cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [cxf] branch 3.1.x-fixes updated: [CXF-7503] Explicit check for DELETE with an option to override
Date Fri, 22 Sep 2017 15:49:33 GMT
This is an automated email from the ASF dual-hosted git repository.

sergeyb pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.1.x-fixes by this push:
     new 94d49a8  [CXF-7503] Explicit check for DELETE with an option to override
94d49a8 is described below

commit 94d49a8a173f6bf1d7f31ab6990eac9025b2e28a
Author: Sergey Beryozkin <sberyozkin@gmail.com>
AuthorDate: Fri Sep 22 15:55:12 2017 +0100

    [CXF-7503] Explicit check for DELETE with an option to override
---
 .../main/java/org/apache/cxf/helpers/IOUtils.java  | 29 +++++++++-------------
 .../jaxrs/impl/ContainerRequestContextImpl.java    |  4 ---
 .../java/org/apache/cxf/jaxrs/utils/HttpUtils.java | 10 ++++++++
 .../client/spec/ClientResponseContextImpl.java     |  6 ++++-
 .../jose/jaxrs/JweClientResponseFilter.java        |  3 +--
 .../jose/jaxrs/JweContainerRequestFilter.java      | 10 +++++---
 .../jose/jaxrs/JweJsonClientResponseFilter.java    |  3 +--
 .../jose/jaxrs/JweJsonContainerRequestFilter.java  | 11 +++++---
 .../jose/jaxrs/JwsClientResponseFilter.java        |  2 +-
 .../jose/jaxrs/JwsContainerRequestFilter.java      |  9 +++++--
 .../jose/jaxrs/JwsJsonClientResponseFilter.java    |  2 +-
 .../jose/jaxrs/JwsJsonContainerRequestFilter.java  |  9 +++++--
 12 files changed, 60 insertions(+), 38 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
index 778f781..763cc62 100644
--- a/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/IOUtils.java
@@ -48,37 +48,32 @@ public final class IOUtils {
         if (is == null) {
             return true;
         }
-        try {
-            // if available is 0 it does not mean it is empty; it can also throw IOException
-            if (is.available() > 0) {
-                return false;
-            }
-        } catch (IOException ex) {
-            // ignore
+        // if available is 0 it does not mean it is empty
+        if (is.available() > 0) {
+            return false;
         }
         
         final byte[] bytes = new byte[1];
-        try {
-            if (is.markSupported()) {
-                is.mark(1);
-                try {
-                    return isEof(is.read(bytes));
-                } finally {
-                    is.reset();
-                }
+        if (is.markSupported()) {
+            is.mark(1);
+            try {
+                return isEof(is.read(bytes));
+            } finally {
+                is.reset();
             }
-        } catch (IOException ex) {
-            // ignore
         }
+        
         if (!(is instanceof PushbackInputStream)) {
             return false;
         }
+        
         // it may be an attachment stream
         PushbackInputStream pbStream = (PushbackInputStream)is;
         boolean isEmpty = isEof(pbStream.read(bytes));
         if (!isEmpty) {
             pbStream.unread(bytes);
         }
+        
         return isEmpty;
     }
     private static boolean isEof(int result) {
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
index 94a8ce6..57355e3 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/ContainerRequestContextImpl.java
@@ -68,10 +68,6 @@ public class ContainerRequestContextImpl extends AbstractRequestContextImpl
 
     @Override
     public boolean hasEntity() {
-        InputStream is = getEntityStream();
-        if (is == null) {
-            return false;
-        }
         // Is Content-Length is explicitly set to 0 ?
         if (HttpUtils.isPayloadEmpty(getHeaders())) {
             return false;
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
index e77f6e2..2543b25 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
@@ -26,11 +26,14 @@ import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.ResourceBundle;
+import java.util.Set;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -92,6 +95,9 @@ public final class HttpUtils {
     private static final String PATH_RESERVED_CHARACTERS = "=@/:!$&\'(),;~";
     private static final String QUERY_RESERVED_CHARACTERS = "?/,";
     
+    private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_CONTENT =
+        new HashSet<String>(Arrays.asList(new String[]{"GET", "HEAD", "OPTIONS", "TRACE"}));
+
     private HttpUtils() {
     }
     
@@ -676,4 +682,8 @@ public final class HttpUtils {
 
         return clazz.cast(value);
     }
+
+    public static boolean isMethodWithNoContent(String method) {
+        return KNOWN_HTTP_VERBS_WITH_NO_CONTENT.contains(method);
+    }
 }
diff --git a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
index e32c46f..fe4f362 100644
--- a/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
+++ b/rt/rs/client/src/main/java/org/apache/cxf/jaxrs/client/spec/ClientResponseContextImpl.java
@@ -61,7 +61,11 @@ public class ClientResponseContextImpl extends AbstractResponseContextImpl
     }
     
