[ https://issues.apache.org/jira/browse/CXF-6848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241527#comment-15241527 ]

Daniel Kulp commented on CXF-6848:
----------------------------------

This is more or less working as designed. If you specify those properties,
you are pretty much demanding that you want the security of those things
enforced. However, FastInfoset does not provide any means to enforce any of
those security requirements. Thus, we bail as we cannot guarantee the security
requirements.

If you set a system property of "org.apache.cxf.stax.allowInsecureParser" to
true prior to starting CXF, it would just log a warning. I suppose that could
be changed to a contextual property as well to specify if a particular
endpoint could allow the insecure stuff or not.



> Cannot use JAX-RS properties maxAttributeSize/maxTextLength with FastInfoset
> ----------------------------------------------------------------------------
>
>                 Key: CXF-6848
>                 URL: https://issues.apache.org/jira/browse/CXF-6848
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.0, 3.1.5
>         Environment: JRE 1.7
>            Reporter: Cyril Dangerville
>
> When FastInfoset is enabled, specifying JAX-RS property
> {{org.apache.cxf.stax.maxAttributeSize}} or
> {{org.apache.cxf.stax.maxTextLength}} (at any level) will fail with
> {noformat}
> Caused by: java.lang.ClassCastException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
>         at org.apache.cxf.staxutils.WoodstoxHelper.setProperty(WoodstoxHelper.java:41)
>         at org.apache.cxf.staxutils.StaxUtils.setProperty(StaxUtils.java:2209)
>         at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2169)
> {noformat}
> To reproduce the error, check out the sources of CXF (or only CXF JAXRS
> system tests), in v3.1.5 for example, then add property _maxAttributeSize_ or
> _maxTextLength_ to the configuration of jaxrs server {{restservice3}} in file
> {{cxf/systests/jaxrs/src/test/resources/jaxrs_soap_rest/WEB-INF/beans.xml}}
> as follows:
> {noformat}
> ...
> <jaxrs:server id="restservice3" address="/rest3">
> ...
>         <jaxrs:properties>
>             <entry key="org.apache.cxf.endpoint.private" value="true"/>
>             <!--  BEGIN CHANGE -->
>              <entry key="org.apache.cxf.stax.maxAttributeSize" value="500" /> 
>             <!--  END CHANGE -->
>         </jaxrs:properties>
>     </jaxrs:server>
> ...
> {noformat}
> Increase CXF log level by adding file {{logging.properties}} to directory
> {{cxf/systests/jaxrs}} with similar content:
> {noformat}
> handlers = java.util.logging.ConsoleHandler
> java.util.logging.ConsoleHandler.level = INFO
> .level=INFO
> {noformat}
> Then, from directory {{cxf/systests/jaxrs}}, run:
> {noformat}
> $ mvn clean
> $ mvn -Pnochecks -Djava.util.logging.config.file=logging.properties -Dtest=JAXRSSoapBookTest#testPostGetBookFastinfoset test
> {noformat}
> You should get a stacktrace as follows:
> {noformat}
> javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
>       at org.apache.cxf.jaxrs.utils.SpecExceptions.toInternalServerErrorException(SpecExceptions.java:79)
>       at org.apache.cxf.jaxrs.utils.ExceptionUtils.toInternalServerErrorException(ExceptionUtils.java:106)
>       at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.configureReaderRestrictions(AbstractJAXBProvider.java:809)
>       at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.createDepthReaderIfNeeded(AbstractJAXBProvider.java:798)
>       at org.apache.cxf.jaxrs.provider.JAXBElementProvider.getStreamReader(JAXBElementProvider.java:268)
>       at org.apache.cxf.jaxrs.provider.JAXBElementProvider.doUnmarshal(JAXBElementProvider.java:231)
>       at org.apache.cxf.jaxrs.provider.JAXBElementProvider.readFrom(JAXBElementProvider.java:193)
>       at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBodyReader(JAXRSUtils.java:1343)
>       at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBody(JAXRSUtils.java:1294)
>       at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameter(JAXRSUtils.java:826)
>       at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameters(JAXRSUtils.java:789)
>       at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:212)
>       at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>       at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:253)
>       at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>       at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
>       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
>       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>       at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>       at org.eclipse.jetty.server.Server.handle(Server.java:499)
>       at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
>       at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>       at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
>       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>       at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>       at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.xml.stream.XMLStreamException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
>       at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2196)
>       at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2128)
>       at org.apache.cxf.jaxrs.provider.AbstractJAXBProvider.configureReaderRestrictions(AbstractJAXBProvider.java:807)
>       ... 40 more
> Caused by: java.lang.ClassCastException: com.sun.xml.fastinfoset.stax.StAXDocumentParser cannot be cast to org.codehaus.stax2.XMLStreamReader2
>       at org.apache.cxf.staxutils.WoodstoxHelper.setProperty(WoodstoxHelper.java:41)
>       at org.apache.cxf.staxutils.StaxUtils.setProperty(StaxUtils.java:2209)
>       at org.apache.cxf.staxutils.StaxUtils.configureReader(StaxUtils.java:2169)
>       ... 42 more
> {noformat}
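
Added example, not part of the original thread and not CXF code: a parser-independent way to apply attribute-size and text-length limits to any `XMLStreamReader`, using only the JDK's `javax.xml.stream` API. The class name `LimitingReader`, the limit values and the sample document are assumptions made for illustration; the checks run on values the parser has already decoded, so they bound what reaches the unmarshaller, not the parser's own buffering.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

// Added illustration, not CXF code; class name and limits are hypothetical.
public class LimitingReader extends StreamReaderDelegate {
    private final int maxAttributeSize, maxTextLength;
    private long textRun; // chars seen in the current run of text events
    public LimitingReader(XMLStreamReader in, int maxAttributeSize, int maxTextLength) {
        super(in);
        this.maxAttributeSize = maxAttributeSize;
        this.maxTextLength = maxTextLength;
    }

    @Override
    public int next() throws XMLStreamException {
        int event = super.next();
        if (event == XMLStreamConstants.CHARACTERS || event == XMLStreamConstants.CDATA) {
            textRun += getTextLength();
            if (textRun > maxTextLength) {
                throw new XMLStreamException("text exceeds " + maxTextLength + " chars", getLocation());
            }
            return event;
        }
        textRun = 0; // any non-text event ends the run
        if (event == XMLStreamConstants.START_ELEMENT) {
            for (int i = 0; i < getAttributeCount(); i++) {
                if (getAttributeValue(i).length() > maxAttributeSize) {
                    throw new XMLStreamException("attribute '" + getAttributeLocalName(i)
                            + "' exceeds " + maxAttributeSize + " chars", getLocation());
                }
            }
        }
        return event;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the id attribute is longer than the 8-char limit.
        String xml = "<Book id=\"0123456789\"><name>CXF</name></Book>";
        XMLStreamReader r = new LimitingReader(
                XMLInputFactory.newFactory().createXMLStreamReader(new StringReader(xml)), 8, 64);
        try {
            while (r.hasNext()) r.next();
            System.out.println("accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`StreamReaderDelegate` forwards `nextTag()` and `getElementText()` straight to the wrapped reader, so a wrapper used behind code that calls those methods needs the same checks there.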


