Support for new property to ignore responses in exceptions thrown by the Client API #4641
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
jansupol
approved these changes
Nov 25, 2020
senivam
approved these changes
Nov 25, 2020
|
@spericas I'm interested to learn a little more about the use-case. Ignoring the response at the client-side feels like closing the stable door after the horse has bolted. Can you explain a little more? |
|
@dansiviter This is really only about preventing accidental leaks of confidential data, should the response contain them, such as from the third-party servers, similar to the test case (in the PR), when the |
|
@jansupol Thanks. I'd hope the sensitive error data would not even be transmitted over the wire but I can see how poor error handling could lead to this also. |
spericas
added a commit
to spericas/helidon
that referenced
this pull request
Feb 2, 2021
1. Upgrade to Jersey 2.33 2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
spericas
added a commit
to helidon-io/helidon
that referenced
this pull request
Feb 2, 2021
1. Upgrade to Jersey 2.33 2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
spericas
added a commit
to helidon-io/helidon
that referenced
this pull request
Feb 11, 2021
* Upgrade Netty to 4.1.58 (#2678) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Added overall timeout to evictable cache (#2659) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Fix copyright year for commits broken by squashing. (#2687) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Concat array enhancement (#2508) * Concat array enhancement Signed-off-by: Daniel Kec <daniel.kec@oracle.com> * Update Jackson to 2.12.1 (#2690) * Update Jackson to 2.12.1 * Upgrade to latest Junit5 to get fix for junit-team/junit5#2198 * Manage junit4 version * PokemonService template fixed in SE Database Archetype. (#2701) Signed-off-by: Tomas Kraus <Tomas.Kraus@oracle.com> * Fixed different output in DbClient SE archetype (#2703) Signed-off-by: Tomas Kraus <Tomas.Kraus@oracle.com> * Fix TODO application: (#2708) - WebSecurity needs to be passed config.get("security") to take the "security.web-server" configuration - Added outbound configuration for the google login - Upgraded cassandra driver to fix issues with old guava dependencies - Removed metrics to avoid issues with cassandra driver. Fixes #2707 * Update k8s descriptors to avoid using deprecated APIs. (#2719) * Separate execution of DataChunkReleaseTest in its own VM to prevent leak messages in other test's logs. (#2716) Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Changes in this commit: (#2727) 1. Upgrade to Jersey 2.33 2. Configuration via system properties for the Jersey Client API. Any response in an exception will be mapped to an empty one to prevent data leaks. See eclipse-ee4j/jersey#4641. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Properly release underlying buffer before passing it to WebSocket handler (#2715) * Properly release underlying buffer before passing it to handler. * Releases data chunks after passing them to Tyrus without any copying. Reports an error and closes connection if Tyrus is unable to handle the data. Finally, fixed a problem related to subscription requests. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Removed unused logger. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed checkstyle. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fix issue with null value in JSON. (#2723) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Upgrade grpc to v1.35.0 (#2713) * Upgrade grpc to v1.35.0 * Update copyright * Upgrades OCI SDK to version 1.31.0 (#2699) * Updated OCI to 1.31.0 Signed-off-by: Laird Nelson <laird.nelson@oracle.com> * Fix null array values in HOCON/JSON config parser. (#2731) Resolves #2720 (follow-up) * Performance improvements to queue(s) management in Webserver (#2704) * Initial patch. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed some type params and improved comments. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * More cleanup and make sure to fail publisher on an error condition. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Suppress warnings. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Call clearQueues on every new request for proper cleanup of keep-alive connections. Some copyright fixes. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed checkstyle issues. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Force logging of LEAK error even if finalize does not get called on a DataChunk. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Upgrade Weld (#2668) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Rest client async header propagation with usage of Helidon Context (#2735) Rest client header propagation with usage of Helidon Context Signed-off-by: David Kral <david.k.kral@oracle.com> * Allow override of Jersey property via config (#2737) * Allow the default value of property jersey.config.client.ignoreExceptionResponse to be overridden via config. New test. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed copyright year. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * New implementation of LazyValue (#2738) * New implementation of LazyValue that lazily initializes a Semaphore instead of eagerly creating a ReentrantLock. Makes use of volatile guarantees and atomicity of VarHandle updates. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * New test for LazyValueImpl. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Reduced sleep time in test. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Update CHANGELOG for 2.2.1 release (#2743) * 2.2.1 THIRD_PARTY_LICENSES update (#2746) * Update THIRD_PARTY_LICENSES * Support async invocations using optional synthetic SimplyTimed behavior (#2745) * Add support for async invocations for optional inferred SimplyTimed behavior on JAX-RS endpoints Signed-off-by: tim.quinn@oracle.com <tim.quinn@oracle.com> * Do not attempt to access the request context in Fallback callback. If used together with Retry, it is possible for the fallback to be called in a fresh thread for which there is no current request scope. Instead just use the original value obtained in this class' constructor. Updated functional test (with some class renaming) to cover this use case. (#2748) Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fix for native image. (#2753) Signed-off-by: Tomas Langer <tomas.langer@oracle.com> * Fixed checkstyle issues. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> Co-authored-by: Tomas Langer <tomas.langer@gmail.com> Co-authored-by: Daniel Kec <daniel.kec@oracle.com> Co-authored-by: Joe DiPol <joe.dipol@oracle.com> Co-authored-by: Tomáš Kraus <tomas.kraus@oracle.com> Co-authored-by: Romain Grecourt <romain.grecourt@oracle.com> Co-authored-by: Jonathan Knight <jk@thegridman.com> Co-authored-by: Laird Nelson <laird.nelson@oracle.com> Co-authored-by: David Král <david.k.kral@oracle.com> Co-authored-by: Tim Quinn <tim.quinn@oracle.com>
spericas
added a commit
to spericas/helidon
that referenced
this pull request
Feb 18, 2021
spericas
added a commit
to helidon-io/helidon
that referenced
this pull request
Feb 18, 2021
* Upgraded to Jersey 2.33. Fixed problem with SSE test and adapted 2.0 patch in eclipse-ee4j/jersey#4641. * Removed unused import. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed copyright. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Run JerseyPropetiesTest in separate VM. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com> * Fixed copyright. Signed-off-by: Santiago Pericasgeertsen <santiago.pericasgeertsen@oracle.com>
This was referenced Jun 26, 2021
Merged
This was referenced Jul 6, 2021
This was referenced Aug 5, 2021
This was referenced Apr 17, 2022
This was referenced May 3, 2022
Closed
1 task
Closed
1 task
1 task
This was referenced Oct 19, 2022
Closed
1 task
This was referenced Feb 11, 2023
Closed
1 task
This was referenced May 11, 2023
This was referenced Jun 15, 2023
This was referenced Jul 6, 2023
1 task
1 task
1 task
This was referenced Apr 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support for new property to ignore responses in exceptions thrown by the Client API. If the property jersey.config.client.ignoreExceptionResponse is set to true, any response in an exception thrown by the Client API will be mapped to an empty response that only includes the status code of the original one. This is to prevent accidental leaks of confidential data.
Signed-off-by: Santiago Pericasgeertsen santiago.pericasgeertsen@oracle.com