RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]

Bernd Eckenfels ecki at zusammenkunft.net
Thu Sep 16 22:07:32 UTC 2021


I also wonder if it makes sense to either only serve files with public permissions, or at least filter some critical files like .ssh/* and *.jks. Those command-line servers are often started "accidentally" in the home directory.


--
http://bernd.eckenfels.net
________________________________
From: net-dev <net-dev-retn at openjdk.java.net> on behalf of Jaikiran Pai <jpai at openjdk.java.net>
Sent: Thursday, September 16, 2021 4:08:46 PM
To: build-dev at openjdk.java.net <build-dev at openjdk.java.net>; core-libs-dev at openjdk.java.net <core-libs-dev at openjdk.java.net>; net-dev at openjdk.java.net <net-dev at openjdk.java.net>
Subject: Re: RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]

On Thu, 16 Sep 2021 10:14:47 GMT, Julia Boes <jboes at openjdk.org> wrote:

>> This change implements a simple web server that can be run on the command-line with `java -m jdk.httpserver`.
>>
>> This is facilitated by adding an entry point for the `jdk.httpserver` module, an implementation class whose main method is run when the above command is executed. This is the first such module entry point in the JDK.
>>
>> The server is a minimal HTTP server that serves the static files of a given directory, similar to existing alternatives on other platforms and convenient for testing, development, and debugging.
>>
>> Additionally, a small API is introduced for programmatic creation and customization.
>>
>> Testing: tier1-3.
>
> Julia Boes has updated the pull request incrementally with one additional commit since the last revision:
>
>   correct path handling

src/jdk.httpserver/share/classes/module-info.java line 55:

> 53:  *                                  [-o none|info|verbose] [-h to show options]
> 54:  *    Options:
> 55:  *    -b, --bind-address    - Address to bind to. Default: 0.0.0.0 (all interfaces).

I understand that the purpose of this simple server is for development and testing only. But even then, for security considerations, would it be more appropriate to default the bind address to a loopback address instead of making it accessible potentially to the entire public? In the past, application servers which used to bind to all interfaces by default have now moved to using the loopback address as a default to avoid such accidental exposure of the server.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
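
The two suggestions in this thread (a loopback default bind address, and refusing files such as .ssh/* and *.jks or files without public read permission) combined in one added example; it is not code from the pull request or from the JDK. It uses the long-standing `com.sun.net.httpserver.HttpServer` API; the class name `GuardedFileServer`, the helper `resolveAllowed`, port 8000 and the reading of "public permissions" as the POSIX others-read bit are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;

public class GuardedFileServer {
    // Returns the file to serve, or null when the request must be refused.
    static Path resolveAllowed(Path root, String uriPath) {
        try {
            // toRealPath() resolves ".." and symlinks before any check is made.
            Path real = root.resolve(uriPath.replaceFirst("^/+", "")).toRealPath();
            if (!real.startsWith(root) || !Files.isRegularFile(real)) return null;
            for (Path part : real) {
                String name = part.toString();
                // Constructed deny list: the two examples named in the message.
                if (name.equals(".ssh") || name.endsWith(".jks")) return null;
            }
            // "Public permissions" is read here as the POSIX others-read bit.
            boolean worldReadable = Files.getPosixFilePermissions(real)
                    .contains(PosixFilePermission.OTHERS_READ);
            return worldReadable ? real : null;
        } catch (IOException | RuntimeException e) {
            return null; // missing file, bad path, non-POSIX file system: fail closed
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Path.of(args.length > 0 ? args[0] : ".").toRealPath();
        // Loopback instead of 0.0.0.0; port 8000 is an arbitrary choice.
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getLoopbackAddress(), 8000), 0);
        server.createContext("/", exchange -> {
            try {
                Path file = "GET".equals(exchange.getRequestMethod())
                        ? resolveAllowed(root, exchange.getRequestURI().getPath()) : null;
                if (file == null) {
                    exchange.sendResponseHeaders(404, -1); // same answer for missing and refused
                } else {
                    byte[] body = Files.readAllBytes(file);
                    exchange.sendResponseHeaders(200, body.length == 0 ? -1 : body.length);
                    if (body.length > 0) exchange.getResponseBody().write(body);
                }
            } finally {
                exchange.close();
            }
        });
        server.start();
    }
}
```

Refused and missing files both get a 404, so the response does not disclose whether a filtered file exists under the served directory.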

