Update to JERSEY-2637: sensitive params can be exposed in logs even for POST requests

 - Changed default behaviour (as was in previous versions)
 - Added an option to disable injecting query params via @FormParam

Change-Id: I3364188abacc327158b5e7e08ef08a60fc94cee4
Signed-off-by: Michal Gajdos <[email protected]>

Author: Michal Gajdos

containers/jersey-servlet-core/src/main/java/org/glassfish/jersey/servlet/ServletProperties.java

@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2012-2014 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012-2015 Oracle and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -39,9 +39,10 @@
  */
 package org.glassfish.jersey.servlet;
 
-import org.glassfish.hk2.api.ServiceLocator;
 import org.glassfish.jersey.internal.util.PropertiesClass;
 
+import org.glassfish.hk2.api.ServiceLocator;
+
 /**
  * Jersey servlet container configuration properties.
  *
@@ -51,28 +52,27 @@
 public final class ServletProperties {
 
     /**
-     * If set the regular expression is used to match an incoming servlet path URI
-     * to some web page content such as static resources or JSPs to be handled
-     * by the underlying servlet engine.
-     * <p></p>
+     * If set, indicates the URL pattern of the Jersey servlet filter context path.
+     * <p>
+     * If the URL pattern of a filter is set to a base path and a wildcard,
+     * such as "/base/*", then this property can be used to declare a filter
+     * context path that behaves in the same manner as the Servlet context
+     * path for determining the base URI of the application. (Note that with
+     * the Servlet 2.x API it is not possible to determine the URL pattern
+     * without parsing the {@code web.xml}, hence why this property is necessary.)
+     * <p>
      * The property is only applicable when {@link ServletContainer Jersey servlet
-     * container} is configured to run as a {@link javax.servlet.Filter}, otherwise
-     * this property will be ignored. If a servlet path matches this regular
-     * expression then the filter forwards the request to the next filter in the
-     * filter chain so that the underlying servlet engine can process the request
-     * otherwise Jersey will process the request. For example if you set the value
-     * to {@code /(image|css)/.*} then you can serve up images and CSS files
-     * for your Implicit or Explicit Views while still processing your JAX-RS
-     * resources.
-     * <p></p>
-     * The type of this property must be a String and the value must be a valid
-     * regular expression.
+     * container} is configured to run as a {@link javax.servlet.Filter}, otherwise this property
+     * will be ignored.
+     * <p>
+     * The value of the property may consist of one or more path segments separate by
+     * {@code '/'}.
      * <p></p>
      * A default value is not set.
      * <p></p>
      * The name of the configuration property is <tt>{@value}</tt>.
      */
-    public static final String FILTER_STATIC_CONTENT_REGEX = "jersey.config.servlet.filter.staticContentRegex";
+    public static final String FILTER_CONTEXT_PATH = "jersey.config.servlet.filter.contextPath";
 
     /**
      * If set to {@code true} and a 404 response with no entity body is returned
@@ -100,27 +100,28 @@ public final class ServletProperties {
     public static final String FILTER_FORWARD_ON_404 = "jersey.config.servlet.filter.forwardOn404";
 
     /**
-     * If set, indicates the URL pattern of the Jersey servlet filter context path.
-     * <p>
-     * If the URL pattern of a filter is set to a base path and a wildcard,
-     * such as "/base/*", then this property can be used to declare a filter
-     * context path that behaves in the same manner as the Servlet context
-     * path for determining the base URI of the application. (Note that with
-     * the Servlet 2.x API it is not possible to determine the URL pattern
-     * without parsing the {@code web.xml}, hence why this property is necessary.)
-     * <p>
+     * If set the regular expression is used to match an incoming servlet path URI
+     * to some web page content such as static resources or JSPs to be handled
+     * by the underlying servlet engine.
+     * <p></p>
      * The property is only applicable when {@link ServletContainer Jersey servlet
-     * container} is configured to run as a {@link javax.servlet.Filter}, otherwise this property
-     * will be ignored.
-     * <p>
-     * The value of the property may consist of one or more path segments separate by
-     * {@code '/'}.
+     * container} is configured to run as a {@link javax.servlet.Filter}, otherwise
+     * this property will be ignored. If a servlet path matches this regular
+     * expression then the filter forwards the request to the next filter in the
+     * filter chain so that the underlying servlet engine can process the request
+     * otherwise Jersey will process the request. For example if you set the value
+     * to {@code /(image|css)/.*} then you can serve up images and CSS files
+     * for your Implicit or Explicit Views while still processing your JAX-RS
+     * resources.
+     * <p></p>
+     * The type of this property must be a String and the value must be a valid
+     * regular expression.
      * <p></p>
      * A default value is not set.
      * <p></p>
      * The name of the configuration property is <tt>{@value}</tt>.
      */
-    public static final String FILTER_CONTEXT_PATH = "jersey.config.servlet.filter.contextPath";
+    public static final String FILTER_STATIC_CONTENT_REGEX = "jersey.config.servlet.filter.staticContentRegex";
 
