Bump jetty-webapp from 8.2.0.v20160908 to 9.4.34.v20201102 in /remote-api (#270)

* Bump jetty-webapp in /remote-api Upping jetty to 10.0.11 with a few necessary modifications to avoid errors Swapping charsets to lowercase, adding ignoring of ambiguous link security issues for jetty (since it is only used in Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mstrankowski <marcin.strankowski@hyland.com>
2025-07-24 17:32:48 +00:00 · 2022-08-08 11:59:07 +02:00
parent 3a34c42d2f
commit 924005e94e
6 changed files with 110 additions and 156 deletions
--- a/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java
+++ b/remote-api/src/test/java/org/alfresco/repo/web/util/AbstractJettyComponent.java
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.repo.web.util;

 import java.io.BufferedReader;
@@ -32,6 +32,7 @@ import java.io.InputStreamReader;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
+import java.util.Arrays;
 import java.util.Date;

 import javax.servlet.ServletContext;
@@ -44,7 +45,8 @@ import org.alfresco.util.TempFileProvider;
 import org.alfresco.util.WebApplicationContextLoader;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.eclipse.jetty.security.HashLoginService;
+import org.eclipse.jetty.http.UriCompliance;
+import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.springframework.beans.BeanUtils;
@@ -145,6 +147,8 @@ public abstract class AbstractJettyComponent implements JettyComponent
 		    
 		    configureWebAppContext(webAppContext);

+			ignoreAmbiguousLinks(server);
+
 		    server.start();

 			if(logger.isDebugEnabled())
@@ -203,15 +207,27 @@ public abstract class AbstractJettyComponent implements JettyComponent
 				}
 			}    
 		});
-	    
-	    // with a login-config in web.xml, jetty seems to require this in order to start successfully
-	    webAppContext.getSecurityHandler().setLoginService(new HashLoginService());

 	    // arbitrary temporary file location
 	    File tmp = new File(TempFileProvider.getSystemTempDir(), String.valueOf(System.currentTimeMillis()));
 	    webAppContext.setResourceBase(tmp.getAbsolutePath());		
 	}

+	/**
+	 * In newer jetty versions there is a stricter check for links e.g. "//" is not allowed, which clashes
+	 * with some of our tests, because even a NodeRef triggers it - "workspace://..."
+	 * Since Jetty is only used in tests it's alright to block this behaviour.
+	 *
+	 * @param server
+	 */
+	private void ignoreAmbiguousLinks(Server server) {
+		Arrays.stream(server.getConnectors())
+				.flatMap(c -> c.getConnectionFactories().stream())
+				.filter(cf -> cf instanceof HttpConnectionFactory)
+				.map(cf -> (HttpConnectionFactory) cf)
+				.forEach(hcf -> hcf.getHttpConfiguration().setUriCompliance(UriCompliance.RFC3986));
+	}
+
 	public void shutdown()
 	{
 		try
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/EnterpriseJettyComponent.java
@@ -1,34 +1,30 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.rest.api.tests;

-import org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.webapp.WebAppContext;
-
 /**
 * Manages an embedded jetty server, hooking it up to the repository spring context and providing 
 * authenticated, tenant-based access through the tenant servlet.
@@ -42,15 +38,4 @@ public class EnterpriseJettyComponent extends PublicApiJettyComponent
 	{
 		super(port, contextPath, configLocations, classLocations);
 	}
-	
-	@Override
-	protected void configureWebAppContext(WebAppContext webAppContext)
-	{
-		super.configureWebAppContext(webAppContext);
-
-	    // the tenant servlet with alfresco managed authentication
-	    ServletHolder servletHolder = new ServletHolder(CmisAtomPubServlet.class);
-	    servletHolder.setInitParameter("callContextHandler", "org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler");
-	    webAppContext.addServlet(servletHolder, "/cmisatom/*");
-	}
 }
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/ModulePackagesApiTest.java
@@ -123,7 +123,7 @@ public class ModulePackagesApiTest extends AbstractBaseApiTest
        assertNotNull(response);
        assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode());
        assertEquals("no-cache", response.getHeaders().get("Cache-Control"));
-        assertEquals("application/json;charset=UTF-8", response.getHeaders().get("Content-Type"));
+        assertEquals("application/json;charset=utf-8", response.getHeaders().get("Content-Type"));

        PublicApiClient.ExpectedErrorResponse errorResponse = RestApiUtil.parseErrorResponse(response.getJsonResponse());
        assertNotNull(errorResponse);
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/PublicApiJettyComponent.java
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.rest.api.tests;

 import org.alfresco.repo.web.util.AbstractJettyComponent;
@@ -48,63 +48,16 @@ public class PublicApiJettyComponent extends AbstractJettyComponent
 	@Override
 	protected void configureWebAppContext(WebAppContext webAppContext)
 	{
-//		ServletContext servletContext = webAppContext.getServletContext();

