POST disabled in JBOSS EAP 7

1

I have implemented a service with JAX-RS that has GET and POST operations:

@Path("/funcionario")
@Singleton
public class FuncionarioService {
    private List<Funcionario> funcionarios = new ArrayList<>();

    @GET
    @Path("/{nome}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response buscarFuncionario(@PathParam(value = "nome") String nome) {
        for (Funcionario funcionario : funcionarios) {
            if (funcionario.getNome().equals(nome))
                return Response.ok(funcionario.toJSON()).build();
        }
        return Response.status(404).build();
    }

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces({ MediaType.APPLICATION_JSON })
    public Response criarFuncionario(Funcionario funcionario, @Context UriInfo uriInfo) throws URISyntaxException {
        Boolean criado = criar(funcionario);
        URI location = uriInfo.getAbsolutePathBuilder().path(funcionario.getNome()).build();
        if (criado) {
            return Response.created(location).build();
        } else {
            return Response.status(HttpStatus.SEE_OTHER_303.getStatusCode()).location(location).build();
        }
    }
}

When I call the GET method, I get the expected resource response not found:

curl -XGET http://localhost:8080/servicorestfuljee/funcionario/giuliana --verbose
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /funcionario/giuliana HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: JBoss-EAP/7
< Content-Length: 74
< Content-Type: text/html
< Date: Fri, 05 Oct 2018 11:51:47 GMT

In order to support authentication, I created a user named user with password through the script located at $JBOSS_HOME/bin/add-user.sh by adding this user to the user group >.

After that, I added the security for my services to the web.xml file, so they request a password every time they are accessed:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>servicorestfuljee</web-resource-name>
        <url-pattern>/funcionario/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>POST</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

Now, if I try to access the service without a password, I'll get the error 401:

curl -XGET http://localhost:8080/servicorestfuljee/funcionario/giuliana --verbose
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /servicorestfuljee/funcionario/giuliana HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: JBoss-EAP/7
< Pragma: no-cache
< Date: Fri, 05 Oct 2018 12:12:27 GMT
< Connection: keep-alive
< WWW-Authenticate: Basic realm="ApplicationRealm"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71

Informing the user and password, I can access the GET method:

curl -XGET http://localhost:8080/servicorestfuljee/funcionario/giuliana -u user:password --verbose
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET /servicorestfuljee/funcionario/giuliana HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: JBoss-EAP/7
< Pragma: no-cache
< Date: Fri, 05 Oct 2018 12:16:12 GMT
< Connection: keep-alive
< Content-Type: text/html;charset=UTF-8
< Content-Length: 68

But if I try to access POST, I get error 405:

curl --header "Content-Type: application/json" -XPOST --data '{"nome": "giuliana","idade": 20, "cargo": "arquiteta de software"}' http://localhost:8080/servicorestfuljee/funcionario --verbose -u user:password
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> POST /servicorestfuljee/funcionario HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 66
> 
* upload completely sent off: 66 out of 66 bytes
< HTTP/1.1 405 Method Not Allowed
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: JBoss-EAP/7
< Pragma: no-cache
< Date: Fri, 05 Oct 2018 12:16:46 GMT
< Connection: keep-alive
< Content-Type: text/html;charset=UTF-8
< Content-Length: 104

I looked in the JBoss EAP 7 documentation for something to configure the available HTTP methods, but I did not find much. How can I fix this problem in a secure way?

    
asked by anonymous 05.10.2018 / 14:21

1 answer

1

The problem occurred because the responsible for exposing these endpoints was missing in JBoss, which is Application:

package br.gov.dataprev.servicorestfuljavaee;

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

@ApplicationPath("api")
public class JAXRSConfiguration extends Application {

}

After executing mvn clean package , the package was being generated with "-1.0" and therefore nothing was accessible by path servicorestfuljee !

With these changes you could access the post by the correct URL:

curl --header "Content-Type: application/json" -XPOST --data '{"nome": "giuliana","idade": 20, "cargo": "arquiteta de software"}' http://localhost:8080/servicorestfuljee-1.0/api/funcionario --verbose -u user:password
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> POST /servicorestfuljee-1.0/api/funcionario HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 66
> 
* upload completely sent off: 66 out of 66 bytes
< HTTP/1.1 201 Created
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: JBoss-EAP/7
< Pragma: no-cache
< Location: http://localhost:8080/servicorestfuljee-1.0/api/funcionario/giuliana
< Date: Fri, 05 Oct 2018 13:43:46 GMT
< Connection: keep-alive
< Content-Length: 0
    
05.10.2018 / 15:48