I'm using JBoss Resteasy to set up a web service. I just found out that Resteasy automatically decompresses gzip messages, according to the page below:
https://docs.jboss.org/resteasy/docs/2.0.0.GA/userguide/html/gzip.html
What if a client sends a zip bomb? I'm wondering how Resteasy handles this situation.
This flaw was identified and a CVE was assigned: CVE-2016-6346.
The description states:
In order to reduce the risk of being exploited by this vulnerability, the default setting for RESTeasy was changed so that it no longer decodes requests with gzip compression
The fix is included in RESTeasy 3.1 branch and in 3.0.20 (and newer).
So my suggestion is to use an up-to-date version of RESTeasy.
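The answer's remedy is to upgrade so that RESTEasy no longer inflates request bodies by default. If you turn gzip decoding back on, or inflate bodies in your own code, the defensive check is to bound the number of inflated bytes, not the compressed size. The following is an added example, not RESTEasy's own code or API: a reader that stops inflating the moment the output exceeds a cap, plus a constructed fixture (gzip of zero bytes, which compresses extremely well) to show the cap being hit. The cap value and the class name are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/**
 * Added example (not RESTEasy code): inflate a gzip body while enforcing a
 * hard cap on the inflated size, so a tiny request cannot expand into an
 * unbounded amount of heap. The cap is an assumed value; size it to the
 * largest legitimate request your service accepts.
 */
public final class BoundedGzipDecoder {

    /** Thrown as soon as the inflated output exceeds the configured limit. */
    public static final class DecompressionLimitExceeded extends IOException {
        DecompressionLimitExceeded(long limit) {
            super("inflated body exceeds limit of " + limit + " bytes");
        }
    }

    private BoundedGzipDecoder() {}

    /**
     * Inflates {@code compressed} and returns the plain bytes, or throws
     * DecompressionLimitExceeded once more than {@code maxInflatedBytes}
     * have been produced. Reading in chunks keeps memory bounded by the
     * limit plus one buffer, independent of what the sender supplied.
     */
    public static byte[] inflate(InputStream compressed, long maxInflatedBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long total = 0;
        try (GZIPInputStream gz = new GZIPInputStream(compressed)) {
            int n;
            while ((n = gz.read(buf)) != -1) {
                total += n;
                if (total > maxInflatedBytes) {
                    // Stop immediately; do not buffer the remainder.
                    throw new DecompressionLimitExceeded(maxInflatedBytes);
                }
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    /** Constructed fixture: gzip of {@code size} zero bytes (highly compressible). */
    static byte[] gzipOfZeros(int size) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(new byte[size]);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long limit = 1L << 20; // 1 MiB cap (assumed value)

        byte[] small = gzipOfZeros(64 * 1024); // 64 KiB: well under the cap
        int got = inflate(new ByteArrayInputStream(small), limit).length;
        System.out.println("small body inflated to " + got + " bytes");

        byte[] large = gzipOfZeros(8 * 1024 * 1024); // 8 MiB: exceeds the cap
        System.out.println("large body is only " + large.length + " bytes compressed");
        try {
            inflate(new ByteArrayInputStream(large), limit);
            System.out.println("unexpected: large body accepted");
        } catch (DecompressionLimitExceeded e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the design is that the check is applied to the output counter inside the read loop, so rejection happens after at most one extra buffer of inflated data; checking Content-Length or the compressed size instead would not protect against a high compression ratio.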
I have a fairly simple JAX-RS application running on WildFly 9. It makes use of RESTEasy multipart forms. It runs 100%. Now I am trying to run the same application with WildFly Swarm, but get a
javax.ws.rs.NotSupportedException: Could not find message body reader for type .... multipart/form-data when executing the resource POST operation.
This, as far as I understand, is the resteasy-multipart-provider. In my POM I have the wildfly-swarm-weld-jaxrs fraction. Is this not supposed to take care of the multipart features? If not, how do I get it included in the Swarm fat jar/package? I have tried including the resteasy-multipart-provider as a compile dependency, but this breaks the Swarm application and it refuses to start/boot. Or have I missed something else?
JAX-RS Multipart support is declared as an optional module in WildFly, so the necessary classes to make it work were not included in the application.
Since then, Ken Finnigan has added a new WildFly Swarm API for the module.
If you build the latest from wildfly-swarm/wildfly-swarm on GitHub you can add the wildfly-swarm-jaxrs-multipart artifact as a dependency to the project and that should resolve the problem.
Does Dropwizard support Servlet 3 asynchronous servlets? If not, is it on the roadmap at any time in the near future?
It uses Jetty 8, which supports Servlet 3.0. Jersey (and JAX-RS) doesn't have any support for this, but it's forthcoming in JAX-RS 2.0 (and Jersey 2.0). Dropwizard doesn't add anything special, but when Jersey 2.0 ships, the next major Dropwizard release will very likely include it.
You can use https://github.com/jetty-project/jetty-eventsource-servlet. Read the wiki for how to implement the Servlet and EventSource.
In your DW Service implementation you add your SSE servlet:
environment.addServlet(new MySseEventSourceServlet(), "/sse");
Then add this to your DW config:
http:
connectorType: NONBLOCKING
Now you can start listening for Server-sent Events on
<host>:<port>/sse
e.g.
curl localhost:8080/sse -H"Accept: text/event-stream"
See a working example on GitHub: https://github.com/andershedstrom/dropwizard-with-sse
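The answer registers a MySseEventSourceServlet but does not show it. Below is an added example of what that class can look like, written against the jetty-eventsource-servlet API (EventSourceServlet, EventSource and EventSource.Emitter in org.eclipse.jetty.servlets); it is not code from the answer or from the linked repository. It pushes a timestamp event once a second to each connected client and cancels that client's timer on disconnect, so a closed connection does not leave a task running. The event name, the one-second period and the pool size are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;

import javax.servlet.http.HttpServletRequest;

import org.eclipse.jetty.servlets.EventSource;
import org.eclipse.jetty.servlets.EventSourceServlet;

/**
 * Added example (not the linked project's code): the SSE servlet the
 * answer registers with environment.addServlet(..., "/sse"). Each client
 * gets its own EventSource; the Emitter writes "event:"/"data:" frames on
 * the held-open text/event-stream response.
 */
public class MySseEventSourceServlet extends EventSourceServlet {

    // Shared timer for all streams; size it for the concurrency you expect (assumed: 2).
    private final ScheduledExecutorService timer = Executors.newScheduledThreadPool(2);

    @Override
    protected EventSource newEventSource(HttpServletRequest request) {
        return new EventSource() {
            private ScheduledFuture<?> ticker;

            @Override
            public void onOpen(EventSource.Emitter emitter) throws IOException {
                // Connection is open; a comment frame is a harmless first write.
                emitter.comment("connected");
                ticker = timer.scheduleAtFixedRate(() -> {
                    try {
                        // Named event "tick" carrying the current epoch millis.
                        emitter.event("tick", Long.toString(System.currentTimeMillis()));
                    } catch (IOException e) {
                        // Client went away; closing makes the servlet call onClose().
                        emitter.close();
                    }
                }, 0, 1, TimeUnit.SECONDS);
            }

            @Override
            public void onClose() {
                // Cancel this client's task; otherwise every disconnected
                // client would leave a runnable firing indefinitely.
                if (ticker != null) {
                    ticker.cancel(false);
                }
            }
        };
    }

    @Override
    public void destroy() {
        // Stop the shared timer when the servlet is undeployed.
        timer.shutdownNow();
        super.destroy();
    }
}
```

Because the response stays open for the life of each client, the servlet depends on the non-blocking connector the answer configures; with a blocking connector every stream would pin a request thread.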
I am using JBoss AS 7.0.2 Final, and was trying to upgrade the version of RESTEasy that comes with 7.0.2 (RESTEasy 2.2.1.GA) to a newer version such as 2.3.4.Final. I followed the directions for patching provided by JBoss, and when I did that, at application server startup it threw an error about being unable to parse the module.xml file.
I attempted the same procedure on 7.1.1 Final and it works fine.
My first question is, does anyone know how to update RESTEasy in 7.0.2? (My other servers are all using this, so I would really like not to have to reset them and replace them with a newer version of JBoss.)
I was hoping to upgrade RESTEasy in the hope that this error may have been resolved in a newer version.
I have also tried adjusting my POM to use version 2.3.4.Final and tried every scope, but it always failed to use the newer jars and stuck with the JBoss-supplied jar.
15:14:09,947 SEVERE [org.jboss.resteasy.core.SynchronousDispatcher] (http--127.0.0.1-8443-6) Failed executing POST /countermeasure/customQueryLite: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: java.util.ArrayList of media type: application/xml
at org.jboss.resteasy.core.ServerResponse.writeTo(ServerResponse.java:216) [resteasy-jaxrs-2.2.1.GA.jar:]
It works fine for JSON, text, and singular XML objects, but not for list objects with XML.
Any answers regarding these issues with RESTEasy and JBoss would be helpful.
I am using Jersey 1.9 and it is generating my WADL perfectly except I need to redefine the resources base URI.
I'm running Jetty 7 sitting behind Apache using mod_proxy as a reverse proxy to route REST requests back to Jetty / Jersey. So Jersey generates the resources base URI as
http://localhost:8080/testRestAPI/rest/
when I need something like
http://mydomain.com/rest/
I found this from Google but it is not working: http://jersey.576304.n2.nabble.com/Changing-baseURI-when-generating-WADL-td6169703.html
Unfortunately, you've found a bug in the Jersey implementation. Please file a new issue as stated on the mailing list. JIRA link: http://java.net/jira/browse/JERSEY
What you can do for now is downgrade to Jersey 1.8, which should not be affected by the latest changes in this area. Thanks, and sorry for the inconvenience!
EDIT: issue link: http://java.net/jira/browse/JERSEY-773
It is already fixed, so you should be able to use this feature in Jersey 1.10-b02 and newer.
Does anyone know if WSRP URL rewriting is supported in JBoss Portal 2.7.2 when acting as a producer?
Currently, the URL rewriting is done on the consumer, which has to parse the markup (returned from JBoss) to find special WSRP tokens. This can have a performance impact, which could be avoided by having the producer (JBoss in our case) supply the URLs directly.
Regards,
Jonathan
No. The answer can be found here: http://community.jboss.org/message/587434