adding security fixes

components/device-mgt/org.wso2.carbon.device.mgt.api/pom.xml

@@ -248,6 +248,14 @@
             <artifactId>jackson-annotations</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.hibernate</groupId>
+            <artifactId>hibernate-validator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.ws.rs</groupId>
+            <artifactId>javax.ws.rs-api</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/ErrorResponse.java

@@ -34,7 +34,7 @@ public class ErrorResponse {
     private String moreInfo = null;
     private List<ErrorListItem> errorItems = new ArrayList<>();
 
-    private ErrorResponse() {
+    public ErrorResponse() {
     }
 
     @JsonProperty(value = "code")

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/PolicyWrapper.java

@@ -22,6 +22,7 @@ import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
 
+import javax.validation.constraints.Size;
 import java.util.List;
 
 @ApiModel(value = "PolicyWrapper", description = "This class carries all information related to Policy "
@@ -29,9 +30,11 @@ import java.util.List;
 public class PolicyWrapper {
 
     @ApiModelProperty(name = "policyName", value = "The name of the policy", required = true)
+    @Size(max = 45)
     private String policyName;
 
     @ApiModelProperty(name = "description", value = "Gives a description on the policy", required = true)
+    @Size(max = 1000)
     private String description;
 
     @ApiModelProperty(name = "compliance", value = "Provides the non-compliance rules. WSO2 EMM provides the"
@@ -41,6 +44,7 @@ public class PolicyWrapper {
             + "Monitor - If the device does not adhere to the given policies the server is notified of the "
             + "violation unknown to the user and the administrator can take the necessary actions with regard"
             + " to the reported", required = true)
+    @Size(max = 100)
     private String compliance;
 
     @ApiModelProperty(name = "ownershipType", value = "The policy ownership type. It can be any of the "
@@ -49,6 +53,7 @@ public class PolicyWrapper {
             + "BYOD (Bring Your Own Device) - The policy will only be applied on the BYOD device type\n"
             + "COPE (Corporate-Owned, Personally-Enabled) - The policy will only be applied on the COPE "
             + "device type", required = true)
+    @Size(max = 45)
     private String ownershipType;
 
     @ApiModelProperty(name = "active", value = "If the value is true it indicates that the policy is active. "

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/Profile.java

@@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.jaxrs.beans;
 
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
-import org.wso2.carbon.device.mgt.core.dto.DeviceType;
 
