/**
 * Check the {@code Origin} header of the given request against a collection of allowed origins.
 * A collection containing {@code "*"} means that every origin is accepted.
 * An empty collection means that only a same-origin request is accepted.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request (must not be {@code null})
 * @param allowedOrigins the configured allow-list (must not be {@code null})
 * @return {@code true} if the request origin is valid, {@code false} otherwise
 * @throws IllegalArgumentException if either argument is {@code null}
 * @since 4.1.5
 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 */
public static boolean isValidOrigin(HttpRequest request, Collection<String> allowedOrigins) {
    Assert.notNull(request, "Request must not be null");
    Assert.notNull(allowedOrigins, "Allowed origins must not be null");
    String requestOrigin = request.getHeaders().getOrigin();
    // A request without an Origin header is accepted as-is.
    if (requestOrigin == null) {
        return true;
    }
    // A wildcard entry short-circuits every other check.
    if (allowedOrigins.contains("*")) {
        return true;
    }
    // An empty allow-list falls back to the strict same-origin comparison.
    if (CollectionUtils.isEmpty(allowedOrigins)) {
        return isSameOrigin(request);
    }
    // Otherwise the header value must match one configured entry exactly (case-sensitive).
    return allowedOrigins.contains(requestOrigin);
}
/**
 * Rejects the WebSocket handshake with {@code 403 Forbidden} unless the request is
 * same-origin or its {@code Origin} header passes {@link WebUtils#isValidOrigin}.
 *
 * @return {@code true} to continue the handshake, {@code false} once it has been rejected
 */
@Override
public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
        WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
    boolean sameOrigin = WebUtils.isSameOrigin(request);
    if (sameOrigin || WebUtils.isValidOrigin(request, this.allowedOrigins)) {
        return true;
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    if (logger.isDebugEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.debug("Handshake request rejected, Origin header value " +
                request.getHeaders().getOrigin() + " not allowed");
    }
    return false;
}
/**
 * Verifies the request origin, answering {@code 403 Forbidden} when it is neither
 * same-origin nor on the configured allow-list.
 *
 * @param request the current request
 * @param response the response to mark as forbidden on rejection
 * @param httpMethods not consulted by this implementation
 * @return {@code true} if the origin is acceptable, {@code false} after the response was rejected
 */
protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response,
        HttpMethod... httpMethods) throws IOException {
    if (WebUtils.isSameOrigin(request)) {
        return true;
    }
    boolean originAllowed = WebUtils.isValidOrigin(request, this.allowedOrigins);
    if (originAllowed) {
        return true;
    }
    if (logger.isWarnEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.warn("Origin header value '" + request.getHeaders().getOrigin() + "' not allowed.");
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    return false;
}
/**
 * Check whether the request is same-origin by comparing the scheme, host and port of the
 * request URI with those parsed from the {@code Origin} header.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request
 * @return {@code true} if the request is a same-origin one (or carries no {@code Origin}
 * header), {@code false} in case of a cross-origin request
 * @throws IllegalArgumentException if the request URI lacks a scheme, host or resolvable port
 */
public static boolean isSameOrigin(ServerHttpRequest request) {
    String originHeader = request.getHeaders().getOrigin();
    if (originHeader == null) {
        return true;
    }
    URI requestUri = request.getURI();
    String requestScheme = requestUri.getScheme();
    String requestHost = requestUri.getHost();
    int requestPort = getPort(requestUri.getScheme(), requestUri.getPort());
    Assert.notNull(requestScheme, "Actual request scheme must not be null");
    Assert.notNull(requestHost, "Actual request host must not be null");
    Assert.isTrue(requestPort != -1, "Actual request port must not be undefined");
    UriComponents originComponents = UriComponentsBuilder.fromOriginHeader(originHeader).build();
    // Scheme and host are compared as exact (case-sensitive) strings.
    if (!requestScheme.equals(originComponents.getScheme())) {
        return false;
    }
    if (!requestHost.equals(originComponents.getHost())) {
        return false;
    }
    return requestPort == getPort(originComponents.getScheme(), originComponents.getPort());
}
/**
 * Check the {@code Origin} header of the given request against a collection of allowed origins.
