sergeyb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 34b210e [CXF-7503] Explicit check for DELETE with an option to
override
34b210e is described below
commit 34b210e91d6fe860e1360ccf5b347b6dee8c58db
Author: Sergey Beryozkin <[email protected]>
AuthorDate: Fri Sep 22 15:55:12 2017 +0100
[CXF-7503] Explicit check for DELETE with an option to override
---
.../main/java/org/apache/cxf/helpers/IOUtils.java | 31 +++++++++-------------
.../jaxrs/impl/ContainerRequestContextImpl.java | 4 ---
.../java/org/apache/cxf/jaxrs/utils/HttpUtils.java | 10 +++++++
.../client/spec/ClientResponseContextImpl.java | 4 +++
.../jose/jaxrs/JweClientResponseFilter.java | 3 +--
.../jose/jaxrs/JweContainerRequestFilter.java | 10 ++++---
.../jose/jaxrs/JweJsonClientResponseFilter.java | 3 +--
.../jose/jaxrs/JweJsonContainerRequestFilter.java | 11 +++++---
.../jose/jaxrs/JwsClientResponseFilter.java | 2 +-
.../jose/jaxrs/JwsContainerRequestFilter.java | 9 +++++--
.../jose/jaxrs/JwsJsonClientResponseFilter.java | 2 +-
.../jose/jaxrs/JwsJsonContainerRequestFilter.java | 9 +++++--
12 files changed, 60 insertions(+), 38 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
index e474a09..0e3f5df 100644
--- a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
@@ -48,37 +48,32 @@ public final class IOUtils {
if (is == null) {
return true;
}
- try {
- // if available is 0 it does not mean it is empty; it can also
throw IOException
- if (is.available() > 0) {
- return false;
- }
- } catch (IOException ex) {
- // ignore
+ // if available is 0 it does not mean it is empty
+ if (is.available() > 0) {
+ return false;
}
-
+
final byte[] bytes = new byte[1];
- try {
- if (is.markSupported()) {
- is.mark(1);
- try {
- return isEof(is.read(bytes));
- } finally {
- is.reset();
- }
+ if (is.markSupported()) {
+ is.mark(1);
+ try {
+ return isEof(is.read(bytes));
+ } finally {
+ is.reset();
}
- } catch (IOException ex) {
- // ignore
}
+
if (!(is instanceof PushbackInputStream)) {
return false;
}
+
// it may be an attachment stream
PushbackInputStream pbStream = (PushbackInputStream)is;
boolean isEmpty = isEof(pbStream.read(bytes));
if (!isEmpty) {
pbStream.unread(bytes);
}
+
return isEmpty;
}
private static boolean isEof(int result) {
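Review bot: With both `catch (IOException ex) { // ignore }` blocks removed, failures from `is.available()`, `is.read(bytes)` and `is.reset()` now propagate to the caller, and nothing visible in this hunk documents that change. The signature and any Javadoc of the method sit above the hunk, so I would add a line there such as `@throws IOException if the stream cannot be probed; a failure is never reported as "empty"`. In the mark/reset branch, a failing `is.reset()` inside `finally` would also replace an exception thrown by `is.read(bytes)`, which deserves a short comment next to the `finally`.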
diff --git
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
index 9d7bcc6..72a72cb 100644
---
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
+++
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
@@ -68,10 +68,6 @@ public class ContainerRequestContextImpl extends
AbstractRequestContextImpl
@Override
public boolean hasEntity() {
- InputStream is = getEntityStream();
- if (is == null) {
- return false;
- }
// Is Content-Length is explicitly set to 0 ?
if (HttpUtils.isPayloadEmpty(getHeaders())) {
return false;
diff --git
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
index dc8c8a7..e5d5c94 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
@@ -26,11 +26,14 @@ import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
+import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
+import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -91,6 +94,9 @@ public final class HttpUtils {
// there are more of such characters, ex, '*' but '*' is not affected by
UrlEncode
private static final String PATH_RESERVED_CHARACTERS = "=@/:!$&\'(),;~";
private static final String QUERY_RESERVED_CHARACTERS = "?/,";
+
+ private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_CONTENT =
+ new HashSet<>(Arrays.asList(new String[]{"GET", "HEAD", "OPTIONS",
"TRACE"}));
private HttpUtils() {
}
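Review bot: `KNOWN_HTTP_VERBS_WITH_NO_CONTENT` is a plain mutable `HashSet` in a static final field, and the explicit `new String[]{...}` is redundant because `Arrays.asList` takes varargs. The JOSE request filters changed later in this commit use this set to decide when to skip decryption or signature verification, so I would make it unmodifiable: `Collections.unmodifiableSet(new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE")))`. That needs `java.util.Collections`, which is not among the imports visible in this file's first hunk.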
@@ -674,4 +680,8 @@ public final class HttpUtils {
return clazz.cast(value);
}
+
+ public static boolean isMethodWithNoContent(String method) {
+ return KNOWN_HTTP_VERBS_WITH_NO_CONTENT.contains(method);
+ }
}
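Review bot: `isMethodWithNoContent` is a new public static method with no Javadoc, and its name promises more than it checks. It is only a membership test on the method name and never looks at the request, so a GET or OPTIONS request that does carry a body still returns true. I would document that, for example `/** Returns true if the method name is GET, HEAD, OPTIONS or TRACE; the request is not inspected for a body. */`. The Javadoc should also say that the comparison is case-sensitive and that a null method yields false.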
diff --git
a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
index 317ab21..2ee58b6 100644
---
a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
+++
b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
@@ -62,6 +62,10 @@ public class ClientResponseContextImpl extends
AbstractResponseContextImpl
@Override
public boolean hasEntity() {
+ // Is Content-Length is explicitly set to 0 ?
+ if (HttpUtils.isPayloadEmpty(getHeaders())) {
+ return false;
+ }
try {
return !IOUtils.isEmpty(getEntityStream());
} catch (IOException ex) {
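Review bot: The `catch (IOException ex)` that closes this hunk matters more after this commit, but its body lies outside the hunk and cannot be checked from here. `IOUtils.isEmpty` no longer swallows I/O errors, and the four JOSE client response filters now call `res.hasEntity()` to decide whether to skip decryption or signature verification. If the handler returns false, an I/O failure while probing the stream would make those filters return without processing the response. It should rethrow or report the entity as present, with a comment such as `// never report "no entity" on I/O failure: security filters rely on hasEntity()`.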
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
index b66d07d..8c8f71c 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -34,7 +33,7 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweClientResponseFilter extends AbstractJweDecryptingFilter
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index 951c237..9486365 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -36,8 +36,8 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweContainerRequestFilter extends AbstractJweDecryptingFilter
implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(context.getEntityStream());
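Review bot: The new guard `isMethodWithNoContent(context.getMethod()) || isCheckEmptyStream() && !context.hasEntity()` returns before `decrypt(...)` for every DELETE, GET, HEAD, OPTIONS and TRACE request, whether or not the request carries a body. A DELETE that does carry a payload therefore reaches the resource without JWE processing. The same pattern in `JweJsonContainerRequestFilter`, `JwsContainerRequestFilter` and `JwsJsonContainerRequestFilter` skips decryption or signature verification in the same way. I would tie the method shortcut to the absence of an entity and parenthesise the mixed operators, e.g. `if (!context.hasEntity() && (isMethodWithNoContent(context.getMethod()) || isCheckEmptyStream())) {`. If DELETE bodies are deliberately out of scope, that should be stated in a comment here. The rest of `filter` lies outside this hunk.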
@@ -52,4 +52,8 @@ public class JweContainerRequestFilter extends
AbstractJweDecryptingFilter imple
super.validateHttpHeadersIfNeeded(context.getHeaders(),
out.getHeaders());
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}
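Review bot: The protected hook `isMethodWithNoContent` is added without Javadoc and is copied verbatim into `JweJsonContainerRequestFilter`, `JwsContainerRequestFilter` and `JwsJsonContainerRequestFilter`. It is the override point the commit title refers to, so it should say what returning true means for security, for example `/** Returns true if requests with this HTTP method are passed through without JOSE processing; override to return false for DELETE when DELETE requests may carry a protected payload. */`. The four copies can drift apart, so a single shared helper or a common base-class method would be easier to audit.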
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
index 9ee2b66..27f2a51 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -34,7 +33,7 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweJsonClientResponseFilter extends
AbstractJweJsonDecryptingFilter implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
index 6373483..30e1b33 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -38,8 +38,8 @@ import org.apache.cxf.rs.security.jose.jwe.JweException;
public class JweJsonContainerRequestFilter extends
AbstractJweJsonDecryptingFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
try {
@@ -59,4 +59,9 @@ public class JweJsonContainerRequestFilter extends
AbstractJweJsonDecryptingFilt
return;
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
+
}
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index ecbd49c..4e7acca 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -36,7 +36,7 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsClientResponseFilter extends AbstractJwsReaderProvider
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JwsCompactConsumer p = new
JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index a1b2f42..0a0d534 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
@@ -41,8 +42,8 @@ import org.apache.cxf.security.SecurityContext;
public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JwsCompactConsumer p = new
JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
@@ -93,4 +94,8 @@ public class JwsContainerRequestFilter extends
AbstractJwsReaderProvider impleme
}
return null;
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index 1e035c8..c9311da 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -36,7 +36,7 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index b4b882c..a706c94 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jws.JwsException;
@@ -40,8 +41,8 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsJsonContainerRequestFilter extends
AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
@@ -67,4 +68,8 @@ public class JwsJsonContainerRequestFilter extends
AbstractJwsJsonReaderProvider
super.validateHttpHeadersIfNeeded(context.getHeaders(),
sigEntry.getProtectedHeader());
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}