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/BadRequestException.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+
+/**
+ * Custom exception class for wrapping BadRequest related exceptions.
+ */
+public class BadRequestException extends WebApplicationException {
+
+    public BadRequestException(ErrorResponse error) {
+        super(Response.status(Response.Status.BAD_REQUEST).entity(error).build());
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ConstraintViolationException.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
+import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil;
+
+import javax.validation.ConstraintViolation;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import java.util.Set;
+
+public class ConstraintViolationException extends WebApplicationException {
+    private String message;
+
+    public <T> ConstraintViolationException(Set<ConstraintViolation<T>> violations) {
+        super(Response.status(Response.Status.BAD_REQUEST)
+                .entity(DeviceMgtUtil.getConstraintViolationErrorDTO(violations))
+                .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
+                .build());
+
+        //Set the error message
+        StringBuilder stringBuilder = new StringBuilder();
+        for (ConstraintViolation violation : violations) {
+            stringBuilder.append(violation.getRootBeanClass().getSimpleName());
+            stringBuilder.append(".");
+            stringBuilder.append(violation.getPropertyPath());
+            stringBuilder.append(": ");
+            stringBuilder.append(violation.getMessage());
+            stringBuilder.append(", ");
+        }
+        message = stringBuilder.toString();
+    }
+
+    @Override
+    public String getMessage() {
+        return message;
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ErrorDTO.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ErrorDTO {
+
+    private Long code = null;
+    private String message = null;
+    private String description = null;
+
+    public void setMoreInfo(String moreInfo) {
+        this.moreInfo = moreInfo;
+    }
+
+    public void setCode(Long code) {
+        this.code = code;
+    }
+
+    public void setMessage(String message) {
+        this.message = message;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public void setError(List<ErrorDTO> error) {
+        this.error = error;
+    }
+
+    private String moreInfo = null;
+
+    public String getMessage() {
+        return message;
+    }
+
+    public Long getCode() {
+        return code;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public String getMoreInfo() {
+        return moreInfo;
+    }
+
+    public List<ErrorDTO> getError() {
+        return error;
+    }
+
+    public String toString() {
+        StringBuilder stringBuilder = new StringBuilder();
+        stringBuilder.append("class ErrorDTO {\n");
+        stringBuilder.append("  code: ").append(code).append("\n");
+        stringBuilder.append("  message: ").append(message).append("\n");
+        stringBuilder.append("  description: ").append(description).append("\n");
+        stringBuilder.append("  moreInfo: ").append(moreInfo).append("\n");
+        stringBuilder.append("  error: ").append(error).append("\n");
+        stringBuilder.append("}\n");
+        return stringBuilder.toString();
+    }
+
+    private List<ErrorDTO> error = new ArrayList<>();
+
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ForbiddenException.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+
+/**
+ * Exception class that is corresponding to 401 Forbidden response
+ */
+
+public class ForbiddenException extends WebApplicationException {
+
+    private String message;
+
+    public ForbiddenException() {
+        super(Response.status(Response.Status.FORBIDDEN)
+                .build());
+    }
+
+    public ForbiddenException(ErrorDTO errorDTO) {
+        super(Response.status(Response.Status.FORBIDDEN)
+                .entity(errorDTO)
+                .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
+                .build());
+        message = errorDTO.getDescription();
+    }
+
+    @Override
+    public String getMessage() {
+        return message;
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/GlobalThrowableMapper.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import com.google.gson.JsonParseException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil;
+
+import javax.naming.AuthenticationException;
+import javax.ws.rs.ClientErrorException;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+
+/**
+ * Handle the cxf level exceptions.
+ */
+public class GlobalThrowableMapper implements ExceptionMapper {
+    private static final Log log = LogFactory.getLog(GlobalThrowableMapper.class);
+
+    private ErrorDTO e500 = new ErrorDTO();
+
+    GlobalThrowableMapper() {
+        e500.setCode((long) 500);
+        e500.setMessage("Internal server error.");
+        e500.setMoreInfo("");
+        e500.setDescription("The server encountered an internal error. Please contact administrator.");
+
+    }
+
+    @Override
+    public Response toResponse(Throwable e) {
+
+        if (e instanceof JsonParseException) {
+            String errorMessage = "Malformed request body.";
+            if (log.isDebugEnabled()) {
+                log.error(errorMessage, e);
+            }
+            return DeviceMgtUtil.buildBadRequestException(errorMessage).getResponse();
+        }
+        if (e instanceof NotFoundException) {
+            return ((NotFoundException) e).getResponse();
+        }
+        if (e instanceof UnexpectedServerErrorException) {
+            if (log.isDebugEnabled()) {
+                log.error("Unexpected server error.", e);
+            }
+            return ((UnexpectedServerErrorException) e).getResponse();
+        }
+        if (e instanceof ConstraintViolationException) {
+            if (log.isDebugEnabled()) {
+                log.error("Constraint violation.", e);
+            }
+            return ((ConstraintViolationException) e).getResponse();
+        }
+        if (e instanceof IllegalArgumentException) {
+            ErrorDTO errorDetail = new ErrorDTO();
+            errorDetail.setCode((long) 400);
+            errorDetail.setMoreInfo("");
+            errorDetail.setMessage("");
+            errorDetail.setDescription(e.getMessage());
+            return Response
+                    .status(Response.Status.BAD_REQUEST)
+                    .entity(errorDetail)
+                    .build();
+        }
+        if (e instanceof ClientErrorException) {
+            if (log.isDebugEnabled()) {
+                log.error("Client error.", e);
+            }
+            return ((ClientErrorException) e).getResponse();
+        }
+        if (e instanceof AuthenticationException) {
+            ErrorDTO errorDetail = new ErrorDTO();
+            errorDetail.setCode((long) 401);
+            errorDetail.setMoreInfo("");
+            errorDetail.setMessage("");
+            errorDetail.setDescription(e.getMessage());
+            return Response
+                    .status(Response.Status.UNAUTHORIZED)
+                    .entity(errorDetail)
+                    .build();
+        }
+        if (e instanceof ForbiddenException) {
+            if (log.isDebugEnabled()) {
+                log.error("Resource forbidden.", e);
+            }
+            return ((ForbiddenException) e).getResponse();
+        }
+        //unknown exception log and return
+        if (log.isDebugEnabled()) {
+            log.error("An Unknown exception has been captured by global exception mapper.", e);
+        }
+        return Response.status(Response.Status.INTERNAL_SERVER_ERROR).header("Content-Type", "application/json")
+                .entity(e500).build();
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/NotFoundException.java

@@ -0,0 +1,47 @@
+/*
+ *   Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ *   WSO2 Inc. licenses this file to you under the Apache License,
+ *   Version 2.0 (the "License"); you may not use this file except
+ *   in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+
+import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
+import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+
+public class NotFoundException extends WebApplicationException {
+    private String message;
+    private static final long serialVersionUID = 147943572342342340L;
+
+    public NotFoundException(ErrorResponse error) {
+        super(Response.status(Response.Status.NOT_FOUND).entity(error).build());
+    }
+    public NotFoundException(ErrorDTO errorDTO) {
+        super(Response.status(Response.Status.NOT_FOUND)
+                .entity(errorDTO)
+                .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
+                .build());
+        message = errorDTO.getDescription();
+    }
+
+    @Override
+    public String getMessage() {
+        return message;
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/UnexpectedServerErrorException.java

