RFR: 8245095: Implementation of JEP 408: Simple Web Server [v3]

Julia Boes jboes at openjdk.java.net
Wed Sep 22 15:26:35 UTC 2021

On Fri, 17 Sep 2021 14:11:38 GMT, Julia Boes <jboes at openjdk.org> wrote:

> Thanks for sharing your experience on this, it's appreciated. is common default for Apache httpd [1], Nginx [2], the Python web server [3]. This being said, I want to make sure we're taking the right decision here so let me seek some further advice on this.
> [1] http://httpd.apache.org/docs/2.4/bind.html
> [2] https://docs.nginx.com/nginx/admin-guide/web-server/web-server/
> [3] https://github.com/python/cpython/blob/3.4/Lib/http/server.py

Further review concluded that a default binding to creates too high a level of exposure, particularly for a low-threshold utility like this server. Binding to an unrestricted address is a known way for attackers to launch a Denial-of-Service attack, classified by MITRE as CWE-1327 [1]. We therefore update the default binding to the loopback address and amend the help output with information on how to bind to, e.g.:

$ java -m jdk.httpserver -h
Usage: java -m jdk.httpserver [-b bind address] [-p port] [-d directory]
                              [-o none|info|verbose] [-h to show options]
-b, --bind-address    - Address to bind to. Default: (loopback).
                        For (all interfaces) use -b or -b ::0.
-d, --directory       - Directory to serve. Default: current directory.
-o, --output          - Output format. none|info|verbose. Default: info.
-p, --port            - Port to listen on. Default: 8000.
-h, -?, --help        - Print this help message.
To stop the server, press Ctrl + C.
Thanks again for flagging this, @jaikiran .

[1] https://cwe.mitre.org/data/definitions/1327.html


PR: https://git.openjdk.java.net/jdk/pull/5505
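The same "loopback by default, widen only on explicit request" decision, applied to the programmatic jdk.httpserver API rather than the CLI. This is an added example, not code from the PR or the JDK; it assumes the JEP 408 `SimpleFileServer` API (JDK 18+), and the helpers `isExposed` and `start` are names chosen here for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.SimpleFileServer;
import com.sun.net.httpserver.SimpleFileServer.OutputLevel;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;

public class LoopbackFileServer {

    /** True when the address would accept connections from other hosts (wildcard or non-loopback). */
    static boolean isExposed(InetSocketAddress addr) {
        InetAddress ip = addr.getAddress();
        return ip == null || ip.isAnyLocalAddress() || !ip.isLoopbackAddress();
    }

    /**
     * Start a file server. Anything other than a loopback bind needs an explicit opt-in,
     * mirroring the CLI's new default (loopback) and its -b flag for all interfaces.
     * Hypothetical helper written for this example.
     */
    static HttpServer start(InetSocketAddress addr, Path root, boolean allowExposure) throws IOException {
        if (isExposed(addr) && !allowExposure) {
            throw new IllegalArgumentException("refusing non-loopback bind " + addr + " without explicit opt-in");
        }
        // createFileServer requires an absolute root directory.
        HttpServer server = SimpleFileServer.createFileServer(addr, root.toAbsolutePath(), OutputLevel.INFO);
        server.start();
        return server;
    }

    public static void main(String[] args) throws IOException {
        Path root = Path.of(args.length > 0 ? args[0] : ".");

        // Loopback on port 8000: the same default the CLI now uses.
        InetSocketAddress loopback = new InetSocketAddress(InetAddress.getLoopbackAddress(), 8000);
        HttpServer server = start(loopback, root, false);
        System.out.println("Serving " + root + " on " + server.getAddress()
                + " (exposed: " + isExposed(server.getAddress()) + ")");

        // A wildcard bind (all interfaces) is rejected unless the caller opts in.
        InetSocketAddress wildcard = new InetSocketAddress(8001);
        try {
            start(wildcard, root, false);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        Runtime.getRuntime().addShutdownHook(new Thread(() -> server.stop(0)));
    }
}
```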
