Other Configurations

  1. ContentType
  2. Encoding
  3. Javascript Hijacking Protection

Content type

To change the response content type of the JsonView you can set the content type property like below.

<beans>
    <bean name="jsonView" class="org.springframework.web.servlet.view.json.JsonView">
        <property name="contentType"><value>application/json</value></property>
    </bean>
</beans>

Encoding

To change the response encoding of the JsonView you can set the encoding property like below.

<beans>
    <bean name="jsonView" class="org.springframework.web.servlet.view.json.JsonView">
        <property name="encoding"><value>ISO-8859-1</value></property>
    </bean>
</beans>

Javascript Hijacking Protection

To protect against Javascript hijacking as described in Fortify's paper Json objects may be optionally wrapped within Javascript comments by setting the hijackSafe property to true.

<beans>
    <bean name="jsonView" class="org.springframework.web.servlet.view.json.JsonView">
        <property name="hijackSafe"><value>true</value></property>
    </bean>
</beans>

Result: /*JSON{"command":{"placeofbirth":"Sydney"}}JSON*/

The default '/* JSON.... JSON*/' wrapper text can be configured by setting the hijackSafePrefixPostFix property

  <beans>
    <bean name="jsonView" class="org.springframework.web.servlet.view.json.JsonView">
        <property name="hijackSafe"><value>true</value></property>
        <property name="hijackSafePrefixPostFix"><value>TEST</value></property>
    </bean>
  </beans>

Result:

/*TEST{"command":{"placeofbirth":"Sydney"}}TEST*/

The wrapper can then be removed in client side code. For example

var resp = eval("("+data.substring(data.indexOf("\/\*JSON")+6, data.lastIndexOf("JSON\*\/"))+")");<<<Monospaced>>>

Thanks to Hodge for original suggestion.