prevent calling ServletRequest#getInputStream if FILTER_FORWARD_ON_404

connectors/apache-connector/src/main/java/org/glassfish/jersey/apache/connector/ApacheConnector.java

@@ -60,6 +60,7 @@
 import org.glassfish.jersey.client.innate.http.SSLParamConfigurator;
 import org.glassfish.jersey.client.spi.AsyncConnectorCallback;
 import org.glassfish.jersey.client.spi.Connector;
+import org.glassfish.jersey.innate.io.InputStreamWrapper;
 import org.glassfish.jersey.internal.util.PropertiesHelper;
 import org.glassfish.jersey.message.internal.HeaderUtils;
 import org.glassfish.jersey.message.internal.OutboundMessageContext;
@@ -890,7 +891,7 @@ protected void prepareSocket(SSLSocket socket) throws IOException {
         }
     }
 
-    private static class CancellableInputStream extends InputStream {
+    private static class CancellableInputStream extends InputStreamWrapper {
         private final InputStream in;
         private final Supplier<Boolean> isCancelled;
 
@@ -899,58 +900,17 @@ private CancellableInputStream(InputStream in, Supplier<Boolean> isCancelled) {
             this.isCancelled = isCancelled;
         }
 
-        public int read(byte b[]) throws IOException {
-            checkAborted();
-            return in.read();
-        }
-
-        public int read(byte b[], int off, int len) throws IOException {
-            checkAborted();
-            return in.read(b, off, len);
-        }
-
-        @Override
-        public int read() throws IOException {
-            checkAborted();
-            return in.read();
-        }
-
-        public boolean markSupported() {
-            return in.markSupported();
-        }
-
-        @Override
-        public long skip(long n) throws IOException {
-            checkAborted();
-            return in.skip(n);
-        }
-
-        @Override
-        public int available() throws IOException {
-            checkAborted();
-            return in.available();
-        }
-
         @Override
-        public void close() throws IOException {
-            in.close();
+        protected InputStream getWrapped() {
+            return in;
         }
 
         @Override
-        public void mark(int readlimit) {
-            in.mark(readlimit);
-        }
-
-        @Override
-        public void reset() throws IOException {
-            checkAborted();
-            in.reset();
-        }
-
-        private void checkAborted() throws IOException {
+        protected InputStream getWrappedIOE() throws IOException {
             if (isCancelled.get()) {
                 throw new IOException(new CancellationException());
             }
+            return in;
         }
     }
 }

connectors/apache5-connector/src/main/java/org/glassfish/jersey/apache5/connector/Apache5Connector.java

@@ -105,6 +105,7 @@
 import org.glassfish.jersey.client.innate.http.SSLParamConfigurator;
 import org.glassfish.jersey.client.spi.AsyncConnectorCallback;
 import org.glassfish.jersey.client.spi.Connector;
+import org.glassfish.jersey.innate.io.InputStreamWrapper;
 import org.glassfish.jersey.internal.util.PropertiesHelper;
 import org.glassfish.jersey.message.internal.HeaderUtils;
 import org.glassfish.jersey.message.internal.OutboundMessageContext;
@@ -894,7 +895,7 @@ protected void prepareSocket(SSLSocket socket) throws IOException {
         }
     }
 
-    private static class CancellableInputStream extends InputStream {
+    private static class CancellableInputStream extends InputStreamWrapper {
         private final InputStream in;
         private final Supplier<Boolean> isCancelled;
 
@@ -903,58 +904,17 @@ private CancellableInputStream(InputStream in, Supplier<Boolean> isCancelled) {
             this.isCancelled = isCancelled;
         }
 
-        public int read(byte b[]) throws IOException {
-            checkAborted();
-            return in.read();
-        }
-
-        public int read(byte b[], int off, int len) throws IOException {
-            checkAborted();
-            return in.read(b, off, len);
-        }
-
-        @Override
-        public int read() throws IOException {
-            checkAborted();
-            return in.read();
-        }
-
-        public boolean markSupported() {
-            return in.markSupported();
-        }
-
-        @Override
-        public long skip(long n) throws IOException {
-            checkAborted();
-            return in.skip(n);
-        }
-
-        @Override
-        public int available() throws IOException {
-            checkAborted();
-            return in.available();
-        }
-
         @Override
-        public void close() throws IOException {
-            in.close();
+        protected InputStream getWrapped() {
+            return in;
         }
 
