Merge pull request #426 from apache/feature/FELIX-6782-Allow-adding-custom-headers-to-Jetty-error-pages

FELIX-6782 allow adding custom headers to jetty error pages

Author: paulrutter

http/README.md

@@ -414,6 +414,7 @@ properties can be used (some legacy property names still exist but are not docum
 | `org.apache.felix.http.jetty.maxFormSize`                | The maximum size accepted for a form post, in bytes (ony applies to form parameters). Defaults to 200 KB.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | `org.apache.felix.http.jetty.requestSizeLimit`           | Maximum size of the request body in bytes. Default is unlimited. Added in Jetty12 1.0.30.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | `org.apache.felix.http.jetty.responseSizeLimit`          | Maximum size of the response body in bytes. Default is unlimited. Default is unlimited. Added in Jetty12 1.0.30.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| `org.apache.felix.http.jetty.errorPageCustomHeaders`     | Configures the custom headers to add to all error pages served by Jetty. Separate key-value pairs with `##`, e.g. `X-Custom-Header=Value##X-Custom-Header2=Value2`. Added in Jetty12 1.0.32.                                                                                                                                                                                                                                                                                                                                                                                 |
 | `org.apache.felix.http.mbeans`                           | If `true`, enables the MBean server functionality. The default is `false`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `org.apache.felix.http.jetty.sendServerHeader`           | If `false`, the `Server` HTTP header is no longer included in responses. The default is `false`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | `org.eclipse.jetty.servlet.SessionCookie`                | Name of the cookie used to transport the Session ID. The default is `JSESSIONID`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java

@@ -220,6 +220,12 @@ public ObjectClassDefinition getObjectClassDefinition( String id, String locale
                 204800,
                 bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RESPONSE_SIZE_LIMIT)));
 
+        adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_ERROR_PAGE_CUSTOM_HEADERS,
+                "Custom headers to add to error pages",
+                "Felix specific property to configure the custom headers to add to all error pages served by Jetty. Separate key-value pairs with ##.",
+                null,
+                bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_ERROR_PAGE_CUSTOM_HEADERS)));
+
         adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_HTTP_PATH_EXCLUSIONS,
                 "Path Exclusions",
                 "Contains a list of context path prefixes. If a Web Application Bundle is started with a context path matching any " +

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java

@@ -115,6 +115,9 @@ public final class JettyConfig
     /** Felix specific property to configure the response size limit. Default is unlimited. See https://jetty.org/docs/jetty/12/programming-guide/server/http.html#handler-use-size-limit */
     public static final String FELIX_JETTY_RESPONSE_SIZE_LIMIT = "org.apache.felix.http.jetty.responseSizeLimit";
 
+    /** Felix specific property to configure the custom headers to add to all error pages served by Jetty. Separate key-value pairs with ##. */
+    public static final String FELIX_JETTY_ERROR_PAGE_CUSTOM_HEADERS = "org.apache.felix.http.jetty.errorPageCustomHeaders";
+
     /** Felix specific property to enable Jetty MBeans. Valid values are "true", "false". Default is false */
     public static final String FELIX_HTTP_MBEANS = "org.apache.felix.http.mbeans";
 
@@ -509,6 +512,10 @@ public int getResponseSizeLimit()
         return getIntProperty(FELIX_JETTY_RESPONSE_SIZE_LIMIT, -1);
     }
 
+    public String getFelixJettyErrorPageCustomHeaders() {
+        return getProperty(FELIX_JETTY_ERROR_PAGE_CUSTOM_HEADERS, null);
+    }
+
     /**
      * Returns the configured session timeout in minutes or zero if not
      * configured.

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/JettyErrorHandler.java

@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.felix.http.jetty.internal;
+
+import java.util.Map;
+
+import org.eclipse.jetty.ee10.servlet.ErrorHandler;
+import org.eclipse.jetty.http.HttpFields.Mutable;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.util.Callback;
+
+public class JettyErrorHandler extends ErrorHandler {
+    private final Map<String, String> customHeaders;
+
+    public JettyErrorHandler(Map<String, String> customHeaders) {
+        this.customHeaders = customHeaders;
+    }
+
+    @Override
+    public boolean handle(Request request, Response response, Callback callback) throws Exception {
+        if (!customHeaders.isEmpty()) {
+            Mutable headers = response.getHeaders();
+            customHeaders.forEach(headers::put);
+        }
+
+        return super.handle(request, response, callback);
+    }
+}

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java

@@ -30,18 +30,23 @@
 import java.util.Collections;
 import java.util.Dictionary;
 import java.util.Enumeration;
+import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.Executor;
 import java.util.concurrent.Executors;
 
+import jakarta.servlet.SessionCookieConfig;
+import jakarta.servlet.SessionTrackingMode;
+
 import org.apache.felix.http.base.internal.HttpServiceController;
 import org.apache.felix.http.base.internal.logger.SystemLogger;
 import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
 import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
+import org.eclipse.jetty.ee10.servlet.ServletHandler;
 import org.eclipse.jetty.ee10.servlet.ServletHolder;
 import org.eclipse.jetty.ee10.servlet.SessionHandler;
-import org.eclipse.jetty.ee10.servlet.ServletHandler;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.http.UriCompliance;
 import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
@@ -72,9 +77,6 @@
 import org.osgi.framework.ServiceRegistration;
 import org.osgi.service.servlet.runtime.HttpServiceRuntimeConstants;
 
-import jakarta.servlet.SessionCookieConfig;
-import jakarta.servlet.SessionTrackingMode;
-
 public final class JettyService
 {
     /** PID for configuration of the HTTP service. */
@@ -310,6 +312,13 @@ private void initializeJetty() throws Exception
             loginService.setUserStore(new UserStore());
             this.server.addBean(loginService);
 
+            // Check if custom headers are configured for Jetty error pages
+            // If so, split them on ## and pass as map to the JettyErrorHandler
+            final String errorPageCustomHeaders = this.config.getFelixJettyErrorPageCustomHeaders();
+            if (errorPageCustomHeaders != null) {
+                addErrorHandler(errorPageCustomHeaders);
+            }
+
             ServletContextHandler context = new ServletContextHandler(this.config.getContextPath(),                    
                     ServletContextHandler.SESSIONS);
 
@@ -471,6 +480,21 @@ private void initializeJetty() throws Exception
         }
     }
 
+    private void addErrorHandler(String errorPageCustomHeaders) {
+            final String[] customHeaders = errorPageCustomHeaders.split("##");
+            final Map<String, String> headers = new HashMap<>();
+            for (String customHeader : customHeaders) {
+                if (customHeader == null || !customHeader.contains("=") || customHeader.endsWith("=")) {
+                    SystemLogger.LOGGER.warn("Ignoring invalid error page custom header: {}", customHeader);
+                    continue;
+                }
+                final String key = customHeader.substring(0, customHeader.indexOf("="));
+                final String value = customHeader.substring(customHeader.indexOf("=") + 1);
+                headers.put(key.trim(), value.trim());
+            }
+            this.server.setErrorHandler(new JettyErrorHandler(headers));
+    }
+
     private static String fixJettyVersion(final BundleContext ctx)
     {
         // FELIX-4311: report the real version of Jetty...

http/jetty12/src/test/java/org/apache/felix/http/jetty/it/JettyUriComplianceModeDefaultIT.java

@@ -18,6 +18,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.ops4j.pax.exam.CoreOptions.mavenBundle;
 import static org.ops4j.pax.exam.cm.ConfigurationAdminOptions.newConfiguration;
 
@@ -74,6 +75,7 @@ protected Option[] additionalOptions() throws IOException {
     protected Option felixHttpConfig(int httpPort) {
         return newConfiguration("org.apache.felix.http")
                 .put("org.osgi.service.http.port", httpPort)
+                .put("org.apache.felix.http.jetty.errorPageCustomHeaders", "Strict-Transport-Security=max-age=31536000##X-Custom-Header=123")
                 .asOption();
     }
 
@@ -101,8 +103,17 @@ public void testUriCompliance() throws Exception {
         assertEquals(200, response.getStatus());
         assertEquals("OK", response.getContentAsString());
 
+        // Validate custom headers in case of success page, should not be present
+        assertNull(response.getHeaders().get("Strict-Transport-Security"));
+        assertNull(response.getHeaders().get("X-Custom-Header"));
+
+
         // blocked with HTTP 400 by default
-        assertEquals(400, httpClient.GET(destUriAmbigousPath).getStatus());
+        // validate custom headers in case of error page
+        ContentResponse responseAmbiguousPath = httpClient.GET(destUriAmbigousPath);
+        assertEquals(400, responseAmbiguousPath.getStatus());
+        assertEquals("max-age=31536000", responseAmbiguousPath.getHeaders().get("Strict-Transport-Security"));
+        assertEquals("123", responseAmbiguousPath.getHeaders().get("X-Custom-Header"));
 
         httpClient.close();
     }