users@jersey.java.net

[Jersey] Re: JERSEY-649

From: Markus Karg <karg_at_quipsy.de>
Date: Fri, 11 Mar 2011 08:48:46 +0100

Jakub,

it is working really well in GFv2ur2. :-)

Actually I don't understand where the security problem within a JAX-RS application shall exist (it is a responsibility of the application to check whether subdirectory access actually is allowed), anyways, this is a different topic.

Thanks a lot!

Markus

From: Markus Karg [mailto:markus.karg_at_gmx.net]
Sent: Thursday, 10 March 2011 19:49
To: users_at_jersey.java.net
Subject: [Jersey] Re: JERSEY-649

Jakub,

thank you so much for your kind help! I will try out tomorrow the lines below.

I now understand that the problem is created by the container and that there cannot be a real fix in Jersey.

Thanks a lot!

Markus

From: Jakub Podlesak [mailto:jakub.podlesak_at_oracle.com]
Sent: Thursday, 10 March 2011 17:37
To: users_at_jersey.java.net
Subject: [Jersey] Re: JERSEY-649

Hi Markus,

Thanks for the patience. This is not really about fixing Jersey,
but rather about configuring the underlying container.
They disable such requests by default for security reasons.

For GlassFish v2, the way to enable encoded slashes in requests
is to:

./bin/asadmin create-jvm-options -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

In GFv3.x:

./bin/asadmin create-jvm-options -Dcom.sun.grizzly.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

For Grizzly 1/2:

you either use the jvm property above (-Dcom.sun.grizzly.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true)
or use the new Jersey ResourceConfig feature: "com.sun.jersey.api.container.grizzly.AllowEncodedSlashFeature"

~Jakub
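As an added example (not code from this thread, from Jersey or from GlassFish), a Jersey 1.x resource that receives path values containing slashes once the container setting above admits them, with the subdirectory check left to the application done explicitly; the resource path, class name and base directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.ws.rs.GET;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

// Hypothetical resource; the /files path and the base directory are assumptions.
@javax.ws.rs.Path("/files")
public class EncodedSlashFileResource {
    private static final Path BASE = Paths.get("/var/data/export").toAbsolutePath().normalize();

    // The ".+" regex lets one template variable span several segments, so once
    // the container lets %2F through, "a%2Fb" and "a/b" both arrive here as "a/b".
    @GET
    @javax.ws.rs.Path("{name: .+}")
    @Produces("application/octet-stream")
    public byte[] get(@PathParam("name") String name) throws IOException {
        Path target = resolveInside(BASE, name);
        if (target == null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (!Files.isRegularFile(target)) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return Files.readAllBytes(target);
    }

    // The check the container no longer performs once encoded slashes are allowed:
    // returns the file under base that name denotes, or null when name is absolute,
    // contains a NUL or backslash, has an empty, "." or ".." segment, or normalizes
    // to a location outside base.
    static Path resolveInside(Path base, String name) {
        if (name.isEmpty() || name.startsWith("/")
                || name.indexOf('\0') >= 0 || name.indexOf('\\') >= 0) {
            return null;
        }
        for (String seg : name.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) {
                return null;
            }
        }
        Path resolved = base.resolve(name).normalize();
        return resolved.startsWith(base) ? resolved : null;
    }
}
```

Because @PathParam values are percent-decoded before the method runs, an encoded ".." or "/" is already plain text by the time resolveInside sees it, which is why the check works on the decoded string rather than on the raw URI.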

On 03/08/2011 03:36 PM, Markus Karg wrote:

Jakub,

thank you for your kind information.

Does that mean that to make it work we definitively need to upgrade the used GlassFish from v2ur2 to a later release and there is no fix possible inside Jersey? That would be a problem for us as we have to supply the fix to hundreds of companies, which means, not just redeploying an EAR file but replacing the complete server... :-(

Thanks!

Markus

From: Jakub Podlesak [mailto:jakub.podlesak_at_oracle.com]
Sent: Tuesday, 8 March 2011 15:32
To: users_at_jersey.java.net
Subject: [Jersey] Re: JERSEY-649

Hi Markus,

I have just updated the bug report. There was a bug in the earlier Grizzly version, which
blocked such requests to come to Jersey. I am working on the Grizzly version update,
then will see if there is another issue in Jersey with that.

Thanks for your patience,

~Jakub

On 03/08/2011 08:37 AM, Markus Karg wrote:

I'd kindly like to ask whether there is any time frame or plan when to fix issue JERSEY-649? This is a major showstopper as it makes using Jersey impossible for any data containing a forward slash, which unfortunately is rather common in lots of legacy data sets. It would be great if that could be fixed rather soon. I'm a bit disappointed that there is not at least any comment in the tracker about whether a workaround is known to the Jersey team.

Thanks

Markus

-- 
Jakub Podlešák
CZJUG co-lead,
Web Services Research And Development
Oracle, Czech s r.o.
Praha 4, V Parku 8