url parameter base fixed verion strategy [SPR-15892]

[spring-projects-issues]

Zsolt Fatér opened SPR-15892 and commented

Pull request url: #1503

Prefix based version path strategy has a problem with css.

If css include any relative url, the server can not resolve relative url, because it has two version prefix in the url.

Example

The version: 1.0.0

The css url: http://localhost/application/1.0.0/css/test.css

Original css content

body {
    background-image: url("img/picture.jpg");
    background-size: cover;
}

Modified css content

body {
    background-image: url("1.0.0/img/picture.jpg");
    background-size: cover;
}

The picture.jpg url will be: http://localhost/application/1.0.0/css/1.0.0/img/picture.jpg but the expected is http://locahost/application/1.0.0/css/img/picture.jpg

Solution

We was make the UrlParameterFixedVersrionStrategy class.

The css url: http://localhost/application/css/test.css?v=1.0.0

Modified css content

body {
    background-image: url("img/picture.jpg?v=1.0.0");
    background-size: cover;
}

the picture.jpg url: http://localhost/application/css/img/picture.jpg?v=1.0.0

MvcConfig example

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.resource.AbstractVersionStrategy;
import org.springframework.web.servlet.resource.UrlParameterFixedVersionStrategy;
import org.springframework.web.servlet.resource.VersionResourceResolver;

@Configuration
@ComponentScan({"test.controller"})
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        AbstractVersionStrategy fixedVersionStrategy = new UrlParameterFixedVersionStrategy("1.0.0");
        VersionResourceResolver versionResourceResolver = new VersionResourceResolver()
                .addVersionStrategy(fixedVersionStrategy, "/**");

        registry.addResourceHandler("/**")
                .addResourceLocations("classpath:/other-resources/")
                .resourceChain(true)
                .addResolver(versionResourceResolver);
    }

}

---

Reference URL: #1503

[spring-projects-issues]

Brian Clozel commented

Hi Zsolt Fatér!

The issue you're describing seems to be solved with #19166.
I'm also a bit hesitant about the PR for two reasons:

• Many (outdated?) resources still point that using the query string for that is not the best idea; I understand that most proxies now support that, but it seems CDNs don't always enable that by default (i.e. they don't consider by default the query string for caching purposes)
• Looking at the code parsing/updating the query string, it seems to be too much involved and could be a source of security issues. When it comes to serving static resources, there are many pitfalls coming with the processing of the request URL (see this CVE, for example).

We've considered backporting #19166 to the 4.x branch, but it was already a big change of behaviour back then - it's even worse now with 4.x being very stable and in maintenance mode.

Thanks for creating this issue (and your contribution)!

[bclozel]

Closing this as #19166 solves the use case described here. We didn't get much demand for this nor new use cases.