Merge pull request #17538 from adavid9

* gh-17538:
  Polish "Hide loader classes from Tomcat's ServletContext resource paths"
  Hide loader classes from Tomcat's ServletContext resource paths

Closes gh-17538
pull/17590/head
Andy Wilkinson 5 years ago
commit 173ff87b98

@ -31,6 +31,7 @@ import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.ServletContainerInitializer;
@ -88,6 +89,7 @@ import org.springframework.util.StringUtils;
* @author Andy Wilkinson
* @author Eddú Meléndez
* @author Christoffer Sawicki
* @author Dawid Antecki
* @since 2.0.0
* @see #setPort(int)
* @see #setContextLifecycleListeners(Collection)
@ -751,7 +753,9 @@ public class TomcatServletWebServerFactory extends AbstractServletWebServerFacto
@Override
public Set<String> listWebAppPaths(String path) {
return this.delegate.listWebAppPaths(path);
return this.delegate.listWebAppPaths(path).stream()
.filter((webAppPath) -> !webAppPath.startsWith("/org/springframework/boot"))
.collect(Collectors.toSet());
}
@Override

@ -18,6 +18,8 @@ package com.example;
import java.io.IOException;
import java.net.URL;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
@ -38,31 +40,62 @@ import org.springframework.context.annotation.Bean;
@SpringBootApplication
public class ResourceHandlingApplication {
@Bean
public ServletRegistrationBean<?> resourceServletRegistration() {
ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new GetResourceServlet());
registration.addUrlMappings("/servletContext");
return registration;
}
@Bean
public ServletRegistrationBean<?> resourcePathsServletRegistration() {
ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(
new GetResourcePathsServlet());
registration.addUrlMappings("/resourcePaths");
return registration;
}
public static void main(String[] args) {
new SpringApplicationBuilder(ResourceHandlingApplication.class).properties("server.port:0")
.listeners(new WebServerPortFileWriter("target/server.port")).run(args);
}
@Bean
public ServletRegistrationBean<?> resourceServletRegistration() {
ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new HttpServlet() {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
URL resource = getServletContext().getResource(req.getQueryString());
if (resource == null) {
resp.sendError(404);
}
else {
resp.getWriter().println(resource);
resp.getWriter().flush();
private static final class GetResourcePathsServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
collectResourcePaths("/").forEach(resp.getWriter()::println);
resp.getWriter().flush();
}
private Set<String> collectResourcePaths(String path) {
Set<String> allResourcePaths = new LinkedHashSet<>();
Set<String> pathsForPath = getServletContext().getResourcePaths(path);
if (pathsForPath != null) {
for (String resourcePath : pathsForPath) {
allResourcePaths.add(resourcePath);
allResourcePaths.addAll(collectResourcePaths(resourcePath));
}
}
return allResourcePaths;
}
}
private static final class GetResourceServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
URL resource = getServletContext().getResource(req.getQueryString());
if (resource == null) {
resp.sendError(404);
}
else {
resp.getWriter().println(resource);
resp.getWriter().flush();
}
}
});
registration.addUrlMappings("/servletContext");
return registration;
}
}

@ -16,7 +16,13 @@
package org.springframework.boot.context.embedded;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.junit.runner.RunWith;
@ -67,4 +73,29 @@ public class EmbeddedServletContainerWarDevelopmentIntegrationTests
assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
}
@Test
public void loaderClassesAreNotAvailableViaResourcePaths() {
ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(readLines(entity.getBody()))
.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
}
private List<String> readLines(String input) {
if (input == null) {
return Collections.emptyList();
}
List<String> lines = new ArrayList<>();
try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
String line;
while ((line = reader.readLine()) != null) {
lines.add(line);
}
return lines;
}
catch (IOException ex) {
throw new RuntimeException("Failed to read lines from input '" + input + "'");
}
}
}

@ -16,7 +16,13 @@
package org.springframework.boot.context.embedded;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.junit.runner.RunWith;
@ -90,4 +96,29 @@ public class EmbeddedServletContainerWarPackagingIntegrationTests
assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
}
@Test
public void loaderClassesAreNotAvailableViaResourcePaths() {
ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(readLines(entity.getBody()))
.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
}
private List<String> readLines(String input) {
if (input == null) {
return Collections.emptyList();
}
List<String> lines = new ArrayList<>();
try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
String line;
while ((line = reader.readLine()) != null) {
lines.add(line);
}
return lines;
}
catch (IOException ex) {
throw new RuntimeException("Failed to read lines from input '" + input + "'");
}
}
}

Loading…
Cancel
Save