Daniel created CXF-7503:
---------------------------
Summary: JwsJsonContainerRequestFilter throws exception in case of
DELETE method invocation with empty payload
Key: CXF-7503
URL: https://issues.apache.org/jira/browse/CXF-7503
Project: CXF
Issue Type: Bug
Affects Versions: 3.2.0
Reporter: Daniel
Priority: Critical
Below is the stack trace. As GET method does not has such an issue, I looked
into JwsJsonContainerRequestFilter and found JWS is pypassed in case of GET
method. I think DELETE should also bypass the check. (Note that when DELETE
method has an empty response, JWS should also be bypassed)
public class JwsJsonContainerRequestFilter extends
AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext context) throws IOException {
if (HttpMethod.GET.equals(context.getMethod()) {
return;
}
========GET=======
--------------------------------------
Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
INFO: Inbound Message
----------------------------
ID: 3
Address: http://localhost:9000/app/swaggerSample/sample/aaa
Http-Method: GET
Content-Type: application/json
Headers: {Accept=[application/json], cache-control=[no-cache],
connection=[keep-alive], content-type=[application/json],
host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
--------------------------------------
Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingOutInterceptor
INFO: Outbound Message
---------------------------
ID: 3
Response-Code: 200
Content-Type: application/jose+json
Headers: {Content-Type=[application/jose+json], Date=[Thu, 14 Sep 2017 23:17:04
GMT], Access-Control-Allow-Origin=[*], Access-Control-Allow-Methods=[GET, POST,
DELETE, PUT, PATCH], Access-Control-Allow-Headers=[Content-Type]}
Payload:
{"payload":"eyJuYW1lIjoiYWFhIiwidmFsdWUiOiIxMTEiLCJjb2RlIjoiISEhIn0","signatures":[{"protected":"eyJhbGciOiJFUzI1NiIsImN0eSI6Impzb24ifQ","signature":"q7h5u-a6OmWH8bXCXPF27aD8-euUqqPGPzvBkEl3WfaUenNLU0uFbCsyzXCVbhrbX5SMZra3ePQO4D3Hh6msNw"}]}
--------------------------------------
=======DELETE========
--------------------------------------
Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
INFO: Inbound Message
----------------------------
ID: 4
Address: http://localhost:9000/app/swaggerSample/sample/aaa
Http-Method: DELETE
Content-Type: application/json
Headers: {Accept=[application/json], cache-control=[no-cache],
connection=[keep-alive], content-type=[application/json],
host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
--------------------------------------
Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for {http://server.swagger.jaxrs.demo/}Sample has thrown
exception, unwinding now
java.lang.StringIndexOutOfBoundsException: String index out of range: -2
at java.lang.String.substring(String.java:1967)
at
org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
at
org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
at
org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
at
org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
at
org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain unwind
WARNING: Exception in handleFault on interceptor
org.apache.cxf.jaxrs.interceptor.JAXRSDefaultFaultOutInterceptor@6d703c7a
org.apache.cxf.interceptor.Fault: String index out of range: -2
at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:75)
at
org.apache.cxf.phase.PhaseInterceptorChain.wrapExceptionAsFault(PhaseInterceptorChain.java:374)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:332)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.StringIndexOutOfBoundsException: String index out of
range: -2
at java.lang.String.substring(String.java:1967)
at
org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
at
org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
at
org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
at
org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
at
org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
at
org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
... 26 more
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
