Add Nohttp Checks

build.gradle

@@ -4,6 +4,7 @@ buildscript {
 	}
 	dependencies {
 		classpath("io.spring.gradle:propdeps-plugin:0.0.9.RELEASE")
+		classpath("io.spring.nohttp:nohttp-gradle:0.0.2.RELEASE")
 		classpath("org.asciidoctor:asciidoctorj-pdf:1.5.0-alpha.16")
 	}
 }
@@ -251,9 +252,21 @@ configure(rootProject) {
 	description = "Spring Framework"
 
 	apply plugin: "groovy"
+	apply plugin: "io.spring.nohttp"
 	apply from: "${gradleScriptDir}/jdiff.gradle"
 	apply from: "${gradleScriptDir}/docs.gradle"
 
+	nohttp {
+		source.exclude "**/test-output/**"
+		whitelistFile = project.file("src/nohttp/whitelist.lines")
+		def projectDirURI = project.projectDir.toURI()
+		allprojects.forEach { p ->
+			def outURI = p.file("out").toURI()
+			def pattern = projectDirURI.relativize(outURI).path + "**"
+			source.exclude pattern
+		}
+	}
+
 	dependencyManagement {
 		imports {
 			mavenBom "io.projectreactor:reactor-bom:${reactorVersion}"

gradlew

@@ -7,7 +7,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,

gradlew.bat

@@ -5,7 +5,7 @@
 @rem you may not use this file except in compliance with the License.
 @rem You may obtain a copy of the License at
 @rem
-@rem      http://www.apache.org/licenses/LICENSE-2.0
+@rem      https://www.apache.org/licenses/LICENSE-2.0
 @rem
 @rem Unless required by applicable law or agreed to in writing, software
 @rem distributed under the License is distributed on an "AS IS" BASIS,

spring-beans/src/main/java/org/springframework/beans/factory/xml/BeanDefinitionParserDelegate.java

@@ -1406,7 +1406,7 @@ public BeanDefinitionHolder decorateIfRequired(
 					return decorated;
 				}
 			}
-			else if (namespaceUri.startsWith("http://www.springframework.org/")) {
+			else if (namespaceUri.startsWith("http://www.springframework.org/schema/")) {
 				error("Unable to locate Spring NamespaceHandler for XML schema namespace [" + namespaceUri + "]", node);
 			}
 			else {

spring-test/src/main/java/org/springframework/test/web/servlet/htmlunit/HostRequestMatcher.java

@@ -41,11 +41,11 @@
  * <p>Alternatively, one can also specify the port. For example, the following would match
  * any request to the host {@code "code.jquery.com"} with the port of {@code 80}.
  *
- * <pre class="code">WebRequestMatcher cdnMatcher = new HostMatcher("code.jquery.com:80");</pre>
+ * <pre class="code">WebRequestMatcher cdnMatcher = new HostMatcher("code.jquery.example:80");</pre>
  *
- * <p>The above {@code cdnMatcher} would match {@code "http://code.jquery.com/jquery.js"}
- * which has a default port of {@code 80} and {@code "http://code.jquery.com:80/jquery.js"}.
- * However, it would not match {@code "https://code.jquery.com/jquery.js"}
+ * <p>The above {@code cdnMatcher} would match {@code "http://code.jquery.example/jquery.js"}
+ * which has a default port of {@code 80} and {@code "http://code.jquery.example:80/jquery.js"}.
+ * However, it would not match {@code "https://code.jquery.example/jquery.js"}
  * which has a default port of {@code 443}.
  *
  * @author Rob Winch

spring-test/src/test/java/org/springframework/test/web/client/match/MockRestRequestMatchersTests.java

@@ -42,30 +42,30 @@ public class MockRestRequestMatchersTests {
 
 	@Test
 	public void requestTo() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/bar"));
+		this.request.setURI(new URI("http://www.foo.example/bar"));
 
-		MockRestRequestMatchers.requestTo("http://www.foo.com/bar").match(this.request);
+		MockRestRequestMatchers.requestTo("http://www.foo.example/bar").match(this.request);
 	}
 
 	@Test  // SPR-15819
 	public void requestToUriTemplate() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/bar"));
+		this.request.setURI(new URI("http://www.foo.example/bar"));
 
-		MockRestRequestMatchers.requestToUriTemplate("http://www.foo.com/{bar}", "bar").match(this.request);
+		MockRestRequestMatchers.requestToUriTemplate("http://www.foo.example/{bar}", "bar").match(this.request);
 	}
 
 	@Test
 	public void requestToNoMatch() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/bar"));
+		this.request.setURI(new URI("http://www.foo.example/bar"));
 
 		assertThatThrownBy(
-			() -> MockRestRequestMatchers.requestTo("http://www.foo.com/wrong").match(this.request))
+			() -> MockRestRequestMatchers.requestTo("http://www.foo.example/wrong").match(this.request))
 				.isInstanceOf(AssertionError.class);
 	}
 
