JAX-RS 2: ensure your server providers are not used on client side!


Since JAX-RS 1, and even more so with JAX-RS 2, developers have been writing JAX-RS providers.

The most common ones (de)serialize the request/response payloads, but you can now do much more: switch the input stream, update the output stream, filter the request/response, etc.

Going further in this API, you’ll realize you can filter input/output on both the server side and the client side (for instance you can write a ClientRequestFilter and a ContainerRequestFilter). Generally the client and server APIs are close, but each is adapted to the “side” where the provider works.

However, how can we ensure we didn’t mess things up by configuring a client provider on a server?

The specification doesn’t provide an awesome solution to this issue. The main reason is probably that servers relying on scanning would almost always fail if this were strictly validated.

That said, the specification provides the @ConstrainedTo annotation to let developers document their @Provider implementations. This annotation simply takes a parameter marking the side on which the provider can be used (SERVER or CLIENT). If it is not present, the provider is assumed to work on both sides (in other words, no validation is done).

When @ConstrainedTo is set, the JAX-RS runtime is able to ensure only server (or client) providers are used.
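As an added illustration (not code from the original post or from TomEE), here are one client-only and one server-only provider, plus a small reflective check that applies the rule described above. The class names, the X-Request-Id header and the usableOn/rejected helpers are hypothetical; the helpers sketch the rule, not TomEE's implementation.

```java
import java.util.*;
import java.util.stream.Collectors;
import javax.ws.rs.ConstrainedTo;
import javax.ws.rs.RuntimeType;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

public class ConstrainedProviders {
    // Hypothetical client-only filter: tags outgoing calls with a request id.
    @Provider
    @ConstrainedTo(RuntimeType.CLIENT)
    public static class OutboundTraceFilter implements ClientRequestFilter {
        public void filter(ClientRequestContext ctx) {
            ctx.getHeaders().putSingle("X-Request-Id", UUID.randomUUID().toString());
        }
    }

    // Hypothetical server-only filter: rejects requests with no Authorization header.
    @Provider
    @ConstrainedTo(RuntimeType.SERVER)
    public static class RequireAuthFilter implements ContainerRequestFilter {
        public void filter(ContainerRequestContext ctx) {
            if (ctx.getHeaderString("Authorization") == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
        }
    }

    // Rule from the post: no @ConstrainedTo means the provider is accepted on both sides.
    static boolean usableOn(Class<?> provider, RuntimeType side) {
        ConstrainedTo c = provider.getAnnotation(ConstrainedTo.class);
        return c == null || c.value() == side;
    }

    // Returns the candidates that must not be registered on the given side.
    static List<Class<?>> rejected(List<Class<?>> candidates, RuntimeType side) {
        return candidates.stream().filter(c -> !usableOn(c, side)).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<Class<?>> scanned = Arrays.asList(OutboundTraceFilter.class, RequireAuthFilter.class);
        System.out.println("not SERVER providers: " + rejected(scanned, RuntimeType.SERVER));
    }
}
```

Run as a unit test over the providers an application registers, a check like this catches a client filter that ended up in a server deployment before the container does.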

In TomEE (the coming version 2) this annotation is validated on the server side. A misconfiguration will lead to a warning:

WARNING - class org.superbiz.LimitedMockClient is not a SERVER provider, ignoring

If you want to be stricter, just set the associated flag to make deployment fail:

openejb.jaxrs.fail-on-constrainedto = true

Once this flag is set, instead of the previous warning you’ll get an exception during deployment.

Provider scanning was one of the most requested features in TomEE, so it was added, but keep in mind you can still turn it off, if you want to control your JAX-RS runtime, by setting another flag to true:

cxf.jaxrs.skip-provider-scanning = true

Of course, once you have done so you will have to register the providers yourself, but it gives you more control, and you rarely have tons of providers in an application.
