8
\$\begingroup\$

I would like to hear what you think about my simple HTTP Server implementation with a template engine in Java.

Have I overlooked any "pitfalls or caveats", or is there anything else to note?

Gradle dependencies:

dependencies {
    implementation 'org.slf4j:slf4j-simple:2.0.17' // for logging
    implementation 'org.apache.commons:commons-text:1.14.0' // path handling
}

Server class:

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.StringTokenizer;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.apache.commons.text.StringSubstitutor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MyHttpServer {
  public record MyHttpHandler(String path, HttpHandler handler) {}

  public enum ContentType {
    HTML("text/html"),
    JSON("application/json"),
    TEXT("text/plain");

    ContentType(String type) {}
  }

  private static final Logger LOGGER = LoggerFactory.getLogger(MyHttpServer.class);

  private static final HashMap<String, String> templates = new HashMap<>();

  public static void start(MyHttpHandler... handlers) throws IOException {
    if (handlers == null || handlers.length == 0) {
      throw new IllegalArgumentException("At least one handler must be provided.");
    }
    System.setProperty("java.net.preferIPv4Stack", "true");
    HttpServer server = HttpServer.create(new InetSocketAddress(80), 0);
    LOGGER.info("MyHttpServer initialized.");
    for (MyHttpHandler handler : handlers) {
      if (handler == null || handler.path() == null || handler.path().isBlank()) {
        throw new IllegalArgumentException("Handler path cannot be null or empty.");
      }
      server.createContext(
          handler.path(),
          exchange -> {
            LOGGER.info(
                "Received request from client: {} for URL: {}",
                getClientIpAddress(exchange),
                exchange.getRequestURI());
            try {
              handler.handler().handle(exchange);
            } catch (Exception e) {
              LOGGER.warn("Exception in handler for path {}: {}", handler.path(), e.getMessage());
              sendCustomResponse(
                  exchange,
                  500,
                  ContentType.TEXT,
                  null,
                  "An error occurred while processing your request.",
                  e.getMessage());
            }
            LOGGER.info(
                "Request processing completed for client: {} with status code: {}",
                getClientIpAddress(exchange),
                exchange.getResponseCode());
          });
      LOGGER.info("Handler added for path: {}", handler.path());
    }
    server.setExecutor(null); // creates a default executor
    server.start();
    LOGGER.info("Server started on port 80.");
  }

  public static String getClientIpAddress(HttpExchange request) {
    String xForwardedForHeader = request.getRequestHeaders().getFirst("X-Forwarded-For");
    if (xForwardedForHeader == null) {
      return request.getRemoteAddress().getAddress().getHostAddress();
    }
    // As of https://en.wikipedia.org/wiki/X-Forwarded-For
    // The general format of the field is: X-Forwarded-For: client, proxy1, proxy2 ...
    // we only want the client
    return new StringTokenizer(xForwardedForHeader, ",").nextToken().trim();
  }

  public static String getPathPart(HttpExchange ex, int index) {
    String[] parts = ex.getRequestURI().getRawPath().split("/");
    if (index < 0 || index >= parts.length) {
      return null;
    }
    return URLDecoder.decode(parts[index], StandardCharsets.UTF_8);
  }

  private static String getTemplate(String path, String... args) throws IOException {
    if (!templates.containsKey(path)) {
      try (InputStream templateStream = Main.class.getResourceAsStream(path)) {
        assert templateStream != null;
        templates.put(path, new String(templateStream.readAllBytes(), StandardCharsets.UTF_8));
      }
    }
    return StringSubstitutor.replace(
        templates.get(path),
        IntStream.range(0, args.length)
            .boxed()
            .collect(
                Collectors.toMap(
                    i -> "" + i, // key is the index as a string
                    i -> args[i] // value is the corresponding argument
                    )),
        "{{",
        "}}");
  }

  public static void sendCustomResponse(
      HttpExchange exchange,
      int statusCode,
      ContentType contentType,
      String templatePath,
      String... templateValues) {
    try {
      String responseBody =
          templatePath != null
              ? getTemplate(templatePath, templateValues)
              : Arrays.toString(templateValues);
      exchange.getResponseHeaders().add("Content-Type", contentType + "; charset=utf-8");
      exchange.sendResponseHeaders(statusCode, responseBody.length());
      try (OutputStream os = exchange.getResponseBody()) {
        os.write(responseBody.getBytes(StandardCharsets.UTF_8));
      }
    } catch (IOException e) {
      LOGGER.error("Failed to send custom response: {}", e.getMessage());
      throw new UncheckedIOException(e);
    }
  }
}

Example main class (a greeter):

import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

public class Main {
  public static void main(String[] args) throws IOException {
    DateFormat df = new SimpleDateFormat("hh:mm:ss a", Locale.ENGLISH);
    MyHttpServer.start(
        new MyHttpServer.MyHttpHandler(
            "/",
            exchange ->
                MyHttpServer.sendCustomResponse(
                    exchange,
                    200,
                    MyHttpServer.ContentType.HTML,
                    "templates/index.html",
                    df.format(new Date()),
                    "Anonymous User")),
        new MyHttpServer.MyHttpHandler(
            "/hello",
            exchange ->
                MyHttpServer.sendCustomResponse(
                    exchange,
                    200,
                    MyHttpServer.ContentType.HTML,
                    "templates/index.html",
                    df.format(new Date()),
                    MyHttpServer.getPathPart(exchange, 2))));
  }
}

Example HTML template (src/main/resources/templates/index.html):

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>My example page</title>
</head>

