From 676ff75d9d49b2dc3f4842fe4e22558f08367a60 Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Thu, 15 Oct 2015 15:30:18 -0700
Subject: [PATCH 1/3] Polish

---
 .../embedded/AbstractEmbeddedServletContainerFactory.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactory.java
index 8a51bdc4c1c..91809f563fc 100644
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactory.java
@@ -92,6 +92,10 @@ public abstract class AbstractEmbeddedServletContainerFactory
 		return null;
 	}
 
+	private File getWarFileDocumentRoot() {
+		return getArchiveFileDocumentRoot(".war");
+	}
+
 	private File getArchiveFileDocumentRoot(String extension) {
 		File file = getCodeSourceArchive();
 		if (this.logger.isDebugEnabled()) {
@@ -104,10 +108,6 @@ public abstract class AbstractEmbeddedServletContainerFactory
 		return null;
 	}
 
-	private File getWarFileDocumentRoot() {
-		return getArchiveFileDocumentRoot(".war");
-	}
-
 	private File getCommonDocumentRoot() {
 		for (String commonDocRoot : COMMON_DOC_ROOTS) {
 			File root = new File(commonDocRoot);

From 56643222cfba8e811e18b6d744a3f25ab8d8adf5 Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Thu, 15 Oct 2015 15:31:28 -0700
Subject: [PATCH 2/3] Add simple war sample

---
 spring-boot-samples/pom.xml                   |  1 +
 .../spring-boot-sample-war/pom.xml            | 86 +++++++++++++++++++
 .../main/java/sample/war/MyController.java    | 30 +++++++
 .../java/sample/war/SampleWarApplication.java | 33 +++++++
 .../src/main/webapp/webapp.txt                |  1 +
 5 files changed, 151 insertions(+)
 create mode 100644 spring-boot-samples/spring-boot-sample-war/pom.xml
 create mode 100644 spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/MyController.java
 create mode 100644 spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/SampleWarApplication.java
 create mode 100644 spring-boot-samples/spring-boot-sample-war/src/main/webapp/webapp.txt

diff --git a/spring-boot-samples/pom.xml b/spring-boot-samples/pom.xml
index d77c6f55b9b..7c8b54d1118 100644
--- a/spring-boot-samples/pom.xml
+++ b/spring-boot-samples/pom.xml
@@ -68,6 +68,7 @@
 		<module>spring-boot-sample-undertow</module>
 		<module>spring-boot-sample-undertow-ssl</module>
 		<module>spring-boot-sample-velocity</module>
+		<module>spring-boot-sample-war</module>
 		<module>spring-boot-sample-web-freemarker</module>
 		<module>spring-boot-sample-web-groovy-templates</module>
 		<module>spring-boot-sample-web-method-security</module>
diff --git a/spring-boot-samples/spring-boot-sample-war/pom.xml b/spring-boot-samples/spring-boot-sample-war/pom.xml
new file mode 100644
index 00000000000..959bf51486e
--- /dev/null
+++ b/spring-boot-samples/spring-boot-sample-war/pom.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<!-- Your own application should inherit from spring-boot-starter-parent -->
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-samples</artifactId>
+		<version>1.2.7.BUILD-SNAPSHOT</version>
+	</parent>
+	<artifactId>spring-boot-sample-war</artifactId>
+	<packaging>war</packaging>
+	<name>Spring Boot War Sample</name>
+	<description>Spring Boot War Sample</description>
+	<url>http://projects.spring.io/spring-boot/</url>
+	<organization>
+		<name>Pivotal Software, Inc.</name>
+		<url>http://www.spring.io</url>
+	</organization>
+	<properties>
+		<main.basedir>${basedir}/../..</main.basedir>
+		<m2eclipse.wtp.contextRoot>/</m2eclipse.wtp.contextRoot>
+	</properties>
+	<dependencies>
+		<!-- Compile -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>javax.servlet-api</artifactId>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-tomcat</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<id>tomcat</id>
+			<dependencies>
+				<dependency>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-tomcat</artifactId>
+					<scope>provided</scope>
+				</dependency>
+			</dependencies>
+		</profile>
+		<profile>
+			<id>jetty</id>
+			<dependencies>
+				<dependency>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-jetty</artifactId>
+					<scope>provided</scope>
+				</dependency>
+			</dependencies>
+		</profile>
+		<profile>
+			<id>undertow</id>
+			<dependencies>
+				<dependency>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-undertow</artifactId>
+					<scope>provided</scope>
+				</dependency>
+			</dependencies>
+		</profile>
+	</profiles>
+</project>
diff --git a/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/MyController.java b/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/MyController.java
new file mode 100644
index 00000000000..fc4732ca35b
--- /dev/null
+++ b/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/MyController.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2012-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.war;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class MyController {
+
+	@RequestMapping("/")
+	public String hello() {
+		return "Hello World!";
+	}
+
+}
diff --git a/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/SampleWarApplication.java b/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/SampleWarApplication.java
new file mode 100644
index 00000000000..6336f74d455
--- /dev/null
+++ b/spring-boot-samples/spring-boot-sample-war/src/main/java/sample/war/SampleWarApplication.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2012-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.war;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.web.SpringBootServletInitializer;
+
+/**
+ * Sample WAR application
+ */
+@SpringBootApplication
+public class SampleWarApplication extends SpringBootServletInitializer {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SampleWarApplication.class, args);
+	}
+
+}
diff --git a/spring-boot-samples/spring-boot-sample-war/src/main/webapp/webapp.txt b/spring-boot-samples/spring-boot-sample-war/src/main/webapp/webapp.txt
new file mode 100644
index 00000000000..8df12e9d878
--- /dev/null
+++ b/spring-boot-samples/spring-boot-sample-war/src/main/webapp/webapp.txt
@@ -0,0 +1 @@
+Hello WebApp