@@ -0,0 +1,49 @@
+/*
+ *   Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ *   WSO2 Inc. licenses this file to you under the Apache License,
+ *   Version 2.0 (the "License"); you may not use this file except
+ *   in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+
+import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
+import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+
+public class UnexpectedServerErrorException extends WebApplicationException {
+    private String message;
+    private static final long serialVersionUID = 147943579458906890L;
+
+    public UnexpectedServerErrorException(ErrorResponse error) {
+        super(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build());
+    }
+    public UnexpectedServerErrorException(ErrorDTO errorDTO) {
+        super(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
+                .entity(errorDTO)
+                .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
+                .build());
+        message = errorDTO.getDescription();
+    }
+
+    @Override
+    public String getMessage() {
+        return message;
+    }
+
+
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ValidationInterceptor.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.jaxrs.exception;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.jaxrs.lifecycle.ResourceProvider;
+import org.apache.cxf.jaxrs.model.ClassResourceInfo;
+import org.apache.cxf.jaxrs.model.OperationResourceInfo;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageContentsList;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
+import javax.validation.executable.ExecutableValidator;
+import java.lang.reflect.Method;
+import java.util.List;
+import java.util.Set;
+
+public class ValidationInterceptor extends AbstractPhaseInterceptor<Message> {
+    private Log log = LogFactory.getLog(getClass());
+    private Validator validator = null; //validator interface is thread-safe
+
+    public ValidationInterceptor() {
+        super(Phase.PRE_INVOKE);
+        ValidatorFactory defaultFactory = Validation.buildDefaultValidatorFactory();
+        validator = defaultFactory.getValidator();
+        if (validator == null) {
+            log.warn("Bean Validation provider could not be found, no validation will be performed");
+        } else {
+            log.debug("Validation In-Interceptor initialized successfully");
+        }
+    }
+
+    @Override
+    public void handleMessage(Message message) throws Fault {
+        final OperationResourceInfo operationResource = message.getExchange().get(OperationResourceInfo.class);
+        if (operationResource == null) {
+            log.info("OperationResourceInfo is not available, skipping validation");
+            return;
+        }
+
+        final ClassResourceInfo classResource = operationResource.getClassResourceInfo();
+        if (classResource == null) {
+            log.info("ClassResourceInfo is not available, skipping validation");
+            return;
+        }
+
+        final ResourceProvider resourceProvider = classResource.getResourceProvider();
+        if (resourceProvider == null) {
+            log.info("ResourceProvider is not available, skipping validation");
+            return;
+        }
+
+        final List<Object> arguments = MessageContentsList.getContentsList(message);
+        final Method method = operationResource.getAnnotatedMethod();
+        final Object instance = resourceProvider.getInstance(message);
+        if (method != null && arguments != null) {
+            //validate the parameters(arguments) over the invoked method
+            validate(method, arguments.toArray(), instance);
+
+            //validate the fields of each argument
+            for (Object arg : arguments) {
+                if (arg != null)
+                    validate(arg);
+            }
+        }
+
+    }
+
+    public <T> void validate(final Method method, final Object[] arguments, final T instance) {
+        if (validator == null) {
+            log.warn("Bean Validation provider could not be found, no validation will be performed");
+            return;
+        }
+
+        ExecutableValidator methodValidator = validator.forExecutables();
+        Set<ConstraintViolation<T>> violations = methodValidator.validateParameters(instance,
+                method, arguments);
+
+        if (!violations.isEmpty()) {
+            throw new ConstraintViolationException(violations);
+        }
+    }
+
+    public <T> void validate(final T object) {
+        if (validator == null) {
+            log.warn("Bean Validation provider could be found, no validation will be performed");
+            return;
+        }
+
+        Set<ConstraintViolation<T>> violations = validator.validate(object);
+
+        if (!violations.isEmpty()) {
+            throw new ConstraintViolationException(violations);
+        }
+    }
+
+    public void handleFault(org.apache.cxf.message.Message messageParam) {
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java

@@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.Activity;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ActivityList;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -100,7 +101,9 @@ public interface ActivityInfoProviderService {
                     name = "id",
                     value = "Activity id of the operation/activity to be retrieved.",
                     required = true)
-            @PathParam("id") String id,
+            @PathParam("id")
+            @Size(max = 45)
+            String id,
             @ApiParam(
                     name = "If-Modified-Since",
                     value = "Validates if the requested variant has not been modified since the time specified",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java

