When using embedded Jetty, an error response to a HEAD request has a body #23551

@andreaceccanti

Dear Spring Boot devs,

according to the HTTP RFC:

The HEAD method is identical to GET except that the server MUST NOT
send a message body in the response (i.e., the response terminates at
the end of the header section).

AFAIU this should also apply to error responses, but when the Jetty embedded container
is used the requirement is not respected.

Starting from a vanilla Spring Boot app created from the Spring Initializr, a simple way
to check this is to do a HEAD for a resource that does not exist.

The result when the Tomcat container is used is:

08:14 $ telnet localhost 8080
Trying 127.0.0.1...
Connected to localunixsocket.
Escape character is '^]'.
HEAD /not-found HTTP/1.1
Host: localhost:8080

HTTP/1.1 401
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 01 Oct 2020 06:14:23 GMT

The result when Jetty is used is:

08:14 $ telnet localhost 8080
Trying 127.0.0.1...
Connected to localunixsocket.
Escape character is '^]'.
HEAD /not-found HTTP/1.1
Host: localhost:8080

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: application/json
Transfer-Encoding: chunked

72
{"timestamp":"2020-10-01T06:15:50.050+00:00","status":401,"error":"Unauthorized","message":"","path":"/not-found"}
0

The two apps are built using Maven. The only difference in the pom.xml is the selection of the embedded container:

diff --git a/../head-tomcat/pom.xml b/pom.xml
index 70b7a17..549e6e3 100644
--- a/../head-tomcat/pom.xml
+++ b/pom.xml
@@ -1,12 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>2.3.4.RELEASE</version>
-		<relativePath/> <!-- lookup parent from repository -->
+		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.example</groupId>
 	<artifactId>head</artifactId>
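Review bot: The joined `<project ...>` line and the `<relativePath />` spacing change at the top of this hunk are whitespace-only and unrelated to the container selection. Reverting them would leave the pom.xml diff showing only the dependency change that distinguishes the two apps.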
@@ -23,9 +22,21 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-tomcat</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jetty</artifactId>
 		</dependency>
 
 		<dependency>
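Review bot: The blank `+` line added ahead of the spring-boot-starter-web dependency is a stray whitespace change and can be dropped. Neither the spring-boot-starter-tomcat exclusion nor the added spring-boot-starter-jetty dependency carries a version, so the Jetty release in use is whatever the 2.3.4.RELEASE parent resolves; stating that resolved version alongside the diff would tie the HEAD behaviour to a specific Jetty release.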

One of our services relies on features in Jetty, so we cannot easily switch to the Tomcat container, and this HEAD behavior is causing problems for some clients.

Thanks!
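Added example (not part of the original report, and not Spring Boot or Jetty code): an offline check that takes the raw bytes of an HTTP/1.1 response to a HEAD request and returns any message body sent after the header section, decoding chunked framing. The two captures are constructed from the telnet transcripts above with most headers trimmed, and the function names are hypothetical.

```python
# Added example: check captured HEAD responses for a message body.
# Captures below are constructed from the two telnet transcripts in the report.
JSON_ERROR = (b'{"timestamp":"2020-10-01T06:15:50.050+00:00","status":401,'
              b'"error":"Unauthorized","message":"","path":"/not-found"}')
COMMON = b"Content-Type: application/json\r\nTransfer-Encoding: chunked\r\n"
TOMCAT_CAPTURE = b"HTTP/1.1 401\r\n" + COMMON + b"\r\n"
JETTY_CAPTURE = (b"HTTP/1.1 401 Unauthorized\r\n" + COMMON + b"\r\n"
                 + b"%x\r\n" % len(JSON_ERROR) + JSON_ERROR + b"\r\n0\r\n\r\n")


def split_response(raw: bytes):
    """Split a raw response into (status_code, headers, bytes_after_headers)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section is not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def decode_chunked(data: bytes) -> bytes:
    """Decode chunked framing: hex size line, chunk data, CRLF, ended by a 0 chunk."""
    body = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        body, data = body + data[:size], data[size + 2:]  # skip the trailing CRLF
    return body


def head_body(raw: bytes) -> bytes:
    """Return the body that follows the headers of a HEAD response.

    An empty result means the response ends at the header section, as required.
    """
    _, headers, rest = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return decode_chunked(rest)
    return rest
```
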
