[BUG][JAVA] incorrect annotations generated in jersey3 jaxrs interfaces #20991

knoxg opened this issue Mar 29, 2025 · 1 comment

knoxg commented Mar 29, 2025

Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • Have you validated the input using an OpenAPI validator (example)?
  • Have you tested with the latest master to confirm the issue still exists?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?
  • [Optional] Sponsorship to speed up the bug fix or feature request (example)

Description

The jersey3 generator creates @QueryParam annotations instead of @FormParam annotations for form parameters

openapi-generator version

7.12.0

OpenAPI declaration file content or url

paths:
  /createToken:
    post:
      summary: |
         Create a token from username and password
      operationId: "createToken"
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: "object"
              properties:
                username:
                  type: "string"
                password:
                  type: "string"
      responses:
        "200":
          description: "token response"
          content:
            application/json:
              schema:
                type: "string"

Note both username and password fields are expected to be in the request body.

( Full spec here: https://github.com/knoxg/openapi-generator-formparam-spec/blob/main/src/main/openapi/formparam-api.yaml )

Generation Details

Generate jersey3 stubs using the openapi-generator-maven-plugin, containing

<configuration>
    <generatorName>jaxrs-jersey</generatorName>
    <configOptions>
        <library>jersey3</library>
         ...
    </configOptions>
    ...
</configuration>

I've created a project which generates the client stubs here: https://github.com/knoxg/openapi-generator-formparam-spec

Steps to reproduce

Run mvn install on the openapi-generator-formparam-spec project

The generated com.randomnoun.example.api.CreateTokenApi.java contains:

    @jakarta.ws.rs.POST
    @Consumes({ "application/x-www-form-urlencoded" })
    @Produces({ "application/json" })
    @Operation(summary = "Create a token from username and password ", description = "", responses = {
            @ApiResponse(responseCode = "200", description = "token response", content = 
                @Content(schema = @Schema(implementation = String.class))),
            }, tags={  }) 
    public Response createToken(@Schema(description = "") @QueryParam("username") String username,@Schema(description = "") @QueryParam("password") String password,@Context SecurityContext securityContext)
    throws NotFoundException {
        return delegate.createToken(username, password, securityContext);
    }

Note the @QueryParam annotations, which indicate these are parsed from the queryString, although the spec states these should be parsed from the request body.

I've created another project which implements this interface here: https://github.com/knoxg/openapi-generator-formparam-impl

This dummy implementation just returns the supplied username and password fields; i.e.

return Response.ok().entity("username=" + username + ", password=" + password).build();

( from https://github.com/knoxg/openapi-generator-formparam-impl/blob/main/src/main/java/com/randomnoun/example/api/impl/CreateTokenApiServiceImpl.java )

After building and running this webapp, the following curl request to this server

$ curl -s --show-error --fail-with-body -X POST \
  -d "username=scott&password=tiger" \
  http://localhost:8080/openapi-generator-formparam-impl/api/createToken

produces

username=null, password=null

which is incorrect.

However, this request

$ curl -s --show-error --fail-with-body -X POST \
  'http://localhost:8080/openapi-generator-formparam-impl/api/createToken?username=scott&password=tiger'

returns

username=scott, password=tiger

indicating that the fields are incorrectly being consumed from the URL as queryString parameters.

We don't want these fields in the URL as they contain sensitive information.

Related issues/PRs

The jersey3 integration was implemented on PR #16335.

There is a comment on that PR ( #16335 (comment) ) which leads to this commit: adcb4fa

which replaces the @FormParam annotation with @QueryParam.

Note that the commit is modifying formParams.mustache. That template should contain form parameters; query parameters are generated from queryParams.mustache

Suggest a fix

Replacing the @QueryParam with @FormParam resolves this issue.

Will create a PR with this fix.

knoxg commented Mar 29, 2025

Have created a PR with the fix: #20993

com.randomnoun.example.api.CreateTokenApi.java now contains the expected annotations:

    @jakarta.ws.rs.POST
    @Consumes({ "application/x-www-form-urlencoded" })
    @Produces({ "application/json" })
    @Operation(summary = "Create a token from username and password ", description = "", responses = {
            @ApiResponse(responseCode = "200", description = "authentication response", content = 
                @Content(schema = @Schema(implementation = String.class))),
            }, tags={  }) 
    public Response createToken(@Schema(description = "") @FormParam("username") String username,@Schema(description = "") @FormParam("password") String password,@Context SecurityContext securityContext)
    throws NotFoundException {
        return delegate.createToken(username, password, securityContext);
    }

and the server can now read the parameters in the request body:

$ curl -s --show-error --fail-with-body -X POST \
  -d "username=scott&password=tiger" \
  http://localhost:8080/openapi-generator-formparam-impl/api/createToken

returns

username=scott, password=tiger

as expected

wing328 pushed a commit that referenced this issue Mar 30, 2025
…Param (#20991) (#20993)

* formParams.mustache should contain @FormParam, not @QueryParam (#20991)

* updated samples; form parameters are declared using @FormParam, not @QueryParam (#20991)
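
A regression check for the mis-binding reported above, as an added example that is not part of the issue thread or the openapi-generator code base: it scans generated JAX-RS source for form-encoded operations whose body fields are bound with @QueryParam. The names `misbound_form_fields`, `METHOD_RE` and `BINDING_RE` are hypothetical, the regexes assume the method layout quoted in the issue, and the form field names are passed in by hand rather than parsed from the spec.

```python
import re

FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample: the generated method quoted in the issue, with the
# @Operation annotation left out for brevity.
BEFORE = '''
    @jakarta.ws.rs.POST
    @Consumes({ "application/x-www-form-urlencoded" })
    @Produces({ "application/json" })
    public Response createToken(@Schema(description = "") @QueryParam("username") String username,@Schema(description = "") @QueryParam("password") String password,@Context SecurityContext securityContext)
    throws NotFoundException {
        return delegate.createToken(username, password, securityContext);
    }
'''
# The same method after the fix described in the issue.
AFTER = BEFORE.replace("@QueryParam", "@FormParam")

# Matches one generated resource method: its @Consumes media types, then the
# method name and raw parameter list (layout as emitted in the issue's output).
METHOD_RE = re.compile(
    r'@Consumes\(\{(?P<consumes>[^}]*)\}\)'
    r'.*?public\s+Response\s+(?P<name>\w+)\((?P<params>.*?)\)\s*(?:throws|\{)',
    re.DOTALL)
BINDING_RE = re.compile(r'@(QueryParam|FormParam)\("([^"]+)"\)')


def misbound_form_fields(java_source, form_fields):
    """Return (method, field) pairs where a body field is bound with @QueryParam.

    form_fields: property names from the spec's form-encoded requestBody schema.
    """
    findings = []
    for m in METHOD_RE.finditer(java_source):
        if FORM_TYPE not in m.group("consumes"):
            continue  # only form-encoded operations are in scope
        for kind, name in BINDING_RE.findall(m.group("params")):
            # A genuine `in: query` parameter is not in form_fields, so it passes.
            if kind == "QueryParam" and name in form_fields:
                findings.append((m.group("name"), name))
    return findings


if __name__ == "__main__":
    fields = {"username", "password"}  # from the createToken schema in the issue
    print("before fix:", misbound_form_fields(BEFORE, fields))
    print("after fix: ", misbound_form_fields(AFTER, fields))
```

Run against the generated sources in a build step, a non-empty result means fields the spec places in the request body would be read from the URL instead.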