From a1dda12bcb7deabd85a549296a0a361c9f3f2372 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Fri, 11 Nov 2016 11:46:57 +0000
Subject: [PATCH] Disable Server header by default when using SSL with Jetty 9

Closes gh-7359
---
 .../JettyEmbeddedServletContainerFactory.java | 1 +
 ...tEmbeddedServletContainerFactoryTests.java | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
index 2845854061..f419c11ef5 100644
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
@@ -692,6 +692,7 @@ public class JettyEmbeddedServletContainerFactory
 public ServerConnector getConnector(Server server,
 SslContextFactory sslContextFactory, int port) {
 HttpConfiguration config = new HttpConfiguration();
+ config.setSendServerVersion(false);
 config.addCustomizer(new SecureRequestCustomizer());
 HttpConnectionFactory connectionFactory = new HttpConnectionFactory(config);
 SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(
diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
index 21fc482704..5ce1d248e3 100644
--- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
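Review bot: The `HttpConfiguration` created on the context line just above the added `config.setSendServerVersion(false);` is a fresh instance built only for the SSL connector, so every default that the plain-HTTP connector presumably already gets has to be repeated here by hand — which is how the SSL path came to advertise Jetty's version in the first place. A short why-comment on the new line would stop the next default from drifting again: `// Keep in step with the plain HTTP connector: never advertise Jetty's version (gh-7359)`. If the two connectors could obtain their `HttpConfiguration` from one shared factory method the duplication would go away at the root, but whether such a method already exists is not visible in this hunk. The enclosing `getConnector` method continues past the end of the hunk.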
@@ -420,6 +420,41 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
 .contains("scheme=https");
 }
 
+ @Test
+ public void serverHeaderIsDisabledByDefaultWhenUsingSsl() throws Exception {
+ AbstractEmbeddedServletContainerFactory factory = getFactory();
+ factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+ this.container = factory.getEmbeddedServletContainer(
+ new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+ this.container.start();
+ SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ new SSLContextBuilder()
+ .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+ HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+ .build();
+ ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+ HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+ assertThat(response.getHeaders().get("Server")).isNullOrEmpty();
+ }
+
+ @Test
+ public void serverHeaderCanBeCustomizedWhenUsingSsl() throws Exception {
+ AbstractEmbeddedServletContainerFactory factory = getFactory();
+ factory.setServerHeader("MyServer");
+ factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+ this.container = factory.getEmbeddedServletContainer(
+ new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+ this.container.start();
+ SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ new SSLContextBuilder()
+ .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+ HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+ .build();
+ ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+ HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+ assertThat(response.getHeaders().get("Server")).containsExactly("MyServer");
+ }
+
 protected final void testBasicSslWithKeyStore(String keyStore) throws
Exception {
 AbstractEmbeddedServletContainerFactory factory = getFactory();
 addTestTxtFile(factory);
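Review bot: Both new tests repeat the same HTTPS client set-up verbatim — the `SSLConnectionSocketFactory` built from an `SSLContextBuilder` with `TrustSelfSignedStrategy`, wrapped by `HttpClients.custom()` and then a `HttpComponentsClientHttpRequestFactory` — and differ only in the `factory.setServerHeader("MyServer")` call and the final assertion on the `Server` header. Extracting that set-up into a private helper that returns the request factory keeps each test focused on the header behaviour it pins and gives the trust-self-signed choice one place to be explained; `testBasicSslWithKeyStore`, whose body continues past the hunk, may be able to reuse it as well. The helper is a test-code refactoring only and does not change what either test asserts.

```java
	@Test
	public void serverHeaderIsDisabledByDefaultWhenUsingSsl() throws Exception {
		AbstractEmbeddedServletContainerFactory factory = getFactory();
		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
		this.container = factory.getEmbeddedServletContainer(
				new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
		this.container.start();
		ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
				HttpMethod.GET, selfSignedHttpsRequestFactory());
		assertThat(response.getHeaders().get("Server")).isNullOrEmpty();
	}

	// … unchanged: serverHeaderCanBeCustomizedWhenUsingSsl, with the same substitution …

	// Trusts the self-signed certificate in src/test/resources/test.jks so the
	// tests can talk to their own in-process container over HTTPS.
	private HttpComponentsClientHttpRequestFactory selfSignedHttpsRequestFactory()
			throws Exception {
		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
				new SSLContextBuilder()
						.loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
		HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
				.build();
		return new HttpComponentsClientHttpRequestFactory(httpClient);
	}
```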