Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 26.1.0.Final
Component/s: Security, Web (Undertow)
Labels:
None

Workaround Description:

Hide

Using legacy security (not Elytron) this works just fine but that means staying on WF24.

Show
Using legacy security (not Elytron) this works just fine but that means staying on WF24.
[QE] How to address?:
---
[QE] Why QE missed?:
---

Description

The bug is that in jax-rs methods like the two below the multivaluedMap and the form.asMap()
are always empty if you play with the security settings.

@POST @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response multivaluedMap(MultivaluedMap<String, String> multivaluedMap)

@POST @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response form(Form form)

However if declared like this they work:
@POST @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response form(@FormParam("name") String value)

You can also get a hold of the values if you inject HttpServletRequest klike this
@Context private HttpServletRequest servletRequest;
and call servletRequest.getParameterMap()

To repoduce do like this:

start a clean server (wilfdly-26 or jboss-eap7.4) and deploy the war

#run the test
$ bash ./runtest.sh
multivaluedmap value='VALUE'
form value='VALUE'
formparam value='VALUE'
injected value='VALUE'

create the keystore in $JBOSS_HOME/standalone/configuration
$ keytool -genkeypair -alias sso -keyalg RSA -keysize 2048 -validity 7300 -keystore sso.ks -dname "CN=localhost" -keypass qwerty -storepass qwerty

cli commands for jboss eap 7.4
/subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain)
/subsystem=elytron/key-store=CoordKS:add(relative-to=jboss.server.config.dir,path=sso.ks,credential-reference={clear-text=qwerty})
/subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=CoordKS,key-alias=sso,credential-reference={clear-text=qwerty},path="/",secure=true,http-only=true)
reload

cli commands for wildfly 26.1
/subsystem=elytron/key-store=CoordKS:add(relative-to=jboss.server.config.dir,path=sso.ks,credential-reference={clear-text=qwerty})
/subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=CoordKS,key-alias=sso,credential-reference={clear-text=qwerty},path="/",secure=true,http-only=true)
reload

#run the test again
$ bash ./runtest.sh
expected output
multivaluedmap value='null'
form value='null'
formparam value='VALUE'
injected value='VALUE'

Note that in web.xml the url-pattern under security-constraint does not even have to match the path used.
Also note that if you play the security-constraint / login-config in web.xml you get different results.
Java8 have been used throughout.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

multivaluedmaptest.zip
7 kB
2022/05/05 1:56 PM

Issue Links

is caused by

ELYWEB-180 Elytron web consumes the InputStream when form parameters are parsed

Pull Request Sent

Activity

People

Assignee:: Farah Juma

Reporter:: Peter Jonsson (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022/05/05 2:00 PM

Updated:: 2022/05/12 6:53 AM