[ https://issues.apache.org/jira/browse/CXF-6297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14379808#comment-14379808 ]

Dmitry Kozlov commented on CXF-6297:
------------------------------------

Thanks Sergey,

I'll take a look. My quick recent experiment is that Jersey reverses this logic 
:) It applies request filter once, while response - twice ))) Anyways, I'll 
need to double check. But to this moment my personal preference is clearly CXF.

As for Pre-matching - might be a good idea (actually the best - thought about 
it as well), the only concern is to make sure it's DDoS proof for the case when 
attacker generates path randomly. Frankly speaking I'd prefer to bother auth 
server only in case when there is something to call (i.e. when match detected), 
otherwise 405 should be enough.

As for the rest of cases granular use of NameBinding might be a way.

Anyways, the spec leaves the impression that the sub-resources case didn't get 
too much attention. IMHO :)

Thank you!

> JAX-RS BeanValidation feature fails with NPE in 
> JAXRSBeanValidationOutInterceptor on sub-resource call
> ------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6297
>                 URL: https://issues.apache.org/jira/browse/CXF-6297
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.0.4
>            Reporter: Dmitry Kozlov
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.0, 3.0.5
>
>
> With {{JAXRSBeanValidationFeature}} enabled CXF fails to process request to 
> sub-resource with exception like this:
> {code}
> 23:58:16.049 [qtp457732796-28] WARN  o.a.cxf.phase.PhaseInterceptorChain - Interceptor for {http://example.com/}MainResource has thrown exception, unwinding now
> java.lang.NullPointerException: null
>     at org.apache.cxf.jaxrs.validation.ValidationUtils.getResourceInstance(ValidationUtils.java:39) ~[cxf-rt-frontend-jaxrs-3.0.4.jar:3.0.4]
>     at org.apache.cxf.jaxrs.validation.JAXRSBeanValidationOutInterceptor.getServiceObject(JAXRSBeanValidationOutInterceptor.java:44) ~[cxf-rt-frontend-jaxrs-3.0.4.jar:3.0.4]
>     at org.apache.cxf.validation.AbstractValidationInterceptor.handleMessage(AbstractValidationInterceptor.java:60) ~[cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.interceptor.OutgoingChainInterceptor.handleMessage(OutgoingChainInterceptor.java:83) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [javax.servlet-api-3.1.0.jar:3.1.0]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     ...
> {code}
> The example resource code:
> {code}
> @Path("/main")
> public interface MainResource {
>     @Path("/sub/{id}")
>     SubResource subResource(@PathParam("id") @Size(min=3, max=255) String id);
> }
> -----
> public interface SubResource {
>     @GET
>     @Path("/items")
>     List<String> items();
> }
> GET http://example.com/main/sub/123/items
> {code}
> NPE happens at [ValidationUtils.java:39|https://github.com/apache/cxf/blob/c79696bfc1aee1d1204cbd592f6bc5c83c0d9dae/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/validation/ValidationUtils.java#L39],
> since {{resourceProvider}} retrieved on previous line is {{null}}:
> {code:java|firstline=33|highlight=39}
>     public static Object getResourceInstance(Message message) {
>         final OperationResourceInfo ori = message.getExchange().get(OperationResourceInfo.class);
>         if (ori == null) {
>             return null;
>         }
>         final ResourceProvider resourceProvider = ori.getClassResourceInfo().getResourceProvider();
>         if (!resourceProvider.isSingleton()) {
>             String error = "Service object is not a singleton, use a custom invoker to validate";
>             LOG.warning(error);
>             return null;
>         } else {
>             return resourceProvider.getInstance(message);
>         }
>     }
> {code}
> This happens only during invocation of {{JAXRSBeanValidationOutInterceptor}} 
> and only when calling sub-resources as in example above.
> h3. Partial Workaround
> The partial workaround is to enable in-interceptor only. But this won't work 
> for people wishing to validate response entities as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
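
An added example, not code from CXF or from this thread, of the post-matching approach the comment prefers: a name-bound `ContainerRequestFilter` that contacts the auth server only after a resource method has matched. `Secured`, `TokenVerifier` and `SecuredFilter` are hypothetical names, and how the binding reaches sub-resource methods should be confirmed on the runtime in use.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical binding annotation: placed on the resource classes or methods that need auth.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secured { }

// Hypothetical client for the remote auth server (assumption, not a CXF type).
interface TokenVerifier {
    boolean isValid(String bearerToken);
}

// No @PreMatching here: the runtime runs this filter only after a resource
// method bound with @Secured has matched, so requests for random, unmatched
// paths are rejected by the runtime without a round trip to the auth server.
@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
class SecuredFilter implements ContainerRequestFilter {
    private final TokenVerifier verifier;

    SecuredFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Reject locally when no bearer token is present; the auth server is not called.
        boolean hasToken = header != null && header.startsWith("Bearer ");
        if (!hasToken || !verifier.isValid(header.substring("Bearer ".length()))) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}
```

Because the filter has a constructor argument, register it as an instance (for example from an `Application` subclass or the CXF provider list) rather than by class name.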
