JAX-RS deserializes a non boolean value in a JSON request as false

Open robertodamiani opened this issue 3 years ago • 2 comments

Describe the bug

Boolean fields validation in received HTTP request JSON body seems to be broken for boolean values.

If a JSON field deserializes to a boolean field, any non-boolean value in the received JSON is deserialized as false, while the request should be refused with a Bad Request error (400).

Note that it is impossible to distinguish between a valid response having false as the field value and an invalid request. This could cause unwanted API behavior.

To Reproduce

Given the following sample controller:

// JAX-RS takes the path from @Path; @POST has no value attribute
@POST
@Path("/myEndPoint")
public Response myEndPoint( final MyEndPointBean postData ) {
    ...
}

and the following bean:

public class MyEndPointBean {
    private Boolean myBoolean;

    // accessors must be public, and the setter returns nothing
    public Boolean getMyBoolean(){ ... }
    public void setMyBoolean(...){ ... }
}

If a POST with an INVALID boolean value is sent, like the following one:

POST /myEndPoint HTTP/1.1
Content-Type: application/json

{
  "myBoolean": "notABoolean"
}

the field myBoolean is deserialized as false.

Expected behavior

The expected behavior is that the controller refuses the value, returning a bad request response.

Target Environment:

  • X64 Laptop
  • OS version: Ubuntu 20.04 LTS
  • Kura compiled from master

robertodamiani, Apr 28 '21 15:04

Hi @robertodamiani, the configuration of the Gson serializer should be performed by the com.eclipsesource.jaxrs.provider.gson bundle, see [1].

Maybe it is possible to change the serialization configuration by getting a reference to the GsonProvider instance, which should be registered as an OSGi service, and provide a custom Gson instance by calling the setGson [2] method.

[1] https://github.com/hstaudacher/osgi-jax-rs-connector/blob/master/bundles/com.eclipsesource.jaxrs.provider.gson/src/com/eclipsesource/jaxrs/provider/gson/GsonProvider.java

[2] https://github.com/hstaudacher/osgi-jax-rs-connector/blob/745ebabced77e50170fbc117825caf2fc8276ebd/bundles/com.eclipsesource.jaxrs.provider.gson/src/com/eclipsesource/jaxrs/provider/gson/GsonProvider.java#L38

nicolatimeus, Apr 29 '21 08:04

Maybe you can also try registering custom MessageBodyReader/MessageBodyWriter instances specific to your beans, without changing the global instance. I think you will have to register them as OSGi services as com.eclipsesource.jaxrs.provider.gson does to have them picked up by the runtime.

nicolatimeus, Apr 29 '21 08:04
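
One way to build the custom Gson instance suggested in the first reply, as an added example that is not code from this thread, from Kura or from osgi-jax-rs-connector: a strict Boolean adapter that rejects any token other than true, false or null, shown next to the default coercion on the request body from the issue. The names StrictBooleanDemo, STRICT_BOOLEAN and strictGson are hypothetical; it is assumed that the resulting Gson is what would be passed to setGson, and that turning the JsonSyntaxException into a 400 response is handled separately by the reader or an exception mapper.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;
import com.google.gson.TypeAdapter;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonToken;
import com.google.gson.stream.JsonWriter;
import java.io.IOException;
public class StrictBooleanDemo {
    // Accepts only JSON true, false or null. Gson's built-in Boolean adapter
    // also accepts strings and maps anything other than "true" to false.
    static final TypeAdapter<Boolean> STRICT_BOOLEAN = new TypeAdapter<Boolean>() {
        @Override
        public Boolean read(JsonReader in) throws IOException {
            JsonToken token = in.peek();
            if (token == JsonToken.NULL) {
                in.nextNull();
                return null;
            }
            if (token != JsonToken.BOOLEAN) {
                throw new JsonSyntaxException(
                        "Expected a JSON boolean but found " + token + " at " + in.getPath());
            }
            return in.nextBoolean();
        }
        @Override
        public void write(JsonWriter out, Boolean value) throws IOException {
            if (value == null) { out.nullValue(); } else { out.value(value.booleanValue()); }
        }
    };

    // Constructed stand-in for the bean in the issue.
    static class MyEndPointBean { Boolean myBoolean; }

    // Registers the strict adapter for both the wrapper and the primitive type.
    static Gson strictGson() {
        return new GsonBuilder().registerTypeAdapter(Boolean.class, STRICT_BOOLEAN)
                .registerTypeAdapter(boolean.class, STRICT_BOOLEAN).create();
    }

    public static void main(String[] args) {
        String body = "{\"myBoolean\": \"notABoolean\"}"; // constructed request body
        // Default Gson: the string is silently coerced to false.
        System.out.println(new Gson().fromJson(body, MyEndPointBean.class).myBoolean);
        try {
            strictGson().fromJson(body, MyEndPointBean.class);
        } catch (JsonSyntaxException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the strict adapter, a genuine false and a malformed value no longer collapse into the same bean state, which is the ambiguity the issue describes.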