NettyWebServer: start tries to call bootstrap.setFactory a second time, but that is illegal. Instead move all the code of setting up bootstrap to the start method and in stop set bootstrap to null again.

NettyWebServerTest: A test is included which does excatly that: start, stop, start, stop of the WebServer

This came from one of my colleagues. @s1monw any comments?

42c0fad77794e632a5a4cc69df7f65360460b022

This change is seemingly harmless in that it is simply adding names to various webbit threads. The problem is that the ThreadFactory implementation is creating daemon threads. For apps that are relying on the webbit threads to be user threads in order to keep the app alive, they will simply exit after calling start.

I’m pretty sure this is not the intention since every sample creates a WebServer and starts it. To see the behavior, choose any of the webbit sample apps, run it, and observe that it exits out and doesn’t stay alive. Since NamedThreadFactory seems to have been copied from another project, I’m not sure if the proper fix is the flip isDaemon(false) in NamedThreadFactory.newThread(). I suppose we could just remove the “copied from Lucene” comment so there is no confusion. Let me know how we should go about fixing this.

When the browser makes a request specifying the 'Range' header, Webbit should respond with HTTP 206 (Partial Content) instead of HTTP 200 and the appropriate Content-Range and Accept-Ranges headers.

At the moment, it doesn't and it manifests itself as a weird sound reliability bug. Chrome will make a Range request for specific types of media - such as audio and video. It appears to serve the content correctly, but attempting to play() the media a second time fails. I've verified (using Apache HTTPD) that this is not an issue if HTTP Range is implemented correctly.

Here's a TCP dump of a conversation between Chrome and the webserver for loading a sound via the

Webbit:

GET /foo.wav HTTP/1.1 
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.816.0 Safari/535.1
Accept: */*
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Range: bytes=0-

HTTP/1.1 200 OK
Server: Webbit
Content-Length: 46198

blahblahblah...

Apache:

GET /foo.wav HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.816.0 Safari/535.1
Accept: */*
Accept-Language: en-US,en;q=0.8 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Range: bytes=0-

HTTP/1.1 206 Partial Content
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"184364-1320695950000"
Last-Modified: Mon, 07 Nov 2011 19:59:10 GMT
Content-Range: bytes 0-184363/184364
Content-Type: audio/x-wav
Content-Length: 46198
Date: Tue, 08 Nov 2011 23:00:47 GMT

blahblahblah...

I have integrated Autobahn's awesome test suite on my master branch. It has 200 test cases, which should help us weed out any bugs in the WebSocket implementation. Instructions about how to set it up and run it is in the README.

The annoying thing is that the first test fails. (You can run a subset of tests by setting e.g. "cases": ["1.1.2"] in fuzzing_client_spec.json).

The problem is that the connection is closed immediately after connection - before any messages are received. I'm not sure what's causing this. I was able to run all of the tests agains Jetty without problems.

Any idea what could be causing this?

Trying to compile the Quick Start WebSocketHandler in the README.md against the webbit-0.4.0-full.jar. Doing the same compile against the webbit-0.3.8-full.jar is OK. In both cases I'm using Oracle's 1.6 JRE in the Eclipse IDE.

Think the WebSocketHandler example code needs updating for 0.4.0 as there is now an onPing method required and the existing onPong method now uses byte[] instead of String for message.

Also getting:

Type mismatch: cannot convert from Future<capture#1-of ? extends > WebServer>to WebServer

on the code that creates the WebServer.

Its the Type mismatch that has me completely stuck!!

Writing RESTful apps with Webbit is rather cumbersome due to the lack of more powerful path match handling.

The uritemplate spec makes it easier to define parameterised URLs.

The JAX-RS spec defines a @UriTemplate annotation and a UriBuilder class that understands uri-templates. As with most things coming out of the JCP it is half-baked (UriBuilder is abstract and you have to implement your own, which various projects have done), but it's just too much of a PITA.

