This is an automated email from the ASF dual-hosted git repository.
sergeyb pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.1.x-fixes by this push:
new 94d49a8 [CXF-7503] Explicit check for DELETE with an option to
override
94d49a8 is described below
commit 94d49a8a173f6bf1d7f31ab6990eac9025b2e28a
Author: Sergey Beryozkin <[email protected]>
AuthorDate: Fri Sep 22 15:55:12 2017 +0100
[CXF-7503] Explicit check for DELETE with an option to override
---
.../main/java/org/apache/cxf/helpers/IOUtils.java | 29 +++++++++-------------
.../jaxrs/impl/ContainerRequestContextImpl.java | 4 ---
.../java/org/apache/cxf/jaxrs/utils/HttpUtils.java | 10 ++++++++
.../client/spec/ClientResponseContextImpl.java | 6 ++++-
.../jose/jaxrs/JweClientResponseFilter.java | 3 +--
.../jose/jaxrs/JweContainerRequestFilter.java | 10 +++++---
.../jose/jaxrs/JweJsonClientResponseFilter.java | 3 +--
.../jose/jaxrs/JweJsonContainerRequestFilter.java | 11 +++++---
.../jose/jaxrs/JwsClientResponseFilter.java | 2 +-
.../jose/jaxrs/JwsContainerRequestFilter.java | 9 +++++--
.../jose/jaxrs/JwsJsonClientResponseFilter.java | 2 +-
.../jose/jaxrs/JwsJsonContainerRequestFilter.java | 9 +++++--
12 files changed, 60 insertions(+), 38 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
index 778f781..763cc62 100644
--- a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
@@ -48,37 +48,32 @@ public final class IOUtils {
if (is == null) {
return true;
}
- try {
- // if available is 0 it does not mean it is empty; it can also
throw IOException
- if (is.available() > 0) {
- return false;
- }
- } catch (IOException ex) {
- // ignore
+ // if available is 0 it does not mean it is empty
+ if (is.available() > 0) {
+ return false;
}
final byte[] bytes = new byte[1];
- try {
- if (is.markSupported()) {
- is.mark(1);
- try {
- return isEof(is.read(bytes));
- } finally {
- is.reset();
- }
+ if (is.markSupported()) {
+ is.mark(1);
+ try {
+ return isEof(is.read(bytes));
+ } finally {
+ is.reset();
}
- } catch (IOException ex) {
- // ignore
}
+
if (!(is instanceof PushbackInputStream)) {
return false;
}
+
// it may be an attachment stream
PushbackInputStream pbStream = (PushbackInputStream)is;
boolean isEmpty = isEof(pbStream.read(bytes));
if (!isEmpty) {
pbStream.unread(bytes);
}
+
return isEmpty;
}
private static boolean isEof(int result) {
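Review bot: With both `catch (IOException ex)` blocks removed, a failure in `available()`, `read()` or `reset()` now propagates to the caller instead of falling through to the later checks, and the shortened comment no longer says that `available()` can throw. The method signature and any Javadoc are outside this hunk, so this may already be documented; if not, add `@throws IOException if probing the stream fails; the result is then unknown, not "empty"`. An exception from `is.reset()` in the `finally` block also replaces the value computed by `isEof(is.read(bytes))`, and the probed byte may already be consumed at that point.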
diff --git
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
index 94a8ce6..57355e3 100644
---
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
+++
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
@@ -68,10 +68,6 @@ public class ContainerRequestContextImpl extends
AbstractRequestContextImpl
@Override
public boolean hasEntity() {
- InputStream is = getEntityStream();
- if (is == null) {
- return false;
- }
// Is Content-Length is explicitly set to 0 ?
if (HttpUtils.isPayloadEmpty(getHeaders())) {
return false;
diff --git
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
index e77f6e2..2543b25 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
@@ -26,11 +26,14 @@ import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
+import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
+import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -92,6 +95,9 @@ public final class HttpUtils {
private static final String PATH_RESERVED_CHARACTERS = "=@/:!$&\'(),;~";
private static final String QUERY_RESERVED_CHARACTERS = "?/,";
+ private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_CONTENT =
+ new HashSet<String>(Arrays.asList(new String[]{"GET", "HEAD",
"OPTIONS", "TRACE"}));
+
private HttpUtils() {
}
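Review bot: `KNOWN_HTTP_VERBS_WITH_NO_CONTENT` is a mutable `HashSet` in a static field, and although nothing visible here mutates it, this set decides which requests the JOSE container filters pass through unprocessed, so it is worth making unmodifiable. `Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE")))` does that and drops the redundant `new String[]{...}` wrapper. It needs `java.util.Collections`, which is not among the imports visible in this diff.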
@@ -676,4 +682,8 @@ public final class HttpUtils {
return clazz.cast(value);
}
+
+ public static boolean isMethodWithNoContent(String method) {
+ return KNOWN_HTTP_VERBS_WITH_NO_CONTENT.contains(method);
+ }
}
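Review bot: `isMethodWithNoContent` is a new public utility with no Javadoc, and its name overstates what it checks: it looks only at the method name, not at whether the request actually carries a body. Suggested comment: `/** Returns true if method is GET, HEAD, OPTIONS or TRACE (exact, case-sensitive match); does not inspect the request entity. */`.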
diff --git
a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
index e32c46f..fe4f362 100644
---
a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
+++
b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
@@ -61,7 +61,11 @@ public class ClientResponseContextImpl extends
AbstractResponseContextImpl
}
@Override
- public boolean hasEntity() {
+ public boolean hasEntity() {
+ // Is Content-Length is explicitly set to 0 ?
+ if (HttpUtils.isPayloadEmpty(getHeaders())) {
+ return false;
+ }
try {
return !IOUtils.isEmpty(getEntityStream());
} catch (IOException ex) {
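Review bot: `hasEntity()` turns an IOException from `IOUtils.isEmpty` into a return value in the `catch` branch, whose body lies outside this hunk, and this commit makes that value security-relevant: JweClientResponseFilter, JweJsonClientResponseFilter, JwsClientResponseFilter and JwsJsonClientResponseFilter now skip decryption or signature verification when `!res.hasEntity()`. Before this commit they called `IOUtils.isEmpty(res.getEntityStream())` directly, so any IOException it raised propagated out of `filter`. If the catch branch returns false, a failing stream probe would be treated as an empty response and passed through unprocessed; returning true there, so the filter goes on to read the stream and fails, would keep the handling fail-closed. The added comment would also read better as `// Is Content-Length explicitly set to 0?`.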
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
index b66d07d..8c8f71c 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -34,7 +33,7 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweClientResponseFilter extends AbstractJweDecryptingFilter
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index 951c237..9486365 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -36,8 +36,8 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweContainerRequestFilter extends AbstractJweDecryptingFilter
implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(context.getEntityStream());
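Review bot: The method test in `filter` is evaluated independently of `isCheckEmptyStream()` and of the entity, so for GET, HEAD, OPTIONS, TRACE and now DELETE the filter returns before `decrypt` even when the request does carry a body. A resource that reads a body on one of those methods (DELETE with a payload is the likely case) would then receive content that never went through JWE processing. Consider returning early on the method only when there is also no entity, `if (!context.hasEntity() && (isMethodWithNoContent(context.getMethod()) || isCheckEmptyStream()))`, or state on the class that services accepting such bodies must override `isMethodWithNoContent`. The same condition is added in JweJsonContainerRequestFilter, JwsContainerRequestFilter and JwsJsonContainerRequestFilter; in the two JWS filters it means the signature is not verified. The rest of `filter` lies outside this hunk.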
@@ -52,4 +52,8 @@ public class JweContainerRequestFilter extends
AbstractJweDecryptingFilter imple
super.validateHttpHeadersIfNeeded(context.getHeaders(),
out.getHeaders());
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}
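Review bot: `isMethodWithNoContent` is the override point the commit title refers to, but it has no Javadoc telling a subclass what returning true causes. Suggested comment: `/** Returns true for HTTP methods whose requests are passed through without JWE decryption; override to return false for DELETE if the service accepts DELETE bodies. */`. The identical method is added to JweJsonContainerRequestFilter, JwsContainerRequestFilter and JwsJsonContainerRequestFilter, which have different base classes; a single shared static helper would keep the four copies from drifting apart.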
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
index 9ee2b66..27f2a51 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -34,7 +33,7 @@ import
org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
public class JweJsonClientResponseFilter extends
AbstractJweJsonDecryptingFilter implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
index 6373483..30e1b33 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -38,8 +38,8 @@ import org.apache.cxf.rs.security.jose.jwe.JweException;
public class JweJsonContainerRequestFilter extends
AbstractJweJsonDecryptingFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
try {
@@ -59,4 +59,9 @@ public class JweJsonContainerRequestFilter extends
AbstractJweJsonDecryptingFilt
return;
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
+
}
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index ecbd49c..4e7acca 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -36,7 +36,7 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsClientResponseFilter extends AbstractJwsReaderProvider
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JwsCompactConsumer p = new
JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index 5031005..97062ba 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
@@ -41,8 +42,8 @@ import org.apache.cxf.security.SecurityContext;
public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JwsCompactConsumer p = new
JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
@@ -94,4 +95,8 @@ public class JwsContainerRequestFilter extends
AbstractJwsReaderProvider impleme
}
return null;
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index 7d6ef35..1091671 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -36,7 +36,7 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider
implements ClientResponseFilter {
@Override
public void filter(ClientRequestContext req, ClientResponseContext res)
throws IOException {
- if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+ if (isCheckEmptyStream() && !res.hasEntity()) {
return;
}
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
diff --git
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index c7845bb..b9caca7 100644
---
a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jws.JwsException;
@@ -40,8 +41,8 @@ import
org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
public class JwsJsonContainerRequestFilter extends
AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
- if (HttpMethod.GET.equals(context.getMethod())
- || isCheckEmptyStream() &&
IOUtils.isEmpty(context.getEntityStream())) {
+ if (isMethodWithNoContent(context.getMethod())
+ || isCheckEmptyStream() && !context.hasEntity()) {
return;
}
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
@@ -67,4 +68,8 @@ public class JwsJsonContainerRequestFilter extends
AbstractJwsJsonReaderProvider
super.validateHttpHeadersIfNeeded(context.getHeaders(),
sigEntry.getProtectedHeader());
}
}
+
+ protected boolean isMethodWithNoContent(String method) {
+ return HttpMethod.DELETE.equals(method) ||
HttpUtils.isMethodWithNoContent(method);
+ }
}