users@jersey.java.net

[Jersey] Re: Curly braces in path produce IllegalStateException (Jersey 2.11)

From: Joe Mocker <jmocker_at_Tremorvideo.com>
Date: Wed, 20 Aug 2014 20:35:10 +0000

I can't explain the change in behavior but if you look at the Jersey javadoc, you'll see that for WebTarget.path(uri) (https://jersey.java.net/apidocs/latest/jersey/javax/ws/rs/client/WebTarget.html#path%28java.lang.String%29) it says

"the path, may contain URI template parameters"

And a vague description of "template parameters" is here (https://jersey.java.net/documentation/latest/user-guide.html#d0e9424)

"URI template parameters, e.g. widgets/{id} where {id} represents a variable part of the URI."

It's expecting some sort of identifier after the opening brace, which you are not supplying, hence the error.

I think Gili's suggestion is correct, you need to escape the curly braces.

  --joe

On Aug 20, 2014, at 1:23 PM, cowwoc <cowwoc_at_bbs.darktech.org> wrote:


  1. Try escaping the braces using http://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
  2. File a bug report against the Jersey documentation asking for them to specify how to escape such characters.

Gili

On 20/08/2014 3:59 PM, Gabriel Soto wrote:
Hi Gili,

I'm trying to test that the server does not break and logs an appropriate error after receiving "strange" HTTP requests.
In this case, the request would be an HTTP GET with a header similar to this:

GET /test{} HTTP/1.1

I'm reading the JAX-RS API again, and the error I was getting actually makes sense because the path() method takes a string that may contain template parameters. I'm not sure why it worked on previous versions.

However, the question remains. Would there be a way to do this kind of thing with JAX-RS/Jersey?

Thanks again!
Gabriel




On Wed, Aug 20, 2014 at 4:27 PM, cowwoc <cowwoc_at_bbs.darktech.org> wrote:
Hi Gabriel,

Not that I know of. Explain to me again what you're trying to test? What kind of "unexpected input" would you send? Why do you need to access it still encoded? And what do you expect the server to do once it receives this unexpected input?

Gili


On 20/08/2014 3:07 PM, Gabriel Soto wrote:
Thanks for the quick reply, Gili.

Your answer provokes a new question. I'd prefer the request to have the URL unescaped, since I'm trying to test the server's behavior when faced with this kind of unexpected input.

I can see that the Jersey client does escape URLs by default. Is it possible to change this behavior so the sent request contains the original URL?

Thanks,
Gabriel

On Wed, Aug 20, 2014 at 3:17 PM, cowwoc <cowwoc_at_bbs.darktech.org> wrote:
I don't know the answer to your question but I would point out that according to the Javadoc: the argument is "the path, may contain URI template parameters."

Perhaps you can escape the braces using percent/URL encoding? Or perhaps a double slash?

I think the Javadoc should discuss how to escape braces, so I suggest an issue to that effect.

Gili


On 20/08/2014 2:08 PM, Gabriel Soto wrote:
I'm trying to perform some fuzz testing by sending requests to a server with malformed URIs.

The following minimal code worked well on Jersey 2.3.1:

ClientBuilder.newClient()
    .target(UriBuilder.fromUri("http://localhost"))
    .path("test{}")
    .request();

We just updated to 2.11.0 and the same code produces the following error:

java.lang.IllegalStateException: Illegal character "}" at position 5 is not allowed as a start of a name in a path template "test{}".
    at org.glassfish.jersey.client.JerseyWebTarget.getUri(JerseyWebTarget.java:136)
    at org.glassfish.jersey.client.JerseyWebTarget.request(JerseyWebTarget.java:216)
    at org.glassfish.jersey.client.JerseyWebTarget.request(JerseyWebTarget.java:59)
    (...)
Caused by: java.lang.IllegalArgumentException: Illegal character "}" at position 5 is not allowed as a start of a name in a path template "test{}".
    at org.glassfish.jersey.uri.internal.UriTemplateParser.parseName(UriTemplateParser.java:328)
    at org.glassfish.jersey.uri.internal.UriTemplateParser.parse(UriTemplateParser.java:251)
    at org.glassfish.jersey.uri.internal.UriTemplateParser.<init>(UriTemplateParser.java:110)
    at org.glassfish.jersey.uri.UriTemplate.createUriComponent(UriTemplate.java:1001)
    at org.glassfish.jersey.uri.UriTemplate.createURIWithStringValues(UriTemplate.java:961)
    at org.glassfish.jersey.uri.UriTemplate.createURIWithStringValues(UriTemplate.java:906)
    at org.glassfish.jersey.uri.UriTemplate.createURI(UriTemplate.java:871)
    at org.glassfish.jersey.uri.internal.JerseyUriBuilder._build(JerseyUriBuilder.java:893)
    at org.glassfish.jersey.uri.internal.JerseyUriBuilder.build(JerseyUriBuilder.java:810)
    at org.glassfish.jersey.client.JerseyWebTarget.getUri(JerseyWebTarget.java:134)
    (...)

I'm trying to understand if this is related to https://java.net/jira/browse/JERSEY-2525
It certainly doesn't look fixed in this version.

Any ideas?

Thanks,
Gabriel
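
An added example, not from the thread or from Jersey: using only the JDK, it percent-encodes the braces as suggested above and also sends the unescaped request line GET /test{} over a plain socket, which is one way to put the raw path on the wire when testing a server's handling of it. The class name, the helper names and the loopback stand-in server (with its reject-braces policy) are assumptions made for the example.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class BracePathDemo {
    // Percent-encode the URI-template delimiters so they are treated as literal path characters.
    static String escapeTemplateBraces(String path) {
        return path.replace("{", "%7B").replace("}", "%7D");
    }

    // Write the request line exactly as given (no client-side encoding) and return the status line.
    static String rawGet(String host, int port, String rawPath) throws IOException {
        try (Socket s = new Socket(host, port)) {
            s.setSoTimeout(5000);
            String req = "GET " + rawPath + " HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
            s.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
            return reader(s).readLine();
        }
    }

    static BufferedReader reader(Socket s) throws IOException {
        return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the server under test: rejects request targets with raw braces.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = new Thread(() -> {
                for (int i = 0; i < 2; i++) {
                    try (Socket c = server.accept()) {
                        BufferedReader in = reader(c);
                        String target = in.readLine().split(" ")[1];
                        for (String h = in.readLine(); h != null && !h.isEmpty(); h = in.readLine()) { /* drain headers */ }
                        boolean raw = target.contains("{") || target.contains("}");
                        String status = raw ? "400 Bad Request" : "200 OK";
                        c.getOutputStream().write(("HTTP/1.1 " + status + "\r\nContent-Length: 0\r\n\r\n")
                                .getBytes(StandardCharsets.US_ASCII));
                    } catch (IOException e) { throw new UncheckedIOException(e); }
                }
            });
            t.start();
            int port = server.getLocalPort();
            System.out.println("raw     /test{}  -> " + rawGet("127.0.0.1", port, "/test{}"));
            String escaped = escapeTemplateBraces("/test{}");
            System.out.println("escaped " + escaped + " -> " + rawGet("127.0.0.1", port, escaped));
            t.join();
        }
    }
}
```

The escaped string is the form Gili suggests passing to path(); the raw socket call bypasses the client library's template parsing and URL escaping entirely.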