cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6848) Cannot use JAX-RS properties maxAttributeSize/maxTextLength with FastInfoset
Date Thu, 14 Apr 2016 17:15:25 GMT

    [ https://issues.apache.org/jira/browse/CXF-6848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241527#comment-15241527 ]

Daniel Kulp commented on CXF-6848:
----------------------------------

This is more or less working as designed. If you specify those properties, you are pretty
much demanding that you want the security of those things enforced. However, FastInfoset
does not provide any means to enforce any of those security requirements. Thus, we bail
as we cannot guarantee the security requirements.

If you set a system property of "org.apache.cxf.stax.allowInsecureParser" to true prior to
starting CXF, it would just log a warning. I suppose that could be changed to a contextual
property as well to specify if a particular endpoint could allow the insecure stuff or not.
 



> Cannot use JAX-RS properties maxAttributeSize/maxTextLength with FastInfoset
> ----------------------------------------------------------------------------
>
>                 Key: CXF-6848
>                 URL: https://issues.apache.org/jira/browse/CXF-6848
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.0, 3.1.5
>         Environment: JRE 1.7
>            Reporter: Cyril Dangerville
>
> When FastInfoset is enabled, specifying JAX-RS property {{org.apache.cxf.stax.maxAttributeSize}} or {{org.apache.cxf.stax.maxTextLength}} (at any level) will fail with
> {noformat}
> Caused by: java.lang.ClassCastException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
>         at org.apache.cxf.staxutils.WoodstoxHelper.setProperty(WoodstoxHelper.java:41)
>         at org.apache.cxf.staxutils.StaxUtils.setProperty(StaxUtils.java:2209)
>         at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2169)
> {noformat}
> To reproduce the error, check out the sources of CXF (or only CXF JAXRS system tests), in v3.1.5 for example, then add property _maxAttributeSize_ or _maxTextLength_ to the configuration of jaxrs server {{restservice3}} in file {{cxf/systests/jaxrs/src/test/resources/jaxrs_soap_rest/WEB-INF/beans.xml}} as follows:
> {noformat}
> ...
> <jaxrs:server id="restservice3" address="/rest3">
> ...
>         <jaxrs:properties>
>             <entry key="org.apache.cxf.endpoint.private" value="true"/>
>             <!--  BEGIN CHANGE -->
>              <entry key="org.apache.cxf.stax.maxAttributeSize" value="500" /> 
>             <!--  END CHANGE -->
>         </jaxrs:properties>
>     </jaxrs:server>
> ...
> {noformat}
> Increase CXF log level by adding file {{logging.properties}} to directory {{cxf/systests/jaxrs}} with similar content:
> {noformat}
> handlers = java.util.logging.ConsoleHandler
> java.util.logging.ConsoleHandler.level = INFO
> .level=INFO
> {noformat}
> Then, from directory {{cxf/systests/jaxrs}}, run:
> {noformat}
> $ mvn clean
> $ mvn -Pnochecks -Djava.util.logging.config.file=logging.properties -Dtest=JAXRSSoapBookTest#testPostGetBookFastinfoset test
> {noformat}
> You should get a stacktrace as follows:
> {noformat}
> javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
> 	at org.apache.cxf.jaxrs.utils.SpecExceptions.toInternalServerErrorException(SpecExceptions.java:79)
> 	at org.apache.cxf.jaxrs.utils.ExceptionUtils.toInternalServerErrorException(ExceptionUtils.java:106)
> 	at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.configureReaderRestrictions(AbstractJAXBProvider.java:809)
> 	at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.createDepthReaderIfNeeded(AbstractJAXBProvider.java:798)
> 	at org.apache.cxf.jaxrs.provider.JAXBElementProvider.getStreamReader(JAXBElementProvider.java:268)
> 	at org.apache.cxf.jaxrs.provider.JAXBElementProvider.doUnmarshal(JAXBElementProvider.java:231)
> 	at org.apache.cxf.jaxrs.provider.JAXBElementProvider.readFrom(JAXBElementProvider.java:193)
> 	at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBodyReader(JAXRSUtils.java:1343)
> 	at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBody(JAXRSUtils.java:1294)
> 	at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameter(JAXRSUtils.java:826)
> 	at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameters(JAXRSUtils.java:789)
> 	at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:212)
> 	at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:253)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> 	at org.eclipse.jetty.server.Server.handle(Server.java:499)
> 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
> 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> 	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.xml.stream.XMLStreamException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
> 	at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2196)
> 	at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2128)
> 	at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.configureReaderRestrictions(AbstractJAXBProvider.java:807)
> 	... 40 more
> Caused by: java.lang.ClassCastException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
> 	at org.apache.cxf.staxutils.WoodstoxHelper.setProperty(WoodstoxHelper.java:41)
> 	at org.apache.cxf.staxutils.StaxUtils.setProperty(StaxUtils.java:2209)
> 	at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2169)
> 	... 42 more
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
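
The fail-closed behaviour described in the comment above (refuse to parse when the StAX implementation cannot enforce a requested limit, unless the system property downgrades that to a warning), as an added example that is not part of the original message and is not CXF's own code. `applyLimit` is a hypothetical helper, and the Woodstox-style property name `com.ctc.wstx.maxAttributeSize` is an assumption.

```java
import java.util.logging.Logger;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;

public class FailClosedReaderLimits {
    private static final Logger LOG =
            Logger.getLogger(FailClosedReaderLimits.class.getName());

    // System property named in the comment above.
    static final String ALLOW_INSECURE = "org.apache.cxf.stax.allowInsecureParser";

    /**
     * Hypothetical helper: apply a size limit to a StAX factory, or refuse to go on.
     * Returns true if the limit is enforced, false if the override let it through.
     */
    static boolean applyLimit(XMLInputFactory factory, String limitProperty, int value)
            throws XMLStreamException {
        if (factory.isPropertySupported(limitProperty)) {
            factory.setProperty(limitProperty, value);
            return true;
        }
        String msg = factory.getClass().getName() + " cannot enforce " + limitProperty;
        // Explicit opt-out: the operator accepts parsing without the limit.
        if (Boolean.getBoolean(ALLOW_INSECURE)) {
            LOG.warning(msg + "; continuing without it because "
                    + ALLOW_INSECURE + "=true");
            return false;
        }
        // Default: a limit that cannot be enforced is treated as a failure.
        throw new XMLStreamException(msg + "; refusing to parse");
    }

    public static void main(String[] args) {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Assumed Woodstox-style property name; a parser that does not
        // recognise it takes the fail-closed branch.
        String limit = "com.ctc.wstx.maxAttributeSize";
        try {
            System.out.println("limit enforced: " + applyLimit(factory, limit, 500));
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```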
