Move ClassMatcher to core to have a consistent fix for addServerClasses in all environments

documentation/jetty-documentation/src/main/asciidoc/operations-guide/modules/modules.adoc

@@ -128,7 +128,7 @@ Appends the value to the existing value.
 This is useful to append a value to properties that accept a comma separated list of values, for example:
 +
 ----
-jetty.webapp.addServerClasses+=,com.acme
+jetty.webapp.addProtectedClasses+=,com.acme
 ----
 +
 // TODO: check what happens if the property is empty and +=,value is done: is the comma stripped? If so add a sentence about this.

jetty-core/jetty-ee/pom.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.eclipse.jetty</groupId>
+    <artifactId>jetty-core</artifactId>
+    <version>12.0.9-SNAPSHOT</version>
+  </parent>
+  <artifactId>jetty-ee</artifactId>
+  <name>Core :: EE Common</name>
+
+  <properties>
+    <bundle-symbolic-name>${project.groupId}.ee</bundle-symbolic-name>
+    <spotbugs.onlyAnalyze>org.eclipse.jetty.ee.*</spotbugs.onlyAnalyze>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-server</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-slf4j-impl</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.tests</groupId>
+      <artifactId>jetty-test-multipart</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.toolchain</groupId>
+      <artifactId>jetty-test-helper</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+        <extensions>true</extensions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <argLine>@{argLine} ${jetty.surefire.argLine} --add-reads org.eclipse.jetty.ee=org.eclipse.jetty.logging</argLine>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

jetty-core/jetty-ee/src/main/config/etc/jetty-ee-webapp.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
+
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  <Call class="org.eclipse.jetty.ee.WebAppClassLoading" name="addProtectedClasses">
+    <Arg><Ref refid="Server"/></Arg>
+    <Arg>
+      <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+        <Arg><Property name="jetty.server.addProtectedClasses"/></Arg>
+      </Call>
+    </Arg>
+  </Call>
+
+  <Call class="org.eclipse.jetty.ee.WebAppClassLoading" name="addHiddenClasses">
+    <Arg><Ref refid="Server"/></Arg>
+    <Arg>
+      <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+        <Arg><Property name="jetty.server.addHiddenClasses"/></Arg>
+      </Call>
+    </Arg>
+  </Call>
+
+</Configure>

jetty-core/jetty-ee/src/main/config/modules/ee-webapp.mod

@@ -0,0 +1,31 @@
+# DO NOT EDIT THIS FILE - See: https://eclipse.dev/jetty/documentation/
+
+[description]
+# tag::description[]
+This module provide common configuration of Java Servlet web applications over all environments.
+# end::description[]
+
+[xml]
+etc/jetty-ee-webapp.xml
+
+[lib]
+lib/jetty-ee-${jetty.version}.jar
+
+[ini-template]
+# tag::ini-template[]
+## Add to the server wide default jars and packages protected or hidden from webapps.
+## Protected (aka System) classes cannot be overridden by a webapp.
+## Hidden (aka Server) classes cannot be seen by a webapp
+## Lists of patterns are comma separated and may be either:
+##  + a qualified classname e.g. 'com.acme.Foo' 
+##  + a package name e.g. 'net.example.'
+##  + a jar file e.g. '${jetty.base.uri}/lib/dependency.jar' 
+##  + a directory of jars,resource or classes e.g. '${jetty.base.uri}/resources' 
+##  + A pattern preceded with a '-' is an exclusion, all other patterns are inclusions
+##
+## The +=, operator appends to a CSV list with a comma as needed.
+##
+#jetty.server.addProtectedClasses+=,org.example.
+#jetty.server.addHiddenClasses+=,org.example.
+# end::ini-template[]
+

jetty-core/jetty-ee/src/main/java/module-info.java

@@ -0,0 +1,22 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+module org.eclipse.jetty.ee
+{
+    requires org.slf4j;
+
+    requires transitive org.eclipse.jetty.util;
+    requires transitive org.eclipse.jetty.server;
+
+    exports org.eclipse.jetty.ee;
+}

jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/WebAppClassLoading.java

@@ -0,0 +1,214 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.ee;
+
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.util.Attributes;
+import org.eclipse.jetty.util.ClassMatcher;
+import org.eclipse.jetty.util.component.Environment;
+
+/**
+ * Common attributes and methods for configuring the {@link ClassLoader Class loading} of web application:
+ * <ul>
+ *     <li>Protected (a.k.a. System) classes are classes typically provided by the JVM, that cannot be replaced by the
+ *         web application, and they are always loaded via the environment or system classloader.  They are visible but
+ *         protected.</li>
+ *     <li>Hidden (a.k.a. Server) classes are those used to implement the Server and are not made available to the
+ *         web application. They are hidden from the web application {@link ClassLoader}.</li>
+ * </ul>
+ * <p>These protections are set to reasonable defaults {@link #DEFAULT_PROTECTED_CLASSES} and {@link #DEFAULT_HIDDEN_CLASSES},
+ * which may be programmatically configured and will affect the defaults applied to all web applications in the same JVM.
+ *
+ * <p>
+ * The defaults applied by a specific {@link Server} can be configured using {@link #addProtectedClasses(Server, String...)} and
+ * {@link #addHiddenClasses(Server, String...)}. Alternately the {@link Server} attributes {@link #PROTECTED_CLASSES_ATTRIBUTE}
+ * and {@link #HIDDEN_CLASSES_ATTRIBUTE} may be used to direct set a {@link ClassMatcher} to use for all web applications
+ * within the server instance.
+ * </p>
+ * <p>
+ * The defaults applied by a specific {@link Environment} can be configured using {@link #addProtectedClasses(Environment, String...)} and
+ * {@link #addHiddenClasses(Environment, String...)}. Alternately the {@link Environment} attributes {@link #PROTECTED_CLASSES_ATTRIBUTE}
+ * and {@link #HIDDEN_CLASSES_ATTRIBUTE} may be used to direct set a {@link ClassMatcher} to use for all web applications
+ * within the server instance.
+ * </p>
+ * <p>
+ * Ultimately, the configurations set by this class only affects the defaults applied to each web application 
+ * {@link org.eclipse.jetty.server.handler.ContextHandler Context} and the {@link ClassMatcher} fields of the web applications
+ * can be directly access to configure a specific context.
+ * </p>
+ */
+public class WebAppClassLoading
+{
+    public static final String PROTECTED_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.systemClasses";
+    public static final String HIDDEN_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.serverClasses";
+
+    /**
+     * The default protected (system) classes used by a web application, which will be applied to the {@link ClassMatcher}s created
+     * by {@link #getProtectedClasses(Environment)}.
+     */
+    public static final ClassMatcher DEFAULT_PROTECTED_CLASSES = new ClassMatcher(
+        "java.",                            // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
+        "javax.",                           // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
+        "jakarta.",                         // Jakarta classes (per servlet spec v5.0 / Section 15.2.1)
+        "org.xml.",                         // javax.xml
+        "org.w3c."                          // javax.xml
+    );
+
+    /**
+     * The default hidden (server) classes used by a web application, which can be applied to the {@link ClassMatcher}s created
+     * by {@link #getHiddenClasses(Environment)}.
+     */
+    public static final ClassMatcher DEFAULT_HIDDEN_CLASSES = new ClassMatcher(
+        "org.eclipse.jetty."                // hide jetty classes
+    );
+
+    /**
+     * Get the default protected (system) classes for a {@link Server}
+     * @param server The {@link Server} for the defaults
+     * @return The default protected (system) classes for the {@link Server}, which will be empty if not previously configured.
+     */
+    public static ClassMatcher getProtectedClasses(Server server)
+    {
+        return getClassMatcher(server, PROTECTED_CLASSES_ATTRIBUTE, null);
+    }
+
+    /**
+     * Get the default protected (system) classes for an {@link Environment}
+     * @param environment The {@link Server} for the defaults
+     * @return The default protected (system) classes for the {@link Environment}, which will be the {@link #DEFAULT_PROTECTED_CLASSES} if not previously configured.
+     */
+    public static ClassMatcher getProtectedClasses(Environment environment)
+    {
