Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22401

[GSS](7.4.z) RESTEASY-2997 - RESTEASY003210 is appeared in response body when request resource is not found

    XMLWordPrintable

Details

    • Hide

      Using jboss-quickstart's helloworld-rs app, reproduce in JBoss EAP 7.3.7:

      $ git clone https://github.com/jboss-developer/jboss-eap-quickstarts.git
      $ cd jboss-eap-quickstarts/helloworld-rs
      $ mvn clean package
      $ cp target/helloworld-rs.war jboss-eap-7.3.7/standalone/deployments/
      
      // For JBoss EAP 7.3.7 as latest
      $ curl 127.0.0.1:8080/helloworld-rs/rest/html
      RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html
      
      // For JBoss EAP 7.2.9
      $ curl -v 127.0.0.1:8080/helloworld-rs/rest/html
      $ (only return HTTP header, no HTTP response body.)
      
      Show
      Using jboss-quickstart's helloworld-rs app, reproduce in JBoss EAP 7.3.7: $ git clone https://github.com/jboss-developer/jboss-eap-quickstarts.git $ cd jboss-eap-quickstarts/helloworld-rs $ mvn clean package $ cp target/helloworld-rs.war jboss-eap-7.3.7/standalone/deployments/ // For JBoss EAP 7.3.7 as latest $ curl 127.0.0.1:8080/helloworld-rs/rest/html RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html // For JBoss EAP 7.2.9 $ curl -v 127.0.0.1:8080/helloworld-rs/rest/html $ (only return HTTP header, no HTTP response body.)
    • Hide

      Add the below custom ExceptionMapper to remove the response body:

      import javax.ws.rs.NotFoundException;
      import javax.ws.rs.core.Response;
      import javax.ws.rs.ext.ExceptionMapper;
      import javax.ws.rs.ext.Provider;
      
      @Provider
      public class MyNotFoundExceptionMapper implements ExceptionMapper<NotFoundException> {
          @Override
          public Response toResponse(NotFoundException e) {
              return Response.status(Response.Status.NOT_FOUND).build();
          }
      }
      
      Show
      Add the below custom ExceptionMapper to remove the response body: import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Response; import javax.ws.rs.ext.ExceptionMapper; import javax.ws.rs.ext.Provider; @Provider public class MyNotFoundExceptionMapper implements ExceptionMapper<NotFoundException> { @Override public Response toResponse(NotFoundException e) { return Response.status(Response.Status.NOT_FOUND).build(); } }
    • +

    Description

      In JBoss EAP 7.3.0 and later which merged RESTEASY-2189, the default ExceptionHandler returns "RESTEASY003210: Could not find resource for full path: <path>" in the response body when request path is not found:

      $ curl 127.0.0.1:8080/helloworld-rs/rest/html
      RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html
      

      A malicious user can find out that RESTEasy is being used in the backend. I believe the default message returned by the server should not contain any messages that can guess the product name or versions.

      I think it would be more appropriate to just return the response header same as in JBoss EAP 7.2.9 and earlier.

      Attachments

        Issue Links

          Activity

            People

              istudens@redhat.com Ivo Studensky
              rhn-support-ivassile Ilia Vassilev
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: