Bug 899664 (JBPAPP6-1520)

Summary: (EAP 6.4.x) RESTEasy: Boolean configuration parameters don't reject non-sense content
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Pavel Janousek <pjanouse>
Component: RESTEasy
Assignee: Weinan Li <weli>
Status: CLOSED EOL
QA Contact: Katerina Odabasi <kanovotn>
Severity: medium
Priority: medium
Version: TBD EAP 6
CC: kanovotn, mkopecky, myarboro, nobody, rajesh.rajasekaran, rsvoboda, vtunka, weli
Target Milestone: DR9
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBPAPP6-1520
Doc Type: Known Issue
Doc Text:
This release of JBoss EAP 6 carries a bug that allows invalid Boolean configuration parameters to be set. This behavior is unintended as invalid parameters should be rejected and the application should not be deployed. This issue is expected to be resolved in future release of the product.
Clone Of:
: 1121661
Last Closed: 2019-08-19 12:43:47 UTC
Type: Bug
Bug Blocks: 1121661

Description Pavel Janousek 2011-12-15 15:22:14 UTC
project_key: JBPAPP6

RESTEasy can be configured through several configuration options in the WAR application deployment file WEB-INF/web.xml. These options are of type Boolean (= true, false; maybe we should support 0 and 1 too); any other invalid or nonsense setting should be rejected as an invalid deployment descriptor, and such an application should not be deployed at all.

Affected options are:
- resteasy.scan
- resteasy.scan.providers
- resteasy.scan.resources
- resteasy.use.builtin.providers

Comment 1 Pavel Janousek 2011-12-15 15:22:28 UTC
Link: Added: This issue Cloned to JBPAPP-7767


Comment 2 Weinan Li 2011-12-20 05:34:38 UTC
It's a requirement that these parameters accept 'true' and 'false' values; currently the code looks like the following:


      String sResources = getParameter(ResteasyContextParameters.RESTEASY_SCAN_RESOURCES);
      if (sResources != null)
      {
         // Boolean.valueOf() yields true only for "true" (case-insensitive);
         // any other string, e.g. "1" or a typo, silently becomes false.
         scanResources = Boolean.valueOf(sResources.trim());
      }

It's possible to modify the logic, and I wonder whether that's necessary. I'll ask Bill for confirmation. BTW, this kind of issue should be filed in the RESTEasy project in JIRA instead of EAP; it's a feature request rather than a bug.

Comment 3 Pavel Janousek 2011-12-20 08:36:26 UTC
Assuming web.xml contains only correct values (format, content etc.) is a deeply bad approach. The first check is done by XML validation against the DTD definition, but it isn't sufficient - it only checks lexical validity, not semantics. And an even worse approach is to raise only a conversion exception, if any, in this case - a properly implemented feature (like this one) should report invalid input correctly, with an appropriate error message.

Also be aware - something later catches this exception and doesn't report it at all - this is the worst scenario; silently ignoring such a thing is a very bad programming technique.

In my PoV this erroneous deployment descriptor should fail during deployment, reporting an appropriate message in this case.

Every such gathering of a value should be wrapped in a try/catch block. This is not the only case of a bad piece of code in RESTEasy (nor in this project, of course).
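As an added illustration of the lenient-versus-strict parsing discussed in comments 2 and 3 (this is not RESTEasy's code and not the parseBooleanParam() that the later fix introduced; the class name, method names, exception type and sample parameter values are constructed for this example), the following Java compares Boolean.valueOf(), which maps every value other than "true" to false, with a parser that rejects anything except "true"/"false" and so fails the deployment instead of silently changing behaviour. The dotted key resteasy.role.based.security stands in for the RESTEASY_ROLE_BASED_SECURITY parameter mentioned later in this bug, used here only to show why fail-closed parsing of a security control matters.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not RESTEasy code: lenient vs. strict parsing of Boolean
 * servlet context parameters such as resteasy.scan.
 */
public class BooleanParamCheck {

    /** Thrown for values that are neither "true" nor "false". */
    public static class InvalidParameterException extends RuntimeException {
        public InvalidParameterException(String key, String value) {
            super("Invalid value for parameter " + key + ": " + value);
        }
    }

    /**
     * Lenient parsing as in the snippet from comment 2: Boolean.valueOf()
     * returns true only for "true" (case-insensitive) and false for every
     * other string, so "1", "yes" or a typo like "ture" silently become false.
     */
    public static boolean parseLenient(String value) {
        return Boolean.valueOf(value.trim());
    }

    /**
     * Strict parsing: accept exactly "true" or "false" (trimmed, case-insensitive)
     * and reject everything else with a message naming the parameter, so the
     * bad descriptor fails the deployment instead of being silently ignored.
     */
    public static boolean parseStrict(String key, String value) {
        String v = value.trim();
        if (v.equalsIgnoreCase("true")) return true;
        if (v.equalsIgnoreCase("false")) return false;
        throw new InvalidParameterException(key, value);
    }

    /** Validate a whole set of Boolean context-params; the first bad value aborts. */
    public static Map<String, Boolean> validate(Map<String, String> contextParams) {
        Map<String, Boolean> parsed = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : contextParams.entrySet()) {
            parsed.put(e.getKey(), parseStrict(e.getKey(), e.getValue()));
        }
        return parsed;
    }

    public static void main(String[] args) {
        // Constructed sample of <context-param> values as they might appear in web.xml.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("resteasy.scan", "true");
        params.put("resteasy.use.builtin.providers", "1");     // not a valid Boolean
        params.put("resteasy.role.based.security", " Ture ");  // typo in a security control

        // Lenient view: no error, but the two bad values both read as false.
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.printf("%-32s lenient=%s%n", e.getKey(), parseLenient(e.getValue()));
        }

        // Strict view: deployment is rejected with a message naming the parameter.
        try {
            validate(params);
            System.out.println("deployment would proceed");
        } catch (InvalidParameterException ex) {
            System.out.println("deployment rejected: " + ex.getMessage());
        }
    }
}
```

Compile and run with javac/java: the lenient pass prints resteasy.role.based.security as false without any diagnostic, i.e. the control is off and nobody is told, while the strict pass stops at the first invalid value with a message that names the offending parameter, which is the behaviour comment 3 asks for.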

Comment 4 Weinan Li 2012-01-04 05:44:38 UTC
Problem fixed in trunk: https://github.com/resteasy/Resteasy/pull/3

Comment 5 Weinan Li 2012-01-04 05:45:19 UTC
When EAP uses newest RESTEasy release, we'll get this issue solved.

Comment 6 Pavel Janousek 2012-01-05 11:34:38 UTC
Link: Added: This issue is related to JBPAPP-7859


Comment 7 Shelly McGowan 2012-02-18 00:25:19 UTC
Latest update: the RESTEasy 2.3.2 bugfix release is targeted for AS 7.1.1. Moving to 6.0.0.ER4 as that is the EAP build scheduled to pick up 7.1.1.

Comment 8 Pavel Janousek 2012-03-22 10:49:43 UTC
Link: Added: This issue incorporates JBPAPP-8506


Comment 9 Rajesh Rajasekaran 2012-04-02 16:31:05 UTC
Shelly, was this jira resolved for ER4? 

Comment 10 Rajesh Rajasekaran 2012-04-30 19:42:06 UTC
Weinan, was the pull request merged upstream? As the priority on this release was downgraded, do you want to delay cutting a new RESTEasy release, or do you plan to cut a release now since the fix is available? Please check the cutoff dates with Shelly if you plan to cut the release, or move the fix version to TBD EAP6.

Comment 12 Weinan Li 2012-05-09 02:53:48 UTC
Fixed in ER7.

Comment 13 Pavel Janousek 2012-05-11 13:27:25 UTC
Configuration parameter:
- resteasy.use.builtin.providers

was missed in this fix; the others are fine and work for me as expected. I've tried it on the ER7 build.

Comment 14 Anne-Louise Tangring 2012-11-13 21:01:40 UTC
Docs QE Status: Removed: NEW 


Comment 15 Weinan Li 2013-09-10 08:46:12 UTC
PR submitted: https://github.com/resteasy/Resteasy/pull/387

Comment 19 Weinan Li 2013-10-09 14:10:56 UTC
The PR has been merged into upstream Branch_2_3, but we'll need a new release of RESTEasy to include this (2.3.8). From the RESTEasy community there is no 2.3.8.Final yet.

If we want to include this in EAP 6.2.0, it will need the following steps:

- Ron will need to release RESTEasy 2.3.8.Final in community
- We'll need an 'upgrade RESTEasy 2.3.8.Final' request and pass 3-ack
- Several days are needed to build 2.3.8 for EAP6
- A PR request to update the RESTEasy version of EAP6 in github will be created
- A bug related to the above PR requests will be created.

Given the importance of this bug, I'd suggest we drop this from 6.2.0 and put it into a future version. Is that okay?

Comment 24 mark yarborough 2014-03-18 21:20:50 UTC
Requesting clarification on owner, relevance, target since this bug is
more than two years old and less than POST state:

http://post-office.corp.redhat.com/archives/eap6-triage/2014-March/msg00001.html

Comment 25 Weinan Li 2014-03-19 07:44:51 UTC
As RESTEasy 2.3.8.Final is not included in EAP 6.3, the patch is still not included.

Comment 26 Weinan Li 2014-06-17 11:48:36 UTC
2.3.8 has fixed this problem.

Comment 27 Katerina Odabasi 2014-06-25 11:01:27 UTC
RESTEasy 2.3.8 still doesn't use the parseBooleanParam() method to check the RESTEASY_USE_BUILTIN_PROVIDERS parameter.

Comment 28 Weinan Li 2014-06-25 12:06:42 UTC
(In reply to Katerina Novotna from comment #27)
> Resteasy 2.3.8 still doesn't use parseBooleanParam() method to check for
> RESTEASY_USE_BUILTIN_PROVIDERS parameter.

Katerina, I've checked the source code of 2.3.8.Final-redhat and it seems it's already merged:

master:resteasy-prod weinanli$ grep  'parseBooleanParam' resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/server/servlet/ConfigurationBootstrap.java
         scanProviders = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN_PROVIDERS, sProviders);
         boolean tmp = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN, scanAll);
         scanResources = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN_RESOURCES, sResources);
         boolean tmp = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCANNED_BY_DEPLOYER, sScannedByDeployer);
    private boolean parseBooleanParam(String key, String value) {
master:resteasy-prod weinanli$ git branch
  2.3.7.1.Final-redhat
  2.3.7.2.Final-redhat
  2.3.7.Final-redhat
  2.3.7.Final-redhat-2
  2.3.7.Final-redhat-2-BZ1091552
* 2.3.8.Final-redhat
  master
master:resteasy-prod weinanli$ cat ./.git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	ignorecase = true
	precomposeunicode = true
[remote "origin"]
	url = git+ssh://weli.eng.bos.redhat.com/srv/git/resteasy.git
	fetch = +refs/heads/*:refs/remotes/origin/*

Where do you find that the patch is not merged?

Comment 29 Katerina Odabasi 2014-06-25 13:50:32 UTC
Hi Weinan, yes the patch is merged, but not complete. I see in [1], line 107, that the RESTEASY_USE_BUILTIN_PROVIDERS parameter will not throw an exception when incorrect input is provided.

Additionally, on line 104, the RESTEASY_ROLE_BASED_SECURITY parameter is the same case.

[1] http://git.app.eng.bos.redhat.com/git/resteasy.git/tree/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/server/servlet/ConfigurationBootstrap.java?h=2.3.8.Final-redhat

Comment 30 Weinan Li 2014-06-25 13:52:08 UTC
Thanks for checking so carefully Katerina, I'll work on it.

Comment 31 Weinan Li 2014-06-27 10:30:20 UTC
PR for upstream: https://github.com/resteasy/Resteasy/pull/515/files

Comment 32 Weinan Li 2014-06-30 12:54:42 UTC
PR for Branch_2_3: https://github.com/resteasy/Resteasy/pull/516/files

Comment 34 Scott Mumford 2014-07-17 04:16:19 UTC
Making public for inclusion in 6.3.0 Release Notes.

Comment 36 Marek Kopecky 2014-11-18 13:54:43 UTC
I set option "resteasy.scan" to "1" in web.xml:
    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>1</param-value>
    </context-param>

I deploy the application:
mvn package jboss-as:deploy

Actual results:
org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011235: Invalid value for parameter resteasy.scan: 1"}}

Expected results:
No errors.