 	    // the tenant servlet with alfresco managed authentication
 	    ServletHolder servletHolder = new ServletHolder(PublicApiWebScriptServlet.class);
 	    servletHolder.setInitParameter("authenticator", "publicapi.authenticator");
 	    webAppContext.addServlet(servletHolder, "/" + publicApiServletName + "/*");
-	    
-//	    DependencyInjectedFilter apiFilter = (DependencyInjectedFilter)getApplicationContext().getBean("publicAPICMISFilter");
-//	    BeanProxyFilter filter = new BeanProxyFilter(servletContext, apiFilter);
-//	    FilterHolder filterHolder = new FilterHolder(filter);
-//	    webAppContext.addFilter(filterHolder, "/" + publicApiServletName + "/*", null);
+

 	    // the tenant servlet with alfresco managed authentication
 	    servletHolder = new ServletHolder(CmisAtomPubServlet.class);
 	    servletHolder.setInitParameter("callContextHandler", "org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler");
-	    webAppContext.addServlet(servletHolder, "/cmisatom/*");
+		webAppContext.addServlet(servletHolder, "/cmisatom/*");
 	}
-	
-//	private static class BeanProxyFilter implements Filter
-//	{
-//	    private DependencyInjectedFilter filter;
-//	    private ServletContext context;    
-//	    
-//	    private BeanProxyFilter(ServletContext context, DependencyInjectedFilter filter)
-//	    {
-//	    	this.context = context;
-//	    	this.filter = filter;
-//	    }
-//
-//	    /**
-//	     * Initialize the filter.
-//	     * 
-//	     * @param args
-//	     *            FilterConfig
-//	     * @throws ServletException
-//	     *             the servlet exception
-//	     * @exception ServletException
-//	     */
-//	    public void init(FilterConfig args) throws ServletException
-//	    {
-//	    }
-//
-//	    /* (non-Javadoc)
-//	     * @see javax.servlet.Filter#destroy()
-//	     */
-//	    public void destroy()
-//	    {
-//	        this.filter = null;
-//	    }
-//
-//	    /* (non-Javadoc)
-//	     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
-//	     */
-//	    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-//	            ServletException
-//	    {
-//	        this.filter.doFilter(this.context, request, response, chain);
-//	    }
-//	}
 }
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
@@ -303,7 +303,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
        Map<String, String> responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(file1_MimeType+";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(file1_MimeType+";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get("Expires"));
        assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", responseHeaders.get("Content-Disposition"));
        String lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -319,7 +319,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(file1_MimeType+";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(file1_MimeType+";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
        assertNotNull(responseHeaders.get("Expires"));
        assertNull(responseHeaders.get("Content-Disposition"));
@@ -330,7 +330,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertArrayEquals(content2Text.getBytes(), response.getResponseAsBytes());
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(file2_MimeType+";charset=ISO-8859-1", responseHeaders.get("Content-Type"));
+        assertEquals(file2_MimeType+";charset=iso-8859-1", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get("Expires"));
        assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
        assertEquals("attachment; filename=\"" + fileName2 + "\"; filename*=UTF-8''" + fileName2 + "", responseHeaders.get("Content-Disposition"));
@@ -392,7 +392,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertTrue(response.getResponseAsBytes().length > 0);
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
        assertNotNull(responseHeaders.get("Expires"));
        String docName = "doclib";
@@ -405,7 +405,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertTrue(response.getResponseAsBytes().length > 0);
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG+";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get("Expires"));
        assertNull(responseHeaders.get("Content-Disposition"));
        lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -816,7 +816,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
        Map<String, String> responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(file1_MimeType + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(file1_MimeType + ";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get("Expires"));
        assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", responseHeaders.get("Content-Disposition"));
        String lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);
@@ -832,7 +832,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertArrayEquals(file1_originalBytes, response.getResponseAsBytes());
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(file1_MimeType + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(file1_MimeType + ";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
        assertNotNull(responseHeaders.get("Expires"));
        assertNull(responseHeaders.get("Content-Disposition"));
@@ -888,7 +888,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertTrue(response.getResponseAsBytes().length > 0);
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get(LAST_MODIFIED_HEADER));
        assertNotNull(responseHeaders.get("Expires"));
        String docName = "doclib";
@@ -901,7 +901,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertTrue(response.getResponseAsBytes().length > 0);
        responseHeaders = response.getHeaders();
        assertNotNull(responseHeaders);
-        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=UTF-8", responseHeaders.get("Content-Type"));
+        assertEquals(MimetypeMap.MIMETYPE_IMAGE_PNG + ";charset=utf-8", responseHeaders.get("Content-Type"));
        assertNotNull(responseHeaders.get("Expires"));
        assertNull(responseHeaders.get("Content-Disposition"));
        lastModifiedHeader = responseHeaders.get(LAST_MODIFIED_HEADER);