Fix breaking change due to Jetty / Servlet API URI compliance enforce…

…ment Due to a change in Jetty 12 and the Servlet API 6, it is no longer valid to pass URL-encoded values as path parameters. This is problematic for REST APIs such as Dependency-Track's, where this behavior causes endpoints to be unusable with certain parameters: DependencyTrack/dependency-track#4238 Restore the legacy behavior of Jetty 9 for now. For the next major version bump of Alpine, this can be reversed to follow Servlet API 6 more strictly.
nscuro · Oct 10, 2024 · 4771493 · 4771493
1 parent cd7bd40
commit 4771493
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/alpine-executable-war/src/main/java/alpine/embedded/EmbeddedJettyServer.java b/alpine-executable-war/src/main/java/alpine/embedded/EmbeddedJettyServer.java
@@ -19,7 +19,9 @@
 package alpine.embedded;
 
 import org.eclipse.jetty.ee10.servlet.ErrorPageErrorHandler;
+import org.eclipse.jetty.ee10.servlet.ServletHandler;
 import org.eclipse.jetty.ee10.webapp.WebAppContext;
+import org.eclipse.jetty.http.UriCompliance;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -73,6 +75,20 @@ public static void main(final String[] args) throws Exception {
         final HttpConfiguration httpConfig = new HttpConfiguration();
         httpConfig.addCustomizer( new org.eclipse.jetty.server.ForwardedRequestCustomizer() ); // Add support for X-Forwarded headers
 
+        // Enable legacy (mimicking Jetty 9) URI compliance.
+        // This is required to allow URL encoding in path segments, e.g. "/foo/bar%2Fbaz".
+        // https://github.com/jetty/jetty.project/issues/12162
+        // https://github.com/jetty/jetty.project/issues/11448
+        // https://jetty.org/docs/jetty/12/programming-guide/server/compliance.html#uri
+        //
+        // NB: The setting on its own is not sufficient. Decoding of ambiguous URIs
+        // must additionally be enabled in the servlet handler. This can only be done
+        // after the server is started, further down below.
+        //
+        // TODO: Remove this for the next major version bump. Since we're going against Servlet API
+        //  here, the only viable long-term solution is to adapt REST APIs to follow Servlet API 6 spec.
+        httpConfig.setUriCompliance(UriCompliance.LEGACY);
+
         final HttpConnectionFactory connectionFactory = new HttpConnectionFactory( httpConfig );
         final ServerConnector connector = new ServerConnector(server, connectionFactory);
         connector.setHost(host);
@@ -113,6 +129,10 @@ public static void main(final String[] args) throws Exception {
         server.addBean(new ErrorHandler());
         try {
             server.start();
+            for (final ServletHandler handler : server.getContainedBeans(ServletHandler.class)) {
+                LOGGER.debug("Enabling decoding of ambiguous URIs for servlet handler: {}", handler.getClass().getName());
+                handler.setDecodeAmbiguousURIs(true);
+            }
             addJettyShutdownHook(server);
             server.join();
         } catch (Exception e) {