@@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 import org.wso2.carbon.policy.mgt.common.Policy;
 import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -100,24 +101,28 @@ public interface DeviceManagementService {
                     name = "name",
                     value = "The device name, such as shamu, bullhead or angler.",
                     required = false)
+            @Size(max = 45)
             String name,
             @ApiParam(
                     name = "type",
                     value = "The device type, such as ios, android or windows.",
                     required = false)
             @QueryParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "user",
                     value = "Username of owner of the devices.",
                     required = false)
             @QueryParam("user")
+            @Size(max = 45)
             String user,
             @ApiParam(
                     name = "roleName",
                     value = "Role name of the devices to be fetched.",
                     required = false)
             @QueryParam("roleName")
+            @Size(max = 45)
             String roleName,
             @ApiParam(
                     name = "ownership",
@@ -125,12 +130,14 @@ public interface DeviceManagementService {
                     value = "Ownership of the devices to be fetched registered under.",
                     required = false)
             @QueryParam("ownership")
+            @Size(max = 45)
             String ownership,
             @ApiParam(
                     name = "status",
                     value = "Enrollment status of devices to be fetched.",
                     required = false)
             @QueryParam("status")
+            @Size(max = 45)
             String status,
             @ApiParam(
                     name = "since",
@@ -216,12 +223,14 @@ public interface DeviceManagementService {
                     value = "The device type, such as ios, android or windows.",
                     required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "The device identifier of the device.",
                     required = true)
             @PathParam("id")
+            @Size(max = 45)
             String id,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -301,12 +310,14 @@ public interface DeviceManagementService {
                     value = "The device type, such as ios, android or windows.",
                     required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "The device identifier of the device.",
                     required = true)
             @PathParam("id")
+            @Size(max = 45)
             String id,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -370,7 +381,7 @@ public interface DeviceManagementService {
             })
     @Permission(
             scope = "device-search",
-            permissions = {"/permission/admin/device-mgt/admin/devices/list" }
+            permissions = {"/permission/admin/device-mgt/admin/devices/list"}
     )
     Response searchDevices(
             @ApiParam(
@@ -462,12 +473,14 @@ public interface DeviceManagementService {
                     name = "type",
                     value = "The device type, such as ios, android or windows.", required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "The device identifier of the device.",
                     required = true)
             @PathParam("id")
+            @Size(max = 45)
             String id,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -563,12 +576,14 @@ public interface DeviceManagementService {
                     value = "The device type, such as ios, android or windows.",
                     required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "The device identifier of the device.",
                     required = true)
             @PathParam("id")
+            @Size(max = 45)
             String id,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -658,12 +673,14 @@ public interface DeviceManagementService {
                     value = "The device type, such as ios, android or windows.",
                     required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "Device Identifier",
                     required = true)
             @PathParam("id")
+            @Size(max = 45)
             String id,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -674,7 +691,6 @@ public interface DeviceManagementService {
             String ifModifiedSince);
 
 
-
     @GET
     @Path("{type}/{id}/compliance-data")
     @ApiOperation(
@@ -708,10 +724,13 @@ public interface DeviceManagementService {
                     value = "The device type, such as ios, android or windows.",
                     required = true)
             @PathParam("type")
+            @Size(max = 45)
             String type,
             @ApiParam(
                     name = "id",
                     value = "Device Identifier",
                     required = true)
-            @PathParam("id") String id);
+            @PathParam("id")
+            @Size(max = 45)
+            String id);
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java

@@ -21,12 +21,12 @@ package org.wso2.carbon.device.mgt.jaxrs.service.api;
 import io.swagger.annotations.*;
 import org.wso2.carbon.apimgt.annotations.api.API;
 import org.wso2.carbon.apimgt.annotations.api.Permission;
-import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
 import org.wso2.carbon.device.mgt.common.notification.mgt.Notification;
-import org.wso2.carbon.device.mgt.jaxrs.NotificationContext;
 import org.wso2.carbon.device.mgt.jaxrs.NotificationList;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 
+import javax.validation.constraints.Max;
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -103,7 +103,7 @@ public interface NotificationManagementService {
                     value = "Status of the notification.",
                     allowableValues = "NEW, CHECKED",
                     required = false)
-            @QueryParam("status")
+            @QueryParam("status") @Size(max = 45)
                     String status,
             @ApiParam(
                     name = "If-Modified-Since",
@@ -157,6 +157,6 @@ public interface NotificationManagementService {
                     name = "id",
                     value = "Notification ID.",
                     required = true)
-            @PathParam("id")
+            @PathParam("id") @Max(45)
                     int id);
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java

