sabrina sabrina - 10 months ago 47
JSON Question

Accessing Google App Engine datastore using JSON and JavaScript

I'm trying to get the data from app engine datastore using JSON and send it to JavaScript code, but the JSON I've made doesn't appear to support JSONP so it can't be retrieve. I'm using Java and Gson to make JSON.

Java Code:

public class outputServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {

DatastoreService datastore = DatastoreServiceFactory.getDatastoreService();
Query query = new Query("smsgateway");
List<Entity> from = datastore.prepare(query).asList(FetchOptions.Builder.withLimit(10));
for (Entity sms : from){

Gson gson = new Gson();
String json = gson.toJson(from);


Is there any mistake I've made in this code? Or are there other ways to make an accessible JSON?

--edited: from the code above I get this JSON array:

[{"key":{"parentKey":{"kind":"user","id":0,"name":"test 1"},"kind":"smsgateway","id":5707702298738688},"propertyMap":{"content":"test content1","date":"Dec 12, 2013 2:58:57 PM","user":"test 1"}}]

Answer Source

Here's how to change your code to do JSONP by wrapping the returned JSON in a Javascript method call, with the name of the method provided by the calling page:

Gson gson = new Gson();
String json = gson.toJson(from);
String callback = req.getParameter("callback");

resp.getWriter().println(callback + "(" + json + ");");

This requires calling your servlet with a parameter named callback that contains the name of the function you want to receive the JSON in the calling page. You can either do this manually (see below), or using a framework such as jQuery.

Assuming your json is [1, 2, 3] and you invoke the servlet as http://yourhost/yourservlet?callback=doStuff, this would be its output:

doStuff([1, 2, 3]);

Here's a minimal, manual example that works with the above Java code and calls a Javascript method named doStuff() with the JSON fetched from the server via JSONP:

<script type="text/javascript">
  function doStuff(json) {
    // Do stuff with JSON received from server.
<script type="text/javascript"

On the security of JSONP

There's security concerns surrounding JSONP for the both server and client:

The client has to fully trust the server, because the server can inject any kind of executable code into the page by virtue of how JSONP works. A malicious JSONP server can steal cookies, login credentials and anything displayed on the calling site or expose the user to malware.

The server can't easily verify if a JSONP request is legitimate or triggered by XSRF. For that reason, only use JSONP for public data -- do not use it for data that requires a authentication/login, should not be exposed to a third party or is otherwise sensitive.

If this is a learning exercise or homework, don't worry too much about this. If you plan to actually run JSONP out there on the web, reconsider.

For a more secure approach to cross-domain AJAX calls, take a look at CORS. For the simple case of "serve public data to everyone" it's as simple as setting a single header on the response: Access-Control-Allow-Origin: *. For anything else (non-public data, serve only to certain hosts, accepting data via POST) it quickly turns into a complex affair.