Bug 63311 - Allow to use https: protocol in xsi:schemaLocation of web.xml, web-fragment.xml (validation fails with recent releases of Spring)
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: 9.0.17
Hardware: PC All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2019-04-03 03:33 UTC by Konstantin Kolinko
Modified: 2019-04-09 13:10 UTC



Description Konstantin Kolinko 2019-04-03 03:33:35 UTC
Spring Framework has a META-INF/web-fragment.xml file in their spring-web-4.3.*.jar library. In version 4.3.23, which was released on March 31st, they changed the value of xsi:schemaLocation in that file:

-	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
+	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee https://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
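
Review bot: On the `+` line only the second token of xsi:schemaLocation, the schema location hint, moves to https:, while the first token (the namespace name) stays http:. A location hint works as an identifier as well as a URL, so a consumer that matches it literally against schemas it already ships, rather than fetching it, will not recognise the new string. Keep the http: form in descriptors that servlet containers read, or confirm that the supported containers accept the https: form before releasing.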

The schema URL was changed from "http:" to "https:".

The problem is that if Tomcat or the web application is configured so that the web.xml and web-fragment.xml files are validated, the web application fails to start.

Steps to reproduce
with ROOT application on a clean Tomcat 9.0.17 install:

1. Add the following line to conf/catalina.properties:

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

2. Create directory webapps/ROOT/WEB-INF/lib and place the following jar file there:

spring-web-4.3.23.RELEASE.jar

The library can be downloaded from the following page:
https://search.maven.org/artifact/org.springframework/spring-web/4.3.23.RELEASE/jar

3. Start Tomcat.

4. ACTUAL:
The ROOT web application fails to start, and the following error is printed into catalina.2019-04-**.log:

03-Apr-2019 **:**:**.234 SEVERE [main] org.apache.tomcat.util.digester.Digester.warning Parse warning at line [5] column [41]
03-Apr-2019 **:**:**.248 SEVERE [main] org.apache.tomcat.util.digester.Digester.error Parse error at line [5] column [41]
 org.xml.sax.SAXParseException; systemId: jar:file:*OMITTED*/webapps/ROOT/WEB-INF/lib/spring-web-4.3.23.RELEASE.jar!/META-INF/web-fragment.xml; lineNumber: 5; columnNumber: 41; cvc-elt.1: Cannot find the declaration of element 'web-fragment'.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1901)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:741)
	[...]
	at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1431)
	at org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml(WebXmlParser.java:119)
	at org.apache.tomcat.util.descriptor.web.FragmentJarScannerCallback.scan(FragmentJarScannerCallback.java:77)
	at org.apache.tomcat.util.scan.StandardJarScanner.process(StandardJarScanner.java:378)
	at org.apache.tomcat.util.scan.StandardJarScanner.scan(StandardJarScanner.java:191)
	at org.apache.catalina.startup.ContextConfig.processJarsForWebFragments(ContextConfig.java:1956)
	at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1122)
	at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:768)
	at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:301)
	[...]

EXPECTED:
If the library is downgraded to version 4.3.22, the web application starts successfully.
Comment 1 Konstantin Kolinko 2019-04-03 03:47:09 UTC
Commit that did the change in Spring Framework (beware that it has 612 changed files):

https://github.com/spring-projects/spring-framework/commit/d40ed0942bbf184694ab522b54d616d63111c6be?diff=unified
Comment 2 Konstantin Kolinko 2019-04-03 04:02:50 UTC
In the tag libraries in spring-webmvc-4.3.23.RELEASE.jar they also changed

META-INF/spring.tld
META-INF/spring-form.tld

- xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee https://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"

That caused a failure during scanning of TLDs and compilation failures for JSPs in some configurations (7.0.93, metadata-complete="true" so that fragments are not scanned, the exact steps are TBD).

Why the ROOT app of 9.0.17 that has metadata-complete="true" performs scanning and validation for web-fragment.xml is a separate question.


Workaround

If I turn validation off by setting

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=false

the affected web applications start successfully.
Comment 3 Mark Thomas 2019-04-07 22:11:08 UTC
Fixed in:
- master for 9.0.18 onwards
- 8.5.x for 8.5.40 onwards
- 7.0.x for 7.0.94 onwards
Comment 4 Konstantin Kolinko 2019-04-09 13:10:46 UTC
I tested builds of current master and 7.0.x branches. The issue is fixed.
Thank you.
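
A pre-deployment check for the condition reported in this bug, added here as an example and not code from Tomcat or Spring: it lists the META-INF/web-fragment.xml and .tld entries of a jar whose xsi:schemaLocation carries an https: location, which is what breaks validation on releases older than the fixed ones listed in comment 3. The function names and the sample jar are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Descriptors read from inside a jar: the web fragment and tag library descriptors.
DESCRIPTOR = re.compile(r"^META-INF/(web-fragment\.xml|.*\.tld)$")
# The attribute value is a whitespace-separated list of (namespace, location) pairs.
SCHEMA_LOCATION = re.compile(r"""xsi:schemaLocation\s*=\s*(["'])(.*?)\1""", re.S)


def https_schema_locations(jar):
    """Return sorted (entry, location) pairs for https: schema locations in a jar.

    `jar` is a file path or a binary file-like object.
    """
    findings = []
    with zipfile.ZipFile(jar) as archive:
        for name in archive.namelist():
            if not DESCRIPTOR.match(name):
                continue
            # Regex extraction only: the untrusted XML is never handed to a parser.
            text = archive.read(name).decode("utf-8", errors="replace")
            for match in SCHEMA_LOCATION.finditer(text):
                # Tokens alternate namespace, location; only locations are checked.
                for location in match.group(2).split()[1::2]:
                    if location.lower().startswith("https:"):
                        findings.append((name, location))
    return sorted(findings)


def sample_jar(scheme):
    """Constructed sample jar whose schema locations use the given scheme."""
    def descriptor(root, ns, xsd):
        path = ns.split("://", 1)[1]
        return (f'<{root} xmlns="{ns}" '
                'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                f'xsi:schemaLocation="{ns} {scheme}://{path}/{xsd}"/>')
    javaee, j2ee = "http://java.sun.com/xml/ns/javaee", "http://java.sun.com/xml/ns/j2ee"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/web-fragment.xml", descriptor("web-fragment", javaee, "web-fragment_3_0.xsd"))
        archive.writestr("META-INF/spring.tld", descriptor("taglib", j2ee, "web-jsptaglibrary_2_0.xsd"))
        archive.writestr("com/example/other.xml", descriptor("other", javaee, "x.xsd"))  # not a descriptor
    return buf.getvalue()


if __name__ == "__main__":
    # With no arguments, scan the constructed sample instead of real jars.
    for target in sys.argv[1:] or [io.BytesIO(sample_jar("https"))]:
        for entry, location in https_schema_locations(target):
            print(f"{entry}: {location}")
```

Pass jar paths as arguments to scan the contents of a WEB-INF/lib directory before enabling validation.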