
Support for new property to ignore responses in exceptions thrown by the Client API #4641

Merged
merged 1 commit into from
Nov 30, 2020

Conversation

spericas
Contributor

Support for new property to ignore responses in exceptions thrown by the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data.

Signed-off-by: Santiago Pericasgeertsen [email protected]

@dansiviter

@spericas I'm interested to learn a little more about the use-case. Ignoring the response at the client-side feels like closing the stable door after the horse has bolted. Can you explain a little more?

@jansupol
Contributor

@dansiviter This is really only about preventing accidental leaks of confidential data, should the response contain them, such as from third-party servers, similar to the test case (in the PR), where the second resource would be the confidential endpoint. The response is meant for the first resource, but not for the client requesting the first resource.
While users should use a try-catch block for handling the exceptions, they rarely do. The option is meant to be framework support for customers who do not want to propagate the confidential info but, for some reason, cannot modify their code.
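To make the leak path described in the PR description and in the comment above concrete, here is an added example (not code from this PR or from Jersey) of a JAX-RS resource that calls a downstream service through the Jersey Client: one endpoint with a default client, one with the property from this PR set, and one with the explicit try/catch the discussion recommends. It assumes Jersey 2.33 on the javax.ws.rs namespace; the resource, its paths and BILLING_URL are hypothetical placeholders.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

// Added example, not from the PR. Assumes Jersey 2.33+ (javax.ws.rs namespace) where the
// property is honoured; the resource, its paths and BILLING_URL are hypothetical placeholders.
@Path("/orders")
public class OrdersResource {
    private static final String BILLING_URL = "http://billing.internal.example/accounts";
    // Default client: a 4xx/5xx from billing throws a WebApplicationException (e.g.
    // InternalServerErrorException) whose getResponse() still carries the downstream body.
    private static final Client defaultClient = ClientBuilder.newClient();
    // Same client with the property from this PR: the Response inside the exception is
    // replaced by an empty one that keeps only the downstream status code.
    private static final Client guardedClient = ClientBuilder.newClient()
            .property("jersey.config.client.ignoreExceptionResponse", true);

    @GET
    @Path("/unsafe")
    public String unsafe() {
        // If billing answers 500 with a verbose body and nothing catches the exception,
        // the JAX-RS runtime sends the exception's Response, body included, to our caller.
        return defaultClient.target(BILLING_URL).request().get(String.class);
    }

    @GET
    @Path("/guarded")
    public String guarded() {
        // Same code path; an uncaught exception now surfaces as a bare status with no body.
        return guardedClient.target(BILLING_URL).request().get(String.class);
    }

    @GET
    @Path("/explicit")
    public String explicit() {
        // The try/catch the discussion recommends: consume the downstream response here
        // and answer the caller with a generic error whose body you control.
        try {
            return defaultClient.target(BILLING_URL).request().get(String.class);
        } catch (WebApplicationException e) {
            e.getResponse().close();   // never forward the downstream body
            throw new WebApplicationException(
                    Response.status(Response.Status.BAD_GATEWAY).entity("upstream error").build());
        }
    }
}
```

The `/guarded` endpoint shows what the property buys when the code cannot be changed; `/explicit` is what the same protection looks like when it can.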

@dansiviter

@jansupol Thanks. I'd hope the sensitive error data would not even be transmitted over the wire but I can see how poor error handling could lead to this also.

@jansupol jansupol merged commit 95c08d3 into eclipse-ee4j:master Nov 30, 2020
@jansupol jansupol added this to the 2.33 milestone Dec 7, 2020
spericas added a commit to spericas/helidon that referenced this pull request Feb 2, 2021
1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 2, 2021
1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 11, 2021
* Upgrade Netty to 4.1.58 (#2678)

Signed-off-by: Tomas Langer <[email protected]>

* Added overall timeout to evictable cache (#2659)

Signed-off-by: Tomas Langer <[email protected]>

* Fix copyright year for commits broken by squashing. (#2687)

Signed-off-by: Tomas Langer <[email protected]>

* Concat array enhancement (#2508)

* Concat array enhancement

Signed-off-by: Daniel Kec <[email protected]>

* Update Jackson to 2.12.1 (#2690)

* Update Jackson to 2.12.1
* Upgrade to latest Junit5 to get fix for junit-team/junit5#2198
* Manage junit4 version

* PokemonService template fixed in SE Database Archetype. (#2701)

Signed-off-by: Tomas Kraus <[email protected]>

* Fixed different output in DbClient SE archetype (#2703)

Signed-off-by: Tomas Kraus <[email protected]>

* Fix TODO application: (#2708)

- WebSecurity needs to be passed config.get("security") to take the "security.web-server" configuration
- Added outbound configuration for the google login
- Upgraded cassandra driver to fix issues with old guava dependencies
- Removed metrics to avoid issues with cassandra driver.

Fixes #2707

* Update k8s descriptors to avoid using deprecated APIs. (#2719)

* Separate execution of DataChunkReleaseTest in its own VM to prevent leak messages in other test's logs. (#2716)

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Changes in this commit: (#2727)

1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Properly release underlying buffer before passing it to WebSocket handler (#2715)

* Properly release underlying buffer before passing it to handler.

* Releases data chunks after passing them to Tyrus without any copying. Reports an error and closes connection if Tyrus is unable to handle the data. Finally, fixed a problem related to subscription requests.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Removed unused logger.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed checkstyle.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fix issue with null value in JSON. (#2723)

Signed-off-by: Tomas Langer <[email protected]>

* Upgrade grpc to v1.35.0 (#2713)

* Upgrade grpc to v1.35.0

* Update copyright

* Upgrades OCI SDK to version 1.31.0 (#2699)

* Updated OCI to 1.31.0

Signed-off-by: Laird Nelson <[email protected]>

* Fix null array values in HOCON/JSON config parser. (#2731)

Resolves #2720 (follow-up)

* Performance improvements to queue(s) management in Webserver (#2704)

* Initial patch.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed some type params and improved comments.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* More cleanup and make sure to fail publisher on an error condition.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Suppress warnings.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Call clearQueues on every new request for proper cleanup of keep-alive connections. Some copyright fixes.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed checkstyle issues.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Force logging of LEAK error even if finalize does not get called on a DataChunk.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Upgrade Weld (#2668)

Signed-off-by: Tomas Langer <[email protected]>

* Rest client async header propagation with usage of Helidon Context (#2735)

Rest client header propagation with usage of Helidon Context

Signed-off-by: David Kral <[email protected]>

* Allow override of Jersey property via config (#2737)

* Allow the default value of property jersey.config.client.ignoreExceptionResponse to be overridden via config. New test.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed copyright year.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* New implementation of LazyValue (#2738)

* New implementation of LazyValue that lazily initializes a Semaphore instead of eagerly creating a ReentrantLock. Makes use of volatile guarantees and atomicity of VarHandle updates.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* New test for LazyValueImpl.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Reduced sleep time in test.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Update CHANGELOG for 2.2.1 release (#2743)

* 2.2.1 THIRD_PARTY_LICENSES update (#2746)

* Update THIRD_PARTY_LICENSES

* Support async invocations using optional synthetic SimplyTimed behavior (#2745)

* Add support for async invocations for optional inferred SimplyTimed behavior on JAX-RS endpoints

Signed-off-by: [email protected] <[email protected]>

* Do not attempt to access the request context in Fallback callback. If used together with Retry, it is possible for the fallback to be called in a fresh thread for which there is no current request scope. Instead just use the original value obtained in this class' constructor. Updated functional test (with some class renaming) to cover this use case. (#2748)

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fix for native image. (#2753)

Signed-off-by: Tomas Langer <[email protected]>

* Fixed checkstyle issues.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

Co-authored-by: Tomas Langer <[email protected]>
Co-authored-by: Daniel Kec <[email protected]>
Co-authored-by: Joe DiPol <[email protected]>
Co-authored-by: Tomáš Kraus <[email protected]>
Co-authored-by: Romain Grecourt <[email protected]>
Co-authored-by: Jonathan Knight <[email protected]>
Co-authored-by: Laird Nelson <[email protected]>
Co-authored-by: David Král <[email protected]>
Co-authored-by: Tim Quinn <[email protected]>
spericas added a commit to spericas/helidon that referenced this pull request Feb 18, 2021
spericas added a commit to helidon-io/helidon that referenced this pull request Feb 18, 2021
* Upgraded to Jersey 2.33. Fixed problem with SSE test and adapted 2.0 patch in eclipse-ee4j/jersey#4641.

* Removed unused import.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed copyright.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Run JerseyPropetiesTest in separate VM.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>

* Fixed copyright.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>
4 participants