Issue #6026 - Cleaning up warning for paths with uncovered HTTP methods

[joakime]

Closes #6026

Signed-off-by: Joakim Erdfelt joakim.erdfelt@gmail.com

[janbartel]

The log warn message is the wrong way around, it is the uncovered paths not methods, so it should be:

Suggested change

	LOG.warn("{} has paths with uncovered http methods: [{}]",
	LOG.warn("{} has uncovered http methods for paths: [{}]",

[joakime]

Yet the method name is checkPathsWithUncoveredHttpMethods ??

[janbartel]

Correct, we are reporting the uncovered paths not the uncovered methods.

[joakime]

Confusing.

• "has paths with uncovered http methods" - identifies paths, that has uncovered http methods
• "has uncovered http methods for paths" - identifies methods, that are not covered by the paths

Perhaps there's a 3rd choice that's less confusing. What does "uncovered http method" mean?

[sbordet]

Agree with @joakime here, the method name suggests the other way around.
Also, do we really want to use WARN? I don't think nothing happens if we hit this case, and we don't want to clog log files if repeated requests for this case happens?

[janbartel]

The name of the method is "checkPathsWithUncoveredMethods" - ie we are checking the paths for which there are uncovered methods. The logging is reporting the paths, not the methods - it would be incorrect to imply that we are reporting methods!

Furthermore, this warning is required by the servlet specification: your choice if you want to make it INFO instead of WARN, but the spec requires that we produce this warning at deployment time.

[joakime]

Is this the section of the spec this covers?

https://github.com/eclipse-ee4j/servlet-api/blob/5.0.0-RELEASE/spec/src/main/asciidoc/servlet-spec-body.adoc#handling-uncovered-http-methods

[janbartel]

Yes, this is the section. Please see comment by @gregw - we can enumerate the paths that are uncovered but not the methods.

[sbordet]

Agree with @joakime here, the method name suggests the other way around.
Also, do we really want to use WARN? I don't think nothing happens if we hit this case, and we don't want to clog log files if repeated requests for this case happens?

[gregw]

A bit of background.... the servlet spec is beyond brain dead here!

If an app has a security constraints:

• /foo/* with no methods specified
• /foo/bar/* for POST methods

Then a request to /foo/bar/info with any method other than POST is not constrained at all!!!! Hence the method is uncovered.
This is a real security issue and deserves a WARNING (at the very least)! Moreover, the methods uncovered are infinite and cannot be enumerated. Only the path specifications with uncovered methods can be enumerated.

So @janbartel is correct: there should be a warning that enumerates the paths. I kind of think we should also by default refuse to deploy.... but that's also contrary to the spec and going beyond the scope of this PR to just remove a noisy stack trace... which I agree gave no needed information.

[sbordet]

The boolean return value from checkPathsWithUncoveredHttpMethods() is never used, can it be changed without breaking?

[sbordet]

There is no need for String.join() as Set.toString() already formats like you want (external brackets and commas to separate items).

[joakime]

Done.

[joakime]

if we backport this to 9.4.x then removing the return value is a bad idea.
But for 10+ i'm fine with removing the return value.

[joakime]

Leaving it at WARN level.
Changed the message again, to be more like the original, but with better grammar.
The String.join was removed, in favor of Set.toString() instead.