<body>
<h1>Welcome to my example page!</h1>
<p>The time is now: {{0}}.</p>
<p>Enjoy your stay, {{1}}!</p>
</body>
</html>
\$\endgroup\$
5
  • 1
    \$\begingroup\$ What happens if I ask this server for ../../../../../../../etc/passwd? What about %2fetc%2fpasswd? Or %c0%afetc%c0%afpasswd? \$\endgroup\$
    – Toby Speight
    Commented 2 days ago
  • \$\begingroup\$ @TobySpeight What should happen then? There is no file system access based on the path (from outside). If you mean whether this implementation protects against a malicious "user" of that implementation, then no. The user should choose all arguments carefully, but that is usually always the case, I think. \$\endgroup\$
    – Tobias Grothe
    Commented 2 days ago
  • 1
    \$\begingroup\$ "No filesystem access" wasn't obvious to me - I couldn't find the definitions for Main.class.getResourceAsStream(path)). But it's 15-20 years since I last did Java, so apologies if I've misunderstood. In any case, a network-facing server, particularly for HTTP, is not something to be undertaken lightly! \$\endgroup\$
    – Toby Speight
    Commented 2 days ago
  • \$\begingroup\$ I think, but I don't know for sure, that only the resource folder (inside a jar or not) or the class path root can be addressed - not the entire FS. See also here. But I'm not a JRE security expert, even though I often work with Java. ;) \$\endgroup\$
    – Tobias Grothe
    Commented 2 days ago
  • 1
    \$\begingroup\$ @TobySpeight SomeClass.class is a class literal and gets you a java.lang.Class object for SomeClass. So this invokes Class.getResource(String name) \$\endgroup\$
    – Jannik S.
    Commented 2 days ago

2 Answers 2

Reset to default
8
\$\begingroup\$

I presume you are on purpose. Anyways, onto the mayor faults...:

LOGGER.warn("Exception in handler for path {}: {}", handler.path(), e.getMessage());

I'd say Throwables flying out of the handle method should be logged on error level. Also, please log the entire error object and not just the message, otherwise someone looking at the log might have to do a goose chase on what actually threw (particularely if the project is larger than this)

sendCustomResponse(
   exchange,
   500,
   ContentType.TEXT,
   null,
   "An error occurred while processing your request.",
   e.getMessage());

Please never print out error messages deliberately. Its easy to cause a security leak by doing so, and your average user without malicious intentions doesn't gain anything usefull anyway.

MyHttpServer.getTemplate(...) uses Main.class to load resources even though it wouldn't ordinarely have access to the class this "server" was started from.

private static final HashMap<String, String> templates = new HashMap<>();

Please use a thread-safe map implementation (HashMap isn't without external syncronisation). You're getting away without it here since the default executor doesn't use threads. However, I'd be nearvous if a single change elsewhere can introduce a thread concurrency bug here.

if (!templates.containsKey(path)) {
    try (InputStream templateStream = Main.class.getResourceAsStream(path)) {
            assert templateStream != null;
            templates.put(path, new String(templateStream.readAllBytes(), StandardCharsets.UTF_8));
        }
    }

Please use .computeIfAbsent here. Otherwise you might run into issiues on operating systems that do not support concurrent file access.

exchange.sendResponseHeaders(statusCode, responseBody.length());
try (OutputStream os = exchange.getResponseBody()) {
    os.write(responseBody.getBytes(StandardCharsets.UTF_8));
}

Please convert to bytes first, then set the length. Otherwise you might run into issiues with multibyte characters, e.g. Emoji.

exchange.getResponseHeaders().add("Content-Type", contentType + "; charset=utf-8");

This will result in Content-Type: HTML; charset=utf-8 and is probbably not what you wanted. Also, use set here. Otherwise, this might result in tears if this is the second invocation (because the handler threw)

Also, some other stuff:

  • Please put these classes into a named package. The unnamed package isn't realy made for things consisting of multiple source files. Your template path will need to start with a slash if so, though.
  • Please use a class from java.time rather than the (outdated) j.u.Date. Has the additional effect of making the formatting threadsafe.
  • /hello will 500 if no name is specified (return something in the 4xx range, possibly 400 instead).
  • The fact that ContentType is an enum is unfortunate. It prevents me from writing binary data, if I wanted to.
  • I'm having issiues calling this class an HTTP server. We have aspects of HTTP, in the MyHttpServer class, but the actual Buisywork happens in com.sun.httpserver. The main stuff here appears to be a Request dispatcher, of sorts, (Registering endpoints, calling handlers, catching Exceptions & responding with 500), but we also have parts of a template engine of sorts (getTemplate) and some misc stuff.
\$\endgroup\$
1
  • \$\begingroup\$ Thanks, I have adjusted the tags of this question. You're right with the enumerations, intended was the corresponding enum value, not the name. \$\endgroup\$
    – Tobias Grothe
    Commented Aug 25 at 6:43
4
\$\begingroup\$

A couple of tweaks would make it safer:

  • Escape values before rendering. Right now you insert raw values into HTML. Even just replacing the basics helps:

    private static String escape(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }

Use escape(value) before dropping into the template.

  • Path handling. getPathPart returning null means null can end up in the output. I’d rather return an Optional or fail with a 400:

    static Optional<String> pathPart(HttpExchange ex, int idx) {
        String[] parts = ex.getRequestURI().getPath().split("/");
        return idx >= 0 && idx < parts.length
               ? Optional.of(parts[idx])
               : Optional.empty();
    }
\$\endgroup\$
1
  • 1
    \$\begingroup\$ Good point, Base64 encoding and decoding should do the trick in the first point. See here, for example. \$\endgroup\$
    – Tobias Grothe
    Commented 2 days ago

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.