2

Is there a reliable way to separately extract GET and POST parameters using a HttpServletRequest?

That is, differentiate parameters that were sent in the query string (GET) from parameters that were sent in the request body (POST), assuming Content-Type: application/x-www-form-urlencoded.

Example

POST /path HTTP/1.1
Host: test.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

first_name=posted_foo&last_name=posted_bar

I would like to end up with two variables, one containing the values from the URL and one containing the values from the request body:

get = {"first_name": "foo", "last_name": "bar"}
post = {"first_name": "posted_foo", "last_name": "posted_bar"}

The only methods I seem to be able to use to extract these parameters are the getParameter* methods.

  • HttpServletRequest.getParameter: Returns a single string and tends to be the value provided in the URL (GET).
  • HttpServletRequest.getParameterValues: Returns an array of strings containing all of the values provided in the query string and request body. Those passed via the query string tend to appear first. However, if only one value is present in the returned array of strings, it cannot be reliably determined whether the value came from the query string or the request body.

To illustrate, using PHP these values are provided through the $_GET and $_POST superglobals.

1

1 Answer

1

The query string is trivial to parse, and thus gives you the URI query param names, while getParameterNames() gives you the whole set.

Split the query string by '&', then subsplit each token by '='. For each key and value, perform the URLDecoder.decode(). That's all.

Toss all such keys in a set. If the param is in the URI query set, there is a good chance it's only there. If you must find out whether it is also in the post: actually, post form-encoded data is also coded like that, but that post is consumed, so it's too late. Besides, the post could also be a multipart encoding, which is non-trivial to decode.

In the end, it's odd that you need this distinction. Can you explain for what purpose you seek this distinction?


3 Comments

Thanks for your answer. I did know that I could manually parse the query string to retrieve the GET parameters but I thought maybe there was a more reliable way of differentiating them both that I was missing. I guess the answer is pretty much: Not without parsing them yourself.
The reason I ask isn't so much that I need it, I know I could easily just rely on getParameter etc. it's just that I wanted to see if it was possible. Coming from a primarily PHP background where this distinction is easily accessible. I'm actually intending to write a class that wraps around HttpServletRequest that functions in a similar fashion to Symfony's HTTP Foundation Request class, which is what prompted the question. Thanks again!
One reason that I've run into is security. For example, while the OAuth 2.0 specification allows for bearer tokens to be passed as a query parameter, such is not always secure. I may want to accept the access token if it comes in the body, but reject if in the query string. As @user2023577 said, though, such cases are pretty rare.
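
An added example (not code from the question, the answer or the comments) of the approach discussed above: parse getQueryString() yourself, then treat whatever getParameterMap() holds beyond the query values as body parameters, relying on the Servlet specification's rule that query-string values are presented before body values. The class name, helper names and sample values are constructed for illustration; the two servlet-provided values are passed in as plain arguments so it runs on a bare JDK 10+, and UTF-8 decoding is assumed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ParamSplitter { // hypothetical name, not a servlet API class
    // Parse the raw string from request.getQueryString() into name -> values, keeping order.
    static Map<String, List<String>> parseQuery(String raw) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) return out;
        for (String pair : raw.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('='); // split on the first '=' only; "a" alone means a=""
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
        return out;
    }

    // Throws IllegalArgumentException on a malformed %-escape; callers should answer 400.
    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // merged is request.getParameterMap(): query values first, then body values.
    // Dropping as many leading values as the query string supplied leaves the body values.
    static Map<String, List<String>> bodyOnly(Map<String, List<String>> query,
                                              Map<String, String[]> merged) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : merged.entrySet()) {
            int skip = query.getOrDefault(e.getKey(), List.of()).size();
            String[] all = e.getValue();
            if (all.length > skip)
                out.put(e.getKey(), Arrays.asList(all).subList(skip, all.length));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of what the container would hand back for a form POST.
        String rawQuery = "first_name=foo&last_name=bar&access_token=abc%2B1";
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("first_name", new String[] {"foo", "posted_foo"});
        merged.put("last_name", new String[] {"bar", "posted_bar"});
        merged.put("access_token", new String[] {"abc+1"});
        Map<String, List<String>> get = parseQuery(rawQuery);
        System.out.println("get = " + get + "\npost = " + bodyOnly(get, merged));
        if (get.containsKey("access_token")) // the check from the last comment
            System.out.println("reject: access_token arrived in the query string");
    }
}
```

This only works while the container still parses the body for you, that is, before anything reads getInputStream() or getReader(), and it does not cover multipart bodies.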