@@ -22,9 +22,10 @@ import io.swagger.annotations.*;
 import org.wso2.carbon.apimgt.annotations.api.Permission;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 import org.wso2.carbon.device.mgt.jaxrs.beans.PolicyWrapper;
-import org.wso2.carbon.policy.mgt.common.Policy;
 import org.wso2.carbon.device.mgt.jaxrs.beans.PriorityUpdatedPolicyWrapper;
+import org.wso2.carbon.policy.mgt.common.Policy;
 
+import javax.validation.Valid;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -105,7 +106,7 @@ public interface PolicyManagementService {
                     name = "policy",
                     value = "Policy details related to the operation.",
                     required = true)
-                    PolicyWrapper policy);
+                    @Valid PolicyWrapper policy);
 
     @GET
     @ApiOperation(
@@ -306,7 +307,7 @@ public interface PolicyManagementService {
                     name = "policy",
                     value = "Policy details related to the operation.",
                     required = true)
-                    PolicyWrapper policy);
+                    @Valid PolicyWrapper policy);
 
     @POST
     @Path("/remove-policy")

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java

@@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.API;
 import org.wso2.carbon.device.mgt.common.Device;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -88,12 +89,16 @@ public interface DeviceManagementAdminService {
                     name = "name",
                     value = "Name of the device.",
                     required = true)
-            @QueryParam("name") String name,
+            @QueryParam("name")
+            @Size(max = 45)
+            String name,
             @ApiParam(
                     name = "type",
                     value = "Type of the device.",
                     required = true)
-            @QueryParam("type") String type,
+            @QueryParam("type")
+            @Size(min = 2, max = 45)
+            String type,
             @ApiParam(
                     name = "tenant-domain",
                     value = "Name of the tenant.",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java

@@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.Permission;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -70,7 +71,9 @@ public interface UserManagementAdminService {
                     name = "username",
                     value = "Username of the user.",
                     required = true)
-            @PathParam("username") String username,
+            @PathParam("username")
+            @Size(max = 45)
+            String username,
             @ApiParam(
                     name = "credentials",
                     value = "Credential.",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java

@@ -29,6 +29,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.ActivityInfoProviderService;
 import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
 import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -47,7 +48,8 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
     @GET
     @Override
     @Path("/{id}")
-    public Response getActivity(@PathParam("id") String id,
+    public Response getActivity(@PathParam("id")
+                                @Size(max = 45) String id,
                                 @HeaderParam("If-Modified-Since") String ifModifiedSince) {
         Activity activity;
         DeviceManagementProviderService dmService;

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ConfigurationServiceImpl.java

@@ -26,7 +26,6 @@ import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration
 import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 import org.wso2.carbon.device.mgt.jaxrs.service.api.ConfigurationManagementService;
 import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
-import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException;
 import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
 import org.wso2.carbon.device.mgt.jaxrs.util.MDMAppConstants;
 import org.wso2.carbon.policy.mgt.common.PolicyManagementException;

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/DeviceManagementServiceImpl.java

@@ -44,6 +44,7 @@ import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData;
 import org.wso2.carbon.policy.mgt.common.monitor.PolicyComplianceException;
 import org.wso2.carbon.policy.mgt.core.PolicyManagerService;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -62,12 +63,12 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @GET
     @Override
     public Response getDevices(
-            @QueryParam("name") String name,
+            @QueryParam("name") @Size(max = 45) String name,
-            @QueryParam("type") String type,
+            @QueryParam("type") @Size(max = 45) String type,
-            @QueryParam("user") String user,
+            @QueryParam("user") @Size(max = 45) String user,
-            @QueryParam("roleName") String roleName,
+            @QueryParam("roleName") @Size(max = 45) String roleName,
-            @QueryParam("ownership") String ownership,
+            @QueryParam("ownership") @Size(max = 45) String ownership,
-            @QueryParam("status") String status,
+            @QueryParam("status") @Size(max = 45) String status,
             @QueryParam("since") String since,
             @HeaderParam("If-Modified-Since") String ifModifiedSince,
             @QueryParam("offset") int offset,
@@ -80,7 +81,7 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
             PaginationResult result;
             DeviceList devices = new DeviceList();
 