 	@Test
 	public void requestToContains() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/bar"));
+		this.request.setURI(new URI("http://www.foo.example/bar"));
 
 		MockRestRequestMatchers.requestTo(containsString("bar")).match(this.request);
 	}
@@ -157,14 +157,14 @@ public void headersWithMissingValue() throws Exception {
 
 	@Test
 	public void queryParam() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/a?foo=bar&foo=baz"));
+		this.request.setURI(new URI("http://www.foo.example/a?foo=bar&foo=baz"));
 
 		MockRestRequestMatchers.queryParam("foo", "bar", "baz").match(this.request);
 	}
 
 	@Test
 	public void queryParamMissing() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/a"));
+		this.request.setURI(new URI("http://www.foo.example/a"));
 
 		assertThatThrownBy(() -> MockRestRequestMatchers.queryParam("foo", "bar").match(this.request))
 			.isInstanceOf(AssertionError.class)
@@ -173,7 +173,7 @@ public void queryParamMissing() throws Exception {
 
 	@Test
 	public void queryParamMissingValue() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/a?foo=bar&foo=baz"));
+		this.request.setURI(new URI("http://www.foo.example/a?foo=bar&foo=baz"));
 
 		assertThatThrownBy(() -> MockRestRequestMatchers.queryParam("foo", "bad").match(this.request))
 			.isInstanceOf(AssertionError.class)
@@ -182,14 +182,14 @@ public void queryParamMissingValue() throws Exception {
 
 	@Test
 	public void queryParamContains() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/a?foo=bar&foo=baz"));
+		this.request.setURI(new URI("http://www.foo.example/a?foo=bar&foo=baz"));
 
 		MockRestRequestMatchers.queryParam("foo", containsString("ba")).match(this.request);
 	}
 
 	@Test
 	public void queryParamContainsWithMissingValue() throws Exception {
-		this.request.setURI(new URI("http://www.foo.com/a?foo=bar&foo=baz"));
+		this.request.setURI(new URI("http://www.foo.example/a?foo=bar&foo=baz"));
 
 		assertThatThrownBy(() -> MockRestRequestMatchers.queryParam("foo", containsString("bx")).match(this.request))
 			.isInstanceOf(AssertionError.class)

spring-test/src/test/java/org/springframework/test/web/servlet/htmlunit/HostRequestMatcherTests.java

@@ -31,14 +31,14 @@ public class HostRequestMatcherTests extends AbstractWebRequestMatcherTests {
 	public void localhost() throws Exception {
 		WebRequestMatcher matcher = new HostRequestMatcher("localhost");
 		assertMatches(matcher, "http://localhost/jquery-1.11.0.min.js");
-		assertDoesNotMatch(matcher, "http://example.com/jquery-1.11.0.min.js");
+		assertDoesNotMatch(matcher, "http://company.example/jquery-1.11.0.min.js");
 	}
 
 	@Test
 	public void multipleHosts() throws Exception {
 		WebRequestMatcher matcher = new HostRequestMatcher("localhost", "example.com");
 		assertMatches(matcher, "http://localhost/jquery-1.11.0.min.js");
-		assertMatches(matcher, "http://example.com/jquery-1.11.0.min.js");
+		assertMatches(matcher, "https://example.com/jquery-1.11.0.min.js");
 	}
 
 	@Test

spring-test/src/test/java/org/springframework/test/web/servlet/htmlunit/HtmlUnitRequestBuilderTests.java

@@ -71,7 +71,7 @@ public class HtmlUnitRequestBuilderTests {
 
 	@Before
 	public void setup() throws Exception {
-		webRequest = new WebRequest(new URL("http://example.com:80/test/this/here"));
+		webRequest = new WebRequest(new URL("https://example.com/test/this/here"));
 		webRequest.setHttpMethod(HttpMethod.GET);
 		requestBuilder = new HtmlUnitRequestBuilder(sessions, webClient, webRequest);
 	}
@@ -174,7 +174,7 @@ public void buildRequestContextPathUsesFirstSegmentByDefault() {
 
 	@Test
 	public void buildRequestContextPathUsesNoFirstSegmentWithDefault() throws MalformedURLException {
-		webRequest.setUrl(new URL("http://example.com/"));
+		webRequest.setUrl(new URL("https://example.com/"));
 		String contextPath = requestBuilder.buildRequest(servletContext).getContextPath();
 
 		assertThat(contextPath).isEqualTo("");
@@ -342,7 +342,8 @@ public void buildRequestLocalName() {
 	}
 
