Support for new property to ignore responses in exceptions thrown by the Client API #4641
…the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data. Signed-off-by: Santiago Pericasgeertsen <[email protected]>
@spericas I'm interested to learn a little more about the use-case. Ignoring the response at the client-side feels like closing the stable door after the horse has bolted. Can you explain a little more?
@dansiviter This is really only about preventing accidental leaks of confidential data, should the response contain them, such as from the third-party servers, similar to the test case (in the PR), when the
@jansupol Thanks. I'd hope the sensitive error data would not even be transmitted over the wire but I can see how poor error handling could lead to this also.
1. Upgrade to Jersey 2.33
2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641.

Signed-off-by: Santiago Pericasgeertsen <[email protected]>
* Upgrade Netty to 4.1.58 (#2678) Signed-off-by: Tomas Langer <[email protected]> * Added overall timeout to evictable cache (#2659) Signed-off-by: Tomas Langer <[email protected]> * Fix copyright year for commits broken by squashing. (#2687) Signed-off-by: Tomas Langer <[email protected]> * Concat array enhancement (#2508) * Concat array enhancement Signed-off-by: Daniel Kec <[email protected]> * Update Jackson to 2.12.1 (#2690) * Update Jackson to 2.12.1 * Upgrade to latest Junit5 to get fix for junit-team/junit5#2198 * Manage junit4 version * PokemonService template fixed in SE Database Archetype. (#2701) Signed-off-by: Tomas Kraus <[email protected]> * Fixed different output in DbClient SE archetype (#2703) Signed-off-by: Tomas Kraus <[email protected]> * Fix TODO application: (#2708) - WebSecurity needs to be passed config.get("security") to take the "security.web-server" configuration - Added outbound configuration for the google login - Upgraded cassandra driver to fix issues with old guava dependencies - Removed metrics to avoid issues with cassandra driver. Fixes #2707 * Update k8s descriptors to avoid using deprecated APIs. (#2719) * Separate execution of DataChunkReleaseTest in its own VM to prevent leak messages in other test's logs. (#2716) Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Changes in this commit: (#2727) 1. Upgrade to Jersey 2.33 2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Properly release underlying buffer before passing it to WebSocket handler (#2715) * Properly release underlying buffer before passing it to handler. * Releases data chunks after passing them to Tyrus without any copying. Reports an error and closes connection if Tyrus is unable to handle the data. Finally, fixed a problem related to subscription requests. 
Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Removed unused logger. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed checkstyle. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fix issue with null value in JSON. (#2723) Signed-off-by: Tomas Langer <[email protected]> * Upgrade grpc to v1.35.0 (#2713) * Upgrade grpc to v1.35.0 * Update copyright * Upgrades OCI SDK to version 1.31.0 (#2699) * Updated OCI to 1.31.0 Signed-off-by: Laird Nelson <[email protected]> * Fix null array values in HOCON/JSON config parser. (#2731) Resolves #2720 (follow-up) * Performance improvements to queue(s) management in Webserver (#2704) * Initial patch. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed some type params and improved comments. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * More cleanup and make sure to fail publisher on an error condition. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Suppress warnings. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Call clearQueues on every new request for proper cleanup of keep-alive connections. Some copyright fixes. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed checkstyle issues. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Force logging of LEAK error even if finalize does not get called on a DataChunk. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Upgrade Weld (#2668) Signed-off-by: Tomas Langer <[email protected]> * Rest client async header propagation with usage of Helidon Context (#2735) Rest client header propagation with usage of Helidon Context Signed-off-by: David Kral <[email protected]> * Allow override of Jersey property via config (#2737) * Allow the default value of property jersey.config.client.ignoreExceptionResponse to be overridden via config. New test. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed copyright year. 
Signed-off-by: Santiago Pericasgeertsen <[email protected]> * New implementation of LazyValue (#2738) * New implementation of LazyValue that lazily initializes a Semaphore instead of eagerly creating a ReentrantLock. Makes use of volatile guarantees and atomicity of VarHandle updates. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * New test for LazyValueImpl. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Reduced sleep time in test. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Update CHANGELOG for 2.2.1 release (#2743) * 2.2.1 THIRD_PARTY_LICENSES update (#2746) * Update THIRD_PARTY_LICENSES * Support async invocations using optional synthetic SimplyTimed behavior (#2745) * Add support for async invocations for optional inferred SimplyTimed behavior on JAX-RS endpoints Signed-off-by: [email protected] <[email protected]> * Do not attempt to access the request context in Fallback callback. If used together with Retry, it is possible for the fallback to be called in a fresh thread for which there is no current request scope. Instead just use the original value obtained in this class' constructor. Updated functional test (with some class renaming) to cover this use case. (#2748) Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fix for native image. (#2753) Signed-off-by: Tomas Langer <[email protected]> * Fixed checkstyle issues. Signed-off-by: Santiago Pericasgeertsen <[email protected]> Co-authored-by: Tomas Langer <[email protected]> Co-authored-by: Daniel Kec <[email protected]> Co-authored-by: Joe DiPol <[email protected]> Co-authored-by: Tomáš Kraus <[email protected]> Co-authored-by: Romain Grecourt <[email protected]> Co-authored-by: Jonathan Knight <[email protected]> Co-authored-by: Laird Nelson <[email protected]> Co-authored-by: David Král <[email protected]> Co-authored-by: Tim Quinn <[email protected]>
* Upgraded to Jersey 2.33. Fixed problem with SSE test and adapted 2.0 patch in eclipse-ee4j/jersey#4641. * Removed unused import. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed copyright. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Run JerseyPropetiesTest in separate VM. Signed-off-by: Santiago Pericasgeertsen <[email protected]> * Fixed copyright. Signed-off-by: Santiago Pericasgeertsen <[email protected]>
Support for new property to ignore responses in exceptions thrown by the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data.
Signed-off-by: Santiago Pericasgeertsen [email protected]
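
The behaviour described in the PR text, as an added example that is not code from the PR or from the Jersey project: a client calls an endpoint that fails with a body, and the example reports what the thrown exception exposes with the property off and on. The class name, the local stand-in server and the error body are constructed for illustration; it assumes `jersey-client` and `jersey-hk2` 2.33 or later on the classpath.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

public class IgnoreExceptionResponseDemo {
    // Constructed error body standing in for confidential data a third-party server might return.
    static final String BODY = "{\"error\":\"db failure\",\"detail\":\"user=svc password=EXAMPLE-ONLY\"}";

    /** Calls the failing endpoint and reports what the thrown exception exposes. */
    static String probe(boolean ignore, String url) {
        Client client = ClientBuilder.newClient()
                .property("jersey.config.client.ignoreExceptionResponse", ignore);
        try {
            client.target(url).request().get(String.class); // non-2xx -> WebApplicationException
            return "no exception";
        } catch (WebApplicationException e) {
            Response r = e.getResponse();
            // This is what a catch-all handler or logger can reach through the exception.
            return "status=" + r.getStatus() + " hasEntity=" + r.hasEntity()
                    + (r.hasEntity() ? " entity=" + r.readEntity(String.class) : "");
        } finally {
            client.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Local stand-in for the remote server: always answers 500 with the constructed body.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/fail", ex -> {
            byte[] b = BODY.getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Content-Type", "application/json");
            ex.sendResponseHeaders(500, b.length);
            ex.getResponseBody().write(b);
            ex.close();
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/fail";
        try {
            System.out.println("property=false: " + probe(false, url));
            System.out.println("property=true:  " + probe(true, url));
        } finally {
            server.stop(0);
        }
    }
}
```

The property only changes what the exception carries on the client side; the body still crosses the wire, which is the point raised in the discussion above.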