webjar stops working [SPR-12432] #17038

Closed
spring-projects-issues opened this issue Nov 13, 2014 · 10 comments

@spring-projects-issues

Titi Wangsa opened SPR-12432 and commented

The application manages to get the resources for webjar when using Spring 4.1.0.
4.1.1 also works.
When I use 4.1.2, I get 404 errors.
That is the only thing I changed.

example url:
http://localhost:8080/app1/webjars/jquery/2.1.1/jquery.min.js
works with spring 4.1.0
works with spring 4.1.1
does not work with 4.1.2 - giving 404 error

When I traced it, it led to org.springframework.web.servlet.resource.PathResourceResolver: the method "isResourceUnderLocation" constantly returns false.
This method is called by "checkResource", and this is new since 4.1.2.


Affects: 3.2.12, 4.0.8, 4.1.2

Backported to: 4.0.9, 3.2.13

@spring-projects-issues

Brian Clozel commented

Hi Titi Wangsa
This check makes sure that the resources you're serving are under locations intended for serving static resources; this new check is part of the security fix described here.

Could you copy/paste here the following:

  • your addResourceHandlers(ResourceHandlerRegistry registry) configuration
  • the tree structure of your project (under which locations your static resources live)

You'll probably need to alter your configuration a bit or explicitly configure allowed locations in PathResourceResolver.

Thanks,

@spring-projects-issues

Titi Wangsa commented

The problem is, these are webjar resources, resources that are inside a jar.
At org.springframework.web.servlet.resource.PathResourceResolver:176, the values are:

```
resourcepath = ../WEB-INF/lib/bootstrap-3.3.1.jar!/META-INF/resources/webjars/bootstrap/3.3.1/css/bootstrap.min.css
locationpath = ../WEB-INF/lib/bootstrapvalidator-0.5.2.jar!/META-INF/resources/webjars/
```

In my Thymeleaf HTML file:

```
<link rel="stylesheet" th:href="@{/webjars/bootstrap/3.3.1/css/bootstrap.min.css}"></link>
```

and in my spring-servlet.xml:

```
<mvc:resources location="/resources/" mapping="/resources/**" />
```

I do not know why it is getting "bootstrapvalidator" for locationpath.

@spring-projects-issues

Brian Clozel commented

org.springframework.web.servlet.resource.PathResourceResolver:176 - this part of the code is checking if the current resolved resource lives under a configured location; so this must be called multiple times.

Are you sure you gave me all mvc:resources related configuration? Maybe some of them are defined in javaconfig? Maybe you're using Spring Boot?

I've created a repro project to narrow down the current issue, and I couldn't reproduce it. You can check this working example here, and see that it's using as resourcehandler configuration:

```
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
```

Actually, with your current configuration I don't know how this worked with the previous versions.

@spring-projects-issues

Titi Wangsa commented

I followed the configuration here for Servlet 3 containers:
http://www.webjars.org/documentation#springmvc

I have a working copy on GitHub that works on 4.1.1 but fails on 4.1.2:
https://github.com/blacksnow666/qir

@spring-projects-issues

Titi Wangsa commented

Created a minimal project to demonstrate this:
https://github.com/blacksnow666/bug412

@spring-projects-issues

Titi Wangsa commented

I dug deeper.
In your example, it works.
I stopped at line 179:

resource = class path resource [META-INF/resources/webjars/bootstrap/3.3.1/css/bootstrap.min.css]
location = class path resource [META-INF/resources/webjars/]

resourcepath = META-INF/resources/webjars/bootstrap/3.3.1/css/bootstrap.min.css
bootstrap css path

locationpath = META-INF/resources/webjars/

resourcePath.startsWith(locationPath) = true
so it works

in my config:
resource = ServletContext resource [/webjars/bootstrap/3.3.1/css/bootstrap.min.css]
location = ServletContext resource [/webjars/]

Different resource class: yours was "class path resource", because you had the "classpath:" prefix in

```
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
```

Mine is a "ServletContext resource" because there was no "classpath:" prefix.

resourcepath = file:/Users/titiwangsadamhore/sts-bundle/pivotal-tc-server-developer-3.0.0.RELEASE/base-instance/wtpwebapps/bug412/WEB-INF/lib/bootstrap-3.3.1.jar!/META-INF/resources/webjars/bootstrap/3.3.1/css/bootstrap.min.css
bootstrap css path

locationpath
file:/Users/titiwangsadamhore/sts-bundle/pivotal-tc-server-developer-3.0.0.RELEASE/base-instance/wtpwebapps/bug412/WEB-INF/lib/jquery-2.1.1.jar!/META-INF/resources/webjars/
jquery path

resourcePath.startsWith(locationPath) = false

@spring-projects-issues

Titi Wangsa commented

Maybe we change org.springframework.web.servlet.resource.PathResourceResolver:171 from

```
else if (resource instanceof UrlResource) {
    resourcePath = resource.getURL().toExternalForm();
    locationPath = location.getURL().toExternalForm();
}
else {
    resourcePath = resource.getURL().getPath();
    locationPath = location.getURL().getPath();
}
```

to

```
else if (resource instanceof UrlResource) {
    resourcePath = resource.getURL().toExternalForm();
    locationPath = location.getURL().toExternalForm();
}
else if (resource instanceof ServletContextResource) {
    resourcePath = ((ServletContextResource)resource).getPath();
    locationPath = ((ServletContextResource)location).getPath();
}
else {
    resourcePath = resource.getURL().getPath();
    locationPath = location.getURL().getPath();
}
```

I think this should allow checking for allowed location and will not break code where webjar mapping is not using classpath, such as the one that I use.

Or maybe even just return true if `resource instanceof ServletContextResource`?
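
The mismatch traced in the two comments above, reduced to plain Java as an added example (not Spring's code and not part of the original thread). The class and method names and the `/srv/app` paths are constructed, and the normalisation step is an assumption of this example rather than something the thread proposes.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class LocationCheckDemo {

    // Check as traced in the thread for 4.1.2: prefix match on the resolved URL strings.
    static boolean underLocationByUrl(String resourceUrl, String locationUrl) {
        return resourceUrl.startsWith(locationUrl);
    }

    // Variant in the spirit of the proposal: prefix match on context-relative paths.
    // Normalising first is this example's own addition, so that "." and ".."
    // segments are resolved before startsWith is applied.
    static boolean underLocationByContextPath(String resourcePath, String locationPath) {
        String normalized = normalize(resourcePath);
        String location = locationPath.endsWith("/") ? locationPath : locationPath + "/";
        return normalized != null && normalized.startsWith(location);
    }

    // Collapses "." and ".." segments; returns null if the path climbs above the root.
    // Assumes the path has already been URL-decoded.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String s : path.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(s);
            }
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed values modelled on the debugger output quoted in the thread.
        String lib = "file:/srv/app/WEB-INF/lib/";
        String resourceUrl = lib + "bootstrap-3.3.1.jar!/META-INF/resources/webjars/bootstrap/3.3.1/css/bootstrap.min.css";
        String locationUrl = lib + "jquery-2.1.1.jar!/META-INF/resources/webjars/";
        System.out.println("URL prefix check: " + underLocationByUrl(resourceUrl, locationUrl));

        String css = "/webjars/bootstrap/3.3.1/css/bootstrap.min.css";
        System.out.println("context path check: " + underLocationByContextPath(css, "/webjars/"));
        System.out.println("outside location: " + underLocationByContextPath("/webjars/../WEB-INF/web.xml", "/webjars/"));
    }
}
```

With values shaped like the thread's, the URL comparison fails because the location and the resource resolve into different jars, while the context-relative comparison accepts the stylesheet and still rejects a path that leaves `/webjars/`.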

@spring-projects-issues

Brian Clozel commented

Hi Titi Wangsa

Thanks for this report; this is indeed a regression that we will fix in the next 3.2.x, 4.0.x and 4.1.x versions.

In the meantime, using a classpath-based location is a known workaround:

```
// in configuration class, overriding addResourceHandlers
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
```

```
<!-- in a servlet xml configuration file -->
<mvc:resources location="classpath:/META-INF/resources/webjars/" mapping="/webjars/**" />
```

@spring-projects-issues

Titi Wangsa commented

Thanks mate.
Can we close this issue?

@spring-projects-issues

Brian Clozel commented

I'll resolve it when the fix is merged into master - and we'll close this issue when the actual version fixing this is released.
That way you'll be notified as soon as it's possible to upgrade.

@spring-projects-issues spring-projects-issues added type: bug A general bug status: backported An issue that has been backported to maintenance branches in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.1.3 milestone Jan 11, 2019