
Support for new property to ignore responses in exceptions thrown by the Client API #4641

Merged
merged 1 commit into from
Nov 30, 2020

Conversation

spericas
Contributor

Support for new property to ignore responses in exceptions thrown by the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

@dansiviter

@spericas I'm interested to learn a little more about the use-case. Ignoring the response at the client-side feels like closing the stable door after the horse has bolted. Can you explain a little more?

@jansupol
Contributor

@dansiviter This is really only about preventing accidental leaks of confidential data, should the response contain them, such as from the third-party servers, similar to the test case (in the PR), when the second resource would be the confidential endpoint. The response is meant for the first resource, but not for the client requesting the first resource.
While the users should use a try-catch block for handling the exceptions, they rarely do. The option is meant to be the framework support for customers who do not want to propagate the confidential info, but for some reason, they cannot modify their code.
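The scenario described in the PR description and in the comment above, as an added illustration that is not code from the PR or from the Jersey project: a front-end resource calls a downstream endpoint with the JAX-RS Client API, and a 4xx/5xx from that endpoint surfaces as a `WebApplicationException` carrying the downstream `Response`. The `FirstResource` class, the `guarded` sub-path and the downstream URI are hypothetical; the property name is the one introduced by this PR, used here as a string literal.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

// Hypothetical front-end resource (not part of the PR) that fans out to a
// downstream service whose error bodies are meant for this service only.
@Path("first")
public class FirstResource {

    // Property introduced by the PR, as a literal so the example does not rely on a constant.
    private static final String IGNORE_EXCEPTION_RESPONSE =
            "jersey.config.client.ignoreExceptionResponse";

    // Placeholder downstream address; ".invalid" is reserved and never resolves.
    private static final String DOWNSTREAM_URI = "http://downstream.example.invalid/second";

    // With the property set, any Response attached to a client-side exception is
    // replaced by an empty one that keeps only the original status code.
    private final Client client = ClientBuilder.newBuilder()
            .property(IGNORE_EXCEPTION_RESPONSE, true)
            .build();

    @GET
    public String get() {
        // No try-catch, which the discussion notes is the common case. Without the
        // property, a downstream error makes this call throw a WebApplicationException
        // whose Response still carries the downstream entity; when that exception
        // leaves the resource method, JAX-RS serialises that Response back to the
        // original caller, body included. With the property, only the status survives.
        return client.target(DOWNSTREAM_URI).request().get(String.class);
    }

    @GET
    @Path("guarded")
    public Response getGuarded() {
        // The explicit handling the comment recommends: the same mapping the property
        // performs, done by hand, so the downstream body is never forwarded even when
        // the property is not configured.
        try {
            String body = client.target(DOWNSTREAM_URI).request().get(String.class);
            return Response.ok(body).build();
        } catch (WebApplicationException e) {
            int downstreamStatus = e.getResponse().getStatus();
            return Response.status(downstreamStatus).build();
        }
    }
}
```

Both methods illustrate the same point from different sides: the property is a framework-level safety net for code like `get()` that cannot be changed, while `getGuarded()` shows what the code would do if it handled the exception itself.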

@dansiviter

@jansupol Thanks. I'd hope the sensitive error data would not even be transmitted over the wire but I can see how poor error handling could lead to this also.

@jansupol jansupol merged commit 95c08d3 into eclipse-ee4j:master Nov 30, 2020
@jansupol jansupol added this to the 2.33 milestone Dec 7, 2020
spericas added a commit to spericas/helidon that referenced this pull request Feb 2, 2021
1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 2, 2021
1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 11, 2021
* Upgrade Netty to 4.1.58 (#2678)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Added overall timeout to evictable cache (#2659)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Fix copyright year for commits broken by squashing. (#2687)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Concat array enhancement (#2508)

* Concat array enhancement

Signed-off-by: Daniel Kec <daniel.kec@oracle.com>

* Update Jackson to 2.12.1 (#2690)

* Update Jackson to 2.12.1
* Upgrade to latest Junit5 to get fix for junit-team/junit5#2198
* Manage junit4 version

* PokemonService template fixed in SE Database Archetype. (#2701)

Signed-off-by: Tomas Kraus <Tomas.Kraus@oracle.com>

* Fixed different output in DbClient SE archetype (#2703)

Signed-off-by: Tomas Kraus <Tomas.Kraus@oracle.com>

* Fix TODO application: (#2708)

- WebSecurity needs to be passed config.get("security") to take the "security.web-server" configuration
- Added outbound configuration for the google login
- Upgraded cassandra driver to fix issues with old guava dependencies
- Removed metrics to avoid issues with cassandra driver.

Fixes #2707

* Update k8s descriptors to avoid using deprecated APIs. (#2719)

* Separate execution of DataChunkReleaseTest in its own VM to prevent leak messages in other test's logs. (#2716)

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Changes in this commit: (#2727)

1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Properly release underlying buffer before passing it to WebSocket handler (#2715)

* Properly release underlying buffer before passing it to handler.

* Releases data chunks after passing them to Tyrus without any copying. Reports an error and closes connection if Tyrus is unable to handle the data. Finally, fixed a problem related to subscription requests.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Removed unused logger.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed checkstyle.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fix issue with null value in JSON. (#2723)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Upgrade grpc to v1.35.0 (#2713)

* Upgrade grpc to v1.35.0

* Update copyright

* Upgrades OCI SDK to version 1.31.0 (#2699)

* Updated OCI to 1.31.0

Signed-off-by: Laird Nelson <laird.nelson@oracle.com>

* Fix null array values in HOCON/JSON config parser. (#2731)

Resolves #2720 (follow-up)

* Performance improvements to queue(s) management in Webserver (#2704)

* Initial patch.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed some type params and improved comments.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* More cleanup and make sure to fail publisher on an error condition.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Suppress warnings.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Call clearQueues on every new request for proper cleanup of keep-alive connections. Some copyright fixes.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed checkstyle issues.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Force logging of LEAK error even if finalize does not get called on a DataChunk.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Upgrade Weld (#2668)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Rest client async header propagation with usage of Helidon Context (#2735)

Rest client header propagation with usage of Helidon Context

Signed-off-by: David Kral <david.k.kral@oracle.com>

* Allow override of Jersey property via config (#2737)

* Allow the default value of property jersey.config.client.ignoreExceptionResponse to be overridden via config. New test.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed copyright year.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* New implementation of LazyValue (#2738)

* New implementation of LazyValue that lazily initializes a Semaphore instead of eagerly creating a ReentrantLock. Makes use of volatile guarantees and atomicity of VarHandle updates.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* New test for LazyValueImpl.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Reduced sleep time in test.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Update CHANGELOG for 2.2.1 release (#2743)

* 2.2.1 THIRD_PARTY_LICENSES update (#2746)

* Update THIRD_PARTY_LICENSES

* Support async invocations using optional synthetic SimplyTimed behavior (#2745)

* Add support for async invocations for optional inferred SimplyTimed behavior on JAX-RS endpoints

Signed-off-by: tim.quinn@oracle.com <tim.quinn@oracle.com>

* Do not attempt to access the request context in Fallback callback. If used together with Retry, it is possible for the fallback to be called in a fresh thread for which there is no current request scope. Instead just use the original value obtained in this class' constructor. Updated functional test (with some class renaming) to cover this use case. (#2748)

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fix for native image. (#2753)

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

* Fixed checkstyle issues.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

Co-authored-by: Tomas Langer <tomas.langer@gmail.com>
Co-authored-by: Daniel Kec <daniel.kec@oracle.com>
Co-authored-by: Joe DiPol <joe.dipol@oracle.com>
Co-authored-by: Tomáš Kraus <tomas.kraus@oracle.com>
Co-authored-by: Romain Grecourt <romain.grecourt@oracle.com>
Co-authored-by: Jonathan Knight <jk@thegridman.com>
Co-authored-by: Laird Nelson <laird.nelson@oracle.com>
Co-authored-by: David Král <david.k.kral@oracle.com>
Co-authored-by: Tim Quinn <tim.quinn@oracle.com>
spericas added a commit to spericas/helidon that referenced this pull request Feb 18, 2021
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 18, 2021
* Upgraded to Jersey 2.33. Fixed problem with SSE test and adapted 2.0 patch in eclipse-ee4j/jersey#4641.

* Removed unused import.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed copyright.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Run JerseyPropetiesTest in separate VM.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>

* Fixed copyright.

Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>