Hi Jim,
It does seem odd that the DefaultResponseExceptionMapper is triggered on a 3xx status code. However, I also think it makes sense to only wrap exceptions if they are 400 or greater. I filed an issue for that [1] and will look at the RESTEasy core side too.

We are currently not using the REST protocol for any TCKs or tests. In WildFly the REST subsystem currently has a hard requirement on servlet. This is something we want to look at changing, but not something we've looked at. Undertow is currently the only HTTP server available in WildFly and it provides servlet by default.

[1]: https://github.com/resteasy/resteasy-microprofile/issues/94

On Thu, Sep 1, 2022 at 9:13 AM Jim Krueger <jim_krueger@us.ibm.com> wrote:
Hi,
We are changing Open Liberty to use the rest-jakarta protocol in Arquillian instead of servlet-jakarta for running the MicroProfile TCKs. This has resulted in some problems in the MicroProfile Rest Client TCK tests involving redirects. When REST is used instead of Servlet a "sanitized" WebApplicationException is being returned rather than the Response object, which only occurs within a request that is handled by RESTEasy. This is due to code added to the org.jboss.resteasy.microprofile.client.DefaultResponseExceptionMapper under https://github.com/resteasy/resteasy/pull/2632 to address a potential vulnerability. I know you are also working on switching RESTEasy / WildFly TCK testing to use the rest-jakarta protocol. I would expect you would see this same issue in your testing.

I have been attempting to understand the change in your PR I've listed above, specifically why it was necessary to add the 300 series status codes as a trigger to use this DefaultResponseExceptionMapper. It makes sense that a 400 or greater response code should be handled in this manner, but I'm having difficulty understanding how returning the response object when a 300 series status is received causes a potential problem. Especially since this appears to prevent Redirect scenarios involving Rest clients instead of Servlets from working.

Here is a list of the MP Rest Client TCK tests that are failing using REST vs. Servlet:
    [junit] TCK TESTS THAT DID NOT PASS:
    [junit]                                test303Default
    [junit]                                test302Default
    [junit]                                test307Default
    [junit]                                test301Default
    [junit]                                test301Default
    [junit]                                test302Default
    [junit]                                test303Default
    [junit]                                test307Default
    [junit]                                testPropagationOfResponseDetailsFromDefaultMapper

Thanks

--
James R. Perkins
JBoss by Red Hat