I have just committed an extension to the Jetty cometd that allows
DataFilters to be defined that can be mapped to particular channels.
The intent is to try and centralize a large part of the security
and validation handling needed for a web 2.0 webapp.
For my demo chat application, I define the following filters:
[
  {
    "channels": "/chat/**",
    "class"   : "org.mortbay.cometd.filter.NoMarkupFilter",
    "init"    : {}
  },
  {
    "channels": "/chat/demo",
    "class"   : "org.mortbay.cometd.filter.RegexFilter",
    "init"    : [
      [ "[fF].ck",       "dang"        ],
      [ "teh([^a-z])",   "the$1"       ],
      [ "[Mm]icrosoft",  "Micro\\$oft" ],
      [ ".*tomcat.*",    null          ]
    ]
  }
]
This applies two filters. The first applies to any chat channel
and converts all <'s and >'s to &lt; and &gt;.
The second applies just to the demo chat room and fixes
some spelling mistakes, replaces rude words and censors
messages on some topics (the rule whose replacement is null).
The good things about this approach include:
* It is server side... where all validation must be.
* It knows about JSON structure, so it walks a JSON
object tree looking for data to filter. Thus it
removes markup from the user name AND the chat text.
A common programming mistake would be to protect the
chat text, but to forget that the username is also
user-supplied data.
* The approach is not just limited to text. I am working
on a filter that will convert JMS messages sent to a
channel to JSON and will convert JSON messages sent to
JMS. Not sure this is the best approach for a JMS
bridge... but it is still interesting to play with.
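To make the channel mapping and the JSON-tree walk concrete, here is an added
JavaScript illustration of the two filters configured above and of the
"walk every string" point from the list. It is not the Jetty cometd code and
not the author's; the names channelMatcher, noMarkupFilter, regexFilter,
filterJson and applyFilters, the "/**" and "/*" channel pattern handling, and
the sample messages are all assumptions made for the example. It goes a little
beyond the page in that it also escapes & and filters object keys.

```javascript
// Added illustration, not Jetty's code: channel-mapped data filters that
// walk a Bayeux-style JSON message and rewrite (or reject) every string.
// All names here are assumptions made for the example.

// Internal marker: "drop this whole message" (distinct from a JSON null).
const DROP = Symbol('drop');

// Compile a channel pattern: "/chat/**" matches any channel below /chat/,
// "/chat/*" exactly one more segment, anything else is an exact match.
function channelMatcher(pattern) {
  if (pattern.endsWith('/**')) {
    const prefix = pattern.slice(0, -2);
    return (ch) => ch.startsWith(prefix);
  }
  if (pattern.endsWith('/*')) {
    const prefix = pattern.slice(0, -1);
    return (ch) => ch.startsWith(prefix) && !ch.slice(prefix.length).includes('/');
  }
  return (ch) => ch === pattern;
}

// NoMarkup-style filter: escape the characters that would start markup.
// '&' is escaped as well (beyond what the page describes) so that text
// cannot smuggle in an entity of its own.
function noMarkupFilter() {
  return (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Regex-style filter: ordered [pattern, replacement] pairs applied in turn.
// A null replacement rejects the message. "$1" backreferences work as in the
// page's config; a literal "$" is "$$" in a JS replacement (Java's replaceAll
// spells it "\$", which is why the page's config reads "Micro\\$oft").
function regexFilter(rules) {
  const compiled = rules.map(([re, repl]) => [new RegExp(re, 'g'), repl]);
  return (s) => {
    for (const [re, repl] of compiled) {
      if (repl === null) {
        if (s.search(re) >= 0) return null; // search() ignores lastIndex
      } else {
        s = s.replace(re, repl);
      }
    }
    return s;
  };
}

// Walk any JSON value and pass every string (keys included) through fn.
// The structure is never trusted to keep user data in one known field:
// the username, nested arrays and even object keys are user-supplied too.
function filterJson(value, fn) {
  if (typeof value === 'string') {
    const r = fn(value);
    return r === null ? DROP : r;
  }
  if (Array.isArray(value)) {
    const out = [];
    for (const v of value) {
      const r = filterJson(v, fn);
      if (r === DROP) return DROP;
      out.push(r);
    }
    return out;
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const nk = fn(k);
      const r = filterJson(v, fn);
      if (nk === null || r === DROP) return DROP;
      out[nk] = r;
    }
    return out;
  }
  return value; // number, boolean, null: nothing to filter
}

// Run every filter whose channel pattern matches, in configuration order.
// Returns the rewritten data, or null if some filter rejected the message.
function applyFilters(filters, channel, data) {
  let current = data;
  for (const f of filters) {
    if (!f.match(channel)) continue;
    current = filterJson(current, f.apply);
    if (current === DROP) return null;
  }
  return current;
}

// The same two-filter chain as the page's configuration.
const FILTERS = [
  { match: channelMatcher('/chat/**'), apply: noMarkupFilter() },
  {
    match: channelMatcher('/chat/demo'),
    apply: regexFilter([
      ['[fF].ck', 'dang'],
      ['teh([^a-z])', 'the$1'],
      ['[Mm]icrosoft', 'Micro$$oft'],
      ['.*tomcat.*', null],
    ]),
  },
];

// Constructed sample messages (not real chat traffic).
const SAMPLE = { user: '<b>bob</b>', chat: 'teh fuck <script>alert(1)</script>' };
console.log(JSON.stringify(applyFilters(FILTERS, '/chat/demo', SAMPLE)));
console.log(applyFilters(FILTERS, '/chat/demo', { user: 'al', chat: 'try tomcat' }));
```

Two things worth noticing when running it: filters are applied in
configuration order, so the regex rules see the already-escaped text (a rule
meant to catch "<" would have to look for "&lt;"), and escaping only <, > and
& is enough for text that ends up in element content but not for text a client
might drop into an attribute, where quotes need escaping as well.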
Hope to see you all next week.
cheers