Disable Server header by default when using SSL with Jetty 9

Closes gh-7359

Disable Server header by default when using SSL with Jetty 9
Closes gh-7359
a1dda12b · Andy Wilkinson · 72e696bc · a1dda12b · a1dda12b
Commit a1dda12b authored Nov 11, 2016 by Andy Wilkinson
2 changed files
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
@@ -692,6 +692,7 @@ public class JettyEmbeddedServletContainerFactory
 		public ServerConnector getConnector(Server server,
 				SslContextFactory sslContextFactory, int port) {
 			HttpConfiguration config = new HttpConfiguration();
+			config.setSendServerVersion(false);
 			config.addCustomizer(new SecureRequestCustomizer());
 			HttpConnectionFactory connectionFactory = new HttpConnectionFactory(config);
 			SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(

--- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -420,6 +420,41 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
 				.contains("scheme=https");
 	}
+	@Test
+	public void serverHeaderIsDisabledByDefaultWhenUsingSsl() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+		this.container = factory.getEmbeddedServletContainer(
+				new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+		this.container.start();
+		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+				new SSLContextBuilder()
+						.loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+		HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+				.build();
+		ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+				HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+		assertThat(response.getHeaders().get("Server")).isNullOrEmpty();
+	}
+	@Test
+	public void serverHeaderCanBeCustomizedWhenUsingSsl() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		factory.setServerHeader("MyServer");
+		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+		this.container = factory.getEmbeddedServletContainer(
+				new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+		this.container.start();
+		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+				new SSLContextBuilder()
+						.loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+		HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+				.build();
+		ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+				HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+		assertThat(response.getHeaders().get("Server")).containsExactly("MyServer");
+	}
 	protected final void testBasicSslWithKeyStore(String keyStore) throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);