4.x: Return 500 when 204 with entity is sent from routing. (helidon-io#8357)

* Return 500 when 204 with entity is sent from routing.
* Never send entity with status 204 (from our own code)
* Updated to include 205 and 304 statuses

Author: tomas-langer

archetypes/archetypes/src/main/archetype/se/database/files/src/main/java/__pkg__/PokemonService.java.mustache

@@ -270,10 +270,10 @@ public class PokemonService implements HttpService {
                 .pathParameters()
                 .first("id").map(Integer::parseInt)
                 .orElseThrow(() -> new BadRequestException("No pokemon id"));
-        long count = dbClient.execute().createNamedDelete("delete-pokemon-by-id")
+        dbClient.execute().createNamedDelete("delete-pokemon-by-id")
                 .addParam("id", id)
                 .execute();
         response.status(Status.NO_CONTENT_204)
-                .send("Deleted: " + count + " values\n");
+                .send();
     }
 }

examples/dbclient/pokemons/src/main/java/io/helidon/examples/dbclient/pokemons/PokemonService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -286,10 +286,10 @@ private void deletePokemonById(ServerRequest request, ServerResponse response) {
                 .pathParameters()
                 .first("id").map(Integer::parseInt)
                 .orElseThrow(() -> new BadRequestException("No pokemon id"));
-        long count = dbClient.execute().createNamedDelete("delete-pokemon-by-id")
+        dbClient.execute().createNamedDelete("delete-pokemon-by-id")
                 .addParam("id", id)
                 .execute();
         response.status(Status.NO_CONTENT_204)
-                .send("Deleted: " + count + " values\n");
+                .send();
     }
 }

examples/metrics/http-status-count-se/src/test/java/io/helidon/examples/se/httpstatuscount/StatusService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package io.helidon.examples.se.httpstatuscount;
 
 import io.helidon.http.Status;
@@ -43,6 +44,12 @@ private void respondWithRequestedStatus(ServerRequest request, ServerResponse re
             status = Status.INTERNAL_SERVER_ERROR_500.code();
             msg = "Unsuccessful conversion";
         }
-        response.status(status).send(msg);
+        Status httpStatus = Status.create(status);
+        response.status(status);
+        if (httpStatus != Status.NO_CONTENT_204) {
+            response.send(msg);
+        } else {
+            response.send();
+        }
     }
 }

microprofile/tests/server/pom.xml

@@ -61,5 +61,10 @@
             <artifactId>helidon-microprofile-testing-junit5</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.helidon.logging</groupId>
+            <artifactId>helidon-logging-jul</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

microprofile/tests/server/src/test/java/io/helidon/microprofile/tests/server/NoContentWithEntityTest.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.microprofile.tests.server;
+
+import io.helidon.http.Status;
+import io.helidon.microprofile.server.JaxRsCdiExtension;
+import io.helidon.microprofile.server.ServerCdiExtension;
+import io.helidon.microprofile.testing.junit5.AddBean;
+import io.helidon.microprofile.testing.junit5.AddExtension;
+import io.helidon.microprofile.testing.junit5.DisableDiscovery;
+import io.helidon.microprofile.testing.junit5.HelidonTest;
+
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.Response;
+import org.glassfish.jersey.ext.cdi1x.internal.CdiComponentProvider;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@HelidonTest
+@DisableDiscovery
+@AddBean(NoContentWithEntityTest.TestResource.class)
+@AddExtension(ServerCdiExtension.class)
+@AddExtension(JaxRsCdiExtension.class)
+@AddExtension(CdiComponentProvider.class)
+class NoContentWithEntityTest {
+    @Inject
+    WebTarget target;
+
+    @Test
+    void streamingOutput() {
+        Response response = target.path("/noContent")
+                .request()
+                .get();
+
+        assertThat(response.getStatus(), is(Status.INTERNAL_SERVER_ERROR_500.code()));
+
+        response = target.path("/ok")
+                .request()
+                .get();
+        assertThat(response.getStatus(), is(Status.OK_200.code()));
+        assertThat(response.readEntity(String.class), is("hello"));
+    }
+
+    @Path("/")
+    public static class TestResource {
+
+        @GET
+        @Path("/noContent")
+        public Response noContent() {
+            return Response.noContent()
+                    .entity("hello")
+                    .build();
+        }
+
+        @GET
+        @Path("/ok")
+        public Response ok() {
+            return Response
+                    .ok("hello")
+                    .build();
+        }
+    }
+}

microprofile/tests/server/src/test/resources/logging-test.properties

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+handlers=java.util.logging.ConsoleHandler
+java.util.logging.ConsoleHandler.level=FINEST
+java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+java.util.logging.SimpleFormatter.format=%1$tH:%1$tM:%1$tS %4$s %3$s %5$s%6$s%n
+# Global logging level. Can be overridden by specific loggers
+.level=INFO

webserver/tests/webserver/pom.xml

@@ -53,5 +53,10 @@
             <artifactId>hamcrest-all</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.helidon.logging</groupId>
+            <artifactId>helidon-logging-jul</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/NoContentWithEntityTest.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.webserver.tests;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
+
+import io.helidon.http.Status;
+import io.helidon.logging.common.LogConfig;
+import io.helidon.webclient.api.ClientResponseTyped;
+import io.helidon.webclient.http1.Http1Client;
+import io.helidon.webclient.http1.Http1ClientResponse;
+import io.helidon.webserver.http.HttpRules;
+import io.helidon.webserver.http.ServerRequest;
+import io.helidon.webserver.http.ServerResponse;
+import io.helidon.webserver.testing.junit5.ServerTest;
+import io.helidon.webserver.testing.junit5.SetUpRoute;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@ServerTest
+class NoContentWithEntityTest {
+    private final Http1Client client;
+
+    NoContentWithEntityTest(Http1Client client) {
+        this.client = client;
+    }
+
+    @SetUpRoute
+    static void routing(HttpRules rules) {
+        rules.post("/noContent", NoContentWithEntityTest::noContent)
+                .post("/noContentStream", NoContentWithEntityTest::noContentStream)
+                .post("/ok", NoContentWithEntityTest::ok);
+
+        LogConfig.configureRuntime();
+    }
+
+    @Test
+    void testNoContentWorksFollowedByOk() {
+        try (Http1ClientResponse response = client.post("/noContent")
+                .submit("text")) {
+
+            assertThat(response.status(), is(Status.INTERNAL_SERVER_ERROR_500));
+        }
+
+        ClientResponseTyped<String> okResponse = client.post("/ok")
+                .submit("text", String.class);
+
+        assertThat(okResponse.status(), is(Status.OK_200));
+        assertThat(okResponse.entity(), is("text"));
+    }
+
+    @Test
+    void testNoContentWorksFollowedByOkStreaming() {
+        try (Http1ClientResponse response = client.post("/noContentStream")
+                .submit("text")) {
+
+            assertThat(response.status(), is(Status.INTERNAL_SERVER_ERROR_500));
+        }
+
+        ClientResponseTyped<String> okResponse = client.post("/ok")
+                .submit("text", String.class);
+
+        assertThat(okResponse.status(), is(Status.OK_200));
+        assertThat(okResponse.entity(), is("text"));
+    }
+
+    private static void ok(ServerRequest req, ServerResponse res) {
+        res.status(Status.OK_200).send("text");
+    }
+
+    private static void noContentStream(ServerRequest req, ServerResponse res) throws IOException {
+        res.status(Status.NO_CONTENT_204);
+        try (OutputStream out = res.outputStream()) {
+            out.write("text".getBytes(StandardCharsets.UTF_8));
+        }
+    }
+
+    private static void noContent(ServerRequest req, ServerResponse res) {
+        res.status(Status.NO_CONTENT_204).send("text");
+    }
+
+}
+

webserver/tests/webserver/src/test/resources/logging-test.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022, 2023 Oracle and/or its affiliates.
+# Copyright (c) 2022, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,8 +19,3 @@ java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
 java.util.logging.SimpleFormatter.format=%1$tH:%1$tM:%1$tS %4$s %3$s %5$s%6$s%n
 # Global logging level. Can be overridden by specific loggers
 .level=INFO
-io.helidon.webserver.level=INFO
-io.helidon.webserver.http.Http1Connection.level=INFO
-io.helidon.webserver.http.HttpRouting.level=INFO
-io.helidon.common.testing.http.junit5.level=INFO
-

webserver/webserver/src/main/java/io/helidon/webserver/http1/Http1ServerResponse.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -106,8 +106,25 @@ static void nonEntityBytes(ServerResponseHeaders headers,
                                boolean keepAlive,
                                boolean validateHeaders) {
 
+        status = status == null ? Status.OK_200 : status;
+
+        if (status.code() == Status.NO_CONTENT_204.code()
+            || status.code() == Status.RESET_CONTENT_205.code()
+            || status.code() == Status.NOT_MODIFIED_304.code()) {
+            // https://www.rfc-editor.org/rfc/rfc9110#status.204
+            // A 204 response is terminated by the end of the header section; it cannot contain content or trailers
+            // ditto for 205, and 304
+            if ((headers.contains(HeaderNames.CONTENT_LENGTH) && !headers.contains(HeaderValues.CONTENT_LENGTH_ZERO))
+                         || headers.contains(HeaderValues.TRANSFER_ENCODING_CHUNKED)) {
+                status = Status.INTERNAL_SERVER_ERROR_500;
+                LOGGER.log(System.Logger.Level.ERROR, "Attempt to send status " + status.text() + " with entity."
+                        + " Server responded with Internal Server Error. Please fix your routing, this is not allowed "
+                        + "by HTTP specification, such responses MUST NOT contain an entity.");
+            }
+        }
+
         // first write status
-        if (status == null || status == Status.OK_200) {
+        if (status == Status.OK_200) {
             buffer.write(OK_200);
         } else {
             buffer.write(HTTP_BYTES);