From c804299c8d58e62d470ff8573a8e1b61df985050 Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Thu, 15 Oct 2015 16:02:41 -0700
Subject: [PATCH 3/3] Prevent Undertow from exposing classpath files

Update `UndertowEmbeddedServletContainerFactory` so that the
`ClassPathResourceManager` is no longer registered by default.

Prior to this commit the resource manager would be registered whenever
a valid document root could not be found. This had the effect of
exposing all classpath files.

Fixes gh-4015
---
 .../UndertowEmbeddedServletContainerFactory.java      |  6 +-----
 .../AbstractEmbeddedServletContainerFactoryTests.java | 11 +++++++++++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
index 3683c59649d..26b0a827915 100644
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
@@ -56,7 +56,6 @@ import org.xnio.SslClientAuthMode;
 import io.undertow.Undertow;
 import io.undertow.Undertow.Builder;
 import io.undertow.UndertowMessages;
-import io.undertow.server.handlers.resource.ClassPathResourceManager;
 import io.undertow.server.handlers.resource.FileResourceManager;
 import io.undertow.server.handlers.resource.Resource;
 import io.undertow.server.handlers.resource.ResourceChangeListener;
@@ -370,10 +369,7 @@ public class UndertowEmbeddedServletContainerFactory
 		if (root != null && root.isFile()) {
 			return new JarResourcemanager(root);
 		}
-		if (this.resourceLoader != null) {
-			return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
-		}
-		return new ClassPathResourceManager(getClass().getClassLoader(), "");
+		return ResourceManager.EMPTY_RESOURCE_MANAGER;
 	}
 
 	private void configureErrorPages(DeploymentInfo servletBuilder) {
diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
index 6e2e3846c20..72eba6b75e8 100644
--- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -482,6 +482,17 @@ public abstract class AbstractEmbeddedServletContainerFactoryTests {
 				equalTo("test"));
 	}
 
+	@Test
+	public void cannotReadClassPathFiles() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		this.container = factory
+				.getEmbeddedServletContainer(exampleServletRegistration());
+		this.container.start();
+		ClientHttpResponse response = getClientResponse(
+				getLocalUrl("/org/springframework/boot/SpringApplication.class"));
+		assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
+	}
+
 	private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
 		return getSsl(clientAuth, keyPassword, keyStore, null);
 	}