Disable Server header by default when using SSL with Jetty 9

wilkinsona · wilkinsona · commit a1dda12bcb7d · 2016-11-11T11:46:57.000Z
Closes gh-7359
diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
@@ -692,6 +692,7 @@ private static class Jetty9SslServerConnectorFactory
 		public ServerConnector getConnector(Server server,
 				SslContextFactory sslContextFactory, int port) {
 			HttpConfiguration config = new HttpConfiguration();
+			config.setSendServerVersion(false);
 			config.addCustomizer(new SecureRequestCustomizer());
 			HttpConnectionFactory connectionFactory = new HttpConnectionFactory(config);
 			SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(
diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -420,6 +420,41 @@ public void sslGetScheme() throws Exception { // gh-2232
 				.contains("scheme=https");
 	}
 
+	@Test
+	public void serverHeaderIsDisabledByDefaultWhenUsingSsl() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+		this.container = factory.getEmbeddedServletContainer(
+				new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+		this.container.start();
+		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+				new SSLContextBuilder()
+						.loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+		HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+				.build();
+		ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+				HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+		assertThat(response.getHeaders().get("Server")).isNullOrEmpty();
+	}
+
+	@Test
+	public void serverHeaderCanBeCustomizedWhenUsingSsl() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		factory.setServerHeader("MyServer");
+		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
+		this.container = factory.getEmbeddedServletContainer(
+				new ServletRegistrationBean(new ExampleServlet(true, false), "/hello"));
+		this.container.start();
+		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+				new SSLContextBuilder()
+						.loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
+		HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
+				.build();
+		ClientHttpResponse response = getClientResponse(getLocalUrl("https", "/hello"),
+				HttpMethod.GET, new HttpComponentsClientHttpRequestFactory(httpClient));
+		assertThat(response.getHeaders().get("Server")).containsExactly("MyServer");
+	}
+
 	protected final void testBasicSslWithKeyStore(String keyStore) throws Exception {
 		AbstractEmbeddedServletContainerFactory factory = getFactory();
 		addTestTxtFile(factory);
