View Javadoc
1   /*
2    * Copyright 2022 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.example.http2.file;
17  
18  import io.netty.buffer.ByteBuf;
19  import io.netty.buffer.Unpooled;
20  import io.netty.channel.ChannelDuplexHandler;
21  import io.netty.channel.ChannelFuture;
22  import io.netty.channel.ChannelHandlerContext;
23  import io.netty.channel.ChannelProgressiveFuture;
24  import io.netty.channel.ChannelProgressiveFutureListener;
25  import io.netty.handler.codec.http.HttpHeaderNames;
26  import io.netty.handler.codec.http.HttpResponseStatus;
27  import io.netty.handler.codec.http2.DefaultHttp2DataFrame;
28  import io.netty.handler.codec.http2.DefaultHttp2Headers;
29  import io.netty.handler.codec.http2.DefaultHttp2HeadersFrame;
30  import io.netty.handler.codec.http2.Http2DataChunkedInput;
31  import io.netty.handler.codec.http2.Http2DataFrame;
32  import io.netty.handler.codec.http2.Http2FrameStream;
33  import io.netty.handler.codec.http2.Http2Headers;
34  import io.netty.handler.codec.http2.Http2HeadersFrame;
35  import io.netty.handler.stream.ChunkedFile;
36  import io.netty.util.CharsetUtil;
37  import io.netty.util.internal.SystemPropertyUtil;
38  
39  import javax.activation.MimetypesFileTypeMap;
40  import java.io.File;
41  import java.io.FileNotFoundException;
42  import java.io.RandomAccessFile;
43  import java.io.UnsupportedEncodingException;
44  import java.net.URLDecoder;
45  import java.text.SimpleDateFormat;
46  import java.util.Calendar;
47  import java.util.Date;
48  import java.util.GregorianCalendar;
49  import java.util.Locale;
50  import java.util.TimeZone;
51  import java.util.regex.Pattern;
52  
53  import static io.netty.handler.codec.http.HttpMethod.GET;
54  import static io.netty.handler.codec.http.HttpResponseStatus.FORBIDDEN;
55  import static io.netty.handler.codec.http.HttpResponseStatus.FOUND;
56  import static io.netty.handler.codec.http.HttpResponseStatus.INTERNAL_SERVER_ERROR;
57  import static io.netty.handler.codec.http.HttpResponseStatus.METHOD_NOT_ALLOWED;
58  import static io.netty.handler.codec.http.HttpResponseStatus.NOT_FOUND;
59  import static io.netty.handler.codec.http.HttpResponseStatus.NOT_MODIFIED;
60  import static io.netty.handler.codec.http.HttpResponseStatus.OK;
61  
62  /**
63   * A simple handler that serves incoming HTTP requests to send their respective
64   * HTTP responses.  It also implements {@code 'If-Modified-Since'} header to
65   * take advantage of browser cache, as described in
66   * <a href="https://tools.ietf.org/html/rfc2616#section-14.25">RFC 2616</a>.
