cxf-issues mailing list archives

From "Dmitry Kozlov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6297) JAX-RS BeanValidation feature fails with NPE in JAXRSBeanValidationOutInterceptor on sub-resource call
Date Wed, 25 Mar 2015 12:47:52 GMT

    [ https://issues.apache.org/jira/browse/CXF-6297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14379808#comment-14379808 ]

Dmitry Kozlov commented on CXF-6297:
------------------------------------

Thanks Sergey,

I'll take a look. My quick recent experiment shows that Jersey reverses this logic :) It applies
the request filter once, while the response filter is applied twice ))) Anyway, I'll need to double-check. But at
this moment my personal preference is clearly CXF.

As for pre-matching - it might be a good idea (actually the best - I thought about it as well),
the only concern is to make sure it's DDoS-proof for the case when an attacker generates paths
randomly. Frankly speaking, I'd prefer to bother the auth server only when there is something
to call (i.e. when a match is detected), otherwise 405 should be enough.

As for the rest of the cases, granular use of NameBinding might be a way.

Anyway, the spec leaves the impression that the sub-resources case didn't get too much attention.
IMHO :)

Thank you!

> JAX-RS BeanValidation feature fails with NPE in JAXRSBeanValidationOutInterceptor on sub-resource call
> ------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6297
>                 URL: https://issues.apache.org/jira/browse/CXF-6297
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.0.4
>            Reporter: Dmitry Kozlov
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.0, 3.0.5
>
>
> With {{JAXRSBeanValidationFeature}} enabled, CXF fails to process a request to a sub-resource with an exception like this:
> {code}
> 23:58:16.049 [qtp457732796-28] WARN  o.a.cxf.phase.PhaseInterceptorChain - Interceptor for {http://example.com/}MainResource has thrown exception, unwinding now
> java.lang.NullPointerException: null
>     at org.apache.cxf.jaxrs.validation.ValidationUtils.getResourceInstance(ValidationUtils.java:39) ~[cxf-rt-frontend-jaxrs-3.0.4.jar:3.0.4]
>     at org.apache.cxf.jaxrs.validation.JAXRSBeanValidationOutInterceptor.getServiceObject(JAXRSBeanValidationOutInterceptor.java:44) ~[cxf-rt-frontend-jaxrs-3.0.4.jar:3.0.4]
>     at org.apache.cxf.validation.AbstractValidationInterceptor.handleMessage(AbstractValidationInterceptor.java:60) ~[cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.interceptor.OutgoingChainInterceptor.handleMessage(OutgoingChainInterceptor.java:83) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [javax.servlet-api-3.1.0.jar:3.1.0]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268) [cxf-rt-transports-http-3.0.4.jar:3.0.4]
>     ...
> {code}
> The example resource code:
> {code}
> @Path("/main")
> public interface MainResource {
>     @Path("/sub/{id}")
>     SubResource subResource(@PathParam("id") @Size(min=3, max=255) String id);
> }
> -----
> public interface SubResource {
>     @GET
>     @Path("/items")
>     List<String> items();
> }
> GET http://example.com/main/sub/123/items
> {code}
> NPE happens at [ValidationUtils.java:39|https://github.com/apache/cxf/blob/c79696bfc1aee1d1204cbd592f6bc5c83c0d9dae/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/validation/ValidationUtils.java#L39], since {{resourceProvider}} retrieved on previous line is {{null}}:
> {code:java|firstline=33|highlight=39}
>     public static Object getResourceInstance(Message message) {
>         final OperationResourceInfo ori = message.getExchange().get(OperationResourceInfo.class);
>         if (ori == null) {
>             return null;
>         }
>         final ResourceProvider resourceProvider = ori.getClassResourceInfo().getResourceProvider();
>         if (!resourceProvider.isSingleton()) {
>             String error = "Service object is not a singleton, use a custom invoker to validate";
>             LOG.warning(error);
>             return null;
>         } else {
>             return resourceProvider.getInstance(message);
>         }
>     }
> {code}
> This happens only during invocation of {{JAXRSBeanValidationOutInterceptor}} and only when calling sub-resources as in example above.
> h3. Partial Workaround
> The partial workaround is to enable in-interceptor only. But this won't work for people wishing to validate response entities as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
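
An added illustration of the name-binding approach mentioned in the comment above (not code from the thread or from CXF): a name-bound request filter runs only after a resource method has been matched, so requests for random, unmatched paths never reach the auth server. The names `Secured`, `TokenAuthFilter` and `ItemsResource`, and the `Predicate<String>` standing in for the auth-server client, are assumptions; the sketch covers a root-resource method only and does not show sub-resource locators.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.function.Predicate;
import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.NameBinding;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

// Hypothetical binding annotation: marks the operations that need a token check.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secured { }

// Not @PreMatching: the runtime matches the request to a resource method first,
// and invokes this filter only for methods (or classes) annotated with @Secured.
@Secured
@Priority(Priorities.AUTHENTICATION)
class TokenAuthFilter implements ContainerRequestFilter {
    private final Predicate<String> authServer; // assumption: wraps the remote token check

    TokenAuthFilter(Predicate<String> authServer) { this.authServer = authServer; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String h = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Cheap local check first; && / || short-circuit, so a missing or
        // malformed header is rejected without a call to the auth server.
        boolean wellFormed = h != null && h.startsWith("Bearer ");
        if (!wellFormed || !authServer.test(h.substring("Bearer ".length()))) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}

@Path("/main")
public class ItemsResource {
    @GET
    @Path("/items")
    @Secured // only this operation triggers TokenAuthFilter
    public String items() { return "[]"; }
}
```

Register a `TokenAuthFilter` instance as a provider alongside the resource, passing in the real auth-server client.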