-            if(name != null && !name.isEmpty()){
+            if (name != null && !name.isEmpty()) {
                 request.setDeviceName(name);
             }
             if (type != null && !type.isEmpty()) {
@@ -180,8 +181,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @Path("/{type}/{id}")
     @Override
     public Response getDevice(
-            @PathParam("type") String type,
+            @PathParam("type") @Size(max = 45) String type,
-            @PathParam("id") String id,
+            @PathParam("id") @Size(max = 45) String id,
             @HeaderParam("If-Modified-Since") String ifModifiedSince) {
         Device device;
         try {
@@ -207,8 +208,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @Path("/{type}/{id}/features")
     @Override
     public Response getFeaturesOfDevice(
-            @PathParam("type") String type,
+            @PathParam("type") @Size(max = 45) String type,
-            @PathParam("id") String id,
+            @PathParam("id") @Size(max = 45) String id,
             @HeaderParam("If-Modified-Since") String ifModifiedSince) {
         List<Feature> features;
         DeviceManagementProviderService dms;
@@ -258,8 +259,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @Path("/{type}/{id}/applications")
     @Override
     public Response getInstalledApplications(
-            @PathParam("type") String type,
+            @PathParam("type") @Size(max = 45) String type,
-            @PathParam("id") String id,
+            @PathParam("id") @Size(max = 45) String id,
             @HeaderParam("If-Modified-Since") String ifModifiedSince,
             @QueryParam("offset") int offset,
             @QueryParam("limit") int limit) {
@@ -287,8 +288,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @Path("/{type}/{id}/operations")
     @Override
     public Response getDeviceOperations(
-            @PathParam("type") String type,
+            @PathParam("type") @Size(max = 45) String type,
-            @PathParam("id") String id,
+            @PathParam("id") @Size(max = 45) String id,
             @HeaderParam("If-Modified-Since") String ifModifiedSince,
             @QueryParam("offset") int offset,
             @QueryParam("limit") int limit) {
@@ -318,8 +319,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
     @GET
     @Path("/{type}/{id}/effective-policy")
     @Override
-    public Response getEffectivePolicyOfDevice(@PathParam("type") String type,
+    public Response getEffectivePolicyOfDevice(@PathParam("type") @Size(max = 45) String type,
-                                               @PathParam("id") String id,
+                                               @PathParam("id") @Size(max = 45) String id,
                                                @HeaderParam("If-Modified-Since") String ifModifiedSince) {
         try {
             RequestValidationUtil.validateDeviceIdentifier(type, id);
@@ -339,8 +340,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
 
     @GET
     @Path("{type}/{id}/compliance-data")
-    public Response getComplianceDataOfDevice(@PathParam("type") String type,
+    public Response getComplianceDataOfDevice(@PathParam("type") @Size(max = 45) String type,
-                                              @PathParam("id") String id) {
+                                              @PathParam("id") @Size(max = 45) String id) {
 
         RequestValidationUtil.validateDeviceIdentifier(type, id);
         PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/NotificationManagementServiceImpl.java

@@ -31,6 +31,8 @@ import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
 import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException;
 import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
 
+import javax.validation.constraints.Max;
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -46,7 +48,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement
     @GET
     @Override
     public Response getNotifications(
-            @QueryParam("status") String status,
+            @QueryParam("status") @Size(max = 45) String status,
             @HeaderParam("If-Modified-Since") String ifModifiedSince,
             @QueryParam("offset") int offset, @QueryParam("limit") int limit) {
 
@@ -79,7 +81,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement
     @PUT
     @Path("/{id}/mark-checked")
     public Response updateNotificationStatus(
-            @PathParam("id") int id) {
+            @PathParam("id") @Max(45)int id) {
         String msg;
         Notification.Status status = Notification.Status.CHECKED;
         Notification notification;

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/PolicyManagementServiceImpl.java

@@ -41,6 +41,7 @@ import org.wso2.carbon.policy.mgt.common.PolicyAdministratorPoint;
 import org.wso2.carbon.policy.mgt.common.PolicyManagementException;
 import org.wso2.carbon.policy.mgt.core.PolicyManagerService;
 
+import javax.validation.Valid;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -59,7 +60,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
 
     @POST
     @Override
-    public Response addPolicy(PolicyWrapper policyWrapper) {
+    public Response addPolicy(@Valid PolicyWrapper policyWrapper) {
         RequestValidationUtil.validatePolicyDetails(policyWrapper);
         PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();
 
@@ -111,7 +112,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
         }
     }
 
-    private Policy getPolicyFromWrapper(PolicyWrapper policyWrapper) throws DeviceManagementException {
+    private Policy getPolicyFromWrapper(@Valid PolicyWrapper policyWrapper) throws DeviceManagementException {
         Policy policy = new Policy();
         policy.setPolicyName(policyWrapper.getPolicyName());
         policy.setDescription(policyWrapper.getDescription());
@@ -187,7 +188,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
     @PUT
     @Path("/{id}")
     @Override
-    public Response updatePolicy(@PathParam("id") int id, PolicyWrapper policyWrapper) {
+    public Response updatePolicy(@PathParam("id") int id, @Valid PolicyWrapper policyWrapper) {
         RequestValidationUtil.validatePolicyDetails(policyWrapper);
         PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();
         try {

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/DeviceManagementAdminServiceImpl.java

@@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.DeviceManagementAdminS
 import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
 import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -45,8 +46,8 @@ public class DeviceManagementAdminServiceImpl implements DeviceManagementAdminSe
 