67   *
68   * <h3>How Browser Caching Works</h3>
69   * <p>
70   * Web browser caching works with HTTP headers as illustrated by the following
71   * sample:
72   * <ol>
73   * <li>Request #1 returns the content of {@code /file1.txt}.</li>
74   * <li>Contents of {@code /file1.txt} is cached by the browser.</li>
75   * <li>Request #2 for {@code /file1.txt} does not return the contents of the
76   *     file again. Rather, a 304 Not Modified is returned. This tells the
77   *     browser to use the contents stored in its cache.</li>
78   * <li>The server knows the file has not been modified because the
79   *     {@code If-Modified-Since} date is the same as the file's last
80   *     modified date.</li>
81   * </ol>
82   *
83   * <pre>
84   * Request #1 Headers
85   * ===================
86   * GET /file1.txt HTTP/1.1
87   *
88   * Response #1 Headers
89   * ===================
90   * HTTP/1.1 200 OK
91   * Date:               Tue, 01 Mar 2011 22:44:26 GMT
92   * Last-Modified:      Wed, 30 Jun 2010 21:36:48 GMT
93   * Expires:            Tue, 01 Mar 2012 22:44:26 GMT
94   * Cache-Control:      private, max-age=31536000
95   *
96   * Request #2 Headers
97   * ===================
98   * GET /file1.txt HTTP/1.1
99   * If-Modified-Since:  Wed, 30 Jun 2010 21:36:48 GMT
100  *
101  * Response #2 Headers
102  * ===================
103  * HTTP/1.1 304 Not Modified
104  * Date:               Tue, 01 Mar 2011 22:44:28 GMT
105  *
106  * </pre>
107  */
108 public class Http2StaticFileServerHandler extends ChannelDuplexHandler {
109 
110     public static final String HTTP_DATE_FORMAT = "EEE, dd MMM yyyy HH:mm:ss zzz";
111     public static final String HTTP_DATE_GMT_TIMEZONE = "GMT";
112     public static final int HTTP_CACHE_SECONDS = 60;
113 
114     private Http2FrameStream stream;
115 
116     @Override
117     public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
118         if (msg instanceof Http2HeadersFrame) {
119             Http2HeadersFrame headersFrame = (Http2HeadersFrame) msg;
120             this.stream = headersFrame.stream();
121 
122             if (!GET.toString().equals(headersFrame.headers().method().toString())) {
123                 sendError(ctx, METHOD_NOT_ALLOWED);
124                 return;
125             }
126 
127             final String uri = headersFrame.headers().path().toString();
128             final String path = sanitizeUri(uri);
129             if (path == null) {
130                 sendError(ctx, FORBIDDEN);
131                 return;
132             }
133 
134             File file = new File(path);
135             if (file.isHidden() || !file.exists()) {
136                 sendError(ctx, NOT_FOUND);
137                 return;
138             }
139 
140             if (file.isDirectory()) {
141                 if (uri.endsWith("/")) {
142                     sendListing(ctx, file, uri);
143                 } else {
144                     sendRedirect(ctx, uri + '/');
145                 }
146                 return;
147             }
148 
149             if (!file.isFile()) {
150                 sendError(ctx, FORBIDDEN);
151                 return;
152             }
153 
154             // Cache Validation
155             CharSequence ifModifiedSince = headersFrame.headers().get(HttpHeaderNames.IF_MODIFIED_SINCE);
156             if (ifModifiedSince != null && !ifModifiedSince.toString().isEmpty()) {
157                 SimpleDateFormat dateFormatter = new SimpleDateFormat(HTTP_DATE_FORMAT, Locale.US);
158                 Date ifModifiedSinceDate = dateFormatter.parse(ifModifiedSince.toString());
159 
160                 // Only compare up to the second because the datetime format we send to the client
161                 // does not have milliseconds
162                 long ifModifiedSinceDateSeconds = ifModifiedSinceDate.getTime() / 1000;
163                 long fileLastModifiedSeconds = file.lastModified() / 1000;
164                 if (ifModifiedSinceDateSeconds == fileLastModifiedSeconds) {
165                     sendNotModified(ctx);
166                     return;
167                 }
168             }
169 
170             RandomAccessFile raf;
171             try {
172                 raf = new RandomAccessFile(file, "r");
173             } catch (FileNotFoundException ignore) {
174                 sendError(ctx, NOT_FOUND);
175                 return;
176             }
177             long fileLength = raf.length();
178 
179             Http2Headers headers = new DefaultHttp2Headers();
180             headers.status("200");
181             headers.setLong(HttpHeaderNames.CONTENT_LENGTH, fileLength);
182 
183             setContentTypeHeader(headers, file);
184             setDateAndCacheHeaders(headers, file);
185 
186             // Write the initial line and the header.
187             ctx.writeAndFlush(new DefaultHttp2HeadersFrame(headers).stream(stream));
188 
189             // Write the content.
