RESTEasy / RESTEASY-3096

Resteasy new WebApplicationExceptions behavior


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 6.1.0.Beta3, 6.1.0.Final
    • 5.0.2.Final, 6.0.0.Final
    • None
    • None

    Description

      Hi guys,

      Well I upgraded one of my projects to RESTEASY 5.0.2.Final and the code below, which used to work (in an old version) and which is consistent with the JAX-RS spec, does not work any longer because of the new way of handling client WebApplicationException thrown in a server side context.

      Based on the doc and the code, it seems that this new way of handling WebApplicationException creates a "sanitized" response with no body in it.

      I'm not against this feature but I think it should not be activated by default, to keep on being consistent with the JAX-RS spec. AFAIK the spec does not make any difference between a WebApplicationException thrown by a client in a client side context or a WebApplicationException thrown by a client in a service side context. In both cases the response returned by the WebApplicationException must reflect the exact response (headers, body etc.) sent by the remote server.

      By default, and as you said in your doc, the good practice is "to catch the Exception and treat it in some appropriate manner", and for sure not applying the good practice can lead to security issues as explained here (https://issues.redhat.com/browse/RESTEASY-2781). But to me it's up to the developer to apply the good practice; if he does not want to do it, then the new RESTEASY feature is a useful workaround. But to me, it should be activated by the developer and not by default.


      try {
          ...
          return tokenEndpointWebTarget
                  .request(MediaType.APPLICATION_JSON_TYPE)
                  .post(Entity.form(accessTokenRequestForm), AccessTokenResponse.class);
      } catch (WebApplicationException e) {
          LoginException loginException = null;
          Response response = e.getResponse();

          if (response.getMediaType() != null && response.bufferEntity()) { // <= always false with the new behavior
              try {
                  AccessTokenErrorResponse accessTokenErrorResponse = response
                          .readEntity(AccessTokenErrorResponse.class);
                  if (accessTokenErrorResponse != null) {
                      if (OAuth2Constants.INVALID_GRANT_ERROR.equals(accessTokenErrorResponse.getError())) {
                          loginException = new FailedLoginException("Invalid user credentials");
                      } else {
                          loginException = new LoginException(accessTokenErrorResponse.getError() + " - "
                                  + accessTokenErrorResponse.getErrorDescription());
                      }
                  }
              } catch (ProcessingException ignore) {
              }
          }
          ...
      }

      WDYT?
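An added example, not the reporter's code nor RESTEasy's own, of the practice the report refers to: a JAX-RS resource calls an upstream token endpoint once with the client exception left to propagate and once with it caught and mapped to a response the resource builds itself. It assumes the javax.ws.rs API of RESTEasy 5.x; LoginResource, the two POJO stand-ins for AccessTokenResponse / AccessTokenErrorResponse, and the injected WebTarget are hypothetical.

```java
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/login")
public class LoginResource {
    // Minimal stand-ins (hypothetical) for the two response types used in the report.
    public static class AccessTokenResponse { public String access_token; }
    public static class AccessTokenErrorResponse {
        public String error;
        public AccessTokenErrorResponse() { }
        public AccessTokenErrorResponse(String error) { this.error = error; }
    }
    private final WebTarget tokenEndpoint; // hypothetical: configured by the application
    public LoginResource(WebTarget tokenEndpoint) { this.tokenEndpoint = tokenEndpoint; }

    // Risky: a non-2xx upstream reply makes post() throw WebApplicationException, which escapes the
    // method and becomes this service's HTTP response. Originally that relayed the upstream status,
    // headers and body verbatim (the exposure behind RESTEASY-2781); the sanitized behaviour drops the body.
    @POST @Path("/leaky")
    public AccessTokenResponse leakyLogin(Form form) {
        return tokenEndpoint.request(MediaType.APPLICATION_JSON_TYPE)
                .post(Entity.form(form), AccessTokenResponse.class);
    }

    // Recommended: catch it, inspect the upstream reply locally and return a response you build yourself.
    @POST @Path("/safe")
    public Response safeLogin(Form form) {
        try {
            AccessTokenResponse token = tokenEndpoint.request(MediaType.APPLICATION_JSON_TYPE)
                    .post(Entity.form(form), AccessTokenResponse.class);
            return Response.ok(token).build();
        } catch (WebApplicationException e) {
            Response upstream = e.getResponse();
            String error = "server_error";
            // Under the sanitized behaviour bufferEntity() is false, so there is no body to read.
            if (upstream.getMediaType() != null && upstream.bufferEntity()) {
                try {
                    AccessTokenErrorResponse body = upstream.readEntity(AccessTokenErrorResponse.class);
                    if (body != null && body.error != null) error = body.error;
                } catch (ProcessingException ignore) { /* unreadable body: keep the generic error */ }
            }
            int status = "invalid_grant".equals(error) ? 401 : 502; // OAuth2 invalid_grant = bad credentials
            return Response.status(status).entity(new AccessTokenErrorResponse(error)).build();
        }
    }
}
```

Only the `error` code is copied from the upstream reply; headers, the error description and any other upstream content never reach the caller, whichever RESTEasy behaviour is active.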

          People

            Assignee: Unassigned
            Reporter: nicones (Nicolas NESMON)