Resource Not Found after Spring 4.1.2 Update when deploy with JRebel 6.0.0

Asked 12/11, 2014 at 21:26 Answered 2/4, 2015 at 14:12

Spring 4.1.2 (4.0.8 and 3.2.12) contains a Security Bugfix SPR-12354 that prevents the ResourceHttpRequestHandler (the thing behind <mvc:resources>) to load files from outside the the resource folder.

On the other hand: is JRebel (I use it with its default configuration). And it seams that JRebel do some magic to load the resources not from the wtp folder but directly form the "source" folder.

So after upgrading from Spring 3.2.11 to 3.2.12 (and an other similar Application from 4.0.7 to 4.0.8) Springs ResourceHttpRequestHandler does not longer deliver the resource files that are "maintained" by JRebel. Instead is delivers a 404. The reason is that Spring compare the absolute file path of the configured resource folder with the absolute file path of the file that is going to be delivered. If the ResourceHttpRequestHandler perceived that the file is outside of configured resource folder, then it assume that the url that was used to select the file is malicious. Therefore the ResourceHttpRequestHandler and response with a 404 resource not found.

I expect that JRebel can been configured not to "maintain" js, png and css files, but I don't know how. And this is the question: How to configure JRebel that a Spring MVC Application (v 4.0.8) still deliver Resources with ResourceHttpRequestHandler?

(I expect that almost every JRebel User is facing this problem after upgrading to Spring 4.1.2, 4.0.8 or 3.2.12).

(don't get me wrong, this is NOT a question how to manipulate Spring not to check that the files are outside of the configures resource folder. I have had a look at the source code and the observed behaviour is the behaviour that is intended by the authors of the Bug fix. - This question is about configuring JRebel)

Deviation answered 12/11, 2014 at 21:26 Comment(3)

Thanks for the downvote. But please leave a comment so that I know what you disliked, so that I can write better question next time. – Deviation 12/11, 2014 at 21:40

I'm getting the same problem, but I'm not using JRebel. I just update from Spring 4.1.0 to 4.1.2 and now the Resources is not working, returning always NOT FOUND error! Can you help me? – Favoritism 3/12, 2014 at 13:10

@Beto Neto: please write an new question about your problem. You can link to this question for explanation about the Spring Update, but ask your own question, because the answer will/must differ. – Deviation 3/12, 2014 at 13:56

The problem is fixed in JRebel (I can not reproduce it with the current JRebel 6.1.1) - I guess it is fixed since 6.0.2 (23rd December 2014)

Fixed an issue where Spring ResourceHttpRequestHandler could not serve resources outside of webroot.

(JRebel Changelog https://zeroturnaround.com/software/jrebel/download/changelog/6-x/)

For the one that are interested how they solved it:

I can only guess because it is strange. Spring 4.1.6 (that is the version I used for the test) has the class org.springframework.web.servlet.resource.PathResourceResolver has the method checkResource(Resource resource, Resource location):

protected boolean checkResource(Resource resource, Resource location) throws IOException {
    if (isResourceUnderLocation(resource, location)) {
        return true;
    }
    if (getAllowedLocations() != null) {
        for (Resource current : getAllowedLocations()) {
            if (isResourceUnderLocation(resource, current)) {
                return true;
            }
        }
    }
    return false;
}

The first if: isResourceUnderLocation... is the method that check whether or not the request is accessing a resource outside the configured resource folder

isResourceUnderLocation(Resource resource, Resource location) {
    ...
    resourcePath = ((ServletContextResource) resource).getPath();
    locationPath = StringUtils.cleanPath(((ServletContextResource) location).getPath());
    ...
    if (!resourcePath.startsWith(locationPath)) {
        return false;
    }
    ...
 }

When I use the debugger to check what is going on, while JRebel is active, then something strange happend: when the JVM hit the line if (isResourceUnderLocation(resource, location)) {, then the method isResourceUnderLocation gets not invoked!

So I came to the conclusion that JRebel does some bytecode manipulation to prevent that the check (and the whole isResourceUnderLocation method) gets executed.

Deviation answered 2/4, 2015 at 14:12 Comment(0)

Thank you for very good problem description!

Looks like this Spring change introduced the incompatibility into the JRebel. I am from JRebel team and will make sure this will be fixed!

As a workaround you can use <exclude> tag in your rebel.xml <web> element to tell JRebel not to touch these specific files. Here is more info of how to configure it http://manuals.zeroturnaround.com/jrebel/standalone/config.html#exclude

Other easier workaround is just removing the <web> element altogether.

Sphenic answered 13/11, 2014 at 7:47 Comment(2)

I used the example provided by josefine's answer (based on your answer). But then JRebel does not "deploy" an resources like css files (because they are excluded) - on the other hand JRebel requires that Eclipse/Tomcat autodeploy feature is disabled. So I have to restart the server by hand every time I change a CSS file! This makes JRebel unuseable! - Did I overlooked something? - Do you have a short answer, or should I create a new Stackoverflow question? – Deviation 28/11, 2014 at 10:41

It has been a while now, is there a fix for this problem available? As stated in a comment before, your workaround unfortunately does not apply to my needs. – Lauretta 17/2, 2015 at 12:51

Based on smartman's anwser I configured rebel.xml as follows:

   <classpath>
         <dir name="${rebel.workspace.path}/myproject/target/classes">
         </dir>
         <dir name="${rebel.workspace.path}/myproject/target/test-classes">
         </dir>
   </classpath>

   <web>
         <link target="/">
                <dir name="${rebel.workspace.path}/myproject/src/main/webapp">
                       <exclude name="resources/**"/>
                </dir>
         </link>
   </web>

This will exclude all resources, but at least it will update the views (jsp- and tag-files). But when I do lots of frontend development, where I need to change controller, views and styles simultaniously, this configuration is useless and I have to turn off jrebel all together.

Lauretta answered 28/11, 2014 at 9:50 Comment(1)

It is assumed that /myproject/src/main/webapp/resources contains only that resources that are delived by <mvc:resources> like images, css, js,... but not the jsp files. – Deviation 28/11, 2014 at 10:23