JAX-RS deserializes a non boolean value in a JSON request as false
Describe the bug
Validation of boolean fields in the received HTTP request JSON body seems to be broken for boolean values.
If a JSON field deserializes to a boolean field, any non-boolean value in the received JSON is deserialized as false, while the request should be refused with a Bad Request error (400).
Note that it is impossible to distinguish between a valid response having false as the field value, and an invalid request. This could cause unwanted API behaviors.
To Reproduce
Given the following sample controller:
@POST
@Path("/myEndPoint")
public Response myEndPoint(final MyEndPointBean postData) {
    // postData has already been deserialized from the JSON body here
    ...
}
and the following bean:
public class MyEndPointBean {
    private Boolean myBoolean;

    public Boolean getMyBoolean() { return myBoolean; }

    public void setMyBoolean(Boolean myBoolean) { this.myBoolean = myBoolean; }
}
If a POST with an INVALID boolean value is sent, like the following one:
POST /myEndPoint HTTP/1.1
Content-Type: application/json

{
    "myBoolean": "notABoolean"
}
the field myBoolean is deserialized as false.

Expected behavior
The expected behavior is that the controller refuses the value, returning a bad request response.
Target Environment:
- X64 Laptop
- OS version: Ubuntu 20.04 LTS
- Kura compiled from master
Hi @robertodamiani, the configuration of the Gson serializer should be performed by the com.eclipsesource.jaxrs.provider.gson bundle, see [1].
Maybe it is possible to change the serialization configuration by getting a reference to the GsonProvider instance, which should be registered as an OSGi service, and provide a custom Gson instance by calling the setGson [2] method.
[1] https://github.com/hstaudacher/osgi-jax-rs-connector/blob/master/bundles/com.eclipsesource.jaxrs.provider.gson/src/com/eclipsesource/jaxrs/provider/gson/GsonProvider.java
[2] https://github.com/hstaudacher/osgi-jax-rs-connector/blob/745ebabced77e50170fbc117825caf2fc8276ebd/bundles/com.eclipsesource.jaxrs.provider.gson/src/com/eclipsesource/jaxrs/provider/gson/GsonProvider.java#L38

Maybe you can also try registering custom MessageBodyReader/MessageBodyWriter instances specific to your beans, without changing the global instance. I think you will have to register them as OSGi services as com.eclipsesource.jaxrs.provider.gson does to have them picked up by the runtime.