Question/potential issue with org.jboss.resteasy.microprofile.client.DefaultResponseExceptionMapper
by Jim Krueger
Hi,
We are changing Open Liberty to use the rest-jakarta protocol in Arquillian instead of servlet-jakarta for running the MicroProfile TCKs. This has resulted in some problems in the MicroProfile Rest Client TCK tests involving redirects. When REST is used instead of Servlet, a "sanitized" WebApplicationException is being returned rather than the Response object, which only occurs when a request is handled by RESTEasy. This is due to code added to the org.jboss.resteasy.microprofile.client.DefaultResponseExceptionMapper under https://github.com/resteasy/resteasy/pull/2632 to address a potential vulnerability. I know you are also working on switching RESTEasy / WildFly TCK testing to use the rest-jakarta protocol. I would expect you would see this same issue in your testing.
I have been attempting to understand the change in your PR I've listed above, specifically why it was necessary to add the 300 series status codes as a trigger to use this DefaultResponseExceptionMapper. It makes sense that a 400 or greater response code should be handled in this manner, but I'm having difficulty understanding how returning the response object when a 300 series status is received causes a potential problem. Especially since this appears to prevent Redirect scenarios involving Rest clients instead of Servlets from working.
Here is a list of the MP Rest Client TCK tests that are failing using REST vs. Servlet:
[junit] TCK TESTS THAT DID NOT PASS:
[junit] test303Default
[junit] test302Default
[junit] test307Default
[junit] test301Default
[junit] test301Default
[junit] test302Default
[junit] test303Default
[junit] test307Default
[junit] testPropagationOfResponseDetailsFromDefaultMapper
Thanks