A much simpler and non-intrusive implementation is in the uri-template project on Google Code.

This pull request is a proof of concept that seems to work well. It will be much easier to use Webbit to build RESTful applications with this in place - much nicer than my webbit-rest project which drags in all that JAX-RS crap.

Ideally I'd like this to be included in Webbit by default, replacing the java.util.Pattern based PathMatchHandler. If we go down this route we'd have to jarjar the uritemplate jar inside webbit.

Currently my branch only builds with make since the uritemplate jar is not in any maven repos.

Let me know what you think.

• replace HttpCookie.parse with netty CookieDecoder for jdk6 compatibility
• increase wait time for timing dependent tests so a slower CI server won't time out

If you create a web server via WebServers.createWebServer(port) it does not stop cleanly under some conditions. The one of the auto-created executors is not shut down when stopping.

In lieu of full Socket.IO support (issue 18), at least support Flash based WebSockets, so more browsers can make use of Webbit.

https://github.com/gimite/web-socket-js

Although this sounds like it should be a separate project, it may be awkward, because the Flash policy checking mechanism doesn't speak valid HTTP, so it may require the underlying networking code to be changed.

Shall it be possible to stop and start the Webserver whithout creating a new instance? When I call "stop()" and then "start()" again on NettyWebServer I get an IllegalStateException, because the boostrap object already has a factory. When I change the code and put the setting up of the boostrap object from the constructor to the start method and set boostrap to null in the stop method, it works. At least there are no apparent errors :)

Christoph

This changeset provides a simple way to implement HTTP streaming.

About the implementation:

• HttpResponse#chunked signals that the response is going to be a chunked one (i.e. "Transfer-Encoding: chunked")
• calling HttpResponse#write afterwards will write chunks to the channel
• often times streaming is continuous (i.e. response#end never gets called) unless staleConnectionTimeout kicks in
• however, if response#end does get called, make sure to write a DefaultHttpChunk with 0 byte to the channel to signal the browser that streaming is over

Bumps gson from 2.2.4 to 2.8.9.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps junit from 4.11 to 4.13.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

• Want to take over the Java ecosystem? All you need is a MITM!
• Update: Want to take over the Java ecosystem? All you need is a MITM!

This is a security fix for a vulnerability in your Apache Maven pom.xml file(s).

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. This leaves your build vulnerable to allowing a Man in the Middle (MITM) attackers to execute arbitrary code on your or your computer or CI/CD system.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10.

POC code has existed since 2014 to maliciously compromise a JAR file in-flight. MITM attacks against HTTP are increasingly common, for example Comcast is known to have done it to their own users.

This contribution is a part of a submission to the GitHub Security Lab Bug Bounty program.

Detecting this and Future Vulnerabilities

This vulnerability was automatically detected by LGTM.com using this CodeQL Query.

As of September 2019 LGTM.com and Semmle are officially a part of GitHub.

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) LGTM App.

I'm not an employee of GitHub nor of Semmle, I'm simply a user of LGTM.com and an open-source security researcher.

Source

Yes, this contribution was automatically generated, however, the code to generate this PR was lovingly hand crafted to bring this security fix to your repository.

The source code that generated and submitted this PR can be found here: JLLeitschuh/bulk-security-pr-generator

Opting-Out

If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/bulk-security-pr-generator
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/bulk-security-pr-generator/issues/2

I'm using Webbit for streaming video over a websocket, I want to apply some adaptive streaming, but I am scratching my head on how I can detect the bandwidth of the user, or just whether to check when data is still outgoing. WebsocketConnection.send(data) will return immediately afaik.

Is there a way in Webbit to check whether a connection is busy? Is that even an option?

I have a problem with webbit. Is there a way to add a ACCESS_CONTROL_ALLOW_ORIGIN header to the normal web server?

Currently my code looks like this.

    webSocket = new WebSocketHandler();
    WebServer webServer = WebServers.createWebServer(2021);

    webServer.add("/", webSocket);
    webServer.start();