     @Override
     @GET
-    public Response getDevicesByName(@QueryParam("name") String name,
+    public Response getDevicesByName(@QueryParam("name") @Size(max = 45) String name,
-                                     @QueryParam("type") String type,
+                                     @QueryParam("type") @Size(min = 2, max = 45) String type,
                                      @QueryParam("tenant-domain") String tenantDomain,
                                      @HeaderParam("If-Modified-Since") String ifModifiedSince,
                                      @QueryParam("offset") int offset,

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/UserManagementAdminServiceImpl.java

@@ -22,6 +22,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper;
 import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.UserManagementAdminService;
 import org.wso2.carbon.device.mgt.jaxrs.util.CredentialManagementResponseBuilder;
 
+import javax.validation.constraints.Size;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -34,7 +35,9 @@ public class UserManagementAdminServiceImpl implements UserManagementAdminServic
     @POST
     @Path("/{username}/credentials")
     @Override
-    public Response resetUserPassword(@PathParam("username") String user, PasswordResetWrapper credentials) {
+    public Response resetUserPassword(@PathParam("username")
+                                      @Size(max = 45)
+                                          String user, PasswordResetWrapper credentials) {
         return CredentialManagementResponseBuilder.buildResetPasswordResponse(user, credentials);
     }
 

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/util/RequestValidationUtil.java

@@ -19,10 +19,10 @@
 package org.wso2.carbon.device.mgt.jaxrs.service.impl.util;
 
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
-import org.wso2.carbon.device.mgt.common.PaginationRequest;
 import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration;
 import org.wso2.carbon.device.mgt.common.notification.mgt.Notification;
 import org.wso2.carbon.device.mgt.jaxrs.beans.*;
+
 import java.util.ArrayList;
 import java.util.List;
 
@@ -324,6 +324,12 @@ public class RequestValidationUtil {
                     new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request parameter limit is a " +
                             "negative value.").build());
         }
+        if (limit - offset > 100) {
+            throw new InputValidationException(
+                    new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request results list should" +
+                            " be less than or equal 100 values.").build());
+        }
+
     }
 
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/Constants.java

@@ -27,4 +27,18 @@ public class Constants {
 	public static final String USER_CLAIM_FIRST_NAME = "http://wso2.org/claims/givenname";
 	public static final String USER_CLAIM_LAST_NAME = "http://wso2.org/claims/lastname";
 
+	public final class ErrorMessages {
+		private ErrorMessages () { throw new AssertionError(); }
+
+		public static final String STATUS_BAD_REQUEST_MESSAGE_DEFAULT = "Bad Request";
+
+	}
+
+	public final class DeviceConstants {
+		private DeviceConstants () { throw new AssertionError(); }
+
+		public static final String APPLICATION_JSON = "application/json";
+		public static final String HEADER_CONTENT_TYPE = "Content-Type";
+	}
+
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtUtil.java

@@ -18,11 +18,16 @@
 
 package org.wso2.carbon.device.mgt.jaxrs.util;
 
+import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorListItem;
+import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
 import org.wso2.carbon.device.mgt.jaxrs.beans.ProfileFeature;
+import org.wso2.carbon.device.mgt.jaxrs.exception.BadRequestException;
 import org.wso2.carbon.policy.mgt.common.Profile;
 
+import javax.validation.ConstraintViolation;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 public class DeviceMgtUtil {
 
@@ -58,4 +63,49 @@ public class DeviceMgtUtil {
         return profileFeature;
 
     }
+
+    /**
+     * Returns a new BadRequestException
+     *
+     * @param description description of the exception
+     * @return a new BadRequestException with the specified details as a response DTO
+     */
+    public static BadRequestException buildBadRequestException(String description) {
+        ErrorResponse errorResponse = getErrorResponse(Constants.
+                ErrorMessages.STATUS_BAD_REQUEST_MESSAGE_DEFAULT,400l, description);
+        return new BadRequestException(errorResponse);
+    }
+
+    /**
+     * Returns generic ErrorResponse.
+     * @param message specific error message
+     * @param code
+     * @param description
+     * @return generic Response with error specific details.
+     */
+    public static ErrorResponse getErrorResponse(String message, Long code, String description) {
+        ErrorResponse errorResponse = new ErrorResponse();
+        errorResponse.setCode(code);
+        errorResponse.setMoreInfo("");
+        errorResponse.setMessage(message);
+        errorResponse.setDescription(description);
+        return errorResponse;
+    }
+
+    public static <T> ErrorResponse getConstraintViolationErrorDTO(Set<ConstraintViolation<T>> violations) {
+        ErrorResponse errorResponse = new ErrorResponse();
+        errorResponse.setDescription("Validation Error");
+        errorResponse.setMessage("Bad Request");
+        errorResponse.setCode(400l);
+        errorResponse.setMoreInfo("");
+        List<ErrorListItem> errorListItems = new ArrayList<>();
+        for (ConstraintViolation violation : violations) {
+            ErrorListItem errorListItemDTO = new ErrorListItem();
+            errorListItemDTO.setCode(400 + "_" + violation.getPropertyPath());
+            errorListItemDTO.setMessage(violation.getPropertyPath() + ": " + violation.getMessage());
+            errorListItems.add(errorListItemDTO);
+        }
+        errorResponse.setErrorItems(errorListItems);
+        return errorResponse;
+    }
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/cxf-servlet.xml