190             ChannelFuture sendFileFuture;
191             sendFileFuture = ctx.writeAndFlush(new Http2DataChunkedInput(
192                     new ChunkedFile(raf, 0, fileLength, 8192), stream), ctx.newProgressivePromise());
193 
194             sendFileFuture.addListener(new ChannelProgressiveFutureListener() {
195                 @Override
196                 public void operationProgressed(ChannelProgressiveFuture future, long progress, long total) {
197                     if (total < 0) { // total unknown
198                         System.err.println(future.channel() + " Transfer progress: " + progress);
199                     } else {
200                         System.err.println(future.channel() + " Transfer progress: " + progress + " / " + total);
201                     }
202                 }
203 
204                 @Override
205                 public void operationComplete(ChannelProgressiveFuture future) {
206                     System.err.println(future.channel() + " Transfer complete.");
207                 }
208             });
209         } else {
210             // Unsupported message type
211             System.out.println("Unsupported message type: " + msg);
212         }
213     }
214 
215     @Override
216     public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
217         cause.printStackTrace();
218         if (ctx.channel().isActive()) {
219             sendError(ctx, INTERNAL_SERVER_ERROR);
220         }
221     }
222 
223     private static final Pattern INSECURE_URI = Pattern.compile(".*[<>&\"].*");
224 
225     private static String sanitizeUri(String uri) throws UnsupportedEncodingException {
226         // Decode the path.
227         uri = URLDecoder.decode(uri, "UTF-8");
228 
229         if (uri.isEmpty() || uri.charAt(0) != '/') {
230             return null;
231         }
232 
233         // Convert file separators.
234         uri = uri.replace('/', File.separatorChar);
235 
236         // Simplistic dumb security check.
237         // You will have to do something serious in the production environment.
238         if (uri.contains(File.separator + '.') ||
239                 uri.contains('.' + File.separator) ||
240                 uri.charAt(0) == '.' || uri.charAt(uri.length() - 1) == '.' ||
241                 INSECURE_URI.matcher(uri).matches()) {
242             return null;
243         }
244 
245         // Convert to absolute path.
246         return SystemPropertyUtil.get("user.dir") + File.separator + uri;
247     }
248 
249     private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*");
250 
251     private void sendListing(ChannelHandlerContext ctx, File dir, String dirPath) {
252         StringBuilder buf = new StringBuilder()
253                 .append("<!DOCTYPE html>\r\n")
254                 .append("<html><head><meta charset='utf-8' /><title>")
255                 .append("Listing of: ")
256                 .append(dirPath)
257                 .append("</title></head><body>\r\n")
258 
259                 .append("<h3>Listing of: ")
260                 .append(dirPath)
261                 .append("</h3>\r\n")
262 
263                 .append("<ul>")
264                 .append("<li><a href=\"../\">..</a></li>\r\n");
265 
266         File[] files = dir.listFiles();
267         if (files != null) {
268             for (File f : files) {
269                 if (f.isHidden() || !f.canRead()) {
270                     continue;
271                 }
272 
273                 String name = f.getName();
274                 if (!ALLOWED_FILE_NAME.matcher(name).matches()) {
275                     continue;
276                 }
277 
278                 buf.append("<li><a href=\"")
279                         .append(name)
280                         .append("\">")
281                         .append(name)
282                         .append("</a></li>\r\n");
283             }
284         }
285 
286         buf.append("</ul></body></html>\r\n");
287 
288         ByteBuf buffer = ctx.alloc().buffer(buf.length());
