[
https://issues.apache.org/jira/browse/CXF-7503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16172522#comment-16172522
]
Daniel commented on CXF-7503:
-----------------------------
My debug printout shows that my setting of checkEmptyStream to true is picked
up all right, but IOUtils.isEmpty(context.getEntityStream()) returns false even
though there is no payload. This can be further verified by removing
"HttpMethod.GET.equals(context.getMethod())" and relying solely on
"isCheckEmptyStream() && IOUtils.isEmpty(context.getEntityStream())".

> JwsJsonContainerRequestFilter throws exception in case of DELETE method
> invocation with empty payload
> ---------------------------------------------------------------------------------------------------------
>
> Key: CXF-7503
> URL: https://issues.apache.org/jira/browse/CXF-7503
> Project: CXF
> Issue Type: Bug
> Affects Versions: 3.2.0
> Reporter: Daniel
> Assignee: Sergey Beryozkin
> Priority: Critical
> Fix For: 3.1.14, 3.2.1
>
>
> Below is the stack trace. As the GET method does not have such an issue, I
> looked into JwsJsonContainerRequestFilter and found JWS is bypassed in case of
> GET method. I think DELETE should also bypass the check. (Note that when DELETE
> method has an empty response, JWS should also be bypassed)
> public class JwsJsonContainerRequestFilter extends
>         AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
>     @Override
>     public void filter(ContainerRequestContext context) throws IOException {
>         // GET requests skip JWS processing entirely
>         if (HttpMethod.GET.equals(context.getMethod())) {
>             return;
>         }
>         // ... rest of the method not shown in the report
>     }
> }
> ========GET=======
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
> INFO: Inbound Message
> ----------------------------
> ID: 3
> Address: http://localhost:9000/app/swaggerSample/sample/aaa
> Http-Method: GET
> Content-Type: application/json
> Headers: {Accept=[application/json], cache-control=[no-cache],
> connection=[keep-alive], content-type=[application/json],
> host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingOutInterceptor
> INFO: Outbound Message
> ---------------------------
> ID: 3
> Response-Code: 200
> Content-Type: application/jose+json
> Headers: {Content-Type=[application/jose+json], Date=[Thu, 14 Sep 2017
> 23:17:04 GMT], Access-Control-Allow-Origin=[*],
> Access-Control-Allow-Methods=[GET, POST, DELETE, PUT, PATCH],
> Access-Control-Allow-Headers=[Content-Type]}
> Payload:
> {"payload":"eyJuYW1lIjoiYWFhIiwidmFsdWUiOiIxMTEiLCJjb2RlIjoiISEhIn0","signatures":[{"protected":"eyJhbGciOiJFUzI1NiIsImN0eSI6Impzb24ifQ","signature":"q7h5u-a6OmWH8bXCXPF27aD8-euUqqPGPzvBkEl3WfaUenNLU0uFbCsyzXCVbhrbX5SMZra3ePQO4D3Hh6msNw"}]}
> --------------------------------------
> =======DELETE========
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
> INFO: Inbound Message
> ----------------------------
> ID: 4
> Address: http://localhost:9000/app/swaggerSample/sample/aaa
> Http-Method: DELETE
> Content-Type: application/json
> Headers: {Accept=[application/json], cache-control=[no-cache],
> connection=[keep-alive], content-type=[application/json],
> host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
> WARNING: Interceptor for {http://server.swagger.jaxrs.demo/}Sample has thrown
> exception, unwinding now
> java.lang.StringIndexOutOfBoundsException: String index out of range: -2
> at java.lang.String.substring(String.java:1967)
> at
> org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
> at
> org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
> at
> org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
> at
> org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
> at
> org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
> at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
> at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain unwind
> WARNING: Exception in handleFault on interceptor
> org.apache.cxf.jaxrs.interceptor.JAXRSDefaultFaultOutInterceptor@6d703c7a
> org.apache.cxf.interceptor.Fault: String index out of range: -2
> at
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:75)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.wrapExceptionAsFault(PhaseInterceptorChain.java:374)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:332)
> at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
> at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
> at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.StringIndexOutOfBoundsException: String index out of
> range: -2
> at java.lang.String.substring(String.java:1967)
> at
> org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
> at
> org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
> at
> org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
> at
> org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
> at
> org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
> at
> org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
> ... 26 more
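
The empty-payload check discussed in the comment can be done without consuming the body by reading one byte and pushing it back. The sketch below is an added example, not part of the original message and not CXF's own code; the class `EmptyEntityProbe`, its `probe` and `noMark` helpers and the sample bodies are hypothetical and use only the JDK. In a JAX-RS filter the returned stream would be handed back with `ContainerRequestContext.setEntityStream`.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;

public class EmptyEntityProbe {

    /** Probe result: whether the body is empty, and the stream to read from afterwards. */
    static final class Probe {
        final boolean empty;
        final InputStream stream;
        Probe(boolean empty, InputStream stream) { this.empty = empty; this.stream = stream; }
    }

    /** Reads at most one byte and pushes it back, so a later JWS consumer sees the full body. */
    static Probe probe(InputStream in) throws IOException {
        if (in == null) {
            return new Probe(true, new ByteArrayInputStream(new byte[0]));
        }
        // A stream without mark/reset cannot be peeked in place; wrap it so one byte can be unread.
        PushbackInputStream pb = in instanceof PushbackInputStream
                ? (PushbackInputStream) in : new PushbackInputStream(in, 1);
        int first = pb.read();
        if (first == -1) {
            return new Probe(true, pb);   // end of stream on the first read: no payload
        }
        pb.unread(first);                 // restore the byte that was just consumed
        return new Probe(false, pb);
    }

    /** Constructed stand-in for a container input stream that does not support mark/reset. */
    static InputStream noMark(byte[] data) {
        return new FilterInputStream(new ByteArrayInputStream(data)) {
            @Override public boolean markSupported() { return false; }
        };
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a DELETE with no payload and a POST with a small JSON body.
        Probe delete = probe(noMark(new byte[0]));
        Probe post = probe(noMark("{\"payload\":\"e30\"}".getBytes(StandardCharsets.UTF_8)));
        System.out.println("DELETE empty=" + delete.empty);
        System.out.println("POST empty=" + post.empty
                + " firstByte=" + (char) post.stream.read());
    }
}
```

A request that skips verification because its body is empty carries no JWS protection, so authorization for such DELETE calls has to come from another control.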