@@ -17,12 +17,11 @@
   ~ under the License.
   -->
 
-<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns="http://www.springframework.org/schema/beans"
+       xmlns:jaxrs="http://cxf.apache.org/jaxrs" xmlns:cxf="http://cxf.apache.org/core"
-       xsi:schemaLocation="
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
-         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">
 
     <jaxrs:server id="services" address="/">
         <jaxrs:serviceBeans>
@@ -51,6 +50,8 @@
 
     <bean id="swaggerWriter" class="io.swagger.jaxrs.listing.SwaggerSerializers" />
     <bean id="swaggerResource" class="io.swagger.jaxrs.listing.ApiListingResource" />
+    <bean id="ValidationInterceptor" class="org.wso2.carbon.device.mgt.jaxrs.exception.ValidationInterceptor"/>
+    <bean id="GlobalExceptionMapper" class="org.wso2.carbon.device.mgt.jaxrs.exception.GlobalThrowableMapper"/>
 
     <bean id="swaggerConfig" class="io.swagger.jaxrs.config.BeanConfig">
         <property name="resourcePackage" value="org.wso2.carbon.device.mgt.jaxrs"/>
@@ -80,6 +81,12 @@
     <bean id="dashboardServiceBean" class="org.wso2.carbon.device.mgt.jaxrs.service.impl.DashboardImpl"/>
     <bean id="deviceTypeManagementAdminService" class="org.wso2.carbon.device.mgt.jaxrs.service.impl.admin.DeviceTypeManagementServiceImpl"/>
     <bean id="jsonProvider" class="org.wso2.carbon.device.mgt.jaxrs.common.GsonMessageBodyHandler"/>
+
     <!--<bean id="errorHandler" class="org.wso2.carbon.device.mgt.jaxrs.common.ErrorHandler"/>-->
+    <cxf:bus>
+        <cxf:inInterceptors>
+            <ref bean="ValidationInterceptor"/>
+        </cxf:inInterceptors>
+    </cxf:bus>
 
 </beans>

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java

@@ -63,7 +63,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
             throws DeviceAccessAuthorizationException {
         int tenantId = this.getTenantId();
         if (username == null || username.isEmpty()) {
-            return false;
+            return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
         }
         //check for admin and ownership permissions
         if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {

pom.xml

@@ -1080,10 +1080,6 @@
                         <groupId>asm</groupId>
                         <artifactId>asm</artifactId>
                     </exclusion>
-                    <exclusion>
-                        <groupId>org.apache.cxf</groupId>
-                        <artifactId>cxf-api</artifactId>
-                    </exclusion>
                     <exclusion>
                         <groupId>org.apache.cxf</groupId>
                         <artifactId>cxf-rt-core</artifactId>
@@ -1111,10 +1107,6 @@
                         <groupId>javax.ws.rs</groupId>
                         <artifactId>jsr311-api</artifactId>
                     </exclusion>
-                    <exclusion>
-                        <groupId>org.apache.cxf</groupId>
-                        <artifactId>cxf-api</artifactId>
-                    </exclusion>
                     <exclusion>
                         <groupId>org.apache.cxf</groupId>
                         <artifactId>cxf-rt-core</artifactId>
@@ -1140,12 +1132,6 @@
                 <groupId>org.apache.cxf</groupId>
                 <artifactId>cxf-rt-transports-http</artifactId>
                 <version>${cxf.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.apache.cxf</groupId>
-                        <artifactId>cxf-api</artifactId>
-                    </exclusion>
-                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.apache.cxf</groupId>
@@ -1521,6 +1507,11 @@
                 <artifactId>encoder</artifactId>
                 <version>${owasp.encoder.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.hibernate</groupId>
+                <artifactId>hibernate-validator</artifactId>
+                <version>${hibernate-validator.version}</version>
+            </dependency>
 
         </dependencies>
     </dependencyManagement>
@@ -1891,6 +1882,8 @@
         <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
         <jackson-annotations.version>2.7.4</jackson-annotations.version>
         <owasp.encoder.version>1.2.0.wso2v1</owasp.encoder.version>
+
+        <hibernate-validator.version>5.0.2.Final</hibernate-validator.version>
     </properties>
 
 </project>