
Disable wadl by default

Open paulrutter opened this issue 2 years ago • 6 comments

After deploying our jersey 2.40 application we noticed some exceptions around jaxb. It led to the out-of-the-box enabled wadl endpoint.

Because our REST API consists of both public and private endpoints, it was surprising to see that the application.wadl is just open for everyone to see, including private endpoints.

Wouldn't it be better to disable wadl by default instead? With OpenAPI nowadays, the wadl endpoint probably isn't that useful either. Apart from it being unexpected that it's enabled by default.

paulrutter avatar Aug 02 '23 21:08 paulrutter

Related issue https://github.com/eclipse-ee4j/jersey/issues/4898

paulrutter avatar Aug 02 '23 21:08 paulrutter

Big +1 for this. The WADL endpoint was noted in multiple pen tests we had in the past. Having it disabled by default would be a good idea, IMO.

chkal avatar Aug 06 '23 07:08 chkal

> After deploying our jersey 2.40 application we noticed some exceptions around jaxb. It led to the out-of-the-box enabled wadl endpoint.

The exceptions usually lead to disabled functionality, not enabled. I am not sure what exceptions you have in mind, but the usual ones are about missing JAX-B when moved from JDK 8. In that case, the WADL is disabled. Jersey warns about missing JAX-B, as JAX-B support is required by the JAX-RS Spec, but without JAX-B (and the JAX-B impl), Jersey works well (except it does not support JAX-B and WADL). If you have tried to fix the warnings and added JAX-B, then yes, the WADL was enabled.

The WADL can be disabled by setting ServerProperties#WADL_FEATURE_DISABLE to true, or by removing JAX-B.

> Wouldn't it be better to disable wadl by default instead?

We may consider it. The WADL availability is something that's been around Jersey for years and the customers are used to having it. There are a number of applications modifying the WADL generated by Jersey (as Jersey provides a hook for it) and disabling WADL by default for them could lead to dysfunction of their app. We definitely should not disable the WADL by default in 2.x. For the upcoming 4.x, it could be a possibility.

jansupol avatar Aug 16 '23 08:08 jansupol
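The property-based switch mentioned in the comment above, shown as an added example (this is not code from the issue or from the Jersey project). It assumes a Jersey 2.x application configured through a `ResourceConfig` subclass; the package name `com.example.api` is a hypothetical placeholder. `ServerProperties.WADL_FEATURE_DISABLE` is the real Jersey constant for the `jersey.config.server.wadl.disableWadl` property.

```java
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.ServerProperties;

/**
 * Application configuration that turns WADL generation off so that
 * /application.wadl no longer enumerates every resource (public or private).
 */
public class AppConfig extends ResourceConfig {

    public AppConfig() {
        // Hypothetical package containing the JAX-RS resource classes.
        packages("com.example.api");

        // Disable the WADL feature. With this set, Jersey does not register the
        // WADL resource, and the JAX-B schema generation that produced the
        // IllegalAnnotationsException warnings in the thread is not attempted for it.
        property(ServerProperties.WADL_FEATURE_DISABLE, true);
    }
}
```

The same switch can be set as a servlet init-param with the key `jersey.config.server.wadl.disableWadl` and the value `true` when the application is configured through `web.xml` rather than code. After redeploying, a `GET` of `<context>/application.wadl` should return 404 instead of the resource listing; checking that is a cheap way to confirm the property actually took effect.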

I would have to check the exceptions that showed up, even though the wadl endpoint worked with these warnings. We do use jaxb for legacy support, but don't use wadl, as we have added OpenAPI annotations instead.

paulrutter avatar Aug 17 '23 15:08 paulrutter

The exceptions:

[2023-07-12 20:05:18] Failed to generate the schema for the JAX-B elements com.sun.xml.internal.bind.v2.runtime.IllegalAnnotationsException: 25 counts of IllegalAnnotationExceptions

paulrutter avatar Aug 18 '23 17:08 paulrutter

Please don't break applications for other people.

minfrin avatar Nov 27 '23 21:11 minfrin