[CALCITE-6280] Jetty version number leaked by Avatica http server

server/src/main/java/org/apache/calcite/avatica/server/HttpServer.java

@@ -35,6 +35,7 @@
 import org.eclipse.jetty.server.AbstractConnectionFactory;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -319,7 +320,9 @@ private ConstraintSecurityHandler getSecurityHandler() {
 
   protected ServerConnector getServerConnector() {
     HttpConnectionFactory factory = new HttpConnectionFactory();
-    factory.getHttpConfiguration().setRequestHeaderSize(maxAllowedHeaderSize);
+    HttpConfiguration httpConfiguration = factory.getHttpConfiguration();
+    httpConfiguration.setSendServerVersion(false);
+    httpConfiguration.setRequestHeaderSize(maxAllowedHeaderSize);
 
     if (null == sslFactory) {
       return new ServerConnector(server, factory);

server/src/test/java/org/apache/calcite/avatica/server/BasicAuthHttpServerTest.java

@@ -26,11 +26,14 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.Properties;
 
 import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
 
@@ -159,6 +162,15 @@ public class BasicAuthHttpServerTest extends HttpAuthBase {
           e.getMessage());
     }
   }
+
+  @Test
+  public void testServerVersionNotReturnedForUnauthorisedAccess() throws Exception {
+    URL httpServerUrl = new URL("http://localhost:" + server.getPort());
+    HttpURLConnection conn = (HttpURLConnection) httpServerUrl.openConnection();
+    conn.setRequestMethod("GET");
+    assertEquals("Unauthorized response status code", 401, conn.getResponseCode());
+    assertNull("Server information was not expected", conn.getHeaderField("server"));
+  }
 }
 
 // End BasicAuthHttpServerTest.java

server/src/test/java/org/apache/calcite/avatica/server/DigestAuthHttpServerTest.java

@@ -26,11 +26,14 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.Properties;
 
 import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
 
@@ -172,6 +175,14 @@ public class DigestAuthHttpServerTest extends HttpAuthBase {
           e.getMessage());
     }
   }
+  @Test
+  public void testServerVersionNotReturnedForUnauthorisedAccess() throws Exception {
+    URL httpServerUrl = new URL("http://localhost:" + server.getPort());
+    HttpURLConnection conn = (HttpURLConnection) httpServerUrl.openConnection();
+    conn.setRequestMethod("GET");
+    assertEquals("Unauthorized response status code", 401, conn.getResponseCode());
+    assertNull("Server information was not expected", conn.getHeaderField("server"));
+  }
 }
 
 // End DigestAuthHttpServerTest.java

server/src/test/java/org/apache/calcite/avatica/server/HttpServerCustomizerTest.java

@@ -26,10 +26,13 @@
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+import static org.junit.Assert.assertNull;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -83,6 +86,30 @@ public class HttpServerCustomizerTest {
    */
   private static class UnsupportedServer {
   }
+
+  @Test
+  public void testServerVersionNotReturnedForUnauthorisedAccess() throws Exception {
+    ServerCustomizer<Server> mockCustomizer1 =
+            (ServerCustomizer<Server>) mock(ServerCustomizer.class);
+    ServerCustomizer<Server> mockCustomizer2 =
+            (ServerCustomizer<Server>) mock(ServerCustomizer.class);
+    Service service = new LocalService(mockMeta);
+    HttpServer server =
+            HttpServer.Builder.<Server>newBuilder().withHandler(service,
+                            Driver.Serialization.PROTOBUF)
+                    .withServerCustomizers(
+                            Arrays.asList(mockCustomizer1, mockCustomizer2), Server.class)
+                    .withPort(0).build();
+    try {
+      server.start();
+      URL httpServerUrl = new URL("http://localhost:" + server.getPort());
+      HttpURLConnection conn = (HttpURLConnection) httpServerUrl.openConnection();
+      conn.setRequestMethod("GET");
+      assertNull("Server information was not expected", conn.getHeaderField("server"));
+    } finally {
+      server.stop();
+    }
+  }
 }
 
 // End HttpServerCustomizerTest.java

server/src/test/java/org/apache/calcite/avatica/server/HttpServerSpnegoWithoutJaasTest.java

@@ -56,6 +56,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 /**
@@ -186,6 +187,14 @@ private static void setupUsers(File keytabDir) throws KrbException {
     assertEquals(401, conn.getResponseCode());
   }
 
+  @Test public void testServerVersionNotReturnedForUnauthorisedAccess() throws Exception {
+    LOG.info("Connecting to {}", httpServerUrl.toString());
+    HttpURLConnection conn = (HttpURLConnection) httpServerUrl.openConnection();
+    conn.setRequestMethod("GET");
+    assertEquals("Unauthorized response status code", 401, conn.getResponseCode());
+    assertNull("Server information was not expected", conn.getHeaderField("server"));
+  }
+
   @Test public void testAuthenticatedClientsAllowed() throws Exception {
     // Create the subject for the client
     final Subject clientSubject = AvaticaJaasKrbUtil.loginUsingKeytab(