Re: [jetty-users] Jsp configuration class

2021-04-01 Thread Som Lima
Hi,

Using the Heroku archetype with Jetty 11, it appeared the Jetty configuration may be different
when running mvn jetty:run compared to running embedded Jetty using the main class (below).
That is to say, I would need to add further programmatic configuration to
the embedded Jetty.

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.webapp.WebAppContext;

/**
 *  This class launches the web application in an embedded Jetty container.
 *  This is the entry point to your application. The Java
 *  command that is used for launching should fire this main method.
 */
public class Main {

    public static void main(String[] args) throws Exception {
        // The port that we should run on can be set into an environment variable.
        // Look for that variable and default to 8080 if it isn't there.
        String webPort = System.getenv("PORT");
        if (webPort == null || webPort.isEmpty()) {
            webPort = "8080";
        }

        final Server server = new Server(Integer.valueOf(webPort));
        final WebAppContext root = new WebAppContext();

        root.setContextPath("/");
        // Parent loader priority is a class loader setting that Jetty accepts.
        // By default Jetty will behave like most web containers in that it will
        // allow your application to replace non-server libraries that are part of the
        // container. Setting parent loader priority to true changes this behavior.
        // Read more here: http://wiki.eclipse.org/Jetty/Reference/Jetty_Classloading
        root.setParentLoaderPriority(true);

        final String webappDirLocation = "src/main/webapp/";
        root.setDescriptor(webappDirLocation + "WEB-INF/web.xml");
        root.setResourceBase(webappDirLocation);

        server.setHandler(root);

        server.start();
        server.join();
    }
}




Re: [jetty-users] Jsp configuration class

2021-04-01 Thread Greg Wilkins
Som,

Configuration.ClassList is from Jetty-9 and is no longer needed in Jetty 10
or 11.
The Configuration mechanism generally requires less classpath manipulation
in 10 or 11, so I'd try just deleting that line. Do you know why you are
trying to obtain a classlist?

Perhaps look for the corresponding example in the jetty 11 source code?


On Tue, 30 Mar 2021 at 23:36, Som Lima  wrote:

> I was hoping for some feedback on the error.
>
> Configuration.ClassList classlist = Configuration.ClassList.setServerDefault(server);
>
> Multiple markers at this line
> - ClassList cannot be resolved or is not a field
> - Configuration.ClassList cannot be resolved to a type
>
> I think it was due to an incompatible server object.
>
>
> Was my guess correct or not?
>
>
>
> On Fri, 26 Mar 2021, 23:49 Som Lima,  wrote:
>
>> Problem version
>>
>> org.apache.maven.plugins
>> maven-compiler-plugin
>> 3.8.0
>> true
>> 
>> 11
>> 11
>> 
>>
>>
>> 11.0.1
>> 
>>
>>
>> On Fri, 26 Mar 2021, 23:45 Som Lima,  wrote:
>>
>>> Now
>>> 9.4.35.v20201120
>>> on
>>> 11
>>> 11
>>> 
>>>
>>>
>>> On Fri, 26 Mar 2021, 23:40 Joakim Erdfelt,  wrote:
>>>
 What version of Jetty are you using?

 Joakim Erdfelt / joa...@webtide.com


 On Fri, Mar 26, 2021 at 6:34 PM Som Lima 
 wrote:

> Hi, thanks,
>
> I did try this Configuration.ClassList approach earlier, but I was
> getting an error:
> Multiple markers at this line
> - ClassList cannot be resolved or is not a field
> - Configuration.ClassList cannot be resolved to a type
>
> I think it was due to an incompatible server object.
>
> I am working in another project now; this time I inserted the code and
> no Eclipse IDE errors were reported, so I guess the server object is compatible.
> My code looks like this but still I am missing the JSP feature. Not sure
> of the syntax for that.
> Console error message: "No JSP support. Check that JSP jars are in
> lib/jsp and that the JSP option has been specified to start."
>
>
> *I have these two dependencies in pom.xml*
>
> <dependency>
>     <groupId>org.eclipse.jetty</groupId>
>     <artifactId>apache-jsp</artifactId>
>     <version>${jetty.version}</version>
> </dependency>
> <dependency>
>     <groupId>jstl</groupId>
>     <artifactId>jstl</artifactId>
>     <version>1.2</version>
> </dependency>
>
>
> *This is what my code looks like but I don't think I have the JSP
> configuration in either variation*
>
> context.setBaseResource(Resource.newResource(webResourceBase));
> context.setConfigurations(new Configuration[] {
>     new AnnotationConfiguration(),
>     new WebInfConfiguration(),
>     new WebXmlConfiguration(),
>     new MetaInfConfiguration(),
>     new FragmentConfiguration(),
>     new EnvConfiguration(),
>     new PlusConfiguration(),
>     new JettyWebXmlConfiguration()
> });
>
> // === setup jetty plus ==
> Configuration.ClassList classlist = Configuration.ClassList.setServerDefault(server);
> classlist.addAfter(
>     "org.eclipse.jetty.webapp.FragmentConfiguration",
>     "org.eclipse.jetty.plus.webapp.EnvConfiguration",
>     "org.eclipse.jetty.plus.webapp.PlusConfiguration");
>
> classlist.addBefore(
>     "org.eclipse.jetty.webapp.JettyWebXmlConfiguration",
>     "org.eclipse.jetty.annotations.AnnotationConfiguration");
>
> context.setContextPath("/");
>
> On Fri, 26 Mar 2021, 22:19 Joakim Erdfelt,  wrote:
>
>> The order of that Configuration list is very important.
>>
>> It would be better to utilize the Server level component and just add
>> the missing pieces you need.
>>
>> See:
>>
>> - https://github.com/eclipse/jetty.project/blob/jetty-9.4.38.v20210224/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java#L168-L177
>> - https://github.com/jetty-project/embedded-jetty-jsp/blob/4918be37b938fff9fada5910ca04c59d8969cc90/src/main/java/org/eclipse/jetty/demo/Main.java#L131-L136
>>
>> // === setup jetty plus ==
>> Configuration.ClassList classlist = Configuration.ClassList.setServerDefault(server);
>>
>> // Add JNDI support
>> classlist.addAfter(
>>     "org.eclipse.jetty.webapp.FragmentConfiguration",
>>     "org.eclipse.jetty.plus.webapp.EnvConfiguration",
>>     "org.eclipse.jetty.plus.webapp.PlusConfiguration");
>>
>> // Add Annotation Scanning Support
>> classlist.addBefore(
>>     "org.eclipse.jetty.webapp.JettyWebXmlConfiguration",
>>     "org.eclipse.jetty.annotations.AnnotationConfiguration");
>>
>> Leave the existing Configurations in 

[jetty-users] Eclipse Jetty 9.4.39, 10.0.2, and 11.0.2 Have Been Released!

2021-04-01 Thread Chris Walker
Greetings!


The Jetty team is happy to announce the immediate availability of new
releases for the Eclipse Jetty 9.4.x, 10.0.x, and 11.0.x branches. All
three releases include a number of bug fixes and improvements. It is
recommended that all users upgrade as soon as they are able. *Importantly*,
these releases address CVE-2021-28163, CVE-2021-28164, and CVE-2021-28165.


A full list of changes for this release is listed at the end of this email.


This release is available on the Eclipse Jetty project download page or from
the Maven Central repository:

   - Eclipse: https://www.eclipse.org/jetty/download.html
   - Maven Central: https://repo1.maven.org/maven2/org/eclipse/jetty/


Documentation for this release can be found on the Eclipse Jetty project
site:

   - https://www.eclipse.org/jetty/documentation/


If you find any issues with this release, or if you want to suggest future
enhancements, please file an issue on the Jetty GitHub page:

   - https://github.com/eclipse/jetty.project/issues/new


Commercial production and development support for Jetty is offered through
Webtide (www.webtide.com). Please contact us 
for more information or email ch...@webtide.com to discuss your specific
needs.


Best Regards,

The Jetty Development Team




*9.4.39.v20210325 Changelog*

   - #6034 SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present
   - #6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
   - #6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to work on Android
   - #6063 Allow override of hazelcast version when using module
   - #6072 jetty server high CPU when client send data length > 17408
   - #6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" Message
   - #6101 Normalise ambiguous URIs
   - #6102 Exclude webapps directory from deployment scan




*10.0.2 Changelog*

   - #4275 Path Normalization/Traversal - Context Matching
   - #5828 Allow to create a WebSocketContainer passing HttpClient
   - #5832 Ctrl-C after jetty:run produces NoClassDefFoundError
   - #5835 Review Durable Filters, Servlets and Listeners
   - #5977 Cache-Control header set by a filter is override by the value from DefaultServlet configuration
   - #5994 QueuedThreadPool "free" threads
   - #5996 ERROR : No module found to provide logback-impl for logback-access{enabled}
   - #5999 HttpURI ArrayIndexOutOfBounds
   - #6001 Ambiguous URI legacy compliance mode
   - #6008 Allow absolute paths to be provided in start.ini for request log directory.
   - #6011 OSGi Cannot start Jetty with osgi.boot - Configurations add wrong method taken
   - #6020 Review Jetty Maven Plugin scanning defaults
   - #6021 Standardize Path resolution in XmlConfiguration
   - #6024 Error starting jetty-10: Provider org.eclipse.jetty.websocket.javax.client.JavaxWebSocketShutdownContainer not found
   - #6026 the jvm DEBUG flag is not working org.eclipse.jetty.LEVEL=DEBUG
   - #6034 SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present
   - #6037 Review logging modules for j.u.l.
   - #6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
   - #6063 Allow override of hazelcast version when using module
   - #6072 jetty server high CPU when client send data length > 17408
   - #6076 Embedded Jetty throws null pointer exception
   - #6082 SslConnection compacting
   - #6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" Message
   - #6101 Normalise ambiguous URIs
   - #6102 Exclude webapps directory from deployment scan




*11.0.2 Changelog*

   - #4275 Path Normalization/Traversal - Context Matching
   - #5828 Allow to create a WebSocketContainer passing HttpClient
   - #5832 Ctrl-C after jetty:run produces NoClassDefFoundError
   - #5835 Review Durable Filters, Servlets and Listeners
   - #5977 Cache-Control header set by a filter is override by the value from DefaultServlet configuration
   - #5994 QueuedThreadPool "free" threads
   - #5996 ERROR : No module found to provide logback-impl for logback-access{enabled}
   - #5999 HttpURI ArrayIndexOutOfBounds
   - #6001 Ambiguous URI legacy compliance mode
   - #6008 Allow absolute paths to be provided in start.ini for request log directory.
   - #6011 OSGi Cannot start Jetty with osgi.boot - Configurations add wrong method taken
   - #6020 Review Jetty Maven Plugin scanning defaults
   - #6021 Standardize Path resolution in XmlConfiguration
   - #6024 Error starting jetty-10: Provider org.eclipse.jetty.websocket.javax.client.JavaxWebSocketShutdownContainer not found
   - #6026 the jvm DEBUG flag is not working org.eclipse.jetty.LEVEL=DEBUG
   - #6034 SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is 

[jetty-users] Recent CVEs in Eclipse Jetty

2021-04-01 Thread Chris Walker
Hello,

The Eclipse Jetty team wanted to make the community aware of three recent
CVEs that were discovered in the Jetty project. All three have been patched
in the most recent releases of Jetty. Details concerning each CVE, as well
as workarounds, are below.

*CVE-2021-28165 - Invalid Large TLS Frame causes 100% Usage*

*Affected Jetty Versions*
7.2.2-9.4.38, 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1

*Impact*
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket,
the server may receive an invalid large (greater than 17408) TLS frame that
is incorrectly handled, causing CPU resources to eventually reach 100%
usage.

*Patched Jetty Versions*
9.4.39, 10.0.2, 11.0.2

*Workarounds*
Please see the Security Advisory for the workaround to this issue.

*CVE ID*
CVE-2021-28165

*CWE*
CWE-400

*CVSS Score*
7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

*CVE-2021-28164 - Ambiguous paths can access WEB-INF*

*Affected Jetty Versions*
9.4.37 - 9.4.38

*Impact*
Since 9.4.37, the default compliance mode allows requests with URIs that
contain %2e or %2e%2e segments to access protected resources within the
WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml
can retrieve the web.xml file. This can reveal sensitive information
regarding the implementation of a web application.

*Patched Jetty Versions*
9.4.39

*Workarounds*
The HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by
updating start.d/http.ini to include:

jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS
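The ambiguous-URI condition described above can also be spotted after the fact in Jetty's request log. The following is an added example, not code from the advisory or the Jetty project: it flags requests whose percent-encoded dot segments only collapse to "." or ".." after decoding, and reports which of them resolve into WEB-INF or META-INF. The log lines are constructed sample data in the NCSA layout the Jetty request log writes.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA request-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2021:10:00:01 +0000] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.7 - - [26/Mar/2021:10:00:02 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [26/Mar/2021:10:00:03 +0000] "GET /context/static/%2E%2e/WEB-INF/classes/app.properties HTTP/1.1" 200 301
10.0.0.9 - - [26/Mar/2021:10:00:04 +0000] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.9 - - [26/Mar/2021:10:00:05 +0000] "GET /context/docs/%2e%2e/docs/page.html?x=1 HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PROTECTED_DIRS = ("/WEB-INF/", "/META-INF/")


def is_ambiguous(raw_path):
    """True if some segment is '.' or '..' only after percent-decoding (%2e, %2e%2e, .%2e).
    Such a segment passes a literal context match but collapses when the resource is resolved."""
    return any(seg != unquote(seg) and unquote(seg) in (".", "..") for seg in raw_path.split("/"))


def resolve(raw_path):
    """Path the container would serve once ambiguous segments are decoded and normalised."""
    return posixpath.normpath(unquote(raw_path))


def scan_log(text):
    """One finding per request using ambiguous dot segments, in log order; severity is
    'high' when the resolved path lands in a protected directory and the response was 200."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw_path = m.group("target").split("?", 1)[0]  # ignore the query string
        if not is_ambiguous(raw_path):
            continue
        resolved = resolve(raw_path)
        hits_protected = any(d in resolved + "/" for d in PROTECTED_DIRS)
        severity = "high" if hits_protected and m.group("status") == "200" else "medium"
        findings.append({"ip": m.group("ip"), "raw": raw_path, "resolved": resolved,
                         "status": int(m.group("status")), "severity": severity})
    return findings
```

A literal /WEB-INF/ request (the fourth line) is not reported: the container already rejects it, and only the encoded forms exploit the compliance-mode gap.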


*CVE ID*
CVE-2021-28164

*CWEs*
CWE-200, CWE-551

*CVSS Score*
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

*CVE-2021-28163 - Symlink Directory Exposes Webapp Directory Contents*

*Affected Jetty Versions*
9.4.32-9.4.38, 10.0.0.beta2-10.0.1, 11.0.0.beta2-11.0.1

*Impact*
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a
symlink (soft link in Linux), the contents of the ${jetty.base}/webapps
directory may be deployed as a static web application, exposing the content
of the directory for download.

For example, the problem manifests in the following ${jetty.base}:

# The webapps directory is a symlink
$ tree jetty-base/
jetty-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│   └── async-rest.war
└── webapps -> deploy

# The jetty-base directory is a symlink
$ /var/www/jetty -> /srv/jetty-base/
/srv/jetty-base/
├── etc
├── lib
├── resources
├── start.d
└── webapps
    └── async-rest.war


*Patched Jetty Versions*
9.4.39, 10.0.2, 11.0.2

*Workarounds*
Do not use a symlink for the webapps directory.
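A deploy-time check for the symlink condition above, written as an added example and not the project's own code: it recreates the two ${jetty.base} layouts from the advisory in a temporary directory (constructed demo data), adds the workaround layout with a real webapps directory as a control, and reports whether ${jetty.base} or ${jetty.base}/webapps is a symlink.

```python
import os
import tempfile
from pathlib import Path


def audit_jetty_base(jetty_base):
    """Findings for the CVE-2021-28163 condition: ${jetty.base} or ${jetty.base}/webapps is a symlink."""
    base = Path(jetty_base)
    findings = []
    for path in (base, base / "webapps"):
        if path.is_symlink():  # lstat on the final component only, so a linked parent is reported once
            findings.append(f"{path} is a symlink -> {os.readlink(path)}")
    return findings


def build_advisory_layouts(root):
    """Recreate the advisory's two problem layouts plus the workaround layout (constructed demo data)."""
    root = Path(root)
    # Layout 1 from the advisory: ${jetty.base}/webapps -> deploy
    linked_webapps = root / "jetty-base"
    for d in ("etc", "lib", "resources", "start.d", "deploy"):
        (linked_webapps / d).mkdir(parents=True)
    (linked_webapps / "deploy" / "async-rest.war").write_bytes(b"")
    os.symlink("deploy", linked_webapps / "webapps")
    # Layout 2 from the advisory: var/www/jetty -> srv/jetty-base (relative to root here)
    real_base = root / "srv" / "jetty-base"
    for d in ("etc", "lib", "resources", "start.d", "webapps"):
        (real_base / d).mkdir(parents=True)
    (real_base / "webapps" / "async-rest.war").write_bytes(b"")
    (root / "var" / "www").mkdir(parents=True)
    linked_base = root / "var" / "www" / "jetty"
    os.symlink(real_base, linked_base)
    # Layout 3, the workaround: a real webapps directory under a real base
    safe_base = root / "safe-base"
    (safe_base / "webapps").mkdir(parents=True)
    (safe_base / "webapps" / "async-rest.war").write_bytes(b"")
    return linked_webapps, linked_base, safe_base


def demo():
    """Audit all three layouts and return the number of findings for each."""
    with tempfile.TemporaryDirectory() as tmp:
        linked_webapps, linked_base, safe_base = build_advisory_layouts(tmp)
        return {"webapps_symlink": len(audit_jetty_base(linked_webapps)),
                "base_symlink": len(audit_jetty_base(linked_base)),
                "safe": len(audit_jetty_base(safe_base))}
```

Run audit_jetty_base against a real ${jetty.base} before upgrading; any non-empty result is the layout the advisory warns about.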

*CVE ID*
CVE-2021-28163

*CWE*
CWE-200

*CVSS Score*
2.7 Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N



Best Regards,

The Jetty Development Team
___
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users