DataDog · jandro996 · Jul 3, 2025 · Jun 20, 2025 · Jul 1, 2025 · Jul 2, 2025
@@ -16,6 +16,7 @@ dependencies {
  implementation group: 'org.jboss.resteasy', name: 'resteasy-undertow', version:'3.1.0.Final'
  implementation group: 'org.jboss.resteasy', name: 'resteasy-cdi', version:'3.1.0.Final'
  implementation group: 'org.jboss.weld.servlet', name: 'weld-servlet', version: '2.4.8.Final'
+ implementation group: 'org.jboss.resteasy', name: 'resteasy-jackson2-provider', version: '3.1.0.Final'
 
  implementation group: 'javax.el', name: 'javax.el-api', version:'3.0.0'
 
@@ -24,6 +25,7 @@ dependencies {
 
  testImplementation project(':dd-smoke-tests')
  testImplementation(testFixtures(project(":dd-smoke-tests:iast-util")))
+ testImplementation project(':dd-smoke-tests:appsec')
 }
 
 tasks.withType(Test).configureEach {

@@ -1,15 +1,19 @@
 package smoketest.resteasy;
 
+import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider;
 import java.util.HashSet;
 import java.util.Set;
 import javax.ws.rs.core.Application;
+import org.jboss.resteasy.plugins.providers.StringTextStar;
 
 public class App extends Application {
 
  private Set<Object> singletons = new HashSet<Object>();
 
  public App() {
  singletons.add(new Resource());
+ singletons.add(new StringTextStar()); // Writer for String
+ singletons.add(new JacksonJsonProvider()); // Writer for json
  }
 
  @Override

@@ -0,0 +1,45 @@
+package smoketest.resteasy;
+
+import java.util.List;
+
+public class RequestBody {
+ private List<KeyValue> main;
+ private Object nullable;
+
+ public List<KeyValue> getMain() {
+ return main;
+ }
+
+ public void setMain(List<KeyValue> main) {
+ this.main = main;
+ }
+
+ public Object getNullable() {
+ return nullable;
+ }
+
+ public void setNullable(Object nullable) {
+ this.nullable = nullable;
+ }
+
+ public static class KeyValue {
+ private String key;
+ private Double value;
+
+ public String getKey() {
+ return key;
+ }
+
+ public void setKey(String key) {
+ this.key = key;
+ }
+
+ public Double getValue() {
+ return value;
+ }
+
+ public void setValue(Double value) {
+ this.value = value;
+ }
+ }
+}
@@ -6,9 +6,11 @@
 import java.util.List;
 import java.util.Set;
 import java.util.SortedSet;
+import javax.ws.rs.Consumes;
 import javax.ws.rs.CookieParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.HeaderParam;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
@@ -94,4 +96,18 @@ public Response responseLocation(@QueryParam("param") String param) throws URISy
  public Response getCookie() throws SQLException {
  return Response.ok().cookie(new NewCookie("user-id", "7")).build();
  }
+
+ @Path("/api_security/response")
+ @POST
+ @Produces(MediaType.APPLICATION_JSON)
+ @Consumes(MediaType.APPLICATION_JSON)
+ public Response apiSecurityResponse(RequestBody input) {
+ return Response.ok(input).build();
+ }
+
+ @GET
+ @Path("/api_security/sampling/{i}")
+ public Response apiSecuritySamplingWithStatus(@PathParam("i") int i) {
+ return Response.status(i).header("content-type", "text/plain").entity("Hello!\n").build();
+ }
 }
@@ -0,0 +1,96 @@
+package smoketest
+
+import datadog.smoketest.appsec.AbstractAppSecServerSmokeTest
+import datadog.trace.api.Platform
+import groovy.json.JsonOutput
+import groovy.json.JsonSlurper
+import okhttp3.MediaType
+import okhttp3.Request
+import okhttp3.RequestBody
+import okhttp3.Response
+
+import java.util.zip.GZIPInputStream
+
+
+class ResteasyAppsecSmokeTest extends AbstractAppSecServerSmokeTest {
+
+ @Override
+ ProcessBuilder createProcessBuilder() {
+ String jarPath = System.getProperty("datadog.smoketest.resteasy.jar.path")
+
+ List<String> command = new ArrayList<>()
+ command.add(javaPath())
+ command.addAll(defaultJavaProperties)
+ command.addAll(defaultAppSecProperties)
+ if (Platform.isJavaVersionAtLeast(17)) {
+ command.addAll(["--add-opens", "java.base/java.lang=ALL-UNNAMED"])
+ }
+ command.addAll(["-jar", jarPath, Integer.toString(httpPort)])
+ ProcessBuilder processBuilder = new ProcessBuilder(command)
+ processBuilder.directory(new File(buildDirectory))
+ }
+
+ void 'API Security samples only one request per endpoint'() {
+ given:
+ def url = "http://localhost:${httpPort}/hello/api_security/sampling/200?test=value"
+ def request = new Request.Builder()
+ .url(url)
+ .addHeader('X-My-Header', "value")
+ .get()
+ .build()
+
+ when:
+ List<Response> responses = (1..3).collect {
+ client.newCall(request).execute()
+ }
+
+ then:
+ responses.each {
+ assert it.code() == 200
+ }
+ waitForTraceCount(3)
+ def spans = rootSpans.toList().toSorted { it.span.duration }
+ spans.size() == 3
+ def sampledSpans = spans.findAll {
+ it.meta.keySet().any {
+ it.startsWith('_dd.appsec.s.req.')
+ }
+ }
+ sampledSpans.size() == 1
+ def span = sampledSpans[0]
+ span.meta.containsKey('_dd.appsec.s.req.query')
+ span.meta.containsKey('_dd.appsec.s.req.params')
+ span.meta.containsKey('_dd.appsec.s.req.headers')
+ }
+
+
+ void 'test response schema extraction'() {
+ given:
+ def url = "http://localhost:${httpPort}/hello/api_security/response"
+ def body = [
+ "main" : [["key": "id001", "value": 1345.67], ["value": 1567.89, "key": "id002"]],
+ "nullable": null,
+ ]
+ def request = new Request.Builder()
+ .url(url)
+ .post(RequestBody.create(MediaType.get('application/json'), JsonOutput.toJson(body)))
+ .build()
+
+ when:
+ final response = client.newCall(request).execute()
+ waitForTraceCount(1)
+
+ then:
+ response.code() == 200
+ def span = rootSpans.first()
+ span.meta.containsKey('_dd.appsec.s.res.headers')
+ span.meta.containsKey('_dd.appsec.s.res.body')
+ final schema = new JsonSlurper().parse(unzip(span.meta.get('_dd.appsec.s.res.body')))
+ assert schema == [["main": [[[["key": [8], "value": [16]]]], ["len": 2]], "nullable": [1]]]
+ }
+
+ private static byte[] unzip(final String text) {
+ final inflaterStream = new GZIPInputStream(new ByteArrayInputStream(text.decodeBase64()))
+ return inflaterStream.getBytes()
+ }
+}