Allow encoded slashes for JAX-RS application by default #1728
Comments
|
Reported by mkarg |
|
tmueller said: |
|
@mpotociar said: Is there a way in GF to automatically allow encoded slashes for URLs handled by the Jersey container? To me it seems that the configuration mentioned above is not granular enough. IOW, it's either enabled or disabled for all containers attached handling the requests on the particular listener. |
|
mkarg said: |
|
@mpotociar said: |
|
This issue was imported from java.net JIRA JERSEY-1456 |
|
@mpotociar What is the current status of this major issue? In 2013 you said you will have a look into it after 2.0. This is 25 minor releases ago. Any news? |
|
@pavelbucek "Ping" ;-) |
|
@mkarg pong ;) |
|
I'm not sure why is this filed against Jersey, since it seems to be GF issue. I would be interested in seeing comparison of all jersey-supported containers - I would guess that each container would behave "differently" .. |
|
This issue originated from the fact that Jersey was part for the GlassFish project (or in some way still is looking at the package names): The idea was to say "JAX-RS does not restrict it, so the RI for Java EE must not restrict it too.". So the correct location for this was the JAX-RS implementation of GF, which is / was Jersey. Meanwhile it seems Jersey is handled more like a standalone projects, so we should move it up to the general GF tracker? For what sake, there is no active GF support, so it would never get fixed? |
|
The issue cannot be fixed by changing anything in Jersey codebase -> it doesn't belong to Jersey project. |
|
So where to put it? GlassFish is de-facto a non-maintained project, and Grizzly doesn't know that it runs a JAX-RS application. |
|
Glassfish is pretty active these days. Check your facts before you state something like that.. |
|
Didn't want to blame anybody. But after three years of proven inactivity according to https://github.com/javaee/glassfish/graphs/code-frequency please don't mind me not checking each time whether Oracle now is finally fixing years-old bugs or not before talking about this topic. Anyways, I understand that you want this thread to end and the issue to be moved over to GF, so I will do that. |
GlassFish does not allow encoded slashes in URLs by default. It is told that this would be for security reasons. But, encoded slashes are allowed by default for "admin-listener". I suspect the reason is that somebody noticed that there now is a JAX-RS based admin interface at that port which otherwise will not work.
So it is doubtful why user's JAX-RS application are still not allowed to receive encoded slashes, as the implementation (Jersey) has no security problems to handle them. People are forced to find out how to enable this explicitly (in fact I did not find it in the manuals at all but needed to ask in a forum, where someone told me the cryptic spell to cast, so GlassFish will magically work as virtually all JAX-RS deployers and application vendors wants it to work like:
).
I want to propose two things to reduce the level of torture one have to bear:
(1) The deployment manual should clearly contain that above code line and it should be marked in a colourful way that everbody will directly find it when about to deploy a JAX-RS application on GlassFish.
(2) JAX-RS applications by default should be allowed to receive encoded slashes. A JAX-RS application prodiver is coding according to the JAX-RS specification, which does not prevent slashes, and nobody at the Jersey team so far mentioned any problems with slashes in the Jersey product. The risk covered by the prevention of slash, in my opinion, mostly exists in Servlet applications. But, again, a JAX-RS application is not a servlet by definition (the Jersey container is one, but that is not suffering from that security problem with slashes).
Environment
Win7 Pro SP1 64 Bit de_DE
Affected Versions
[2.0-m13]
The text was updated successfully, but these errors were encountered: