OpenAPI UI + PathParams containing / character #30410

Closed
ewoudwerkman opened this issue Dec 13, 2024 · 2 comments


ewoudwerkman commented Dec 13, 2024

I recently updated my OpenLiberty application from MicroProfile 4.1 to 6.1, which includes an upgrade of the OpenAPI spec and implementation. One of the things that is 'fixed' in the OpenAPI UI is the encoding of forward slashes ('/') to their encoded version (%2F) (see swagger-api/swagger-js#1331).

This change breaks the use of encoded path params in OpenLiberty when using the OpenAPI user interface. For example:

@GET
@Path("/resource/public/{resourceURL:.+}")
public Response getPublicResource(@PathParam("resourceURL") String resourceURL, @Context HttpHeaders headers) {
}

You get the following error when using the /openapi/ui endpoint and using the try-it-out button for the above request:
URI has encoded forward slash [%2F] character.

[INFO] [13-12-2024 10:36:24:042 CET] 0000014e com.ibm.ws.webcontainer.webapp                               E SRVE0315E: An exception occurred: java.lang.Throwable: java.io.IOException: CWWWC0005I: The request URI has invalid or improperly encoded characters: [/store/resource/public/%2Fexported_es.esdl] . URI has encoded forward slash [%2F] character.
[INFO] 	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5154)
[INFO] 	at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:328)
[INFO] 	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1047)
[INFO] 	at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:293)
[INFO] 	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1260)
[INFO] 	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:476)
[INFO] 	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:435)
[INFO] 	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:569)
[INFO] 	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:503)
[INFO] 	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:363)
[INFO] 	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:330)
[INFO] 	at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169)
[INFO] 	at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77)
[INFO] 	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
[INFO] 	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
[INFO] 	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
[INFO] 	at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
[INFO] 	at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:298)
[INFO] 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
[INFO] 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
[INFO] 	at java.base/java.lang.Thread.run(Thread.java:1583)
[INFO] Caused by: java.io.IOException: CWWWC0005I: The request URI has invalid or improperly encoded characters: [/store/resource/public/%2Fexported_es.esdl] . URI has encoded forward slash [%2F] character.
[INFO] 	at com.ibm.wsspi.webcontainer.util.RequestUtils.verifyEncodedCharacter(RequestUtils.java:1087)
[INFO] 	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1160)
[INFO] 	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5096)

StackOverflow shows some hits for Tomcat (e.g. https://stackoverflow.com/questions/38435024/how-can-i-pass-string-path-param-containing-slash-character) and SpringBoot (https://stackoverflow.com/questions/13482020/encoded-slash-2f-with-spring-requestmapping-path-param-gives-http-400/58303792#58303792), but I don't know how I can configure this for OpenLiberty.

As I cannot change/configure the OpenAPI UI, is there something I can do to configure OpenLiberty to accept these characters?

@ewoudwerkman ewoudwerkman changed the title OpenAPI + PathParams containing / character OpenAPI UI + PathParams containing / character Dec 13, 2024
Azquelt (Member) commented Dec 16, 2024

Unfortunately, this seems to be a difference between Jakarta REST and OpenAPI.

In Jakarta REST, a path parameter is allowed to contain the / character, while in OpenAPI it is not.

There's a good rationale for why OpenAPI forbids this in this comment - the reasoning seems to be that OpenAPI is broadly applicable to lots of REST frameworks which don't all resolve the resulting ambiguity and those that do resolve it don't all do so in the same way.

This limitation means that your REST operation can't be fully represented using OpenAPI.

The restriction on having %2F in a URL stems from the requirement in Servlet 6.0 to reject "suspicious sequences" when canonicalizing URI paths. This can be disabled in Open Liberty by setting the webContainer skipEncodedCharVerification parameter in your server.xml:

  <webContainer skipEncodedCharVerification="true" />

ewoudwerkman (Author) commented

Thanks for the quick reply!
I was looking for such a configuration option and this fixed my issue!

@Azquelt Azquelt closed this as completed Dec 19, 2024
@Azquelt Azquelt self-assigned this Dec 19, 2024
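
An added example, not part of the issue thread or of Open Liberty's code: with the container's encoded-character verification skipped, a `%2F` in the request reaches the resource method as a decoded `/` inside `resourceURL`, so a handler that maps that value onto storage can validate it itself. `ResourcePathCheck`, `resolve` and `BASE` are hypothetical names, and the example assumes the parameter is used as a relative file path.

```java
import java.nio.file.Path;
import java.util.Optional;

// Added example: application-side validation of a slash-containing path parameter.
public class ResourcePathCheck {

    // Hypothetical storage root; not taken from the issue.
    static final Path BASE = Path.of("/srv/store/public").normalize();

    // resourceURL is the @PathParam value, which JAX-RS has already percent-decoded once.
    // Returns the resolved path under BASE, or empty when the value is rejected.
    static Optional<Path> resolve(String resourceURL) {
        if (resourceURL == null) {
            return Optional.empty();
        }
        // A '%' that survives the single decode indicates double encoding (e.g. %252F).
        // Backslash and NUL are refused because other layers may treat them specially.
        if (resourceURL.indexOf('%') >= 0 || resourceURL.indexOf('\\') >= 0
                || resourceURL.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // "%2Fexported_es.esdl" arrives as "/exported_es.esdl": strip leading slashes so
        // the value is resolved relative to BASE instead of replacing it.
        String relative = resourceURL.replaceFirst("^/+", "");
        for (String segment : relative.split("/", -1)) {
            if (segment.equals("..") || segment.equals(".")) {
                return Optional.empty();
            }
        }
        Path candidate = BASE.resolve(relative).normalize();
        // Containment check after normalization; the bare root itself is not a resource.
        if (!candidate.startsWith(BASE) || candidate.equals(BASE)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        // Constructed sample values; the first is the decoded form of the one in the issue's log.
        String[] samples = {"/exported_es.esdl", "dir/file.esdl", "../server.xml",
                            "a/../../b", "a%2Fb", "a\\b"};
        for (String s : samples) {
            System.out.println(s + " -> "
                    + resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```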