Details
- Feature Request
- Resolution: Obsolete
- Major
- None
- 2.2.2.GA
- None
Description
When request parameters can't be parsed, the StringParameterInjector generates messages like:
Unable to extract parameter from http request: javax.ws.rs.QueryParam(\"domain\") value is 'abc'' for public abstract javax.ws.rs.core.Response com.mycompany.jaxrs.SearchResource.search(java.lang.String,java.lang.String,com.mycompany.Domain,java.util.List,java.util.List,com.mycompany.OrderBy,com.mycompany.SortOrder,java.lang.Integer,java.lang.Long,boolean,javax.ws.rs.core.UriInfo)"}
This reveals a lot of unnecessary information about the internal implementation that may be considered a security concern by some.
It would be great to either:
- sanitize this message so that it contains only the query param name (maybe log the full information, at debug level).
- add some kind of message formatting interface and allow us to set a @Provider that decides exactly how the message is formatted
- add a simple configuration flag that allows us to set 'dev_messages=false' (or similar) that causes the StringParameterInjector to omit param types and the target
Cheers!
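A sketch of the first option in the request (client sees only the parameter name, full text logged at debug level), as an added example that is not RESTEasy code or the reporter's. The class `ParamErrorSanitizer` and its method are hypothetical, and where it is called from (for instance an exception mapper registered by the application) is an assumption.

```java
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not part of RESTEasy): reduces a parameter-injection
// error to the parameter kind and name before it reaches the client.
public final class ParamErrorSanitizer {
    private static final Logger LOG = Logger.getLogger(ParamErrorSanitizer.class.getName());

    // Matches javax.ws.rs.QueryParam("domain"), with or without JSON-escaped quotes.
    // The name is restricted to a conservative character set before it is reflected.
    private static final Pattern PARAM = Pattern.compile(
            "javax\\.ws\\.rs\\.(Query|Path|Form|Header|Cookie|Matrix)Param"
            + "\\(\\\\?\"([A-Za-z0-9_.-]{1,64})\\\\?\"\\)");

    private ParamErrorSanitizer() {}

    public static String sanitize(String rawMessage) {
        // Full detail stays server-side at debug (FINE) level; line breaks are
        // flattened because the message embeds the client-supplied value.
        String forLog = rawMessage == null ? "null" : rawMessage.replaceAll("[\\r\\n]", " ");
        LOG.log(Level.FINE, "Parameter injection failed: {0}", forLog);
        if (rawMessage != null) {
            Matcher m = PARAM.matcher(rawMessage);
            if (m.find()) {
                String kind = m.group(1).toLowerCase(Locale.ROOT);
                return "Invalid value for " + kind + " parameter '" + m.group(2) + "'";
            }
        }
        // Unrecognized shape: never echo the raw text back to the client.
        return "Invalid request parameter";
    }

    public static void main(String[] args) {
        // Constructed sample, shortened from the message quoted in the report.
        String raw = "Unable to extract parameter from http request: "
                + "javax.ws.rs.QueryParam(\\\"domain\\\") value is 'abc'' for public abstract "
                + "javax.ws.rs.core.Response com.mycompany.jaxrs.SearchResource.search(java.lang.String)";
        System.out.println(sanitize(raw));
        System.out.println(sanitize("some other failure in com.mycompany.Internal"));
    }
}
```

The rejected value, the parameter types and the resource method signature are dropped from the response, and a message that does not match the expected shape falls back to a fixed string.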