         @Override
-        public void mark(int readlimit) {
-            in.mark(readlimit);
-        }
-
-        @Override
-        public void reset() throws IOException {
-            checkAborted();
-            in.reset();
-        }
-
-        private void checkAborted() throws IOException {
+        protected InputStream getWrappedIOE() throws IOException {
             if (isCancelled.get()) {
                 throw new IOException(new CancellationException());
             }
+            return in;
         }
     }
 

containers/jersey-servlet-core/src/main/java/org/glassfish/jersey/servlet/WebComponent.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2022 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2024 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0, which is available at
@@ -17,6 +17,8 @@
 package org.glassfish.jersey.servlet;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.lang.reflect.Type;
 import java.net.URI;
 import java.security.AccessController;
@@ -54,6 +56,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.glassfish.jersey.innate.io.InputStreamWrapper;
 import org.glassfish.jersey.internal.ServiceFinderBinder;
 import org.glassfish.jersey.internal.inject.AbstractBinder;
 import org.glassfish.jersey.internal.inject.InjectionManager;
@@ -413,15 +416,29 @@ public Integer get() {
     }
 
     /**
-     * Initialize {@code ContainerRequest} instance to used used to handle {@code servletRequest}.
+     * Initialize {@code ContainerRequest} instance to used to handle {@code servletRequest}.
      */
     private void initContainerRequest(
             final ContainerRequest requestContext,
             final HttpServletRequest servletRequest,
             final HttpServletResponse servletResponse,
             final ResponseWriter responseWriter) throws IOException {
 
-        requestContext.setEntityStream(servletRequest.getInputStream());
+        try {
+            requestContext.setEntityStream(new InputStreamWrapper() {
+                @Override
+                protected InputStream getWrapped() {
+                    try {
+                        return servletRequest.getInputStream();
+                    } catch (IOException e) {
+                        throw new UncheckedIOException(e);
+                    }
+                }
+            });
+        } catch (UncheckedIOException e) {
+            throw e.getCause();
+        }
+
         requestContext.setRequestScopedInitializer(requestScopedInitializer.get(new RequestContextProvider() {
             @Override
             public HttpServletRequest getHttpServletRequest() {

containers/jersey-servlet-core/src/test/java/org/glassfish/jersey/servlet/internal/RequestInputStreamTest.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.jersey.servlet.internal;
+
+import org.glassfish.jersey.CommonProperties;
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.server.ServerProperties;
+import org.glassfish.jersey.servlet.ServletProperties;
+import org.glassfish.jersey.servlet.WebComponent;
+import org.glassfish.jersey.servlet.WebConfig;
+import org.glassfish.jersey.servlet.WebFilterConfig;
+import org.junit.jupiter.api.Test;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.net.URI;
+import java.util.Collections;
+import java.util.Enumeration;
+
+public class RequestInputStreamTest {
+    @Test
+    public void test404RequestInputStream() throws ServletException, IOException {
+        InvocationHandler handler = new InvocationHandler() {
+            @Override
+            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+                switch (method.getName()) {
+                    case "getHeaderNames":
+                        return Collections.emptyEnumeration();
+                    case "getInputStream":
+                        throw new IllegalStateException("ServletRequest#getInputStream clashes with ServletRequest#getReader");
+                }
+                return null;
+            }
+        };
+
+        FilterConfig filterConfig = new FilterConfig() {
+            @Override
+            public String getFilterName() {
+                return null;
+            }
+
+            @Override
+            public ServletContext getServletContext() {
+                return (ServletContext) Proxy.newProxyInstance(getClass().getClassLoader(),
+                        new Class[]{ServletContext.class},
+                        handler);
+            }
+
+            @Override
+            public String getInitParameter(String name) {
+                return null;
+            }
+
+            @Override
+            public Enumeration<String> getInitParameterNames() {
+                return null;
+            }
+        };
+        WebConfig dummyWebConfig = new WebFilterConfig(filterConfig);
+        ResourceConfig resourceConfig = new ResourceConfig()
+                .property(CommonProperties.PROVIDER_DEFAULT_DISABLE, "ALL")
+                .property(ServerProperties.WADL_FEATURE_DISABLE, true)
+                .property(ServletProperties.FILTER_FORWARD_ON_404, true)
+                .property(ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR, true);
+        WebComponent component = new WebComponent(dummyWebConfig, resourceConfig);
+        component.service(URI.create("http://localhost"), URI.create("http://localhost"),
+                (HttpServletRequest) Proxy.newProxyInstance(getClass().getClassLoader(),
+                        new Class[] {HttpServletRequest.class},
+                        handler
+                        ),
+                (HttpServletResponse) Proxy.newProxyInstance(getClass().getClassLoader(),
+                        new Class[]{HttpServletResponse.class},
+                        handler)
+                );
+    }
+}