     @Override
-    public boolean hasEntity() { 
+    public boolean hasEntity() {
+        // Is Content-Length is explicitly set to 0 ?
+        if (HttpUtils.isPayloadEmpty(getHeaders())) {
+            return false;
+        }
         try {
             return !IOUtils.isEmpty(getEntityStream());
         } catch (IOException ex) {
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
index b66d07d..8c8f71c 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
 import javax.ws.rs.client.ClientResponseContext;
 import javax.ws.rs.client.ClientResponseFilter;
 
-import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 
@@ -34,7 +33,7 @@ import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 public class JweClientResponseFilter extends AbstractJweDecryptingFilter implements ClientResponseFilter
{
     @Override
     public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException
{
-        if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+        if (isCheckEmptyStream() && !res.hasEntity()) {
             return;
         }
         JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index 951c237..9486365 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 
@@ -36,8 +36,8 @@ import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter
{
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        if (HttpMethod.GET.equals(context.getMethod())
-            || isCheckEmptyStream() && IOUtils.isEmpty(context.getEntityStream()))
{
+        if (isMethodWithNoContent(context.getMethod())
+            || isCheckEmptyStream() && !context.hasEntity()) {
             return;
         }
         JweDecryptionOutput out = decrypt(context.getEntityStream());
@@ -52,4 +52,8 @@ public class JweContainerRequestFilter extends AbstractJweDecryptingFilter
imple
             super.validateHttpHeadersIfNeeded(context.getHeaders(), out.getHeaders());
         }
     }
+    
+    protected boolean isMethodWithNoContent(String method) {
+        return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoContent(method);
+    }
 }
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
index 9ee2b66..27f2a51 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
@@ -26,7 +26,6 @@ import javax.ws.rs.client.ClientRequestContext;
 import javax.ws.rs.client.ClientResponseContext;
 import javax.ws.rs.client.ClientResponseFilter;
 
-import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 
@@ -34,7 +33,7 @@ import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 public class JweJsonClientResponseFilter extends AbstractJweJsonDecryptingFilter implements
ClientResponseFilter {
     @Override
     public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException
{
-        if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+        if (isCheckEmptyStream() && !res.hasEntity()) {
             return;
         }
         JweDecryptionOutput out = decrypt(res.getEntityStream());
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
index 6373483..30e1b33 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
@@ -27,7 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 
-import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -38,8 +38,8 @@ import org.apache.cxf.rs.security.jose.jwe.JweException;
 public class JweJsonContainerRequestFilter extends AbstractJweJsonDecryptingFilter implements
ContainerRequestFilter {
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        if (HttpMethod.GET.equals(context.getMethod())
-            || isCheckEmptyStream() && IOUtils.isEmpty(context.getEntityStream()))
{
+        if (isMethodWithNoContent(context.getMethod())
+            || isCheckEmptyStream() && !context.hasEntity()) {
             return;
         }
         try {
@@ -59,4 +59,9 @@ public class JweJsonContainerRequestFilter extends AbstractJweJsonDecryptingFilt
             return;
         }
     }
+    
+    protected boolean isMethodWithNoContent(String method) {
+        return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoContent(method);
+    }
+    
 }
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index ecbd49c..4e7acca 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -36,7 +36,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsClientResponseFilter extends AbstractJwsReaderProvider implements ClientResponseFilter
{
     @Override
     public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException
{
-        if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+        if (isCheckEmptyStream() && !res.hasEntity()) {
             return;
         }
         JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index 5031005..97062ba 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
@@ -41,8 +42,8 @@ import org.apache.cxf.security.SecurityContext;
 public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter
{
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        if (HttpMethod.GET.equals(context.getMethod())
-            || isCheckEmptyStream() && IOUtils.isEmpty(context.getEntityStream()))
{
+        if (isMethodWithNoContent(context.getMethod())
+            || isCheckEmptyStream() && !context.hasEntity()) {
             return;
         }
         JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
@@ -94,4 +95,8 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
         }
         return null;
     }
+    
+    protected boolean isMethodWithNoContent(String method) {
+        return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoContent(method);
+    }
 }
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index 7d6ef35..1091671 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -36,7 +36,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider implements
ClientResponseFilter {
     @Override
     public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException
{
-        if (isCheckEmptyStream() && IOUtils.isEmpty(res.getEntityStream())) {
+        if (isCheckEmptyStream() && !res.hasEntity()) {
             return;
         }
         JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index c7845bb..b9caca7 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsException;
@@ -40,8 +41,8 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider implements
ContainerRequestFilter {
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        if (HttpMethod.GET.equals(context.getMethod())
-            || isCheckEmptyStream() && IOUtils.isEmpty(context.getEntityStream()))
{
+        if (isMethodWithNoContent(context.getMethod())
+            || isCheckEmptyStream() && !context.hasEntity()) {
             return;
         }
         JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
@@ -67,4 +68,8 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
             super.validateHttpHeadersIfNeeded(context.getHeaders(), sigEntry.getProtectedHeader());
         }
     }
+
+    protected boolean isMethodWithNoContent(String method) {
+        return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoContent(method);
+    }
 }

-- 
To stop receiving notification emails like this one, please contact
['"commits@cxf.apache.org" <commits@cxf.apache.org>'].

Mime
View raw message