     /**
      * Application configuration initialization property whose value is a fully
@@ -148,6 +149,20 @@ public final class ServletProperties {
      */
     public static final String PROVIDER_WEB_APP = "jersey.config.servlet.provider.webapp";
 
+    /**
+     * If {@code true} then query parameters will not be treated as form parameters (e.g. injectable using
+     * {@link javax.ws.rs.FormParam}) in case a Form request is processed by server.
+     * <p>
+     * The default value is {@code false}.
+     * </p>
+     * <p>
+     * The name of the configuration property is <tt>{@value}</tt>.
+     * </p>
+     *
+     * @since 2.16
+     */
+    public static final String QUERY_PARAMS_AS_FORM_PARAMS_DISABLED = "jersey.config.servlet.form.queryParams.disabled";
+
     /**
      * Identifies the object that will be used as a parent {@link ServiceLocator} in the Jersey
      * {@link WebComponent}.

containers/jersey-servlet-core/src/main/java/org/glassfish/jersey/servlet/WebComponent.java

@@ -61,6 +61,7 @@
 import javax.ws.rs.RuntimeType;
 import javax.ws.rs.core.Form;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 
@@ -273,29 +274,40 @@ public void dispose(final WebConfig instance) {
      * Jersey application handler.
      */
     final ApplicationHandler appHandler;
+
     /**
      * Jersey background task scheduler - used for scheduling request timeout event handling tasks.
      */
     final ScheduledExecutorService backgroundTaskScheduler;
+
     /**
      * Web component configuration.
      */
     final WebConfig webConfig;
+
     /**
      * If {@code true} and deployed as filter, the unmatched requests will be forwarded.
      */
     final boolean forwardOn404;
+
     /**
      * Cached value of configuration property
      * {@link org.glassfish.jersey.server.ServerProperties#RESPONSE_SET_STATUS_OVER_SEND_ERROR}.
      * If {@code true} method {@link HttpServletResponse#setStatus} is used over {@link HttpServletResponse#sendError}.
      */
     final boolean configSetStatusOverSendError;
+
     /**
      * Asynchronous context delegate provider.
      */
     private final AsyncContextDelegateProvider asyncExtensionDelegate;
 
+    /**
+     * Flag whether query parameters should be kept as entity form params if a servlet filter consumes entity and
+     * Jersey has to retrieve form params from servlet request parameters.
+     */
+    private final boolean queryParamsAsFormParams;
+
     /**
      * Create and initialize new web component instance.
      *
@@ -318,13 +330,15 @@ public WebComponent(final WebConfig webConfig, ResourceConfig resourceConfig) th
         final AbstractBinder webComponentBinder = new WebComponentBinder(resourceConfig.getProperties());
         resourceConfig.register(webComponentBinder);
 
-        ServiceLocator locator = (ServiceLocator) webConfig.getServletContext().getAttribute(ServletProperties.SERVICE_LOCATOR);
+        final ServiceLocator locator = (ServiceLocator) webConfig.getServletContext()
+                .getAttribute(ServletProperties.SERVICE_LOCATOR);
 
         this.appHandler = new ApplicationHandler(resourceConfig, webComponentBinder, locator);
 
         this.asyncExtensionDelegate = getAsyncExtensionDelegate();
         this.forwardOn404 = webConfig.getConfigType().equals(WebConfig.ConfigType.FilterConfig)
                 && resourceConfig.isProperty(ServletProperties.FILTER_FORWARD_ON_404);
+        this.queryParamsAsFormParams = !resourceConfig.isProperty(ServletProperties.QUERY_PARAMS_AS_FORM_PARAMS_DISABLED);
         this.configSetStatusOverSendError = ServerProperties.getValue(resourceConfig.getProperties(),
                 ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR, false, Boolean.class);
         this.backgroundTaskScheduler = appHandler.getServiceLocator()
@@ -561,14 +575,17 @@ private void filterFormParameters(final HttpServletRequest servletRequest, final
             final String queryString = servletRequest.getQueryString();
             final List<String> queryParams = queryString != null ? getDecodedQueryParamList(queryString) : Collections.<String>emptyList();
 
+            final boolean keepQueryParams = queryParamsAsFormParams || queryParams.isEmpty();
+            final MultivaluedMap<String, String> formMap = form.asMap();
+
             while (parameterNames.hasMoreElements()) {
                 final String name = (String) parameterNames.nextElement();
                 final List<String> values = Arrays.asList(servletRequest.getParameterValues(name));
 
