I also wonder if it makes sense to either only serve files with public permissions, or at least filter some critical files like .ssh/* and *.jks. Those command-line servers are often started "accidentally" in the home directory.
--
http://bernd.eckenfels.net

________________________________
From: net-dev <net-dev-r...@openjdk.java.net> on behalf of Jaikiran Pai <j...@openjdk.java.net>
Sent: Thursday, September 16, 2021 4:08:46 PM
To: build-...@openjdk.java.net <build-...@openjdk.java.net>; core-libs-...@openjdk.java.net <core-libs-...@openjdk.java.net>; net-dev@openjdk.java.net <net-dev@openjdk.java.net>
Subject: Re: RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]

On Thu, 16 Sep 2021 10:14:47 GMT, Julia Boes <jb...@openjdk.org> wrote:

>> This change implements a simple web server that can be run on the
>> command-line with `java -m jdk.httpserver`.
>>
>> This is facilitated by adding an entry point for the `jdk.httpserver`
>> module, an implementation class whose main method is run when the above
>> command is executed. This is the first such module entry point in the JDK.
>>
>> The server is a minimal HTTP server that serves the static files of a given
>> directory, similar to existing alternatives on other platforms and
>> convenient for testing, development, and debugging.
>>
>> Additionally, a small API is introduced for programmatic creation and
>> customization.
>>
>> Testing: tier1-3.
>
> Julia Boes has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   correct path handling

src/jdk.httpserver/share/classes/module-info.java line 55:

> 53:  *     [-o none|info|verbose] [-h to show options]
> 54:  *  Options:
> 55:  *  -b, --bind-address    - Address to bind to. Default: 0.0.0.0 (all interfaces).

I understand that the purpose of this simple server is for development and testing only. But even then, for security considerations, would it be more appropriate to default the bind address to a loopback address instead of making it potentially accessible to the entire public?

In the past, application servers which used to bind to all interfaces by default have now moved to using the loopback address as a default to avoid such accidental exposing of the server.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
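Starting the server the way both comments ask for (bound to loopback rather than 0.0.0.0, and refusing `.ssh/*` and `*.jks` paths), as an added example that is not code from the PR or from either reviewer. It uses the `com.sun.net.httpserver` class and method names as released in JDK 18 (`SimpleFileServer`, `HttpHandlers`, `Request`), which this PR revision may not match exactly, and a constructed port of 8000.

```java
// Added example (not from the PR): JEP 408 file server bound to loopback only,
// with a deny-list in front of the file handler. API names assume JDK 18.
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpHandlers;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.Request;
import com.sun.net.httpserver.SimpleFileServer;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;
import java.util.function.Predicate;

public class LoopbackFileServer {

    // Paths that must never be served even if they sit inside the served directory
    // (the server is often started "accidentally" in a home directory).
    static boolean isSensitive(String decodedPath) {
        String p = decodedPath.toLowerCase();
        return p.contains("/.ssh/") || p.endsWith("/.ssh") || p.endsWith(".jks");
    }

    public static void main(String[] args) throws IOException {
        // createFileHandler requires an absolute path.
        Path root = Path.of(args.length > 0 ? args[0] : ".").toAbsolutePath().normalize();

        // Weak default under review: new InetSocketAddress(8000) binds 0.0.0.0 (all interfaces).
        // Hardened default: bind the loopback address so only local clients can reach it.
        InetSocketAddress addr = new InetSocketAddress(InetAddress.getLoopbackAddress(), 8000);

        HttpHandler files = SimpleFileServer.createFileHandler(root);
        HttpHandler notFound = HttpHandlers.of(404, new Headers(), "");
        // getPath() is already URL-decoded, so encoded variants are matched as well.
        Predicate<Request> allowed = r -> !isSensitive(r.getRequestURI().getPath());

        HttpServer server = HttpServer.create(addr, 10);
        server.createContext("/", HttpHandlers.handleOrElse(allowed, files, notFound));
        server.start();
        System.out.println("Serving " + root + " on http://" + addr.getHostString() + ":" + addr.getPort());
    }
}
```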