289         buffer.writeCharSequence(buf.toString(), CharsetUtil.UTF_8);
290 
291         Http2Headers headers = new DefaultHttp2Headers();
292         headers.status(OK.toString());
293         headers.add(HttpHeaderNames.CONTENT_TYPE, "text/html; charset=UTF-8");
294 
295         ctx.write(new DefaultHttp2HeadersFrame(headers).stream(stream));
296         ctx.writeAndFlush(new DefaultHttp2DataFrame(buffer, true).stream(stream));
297     }
298 
299     private void sendRedirect(ChannelHandlerContext ctx, String newUri) {
300         Http2Headers headers = new DefaultHttp2Headers();
301         headers.status(FOUND.toString());
302         headers.add(HttpHeaderNames.LOCATION, newUri);
303 
304         ctx.writeAndFlush(new DefaultHttp2HeadersFrame(headers, true).stream(stream));
305     }
306 
307     private void sendError(ChannelHandlerContext ctx, HttpResponseStatus status) {
308         Http2Headers headers = new DefaultHttp2Headers();
309         headers.status(status.toString());
310         headers.add(HttpHeaderNames.CONTENT_TYPE, "text/plain; charset=UTF-8");
311 
312         Http2HeadersFrame headersFrame = new DefaultHttp2HeadersFrame(headers);
313         headersFrame.stream(stream);
314 
315         Http2DataFrame dataFrame = new DefaultHttp2DataFrame(
316                 Unpooled.copiedBuffer("Failure: " + status + "\r\n", CharsetUtil.UTF_8), true);
317         dataFrame.stream(stream);
318 
319         ctx.write(headersFrame);
320         ctx.writeAndFlush(dataFrame);
321     }
322 
323     /**
324      * When file timestamp is the same as what the browser is sending up, send a "304 Not Modified"
325      *
326      * @param ctx Context
327      */
328     private void sendNotModified(ChannelHandlerContext ctx) {
329         Http2Headers headers = new DefaultHttp2Headers();
330         headers.status(NOT_MODIFIED.toString());
331         setDateHeader(headers);
332 
333         ctx.writeAndFlush(new DefaultHttp2HeadersFrame(headers, true).stream(stream));
334     }
335 
336     /**
337      * Sets the Date header for the HTTP response
338      *
339      * @param headers Http2 Headers
340      */
341     private static void setDateHeader(Http2Headers headers) {
342         SimpleDateFormat dateFormatter = new SimpleDateFormat(HTTP_DATE_FORMAT, Locale.US);
343         dateFormatter.setTimeZone(TimeZone.getTimeZone(HTTP_DATE_GMT_TIMEZONE));
344 
345         Calendar time = new GregorianCalendar();
346         headers.set(HttpHeaderNames.DATE, dateFormatter.format(time.getTime()));
347     }
348 
349     /**
350      * Sets the Date and Cache headers for the HTTP Response
351      *
352      * @param headers     Http2 Headers
353      * @param fileToCache file to extract content type
354      */
355     private static void setDateAndCacheHeaders(Http2Headers headers, File fileToCache) {
356         SimpleDateFormat dateFormatter = new SimpleDateFormat(HTTP_DATE_FORMAT, Locale.US);
357         dateFormatter.setTimeZone(TimeZone.getTimeZone(HTTP_DATE_GMT_TIMEZONE));
358 
359         // Date header
360         Calendar time = new GregorianCalendar();
361         headers.set(HttpHeaderNames.DATE, dateFormatter.format(time.getTime()));
362 
363         // Add cache headers
364         time.add(Calendar.SECOND, HTTP_CACHE_SECONDS);
365         headers.set(HttpHeaderNames.EXPIRES, dateFormatter.format(time.getTime()));
366         headers.set(HttpHeaderNames.CACHE_CONTROL, "private, max-age=" + HTTP_CACHE_SECONDS);
367         headers.set(HttpHeaderNames.LAST_MODIFIED, dateFormatter.format(new Date(fileToCache.lastModified())));
368     }
369 
370     /**
371      * Sets the content type header for the HTTP Response
372      *
373      * @param headers Http2 Headers
374      * @param file    file to extract content type
375      */
376     private static void setContentTypeHeader(Http2Headers headers, File file) {
377         MimetypesFileTypeMap mimeTypesMap = new MimetypesFileTypeMap();
378         headers.set(HttpHeaderNames.CONTENT_TYPE, mimeTypesMap.getContentType(file.getPath()));
379     }
380 }