Since WildFly 20, you can configure RESTEasy through the MicroProfile Config project (https://github.com/eclipse/microprofile-config). The use of MicroProfile Config offers to REST developers a plenty of flexibility in controlling runtime configuration.
If you want to read more details about MicroProfile Config API, we recommend checking this tutorial: Configuring Microservices with MicroProfile Configuration
In a nutshell, the MicroProfile Config, defines a ConfigSource as Map<String, String> of property names to values. In turn, the ConfigSource represents a sequence of ConfigSources, ordered by priority. The priority of a ConfigSource is given by an ordinal (represented by an int), with a higher value indicating a higher priority. Here is the ordered list (Top-Down Ranking) ConfigSources:
- a ConfigSource based on System.getProperties() (ordinal = 400).
- a ConfigSource based on System.getenv() (ordinal = 300)
- a ConfigSource for each META-INF/microprofile-config.properties file on the ClassPath, separately configurable via a config_ordinal property inside each file (default ordinal = 100)
Using MicroProfile Config with REST Easy
Before WildFly 20, configuration properties were added at application level through the standard web.xml descriptor. For example, to set the resteasy.role.based.security property:
<web-app>
...
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
</web-app>
Now, you can define this property with any of the ConfigSources, for example through the META-INF/microprofile-config.properties file:
resteasy.role.based.security=true
You can check an example application which uses RESTEasy Role Base Security here: Securing JAX-RS Services in WildFly applications
The full list of Properties you can set for your REST Easy Application is listed in this Table:
| Configuration Param | Default | Description |
|---|---|---|
| resteasy.servlet.mapping.prefix | NA | If the url-pattern for the RESTEasy servlet-mapping is not /* |
| resteasy.providers | NA | A comma delimited list of fully qualified @Provider class names you want to register |
| resteasy.use.builtin.providers | true | Whether or not to register default, built-in @Provider classes |
| resteasy.resources | NA | A comma delimited list of fully qualified JAX-RS resource class names you want to register |
| resteasy.jndi.resources | NA | A comma delimited list of JNDI names which reference objects you want to register as JAX-RS resources |
| javax.ws.rs.Application | NA | Fully qualified name of Application class to bootstrap in a spec portable way |
| resteasy.media.type.mappings | NA | Replaces the need for an Accept header by mapping file name extensions (like .xml or .txt) to a media type. Used when the client is unable to use an Accept header to choose a representation (i.e. a browser). |
| resteasy.language.mappings | NA | Replaces the need for an Accept-Language header by mapping file name extensions (like .en or .fr) to a language. Used when the client is unable to use an Accept-Language header to choose a language (i.e. a browser). |
| resteasy.media.type.param.mapping | NA | Names a query parameter that can be set to an acceptable media type, enabling content negotiation without an Accept header. |
| resteasy.role.based.security | false | Enables role based security. |
| resteasy.document.expand.entity.references | false | Expand external entities in org.w3c.dom.Document documents and JAXB object representations |
| resteasy.document.secure.processing.feature | true | Impose security constraints in processing org.w3c.dom.Document documents and JAXB object representations |
| resteasy.document.secure.disableDTDs | true | Prohibit DTDs in org.w3c.dom.Document documents and JAXB object representations |
| resteasy.wider.request.matching | false | Turns off the JAX-RS spec defined class-level expression filtering and instead tries to match version every method’s full path. |
| resteasy.use.container.form.params | false | Obtain form parameters by using HttpServletRequest.getParameterMap(). Use this switch if you are calling this method within a servlet filter or eating the input stream within the filter. |
| resteasy.rfc7232preconditions | false | Enables RFC7232 compliant HTTP preconditions handling. |
| resteasy.gzip.max.input | 10000000 | Imposes maximum size on decompressed gzipped . |
| resteasy.secure.random.max.use | 100 | The number of times a SecureRandom can be used before reseeding. |
| resteasy.buffer.exception.entity | true | Upon receiving an exception, the client side buffers any response entity before closing the connection. |
| resteasy.add.charset | true | If a resource method returns a text/* or application/xml* media type without an explicit charset, RESTEasy will add “charset=UTF-8” to the returned Content-Type header. Note that the charset defaults to UTF-8 in this case, independent of the setting of this parameter. |
| resteasy.disable.html.sanitizer | false | Normally, a response with media type “text/html” and a status of 400 will be processed so that the characters “/”, “<“, “>”, “&”, “”” (double quote), and “‘” (single quote) are escaped to prevent an XSS attack. If this parameter is set to “true”, escaping will not occur. |
| resteasy.patchfilter.disabled | false | Turns off the default patch filter to handle JSON patch and JSON Merge Patch request. A customerized patch method filter can be provided to serve the JSON patch and JSON merge patch request instead. |
