fix: Make StyleSheet for AppShell support non-root context path (#22441)

* fix: Make StyleSheet for AppShell support non-root context path

* test modules use custom servlet mapping

---------

Co-authored-by: Marco Collovati <marco@vaadin.com>

Author: mshabarov

flow-server/src/main/java/com/vaadin/flow/server/AppShellRegistry.java

@@ -190,7 +190,7 @@ public String validateClass(Class<?> clz) {
         return error;
     }
 
-    private AppShellSettings createSettings(String contextPath) {
+    private AppShellSettings createSettings(VaadinRequest request) {
         AppShellSettings settings = new AppShellSettings();
 
         getAnnotations(Meta.class).forEach(
@@ -225,7 +225,7 @@ private AppShellSettings createSettings(String contextPath) {
 
         Set<String> stylesheets = new LinkedHashSet<>();
         for (StyleSheet sheet : getAnnotations(StyleSheet.class)) {
-            String href = resolveStyleSheetHref(sheet.value(), contextPath);
+            String href = resolveStyleSheetHref(sheet.value(), request);
             if (href != null && !href.isBlank()) {
                 stylesheets.add(href);
             }
@@ -235,41 +235,43 @@ private AppShellSettings createSettings(String contextPath) {
         return settings;
     }
 
-    private String resolveStyleSheetHref(String href, String contextPath) {
+    private String resolveStyleSheetHref(String href, VaadinRequest request) {
         if (href == null || href.isBlank()) {
             return null;
         }
+        if (HandlerHelper
+                .isPathUnsafe(href.startsWith("/") ? href : "/" + href)) {
+            log.warn(
+                    "@StyleSheet href containing traversals ('../') are not allowed, ignored: {}",
+                    href);
+            return null;
+        }
         href = href.trim();
         // Accept absolute http(s) URLs unchanged
         String lower = href.toLowerCase();
         if (lower.startsWith("http://") || lower.startsWith("https://")) {
             return href;
         }
-        // Accept context-relative URLs: context://path -> /path
-        String contextProtocol = ApplicationConstants.CONTEXT_PROTOCOL_PREFIX;
-        if (lower.startsWith(contextProtocol)) {
-            String path = href.substring(contextProtocol.length());
-            if (!path.startsWith("/")) {
-                path = "/" + path;
-            }
-            if (contextPath != null && !contextPath.isEmpty()) {
-                return contextPath + path;
-            }
-            return path;
-        }
         // Treat ./ as relative path to static resources location
         if (href.startsWith("./")) {
             href = href.substring(2);
         }
         // Accept bare paths beginning with '/' as-is
-        href = href.startsWith("/") ? href : "/" + href;
-        if (HandlerHelper.isPathUnsafe(href)) {
-            log.warn(
-                    "@StyleSheet href containing traversals ('../') are not allowed, ignored: "
-                            + href);
-            return null;
+        if (href.startsWith("/")) {
+            return href;
+        }
+
+        String contextPath = request.getContextPath();
+        if (!contextPath.isEmpty()) {
+            String contextProtocol = ApplicationConstants.CONTEXT_PROTOCOL_PREFIX;
+            if (!lower.startsWith(contextProtocol)) {
+                // Prepend context protocol so URL is resolved with context path
+                href = contextProtocol + href;
+            }
         }
-        return href;
+        BootstrapHandler.BootstrapUriResolver resolver = new BootstrapHandler.BootstrapUriResolver(
+                contextPath + "/", null);
+        return resolver.resolveVaadinUri(href);
     }
 
     /**
@@ -283,7 +285,7 @@ private String resolveStyleSheetHref(String href, String contextPath) {
      *            The request to handle
      */
     public void modifyIndexHtml(Document document, VaadinRequest request) {
-        AppShellSettings settings = createSettings(request.getContextPath());
+        AppShellSettings settings = createSettings(request);
         if (appShellClass != null) {
             VaadinService.getCurrent().getInstantiator()
                     .getOrCreate(appShellClass).configurePage(settings);

flow-server/src/test/java/com/vaadin/flow/server/startup/VaadinAppShellInitializerTest.java

@@ -225,7 +225,6 @@ public static class MyAppShellWithDuplicateStyles
     @StyleSheet("foo/bar.css")
     @StyleSheet("HTTP://cdn.Example.com/u.css")
     @StyleSheet("context://assets/site.css")
-    @StyleSheet("context:///already-absolute.css")
     public static class MyAppShellWithVariousStyleSheets
             implements AppShellConfigurator {
     }
@@ -564,12 +563,11 @@ public void styleSheetResolution_variousScenarios() throws Exception {
                 createVaadinRequest("/", "/ctx"));
 
         List<Element> links = document.head().select("link[rel=stylesheet]");
-        assertEquals(5, links.size());
+        assertEquals(4, links.size());
         assertEquals("/trimmed.css", links.get(0).attr("href"));
-        assertEquals("/foo/bar.css", links.get(1).attr("href"));
+        assertEquals("/ctx/foo/bar.css", links.get(1).attr("href"));
         assertEquals("HTTP://cdn.Example.com/u.css", links.get(2).attr("href"));
         assertEquals("/ctx/assets/site.css", links.get(3).attr("href"));
-        assertEquals("/ctx/already-absolute.css", links.get(4).attr("href"));
     }
 
     @Test
@@ -582,7 +580,7 @@ public void styleSheetResolution_handlesDotSlash() throws Exception {
 
         List<Element> links = document.head().select("link[rel=stylesheet]");
         assertEquals(1, links.size());
-        assertEquals("/local.css", links.get(0).attr("href"));
+        assertEquals("/ctx/local.css", links.get(0).attr("href"));
     }
 
     @Test
@@ -602,15 +600,6 @@ private VaadinServletRequest createVaadinRequest(String pathInfo) {
         return new VaadinServletRequest(request, service);
     }
 
-    private HttpServletRequest createRequest(String pathInfo) {
-        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
-        Mockito.when(request.getServletPath()).thenReturn("");
-        Mockito.when(request.getPathInfo()).thenReturn(pathInfo);
-        Mockito.when(request.getRequestURL())
-                .thenReturn(new StringBuffer(pathInfo));
-        return request;
-    }
-
     private Logger mockLog(Class clz) throws Exception {
         // wrap logger for clz in an spy
         Logger spy = Mockito.spy(LoggerFactory.getLogger(clz.getName()));
@@ -650,6 +639,10 @@ private VaadinServletRequest createVaadinRequest(String pathInfo,
         return new VaadinServletRequest(request, service);
     }
 
+    private HttpServletRequest createRequest(String pathInfo) {
+        return createRequest(pathInfo, "");
+    }
+
     private HttpServletRequest createRequest(String pathInfo,
             String contextPath) {
         HttpServletRequest request = Mockito.mock(HttpServletRequest.class);

flow-tests/test-themes/src/main/java/com/vaadin/flow/uitest/ui/theme/AppShell.java

@@ -27,6 +27,6 @@
 @NpmPackage(value = "@fortawesome/fontawesome-free", version = TestVersion.FONTAWESOME, assets = {
         "svgs/regular/**:npm/icons" })
 @LoadDependenciesOnStartup
-@StyleSheet("@vaadin/aura/fake-aura.css")
+@StyleSheet("context://@vaadin/aura/fake-aura.css")
 public class AppShell implements AppShellConfigurator {
 }