+        return getClassMatcher(environment, PROTECTED_CLASSES_ATTRIBUTE, DEFAULT_PROTECTED_CLASSES);
+    }
+
+    /**
+     * Add a protected (system) Class pattern to use for all WebAppContexts.
+     * @param patterns the patterns to use
+     */
+    public static void addProtectedClasses(String... patterns)
+    {
+        DEFAULT_PROTECTED_CLASSES.add(patterns);
+    }
+
+    /**
+     * Add a protected (system) Class pattern to use for all WebAppContexts of a given {@link Server}.
+     * @param attributes The {@link Attributes} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    public static void addProtectedClasses(Attributes attributes, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(attributes, PROTECTED_CLASSES_ATTRIBUTE, null).add(patterns);
+    }
+
+    /**
+     * Add a protected (system) Class pattern to use for all WebAppContexts of a given {@link Server}.
+     * @param server The {@link Server} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    public static void addProtectedClasses(Server server, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(server, PROTECTED_CLASSES_ATTRIBUTE, null).add(patterns);
+    }
+
+    /**
+     * Add a protected (system) Class pattern to use for WebAppContexts of a given environment.
+     * @param environment The {@link Environment} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    public static void addProtectedClasses(Environment environment, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(environment, PROTECTED_CLASSES_ATTRIBUTE, DEFAULT_PROTECTED_CLASSES).add(patterns);
+    }
+
+    /**
+     * Get the default hidden (server) classes for a {@link Server}
+     * @param server The {@link Server} for the defaults
+     * @return The default hidden (server) classes for the {@link Server}, which will be empty if not previously configured.
+     *
+     */
+    public static ClassMatcher getHiddenClasses(Server server)
+    {
+        return getClassMatcher(server, HIDDEN_CLASSES_ATTRIBUTE, null);
+    }
+
+    /**
+     * Get the default hidden (server) classes for an {@link Environment}
+     * @param environment The {@link Server} for the defaults
+     * @return The default hidden (server) classes for the {@link Environment}, which will be {@link #DEFAULT_PROTECTED_CLASSES} if not previously configured.
+     */
+    public static ClassMatcher getHiddenClasses(Environment environment)
+    {
+        return getClassMatcher(environment, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES);
+    }
+
+    /**
+     * Add a hidden (server) Class pattern to use for all WebAppContexts of a given {@link Server}.
+     * @param patterns the patterns to use
+     */
+    public static void addHiddenClasses(String... patterns)
+    {
+        DEFAULT_HIDDEN_CLASSES.add(patterns);
+    }
+
+    /**
+     * Add a hidden (server) Class pattern to use for all WebAppContexts of a given {@link Server}.
+     * @param attributes The {@link Attributes} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    @Deprecated (forRemoval = true)
+    public static void addHiddenClasses(Attributes attributes, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(attributes, HIDDEN_CLASSES_ATTRIBUTE, null).add(patterns);
+    }
+
+    /**
+     * Add a hidden (server) Class pattern to use for all WebAppContexts of a given {@link Server}.
+     * @param server The {@link Server} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    public static void addHiddenClasses(Server server, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(server, HIDDEN_CLASSES_ATTRIBUTE, null).add(patterns);
+    }
+
+    /**
+     * Add a hidden (server) Class pattern to use for all ee9 WebAppContexts.
+     * @param environment The {@link Environment} instance to add classes to
+     * @param patterns the patterns to use
+     */
+    public static void addHiddenClasses(Environment environment, String... patterns)
+    {
+        if (patterns != null && patterns.length > 0)
+            getClassMatcher(environment, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES).add(patterns);
+    }
+
+    private static ClassMatcher getClassMatcher(Attributes attributes, String attribute, ClassMatcher defaultPatterns)
+    {
+        Object existing = attributes.getAttribute(attribute);
+        if (existing instanceof ClassMatcher cm)
+            return cm;
+
+        ClassMatcher classMatcher = (existing instanceof String[] stringArray)
+            ? new ClassMatcher(stringArray) : new ClassMatcher(defaultPatterns);
+        attributes.setAttribute(attribute, classMatcher);
+        return classMatcher;
+    }
+
+}