Our server app has been running for circa six years; in the last six months or so we have been witnessing periodic errors (a few times every other day) ...

It's hosted in AWS using Elastic Beanstalk with Tomcat 8.5 with Corretto 11 running on 64bit Amazon Linux 2.

I'm using JAX-RS with Jersey, hosted on Tomcat.

I'm not clear what's causing the JAXBContext / MultiException WADL issues.

Initial research implies that someone is doing an 'OPTIONS' request and the JAX-RS can't serialise Exceptions (because the dependency can't be found).

Is it safe to simply add the dependency - are there vulnerabilities with OPTIONS? Or should I reject any 'OPTIONS' requests because I wasn't expecting them?

09/04/21 04:44:45 AuthenticationFilter Problem during AuthenticationFile:doFilter for URI:/rest/myEndpoint Exception: A MultiException has 4 exceptions. They are: 
1. javax.ws.rs.ProcessingException: Error creating a JAXBContext for wadl processing. 
2. java.lang.IllegalStateException: Unable to perform operation: create on org.glassfish.jersey.server.wadl.internal.WadlApplicationContextImpl 
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of 
org.glassfish.jersey.server.wadl.processor.WadlModelProcessor$OptionsHandler errors were found 
4. java.lang.IllegalStateException: Unable to perform operation: resolve on 
org.glassfish.jersey.server.wadl.processor.WadlModelProcessor$OptionsHandler ... 
com.devology.servlet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) 
com.devology.servlet.filters.TimingFilter.doFilter(TimingFilter.java:84) 
com.devology.servlet.filters.BrowserCachingFilter.doFilter(BrowserCachingFilter.java:55) 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
java.base/java.lang.Thread.run(Thread.java:829) 
Causes leading up to this are logged as separate entries

09/04/21 04:44:45 AuthenticationFilter Problem during AuthenticationFile:doFilter for URI:/rest/myEndpoint cause #1 Exception: A MultiException has 4 exceptions. They are: 
1. javax.ws.rs.ProcessingException: Error creating a JAXBContext for wadl processing. 
2. java.lang.IllegalStateException: Unable to perform operation: create on org.glassfish.jersey.server.wadl.internal.WadlApplicationContextImpl 
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of 
org.glassfish.jersey.server.wadl.processor.WadlModelProcessor$OptionsHandler errors were found 
4. java.lang.IllegalStateException: Unable to perform operation: resolve on 
org.glassfish.jersey.server.wadl.processor.WadlModelProcessor$OptionsHandler ... 
org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:89) 
org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:250) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:777) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:740) 
org.jvnet.hk2.internal.ServiceLocatorImpl.getService(ServiceLocatorImpl.java:710) 
com.devology.servlet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) 
com.devology.servlet.filters.TimingFilter.doFilter(TimingFilter.java:84) 
com.devology.servlet.filters.BrowserCachingFilter.doFilter(BrowserCachingFilter.java:55) 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
java.base/java.lang.Thread.run(Thread.java:829) 

09/04/21 04:44:45 AuthenticationFilter Problem during AuthenticationFile:doFilter for URI:/rest/myEndpoint cause #2 Exception: Error creating a JAXBContext for wadl processing.... 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) 
org.jvnet.hk2.internal.ClazzCreator.createMe(ClazzCreator.java:272) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:366) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:83) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:71) 
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) 
org.jvnet.hk2.internal.SingletonContext.findOrCreate(SingletonContext.java:122) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:116) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:90) 
org.jvnet.hk2.internal.ClazzCreator.resolve(ClazzCreator.java:212) 
org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:235) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:777) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:740) 
org.jvnet.hk2.internal.ServiceLocatorImpl.getService(ServiceLocatorImpl.java:710) 
com.devology.servlet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) 
com.devology.servlet.filters.TimingFilter.doFilter(TimingFilter.java:84) 
com.devology.servlet.filters.BrowserCachingFilter.doFilter(BrowserCachingFilter.java:55) 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
java.base/java.lang.Thread.run(Thread.java:829) 

09/04/21 04:44:45 AuthenticationFilter Problem during AuthenticationFile:doFilter for URI:/rest/myEndpoint cause #3 Exception: Provider 
com.sun.xml.internal.bind.v2.ContextFactory not found... 
javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:148) 
javax.xml.bind.ContextFinder.find(ContextFinder.java:361) 
javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:446) 
javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:409) 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) 
org.jvnet.hk2.internal.ClazzCreator.createMe(ClazzCreator.java:272) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:366) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:83) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:71) 
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) 
org.jvnet.hk2.internal.SingletonContext.findOrCreate(SingletonContext.java:122) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:116) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:90) 
org.jvnet.hk2.internal.ClazzCreator.resolve(ClazzCreator.java:212) 
org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:235) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:777) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:740) 
org.jvnet.hk2.internal.ServiceLocatorImpl.getService(ServiceLocatorImpl.java:710) 
com.devology.servlet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) 
com.devology.servlet.filters.TimingFilter.doFilter(TimingFilter.java:84) 
com.devology.servlet.filters.BrowserCachingFilter.doFilter(BrowserCachingFilter.java:55) 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
java.base/java.lang.Thread.run(Thread.java:829) 

09/04/21 04:44:45 AuthenticationFilter Problem during AuthenticationFile:doFilter for URI:/rest/myEndpoint cause #4 Exception: 
com.sun.xml.internal.bind.v2.ContextFactory... 
javax.xml.bind.ContextFinder.safeLoadClass(ContextFinder.java:573) 
javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:145) 
javax.xml.bind.ContextFinder.find(ContextFinder.java:361) 
javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:446) 
javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:409) 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) 
org.jvnet.hk2.internal.ClazzCreator.createMe(ClazzCreator.java:272) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:366) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:83) 
org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:71) 
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) 
org.jvnet.hk2.internal.SingletonContext.findOrCreate(SingletonContext.java:122) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:116) 
org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:90) 
org.jvnet.hk2.internal.ClazzCreator.resolve(ClazzCreator.java:212) 
org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:235) 
org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358) 
org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) 
org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2126) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:777) 
org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:740) 
org.jvnet.hk2.internal.ServiceLocatorImpl.getService(ServiceLocatorImpl.java:710) 
com.devology.servlet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) 
com.devology.servlet.filters.TimingFilter.doFilter(TimingFilter.java:84) 
com.devology.servlet.filters.BrowserCachingFilter.doFilter(BrowserCachingFilter.java:55) 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
java.base/java.lang.Thread.run(Thread.java:829) 
RobbiewOnline
  • _"pretty standard JAX-RS stack hosted on Tomcat"_ - technically, there is no _standard_ JAX-RS stack. There are only _implementations_ of the JAX-RS _specification_. You seem to be using Jersey as the JAX-RS implementation. Jersey's packaging has Glassfish in the name as that was the original organization that created the project. Tomcat has no JAX-RS implementation, so you need to add the implementation. You need to make sure all your Jersey dependencies are compatible. For better help, you should post _all_ your dependencies as there may be some conflicts. – Paul Samsotha Apr 09 '21 at 18:45
  • As far as the WADL, by default Jersey serves up WADL at all OPTIONS endpoints. – Paul Samsotha Apr 09 '21 at 18:45
  • Also if you could better format the stack trace, it will help others with readability. – Paul Samsotha Apr 09 '21 at 18:46
  • Thanks @PaulSamsotha that's useful feedback, stacktrace layout fixed and dropped my assumptions about it being a standard JAX-RS stack. In your opinion, is it worth me adding the dependencies so people can do an OPTIONS request, or intercept it - I've seen some reports on OPTIONS-based vulnerabilities, though not necessarily JAX-RS related. – RobbiewOnline Apr 09 '21 at 20:32
  • The message about the lack of `com.sun.xml.internal.bind.v2.ContextFactory` means that you lack a [JAXB implementation](https://mvnrepository.com/artifact/com.sun.xml.bind/jaxb-impl/2.3.3) in your application. This is a class name of the default implementation, which was removed in Java 9 (but the error message didn't change...). – Piotr P. Karwasz Apr 09 '21 at 20:59
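
The comments above note that Jersey serves WADL at every OPTIONS endpoint by default, which is the handler failing in the trace. The following is an added example, not code from the post or from the Jersey project: one way to switch that feature off and, optionally, refuse OPTIONS. The class names, the `com.example.rest` package, the `/rest` mapping and the `Allow` value are assumptions.

```java
import java.util.logging.Logger;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.ServerProperties;

// Assumption: the application is configured through a ResourceConfig subclass.
@ApplicationPath("/rest") // assumed mapping, inferred from /rest/myEndpoint in the log
public class RestApplication extends ResourceConfig {

    public RestApplication() {
        packages("com.example.rest"); // hypothetical resource package

        // Turn off Jersey's WADL feature so OPTIONS requests are no longer
        // routed to the WADL handler seen in the stack trace.
        // Equivalent web.xml init-param: jersey.config.server.wadl.disableWadl=true
        property(ServerProperties.WADL_FEATURE_DISABLE, true);

        // Optional: refuse OPTIONS outright and record that it was attempted.
        register(RejectOptionsFilter.class);
    }

    @PreMatching // runs before resource matching, so no OPTIONS handler is reached
    public static class RejectOptionsFilter implements ContainerRequestFilter {
        private static final Logger LOG =
                Logger.getLogger(RejectOptionsFilter.class.getName());

        @Override
        public void filter(ContainerRequestContext ctx) {
            if (!HttpMethod.OPTIONS.equalsIgnoreCase(ctx.getMethod())) {
                return;
            }
            // Strip control characters before logging the client-supplied path.
            String path = ctx.getUriInfo().getPath().replaceAll("\\p{Cntrl}", "_");
            LOG.warning("Rejected OPTIONS request for /" + path);
            ctx.abortWith(Response.status(Response.Status.METHOD_NOT_ALLOWED)
                    .header(HttpHeaders.ALLOW, "GET, POST") // assumed method set
                    .build());
        }
    }
}
```

Rejecting OPTIONS also rejects CORS preflight requests, so leave the filter out if browser clients on other origins call the API; disabling WADL alone is enough to stop the API description being served.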

0 Answers