 	@Test
-	public void buildRequestLocalPort() {
+	public void buildRequestLocalPort() throws Exception {
+		webRequest.setUrl(new URL("http://localhost:80/test/this/here"));
 		MockHttpServletRequest actualRequest = requestBuilder.buildRequest(servletContext);
 
 		assertThat(actualRequest.getLocalPort()).isEqualTo(80);
@@ -599,6 +600,7 @@ public void buildRequestRemoteHost() throws Exception {
 
 	@Test
 	public void buildRequestRemotePort() throws Exception {
+		webRequest.setUrl(new URL("http://localhost:80/test/this/here"));
 		MockHttpServletRequest actualRequest = requestBuilder.buildRequest(servletContext);
 
 		assertThat(actualRequest.getRemotePort()).isEqualTo(80);
@@ -615,7 +617,7 @@ public void buildRequestRemotePort8080() throws Exception {
 
 	@Test
 	public void buildRequestRemotePort80WithDefault() throws Exception {
-		webRequest.setUrl(new URL("http://example.com/"));
+		webRequest.setUrl(new URL("http://company.example/"));
 
 		MockHttpServletRequest actualRequest = requestBuilder.buildRequest(servletContext);
 
@@ -647,11 +649,12 @@ public void buildRequestUri() {
 	@Test
 	public void buildRequestUrl() {
 		String uri = requestBuilder.buildRequest(servletContext).getRequestURL().toString();
-		assertThat(uri).isEqualTo("http://example.com/test/this/here");
+		assertThat(uri).isEqualTo("https://example.com/test/this/here");
 	}
 
 	@Test
 	public void buildRequestSchemeHttp() throws Exception {
+		webRequest.setUrl(new URL("http://localhost:80/test/this/here"));
 		MockHttpServletRequest actualRequest = requestBuilder.buildRequest(servletContext);
 
 		assertThat(actualRequest.getScheme()).isEqualTo("http");
@@ -674,6 +677,7 @@ public void buildRequestServerName() throws Exception {
 
 	@Test
 	public void buildRequestServerPort() throws Exception {
+		webRequest.setUrl(new URL("http://localhost:80/test/this/here"));
 		MockHttpServletRequest actualRequest = requestBuilder.buildRequest(servletContext);
 
 		assertThat(actualRequest.getServerPort()).isEqualTo(80);

spring-test/src/test/java/org/springframework/test/web/servlet/htmlunit/MockMvcConnectionBuilderSupportTests.java

@@ -108,13 +108,13 @@ public void mockMvcExampleDotCom() throws Exception {
 
 		assertMockMvcUsed(conn, "http://localhost/");
 		assertMockMvcUsed(conn, "https://example.com/");
-		assertMockMvcNotUsed(conn, "http://other.com/");
+		assertMockMvcNotUsed(conn, "http://other.example/");
 	}
 
 	@Test
 	public void mockMvcAlwaysUseMockMvc() throws Exception {
 		WebConnection conn = this.builder.alwaysUseMockMvc().createConnection(this.client);
-		assertMockMvcUsed(conn, "http://other.com/");
+		assertMockMvcUsed(conn, "http://other.example/");
 	}
 
 	@Test

spring-test/src/test/java/org/springframework/test/web/servlet/htmlunit/MockWebResponseBuilderTests.java

@@ -50,7 +50,7 @@ public class MockWebResponseBuilderTests {
 
 	@Before
 	public void setup() throws Exception {
-		this.webRequest = new WebRequest(new URL("http://example.com:80/test/this/here"));
+		this.webRequest = new WebRequest(new URL("http://company.example:80/test/this/here"));
 		this.responseBuilder = new MockWebResponseBuilder(System.currentTimeMillis(), this.webRequest, this.response);
 	}
 
@@ -66,7 +66,7 @@ public void constructorWithNullWebRequest() {
 	@Test
 	public void constructorWithNullResponse() throws Exception {
 		assertThatIllegalArgumentException().isThrownBy(() ->
-				new MockWebResponseBuilder(0L, new WebRequest(new URL("http://example.com:80/test/this/here")), null));
+				new MockWebResponseBuilder(0L, new WebRequest(new URL("http://company.example:80/test/this/here")), null));
 	}
 
 

spring-web/src/test/java/org/springframework/http/server/ServletServerHttpRequestTests.java

@@ -81,18 +81,22 @@ public void getUriWithQueryString() throws URISyntaxException {
 
 	@Test  // SPR-16414
 	public void getUriWithQueryParam() throws URISyntaxException {
+		mockRequest.setScheme("https");
+		mockRequest.setServerPort(443);
 		mockRequest.setServerName("example.com");
 		mockRequest.setRequestURI("/path");
 		mockRequest.setQueryString("query=foo");
-		assertThat(request.getURI()).isEqualTo(new URI("http://example.com/path?query=foo"));
+		assertThat(request.getURI()).isEqualTo(new URI("https://example.com/path?query=foo"));
 	}
 