-                form.asMap().put(name, queryParams.isEmpty() ? values : filterQueryParams(name, values, queryParams));
+                formMap.put(name, keepQueryParams ? values : filterQueryParams(name, values, queryParams));
             }
 
-            if (!form.asMap().isEmpty()) {
+            if (!formMap.isEmpty()) {
                 containerRequest.setProperty(InternalServerProperties.FORM_DECODED_PROPERTY, form);
 
                 if (LOGGER.isLoggable(Level.WARNING)) {

core-common/src/main/java/org/glassfish/jersey/ExtendedConfig.java

@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2012 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012-2015 Oracle and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -47,6 +47,7 @@
  * @author Marek Potociar (marek.potociar at oracle.com)
  */
 public interface ExtendedConfig extends Configuration {
+
     /**
      * Get the value of the property with a given name converted to {@code boolean}.
      * Returns {@code false} if the value is not convertible.

docs/src/main/docbook/appendix-properties.xml

@@ -496,6 +496,99 @@
         </table>
     </section>
 
+    <section xml:id="appendix-properties-servlet">
+        <title>Servlet configuration properties</title>
+
+        <para>
+            List of servlet configuration properties that can be found in &jersey.servlet.ServletProperties; class.
+        </para>
+
+        <table>
+            <title>List of servlet configuration properties</title>
+            <tgroup cols="3">
+                <thead>
+                    <row>
+                        <entry>Constant</entry>
+                        <entry>Value</entry>
+                        <entry>Description</entry>
+                    </row>
+                </thead>
+                <tbody>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.FILTER_CONTEXT_PATH;</entry>
+                        <entry><literal>jersey.config.servlet.filter.contextPath</literal></entry>
+                        <entry>
+                            <para>
+                                If set, indicates the URL pattern of the Jersey servlet filter context path.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.FILTER_FORWARD_ON_404;</entry>
+                        <entry><literal>jersey.config.servlet.filter.forwardOn404</literal></entry>
+                        <entry>
+                            <para>
+                                If set to <literal>true</literal> and a 404 response with no entity body is returned from either
+                                the runtime or the application then the runtime forwards the request to the next filter in the
+                                filter chain. This enables another filter or the underlying servlet engine to process the request.
+                                Before the request is forwarded the response status is set to 200.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.FILTER_STATIC_CONTENT_REGEX;</entry>
+                        <entry><literal>jersey.config.servlet.filter.staticContentRegex</literal></entry>
+                        <entry>
+                            <para>
+                                If set the regular expression is used to match an incoming servlet path URI to some web page
+                                content such as static resources or JSPs to be handled by the underlying servlet engine.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.JAXRS_APPLICATION_CLASS;</entry>
+                        <entry><literal>javax.ws.rs.Application</literal></entry>
+                        <entry>
+                            <para>
+                                Application configuration initialization property whose value is a fully qualified class name of a
+                                class that implements JAX-RS Application.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.PROVIDER_WEB_APP;</entry>
+                        <entry><literal>jersey.config.servlet.provider.webapp</literal></entry>
+                        <entry>
+                            <para>
+                                Indicates that Jersey should scan the whole web app for application-specific resources and
+                                providers.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.QUERY_PARAMS_AS_FORM_PARAMS_DISABLED;</entry>
+                        <entry><literal>jersey.config.servlet.form.queryParams.disabled</literal></entry>
+                        <entry>
+                            <para>
+                                If <literal>true</literal> then query parameters will not be treated as form parameters
+                                (e.g. injectable using @FormParam) in case a Form request is processed by server.
+                            </para>
+                        </entry>
+                    </row>
+                    <row>
+                        <entry>&jersey.servlet.ServletProperties.SERVICE_LOCATOR;</entry>
+                        <entry><literal>jersey.config.servlet.context.serviceLocator</literal></entry>
+                        <entry>
+                            <para>
+                                Identifies the object that will be used as a parent ServiceLocator in the Jersey WebComponent.
+                            </para>
+                        </entry>
+                    </row>
+                </tbody>
+            </tgroup>
+        </table>
+    </section>
+
     <section xml:id="appendix-properties-client">
         <title>Client configuration properties</title>
 

docs/src/main/docbook/deployment.xml

@@ -908,7 +908,7 @@ public class MyApplication extends ResourceConfig {
             <title>Jersey Servlet container modules</title>
 
             <para>
-                Jersey uses its own <literal>&jersey.containers.ServletContainer;</literal> implementation of Servlet and
+                Jersey uses its own <literal>&jersey.servlet.ServletContainer;</literal> implementation of Servlet and
                 Servlet Filter API to integrate with Servlet containers. As any JAX-RS runtime, Jersey provides support
                 for Servlet containers that support Servlet specification version 2.5 and higher. To support JAX-RS 2.0
                 asynchronous resources on top of a Servlet container, support for Servlet specification version 3.0 or higher