RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]

Jaikiran Pai jpai at openjdk.java.net
Thu Sep 16 14:08:46 UTC 2021

On Thu, 16 Sep 2021 10:14:47 GMT, Julia Boes <jboes at openjdk.org> wrote:

>> This change implements a simple web server that can be run on the command-line with `java -m jdk.httpserver`.
>> This is facilitated by adding an entry point for the `jdk.httpserver` module, an implementation class whose main method is run when the above command is executed. This is the first such module entry point in the JDK.
>> The server is a minimal HTTP server that serves the static files of a given directory, similar to existing alternatives on other platforms and convenient for testing, development, and debugging.
>> Additionally, a small API is introduced for programmatic creation and customization.
>> Testing: tier1-3.
> Julia Boes has updated the pull request incrementally with one additional commit since the last revision:
>   correct path handling

src/jdk.httpserver/share/classes/module-info.java line 55:

> 53:  *                                  [-o none|info|verbose] [-h to show options]
> 54:  *    Options:
> 55:  *    -b, --bind-address    - Address to bind to. Default: (all interfaces).

I understand that the purpose of this simple server is for development and testing only. But even then, for security considerations, would it be more appropriate to default the bind address to a loopback address instead of making it potentially accessible to the entire public? In the past, application servers which used to bind to all interfaces by default have now moved to using the loopback address as a default to avoid such accidental exposure of the server.


PR: https://git.openjdk.java.net/jdk/pull/5505
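
The loopback-versus-all-interfaces point raised above, shown as an added example that is not code from this message or from the pull request. It assumes the `SimpleFileServer` API as it shipped in JDK 18; the class name `LoopbackFileServer` and the `requireLoopback` guard are hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.SimpleFileServer;
import com.sun.net.httpserver.SimpleFileServer.OutputLevel;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;

public class LoopbackFileServer {

    /** Hypothetical guard: reject wildcard or non-loopback bind addresses. */
    static InetSocketAddress requireLoopback(InetSocketAddress addr) {
        InetAddress ip = addr.getAddress();
        if (ip == null) {
            throw new IllegalArgumentException("unresolved bind address: " + addr);
        }
        if (ip.isAnyLocalAddress()) {
            throw new IllegalArgumentException("wildcard bind address (all interfaces): " + addr);
        }
        if (!ip.isLoopbackAddress()) {
            throw new IllegalArgumentException("non-loopback bind address: " + addr);
        }
        return addr;
    }

    public static void main(String[] args) {
        // new InetSocketAddress(port) uses the wildcard address, i.e. all interfaces.
        InetSocketAddress wildcard = new InetSocketAddress(8000);
        try {
            requireLoopback(wildcard);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Explicit loopback; port 0 lets the OS pick a free port.
        InetSocketAddress loopback =
                requireLoopback(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
        Path root = Path.of("").toAbsolutePath(); // served directory must be an absolute path
        HttpServer server = SimpleFileServer.createFileServer(loopback, root, OutputLevel.INFO);
        server.start();
        System.out.println("serving " + root + " on " + server.getAddress());
        server.stop(0);
    }
}
```

The guard rejects the wildcard address before the socket is opened, so a caller that passes only a port number fails loudly instead of listening on every interface.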
