Date: Tue, 28 Nov 2017 10:52:04 +0000 (UTC)
From: "Colm O hEigeartaigh (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Closed] (CXF-7503) JwsJsonContainerRequestFilter throws exception in case of DELETE method invocation with empty payload

     [ https://issues.apache.org/jira/browse/CXF-7503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-7503.
------------------------------------

> JwsJsonContainerRequestFilter throws exception in case of DELETE method invocation with empty payload
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-7503
>                 URL: https://issues.apache.org/jira/browse/CXF-7503
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.2.0
>            Reporter: Daniel
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.1.14, 3.2.1
>
>
> Below is the stack trace. As GET method does not have such an issue, I looked into JwsJsonContainerRequestFilter and found JWS is bypassed in case of GET method. I think DELETE should also bypass the check.
> (Note that when DELETE method has an empty response, JWS should also be bypassed)
> public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
>     @Override
>     public void filter(ContainerRequestContext context) throws IOException {
>         if (HttpMethod.GET.equals(context.getMethod())) {
>             return;
>         }
> ========GET=======
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
> INFO: Inbound Message
> ----------------------------
> ID: 3
> Address: http://localhost:9000/app/swaggerSample/sample/aaa
> Http-Method: GET
> Content-Type: application/json
> Headers: {Accept=[application/json], cache-control=[no-cache], connection=[keep-alive], content-type=[application/json], host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingOutInterceptor
> INFO: Outbound Message
> ---------------------------
> ID: 3
> Response-Code: 200
> Content-Type: application/jose+json
> Headers: {Content-Type=[application/jose+json], Date=[Thu, 14 Sep 2017 23:17:04 GMT], Access-Control-Allow-Origin=[*], Access-Control-Allow-Methods=[GET, POST, DELETE, PUT, PATCH], Access-Control-Allow-Headers=[Content-Type]}
> Payload: {"payload":"eyJuYW1lIjoiYWFhIiwidmFsdWUiOiIxMTEiLCJjb2RlIjoiISEhIn0","signatures":[{"protected":"eyJhbGciOiJFUzI1NiIsImN0eSI6Impzb24ifQ","signature":"q7h5u-a6OmWH8bXCXPF27aD8-euUqqPGPzvBkEl3WfaUenNLU0uFbCsyzXCVbhrbX5SMZra3ePQO4D3Hh6msNw"}]}
> --------------------------------------
> =======DELETE========
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.interceptor.LoggingInInterceptor
> INFO: Inbound Message
> ----------------------------
> ID: 4
> Address: http://localhost:9000/app/swaggerSample/sample/aaa
> Http-Method: DELETE
> Content-Type: application/json
> Headers: {Accept=[application/json], cache-control=[no-cache], connection=[keep-alive], content-type=[application/json], host=[localhost:9000], pragma=[no-cache], user-agent=[Apache-CXF/3.2.0]}
> --------------------------------------
> Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> WARNING: Interceptor for {http://server.swagger.jaxrs.demo/}Sample has thrown exception, unwinding now
> java.lang.StringIndexOutOfBoundsException: String index out of range: -2
>     at java.lang.String.substring(String.java:1967)
>     at org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
>     at org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
>     at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:748)
> Sep 14, 2017 4:17:04 PM org.apache.cxf.phase.PhaseInterceptorChain unwind
> WARNING: Exception in handleFault on interceptor org.apache.cxf.jaxrs.interceptor.JAXRSDefaultFaultOutInterceptor@6d703c7a
> org.apache.cxf.interceptor.Fault: String index out of range: -2
>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:75)
>     at org.apache.cxf.phase.PhaseInterceptorChain.wrapExceptionAsFault(PhaseInterceptorChain.java:374)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:332)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doDelete(AbstractHTTPServlet.java:231)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: -2
>     at java.lang.String.substring(String.java:1967)
>     at org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter.fromJson(JsonMapObjectReaderWriter.java:155)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.prepare(JwsJsonConsumer.java:56)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:51)
>     at org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer.<init>(JwsJsonConsumer.java:47)
>     at org.apache.cxf.rs.security.jose.jaxrs.JwsJsonContainerRequestFilter.filter(JwsJsonContainerRequestFilter.java:47)
>     at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1681)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     ... 26 more

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
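
Added example, not part of the original message and not CXF code: a plain-Java model of the guard the report asks for, with the bypass keyed on an empty body rather than on the HTTP method, so a DELETE that does carry a body still goes to JWS verification. The class JwsEmptyBodyGuard, the helpers decide() and stripOuterBraces(), and the sample requests are hypothetical; stripOuterBraces() is only a stand-in showing how an unchecked substring fails on an empty string, as at the top of the trace above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class JwsEmptyBodyGuard {

    enum Decision { SKIP_NO_BODY, VERIFY_JWS, REJECT_400 }

    // Hypothetical stand-in for the JSON step at the top of the trace (not CXF code):
    // stripping the outer braces with no length check fails on an empty string.
    static String stripOuterBraces(String json) {
        return json.substring(1, json.length() - 1);
    }

    // Key the bypass on the absence of a body instead of on the HTTP method,
    // so a DELETE (or GET) that does carry a body is still sent to verification.
    static Decision decide(String body) {
        String trimmed = body == null ? "" : body.trim();
        if (trimmed.isEmpty()) {
            return Decision.SKIP_NO_BODY;
        }
        // Anything that is not a JSON object cannot be JWS JSON: answer with a
        // client error instead of letting a parser exception surface as a 500.
        if (trimmed.length() < 2 || !trimmed.startsWith("{") || !trimmed.endsWith("}")) {
            return Decision.REJECT_400;
        }
        return Decision.VERIFY_JWS;
    }

    public static void main(String[] args) {
        // Constructed sample requests (method -> body), not taken from the report.
        Map<String, String> requests = new LinkedHashMap<>();
        requests.put("GET", "");
        requests.put("DELETE", "");
        requests.put("POST", "{\"payload\":\"e30\",\"signatures\":[]}");
        requests.put("PUT", "not-json");

        for (Map.Entry<String, String> r : requests.entrySet()) {
            System.out.println(r.getKey() + " -> " + decide(r.getValue()));
        }

        // The unguarded path on the empty DELETE body fails the same way as the trace.
        try {
            stripOuterBraces("");
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("unguarded parse of empty body: " + e.getClass().getSimpleName());
        }
    }
}
```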