = getattr(self, call)
            except AttributeError:
                self.writeError('%s, although an approved method, '
                    'was not found' % call)
            else:
                try:
                    if self._debug:
                        self.log("json call %s(%s)" % (call, params))
                    self.writeResult(method(*params))
                except Exception:
                    err = StringIO()
                    traceback.print_exc(file=err)
                    e = err.getvalue()
                    self.writeError('%s was called, '
                        'but encountered an error: %s' % (call, e))
                    err.close()
        else:
            self.writeError('%s is not an approved method' % call)