  1. Undertow
  2. UNDERTOW-2295

Stop registering managed default servlet if another one is configured


Details

    • Enhancement
    • Resolution: Unresolved
    • Major
    • None
    • 2.3.7.Final
    • Servlet
    • None

    Description

      Hi,

      in the course of applying mitigations for https://spring.io/security/cve-2023-34035 it came up that Undertow always creates a default servlet in https://github.com/undertow-io/undertow/blob/2.3.7.Final/servlet/src/main/java/io/undertow/servlet/handlers/ServletPathMatches.java#L308 that is causing very vanilla Spring-Boot applications to fail on startup due to the mappings not being clearly assignable to a specific servlet registration (without any further code).

      While there are workarounds posted and discussions going on to improve the migration path for Spring-Security https://github.com/spring-projects/spring-security/issues/13568, I wondered why this needs to be registered in the first place if a default servlet is given.

      Unfortunately, I couldn't find a ticket that references the decision behind the default servlet registration, but only the commit 71c5a691 which is unfortunately not providing more info.

      There is https://issues.redhat.com/browse/UNDERTOW-149 which introduced a check for the managed default servlet not being registered twice, which the PR still kept.

      I'll shortly provide a PR to address & discuss this. See

      https://github.com/undertow-io/undertow/pull/1506

       


          People

            flaviarnn Flavia Rainone
            christophdreis Christoph Dreis (Inactive)