Bug Report: Unable to completely disable openapi and wadl #6721

Closed
sanchezfauste opened this issue May 14, 2024 · 2 comments
Labels
Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Bug Label issue as a bug defect

Comments

@sanchezfauste

Brief Summary

I'm trying to completely disable openapi and wadl using this asadmin command:

set-openapi-configuration --enabled=false

But wadl endpoints are not disabled correctly and openapi endpoint is giving error 403 instead of 404.

Expected Outcome

If I disable openapi the expected behaviour is that all openapi paths return a 404 error. These paths must not exist if openapi feature is disabled:

GET     /openapi/
GET     /openapi/application.wadl
GET     /v1/application.wadl

I think that the actual 403 error is giving too much information in terms of security. An attacker can know that we are using Payara Micro.

Current Outcome

openapi endpoint:

GET /openapi

Gives:

<html xmlns="http://www.w3.org/1999/xhtml">
    <body>
        <h1>HTTP Status 403 - MicroProfile OpenAPI Service is disabled.</h1>
        <hr/>
        <p>
            <b>type</b>
            Status report
        </p>
        <p>
            <b>message</b>
            MicroProfile OpenAPI Service is disabled.
        </p>
        <p>
            <b>description</b>
            Access to the specified resource has been forbidden.
        </p>
        <hr/>
        <h3>Payara Micro #badassfish</h3>
    </body>
</html>

wadl endpoint:

GET /openapi/application.wadl

Gives:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 3.1.5.payara-p1 2024-02-06 13:28:35"/>
    <doc xmlns:jersey="http://jersey.java.net/" jersey:hint="This is simplified WADL with user and core resources only. To get full WADL with extended resources use the query parameter detail. Link: http://****/openapi/application.wadl?detail=true"/>
    <grammars/>
    <resources base="http://****/openapi/">
        <resource path="/">
            <method id="getResponse" name="GET">
                <response>
                    <representation mediaType="text/plain"/>
                    <representation mediaType="application/json"/>
                </response>
            </method>
        </resource>
    </resources>
</application>

And application wadl:

GET /v1/application.wadl

Is giving error 500:

java.lang.NullPointerException: Cannot invoke "org.glassfish.jersey.server.wadl.WadlApplicationContext.isWadlGenerationEnabled()" because "this.wadlContext" is null

Reproducer

I'm trying to completely disable openapi and wadl using --prebootcommandfile with this asadmin command:

set-openapi-configuration --enabled=false

And disabling wadl on application:

import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;
import org.glassfish.jersey.server.ServerProperties;

import java.util.Map;

@ApplicationPath("v1")
public class ApplicationConfig extends Application {
    @Override
    public Map<String, Object> getProperties() {
        return Map.of(
                ServerProperties.WADL_FEATURE_DISABLE, "true"
        );
    }
}

Operating System

Ubuntu 22.04.4 LTS

JDK Version

Zulu17.48+15-CA (build 17.0.10+7-LTS)

Payara Distribution

Payara Micro
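An added verification check (not part of the issue or of Payara/Jersey) that a deployment pipeline can run after disabling OpenAPI and WADL: it probes the three paths named above and classifies each response, so the three outcomes reported here (a 403 that names the product, a WADL document still being generated, and a 500) each fail the check instead of passing unnoticed. The fake fetcher and its responses are constructed from this report; `urllib_fetch` is a hypothetical helper for a live host.

```python
"""Post-hardening check for the OpenAPI/WADL paths from the issue.
Added example; classifies responses so that anything other than a
404 on these paths is surfaced as a finding."""
import urllib.request
import urllib.error

PATHS = ["/openapi", "/openapi/application.wadl", "/v1/application.wadl"]


def classify(status: int, body: str) -> str:
    """Map a (status, body) pair to a finding label; only 404 is 'ok'."""
    if status == 404:
        return "ok"
    if status == 403 and "Payara" in body:
        return "banner-disclosure"   # error page reveals the product
    if status == 200 and "wadl.dev.java.net" in body:
        return "wadl-exposed"        # WADL is still being generated
    if status >= 500:
        return "server-error"        # e.g. the NPE reported above
    return "unexpected"


def check_endpoints(fetch) -> dict:
    """fetch(path) -> (status, body). Returns {path: finding}."""
    return {path: classify(*fetch(path)) for path in PATHS}


def urllib_fetch(base_url: str):
    """Hypothetical live fetcher; returns (status, body) for a path."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    return fetch


# Constructed responses mirroring the three outcomes reported above.
FAKE_RESPONSES = {
    "/openapi": (403, "<h1>HTTP Status 403 - MicroProfile OpenAPI Service "
                      "is disabled.</h1><h3>Payara Micro #badassfish</h3>"),
    "/openapi/application.wadl": (200, '<application xmlns='
                                       '"http://wadl.dev.java.net/2009/02"/>'),
    "/v1/application.wadl": (500, "java.lang.NullPointerException"),
}


def fake_fetch(path):
    return FAKE_RESPONSES[path]


if __name__ == "__main__":
    for path, finding in check_endpoints(fake_fetch).items():
        print(f"{path}: {finding}")
```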

@sanchezfauste sanchezfauste added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Bug Label issue as a bug defect labels May 14, 2024
@artur-mal

I understand your concern. According to the Payara server documentation, when the OpenAPI service is disabled, the /openapi endpoint will always return a 403 error and any applications deployed during this period will not have an OpenAPI document built. Enabling the service again will not cause documents to be built for any currently deployed applications.

This behavior is by design and it seems to be the cause of the 403 error you’re seeing when you disable the OpenAPI service. I understand that you would prefer a 404 error for security reasons, but the current implementation of Payara Server does not support this.

@sanchezfauste
Author

What about wadl endpoints? These endpoints are still working with the openapi feature disabled. Is it possible to disable wadl endpoints?