 	@Test  // SPR-16414
 	public void getUriWithMalformedQueryParam() throws URISyntaxException {
+		mockRequest.setScheme("https");
+		mockRequest.setServerPort(443);
 		mockRequest.setServerName("example.com");
 		mockRequest.setRequestURI("/path");
 		mockRequest.setQueryString("query=foo%%x");
-		assertThat(request.getURI()).isEqualTo(new URI("http://example.com/path"));
+		assertThat(request.getURI()).isEqualTo(new URI("https://example.com/path"));
 	}
 
 	@Test  // SPR-13876

spring-web/src/test/java/org/springframework/web/cors/DefaultCorsProcessorTests.java

@@ -50,7 +50,7 @@ public class DefaultCorsProcessorTests {
 	public void setup() {
 		this.request = new MockHttpServletRequest();
 		this.request.setRequestURI("/test.html");
-		this.request.setServerName("domain1.com");
+		this.request.setServerName("domain1.example");
 		this.conf = new CorsConfiguration();
 		this.response = new MockHttpServletResponse();
 		this.response.setStatus(HttpServletResponse.SC_OK);
@@ -71,7 +71,7 @@ public void requestWithoutOriginHeader() throws Exception {
 	@Test
 	public void sameOriginRequest() throws Exception {
 		this.request.setMethod(HttpMethod.GET.name());
-		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain1.com");
+		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain1.example");
 
 		this.processor.processRequest(this.conf, this.request, this.response);
 		assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isFalse();
@@ -124,7 +124,7 @@ public void actualRequestCredentials() throws Exception {
 		this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
 		this.conf.addAllowedOrigin("https://domain1.com");
 		this.conf.addAllowedOrigin("https://domain2.com");
-		this.conf.addAllowedOrigin("http://domain3.com");
+		this.conf.addAllowedOrigin("http://domain3.example");
 		this.conf.setAllowCredentials(true);
 
 		this.processor.processRequest(this.conf, this.request, this.response);
@@ -296,7 +296,7 @@ public void preflightRequestCredentials() throws Exception {
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.conf.addAllowedOrigin("https://domain1.com");
 		this.conf.addAllowedOrigin("https://domain2.com");
-		this.conf.addAllowedOrigin("http://domain3.com");
+		this.conf.addAllowedOrigin("http://domain3.example");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
 
@@ -318,7 +318,7 @@ public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.conf.addAllowedOrigin("https://domain1.com");
 		this.conf.addAllowedOrigin("*");
-		this.conf.addAllowedOrigin("http://domain3.com");
+		this.conf.addAllowedOrigin("http://domain3.example");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
 

spring-web/src/test/java/org/springframework/web/cors/reactive/CorsUtilsTests.java

@@ -39,7 +39,7 @@ public class CorsUtilsTests {
 
 	@Test
 	public void isCorsRequest() {
-		ServerHttpRequest request = get("http://domain.com/").header(HttpHeaders.ORIGIN, "https://domain.com").build();
+		ServerHttpRequest request = get("http://domain.example/").header(HttpHeaders.ORIGIN, "https://domain.com").build();
 		assertThat(CorsUtils.isCorsRequest(request)).isTrue();
 	}
 
@@ -69,32 +69,32 @@ public void isNotPreFlightRequest() {
 
 	@Test  // SPR-16262
 	public void isSameOriginWithXForwardedHeaders() {
-		String server = "mydomain1.com";
-		testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.com");
-		testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.com");
-		testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", -1, "https://mydomain2.com");
-		testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", -1, "https://mydomain2.com");
-		testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
-		testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
+		String server = "mydomain1.example";
+		testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.example");
+		testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.example");
+		testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", -1, "https://mydomain2.example");
+		testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", -1, "https://mydomain2.example");
+		testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
+		testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
 	}
 
 	@Test  // SPR-16262
 	public void isSameOriginWithForwardedHeader() {
-		String server = "mydomain1.com";
-		testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.com");
-		testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.com");
-		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com", "https://mydomain2.com");
-		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com", "https://mydomain2.com");
-		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
-		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
+		String server = "mydomain1.example";
+		testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.example");
+		testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.example");
+		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example", "https://mydomain2.example");
+		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example", "https://mydomain2.example");
+		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
+		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
 	}
 
 	@Test  // SPR-16362
 	@SuppressWarnings("deprecation")
 	public void isSameOriginWithDifferentSchemes() {
 		MockServerHttpRequest request = MockServerHttpRequest
-				.get("http://mydomain1.com")
-				.header(HttpHeaders.ORIGIN, "https://mydomain1.com")
+				.get("http://mydomain1.example")
+				.header(HttpHeaders.ORIGIN, "https://mydomain1.example")
 				.build();
 		assertThat(CorsUtils.isSameOrigin(request)).isFalse();
 	}