 * A collection containing {@code "*"} means that every origin is accepted.
 * An empty collection means that only a same-origin request is accepted.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request (must not be {@code null})
 * @param allowedOrigins the configured allow-list (must not be {@code null})
 * @return {@code true} if the request origin is valid, {@code false} otherwise
 * @throws IllegalArgumentException if either argument is {@code null}
 * @since 4.1.5
 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 */
public static boolean isValidOrigin(HttpRequest request, Collection<String> allowedOrigins) {
    Assert.notNull(request, "Request must not be null");
    Assert.notNull(allowedOrigins, "Allowed origins must not be null");
    String requestOrigin = request.getHeaders().getOrigin();
    // A request without an Origin header is accepted as-is.
    if (requestOrigin == null) {
        return true;
    }
    // A wildcard entry short-circuits every other check.
    if (allowedOrigins.contains("*")) {
        return true;
    }
    // An empty allow-list falls back to the strict same-origin comparison.
    if (CollectionUtils.isEmpty(allowedOrigins)) {
        return isSameOrigin(request);
    }
    // Otherwise the header value must match one configured entry exactly (case-sensitive).
    return allowedOrigins.contains(requestOrigin);
}
String origin = headers.getOrigin(); if (origin == null) { return true;
/**
 * Check whether the request is same-origin by comparing the scheme, host and port of the
 * request URI with those parsed from the {@code Origin} header.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request
 * @return {@code true} if the request is a same-origin one (or carries no {@code Origin}
 * header), {@code false} in case of a cross-origin request
 * @throws IllegalArgumentException if the request URI lacks a scheme, host or resolvable port
 */
public static boolean isSameOrigin(ServerHttpRequest request) {
    String originHeader = request.getHeaders().getOrigin();
    if (originHeader == null) {
        return true;
    }
    URI requestUri = request.getURI();
    String requestScheme = requestUri.getScheme();
    String requestHost = requestUri.getHost();
    int requestPort = getPort(requestUri.getScheme(), requestUri.getPort());
    Assert.notNull(requestScheme, "Actual request scheme must not be null");
    Assert.notNull(requestHost, "Actual request host must not be null");
    Assert.isTrue(requestPort != -1, "Actual request port must not be undefined");
    UriComponents originComponents = UriComponentsBuilder.fromOriginHeader(originHeader).build();
    // Scheme and host are compared as exact (case-sensitive) strings.
    if (!requestScheme.equals(originComponents.getScheme())) {
        return false;
    }
    if (!requestHost.equals(originComponents.getHost())) {
        return false;
    }
    return requestPort == getPort(originComponents.getScheme(), originComponents.getPort());
}
String origin = headers.getOrigin(); if (origin == null) { return true;
CorsConfiguration config, boolean preFlightRequest) throws IOException { String requestOrigin = request.getHeaders().getOrigin(); String allowOrigin = checkOrigin(config, requestOrigin); HttpHeaders responseHeaders = response.getHeaders();
HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); String requestOrigin = request.getHeaders().getOrigin(); String allowOrigin = checkOrigin(config, requestOrigin); if (allowOrigin == null) {
CorsConfiguration config, boolean preFlightRequest) throws IOException { String requestOrigin = request.getHeaders().getOrigin(); String allowOrigin = checkOrigin(config, requestOrigin); HttpHeaders responseHeaders = response.getHeaders();
HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); String requestOrigin = request.getHeaders().getOrigin(); String allowOrigin = checkOrigin(config, requestOrigin); if (allowOrigin == null) {
/**
 * Verifies that {@code connect} forwards the handshake headers unchanged, registers a
 * timeout task, and that running that task disconnects the session.
 */
@Test
public void connect() throws Exception {
    // Handshake headers carry an Origin so we can check they are passed through untouched.
    HttpHeaders handshakeHeaders = new HttpHeaders();
    handshakeHeaders.setOrigin("foo");

    TransportRequest transportRequest = mock(TransportRequest.class);
    SockJsUrlInfo urlInfo = new SockJsUrlInfo(new URI("http://example.com"));
    given(transportRequest.getSockJsUrlInfo()).willReturn(urlInfo);
    given(transportRequest.getHandshakeHeaders()).willReturn(handshakeHeaders);
    given(transportRequest.getHttpRequestHeaders()).willReturn(new HttpHeaders());

    TestXhrTransport xhrTransport = new TestXhrTransport();
    WebSocketHandler wsHandler = mock(WebSocketHandler.class);
    xhrTransport.connect(transportRequest, wsHandler);

    // Every interaction with the request is expected; anything else is a regression.
    ArgumentCaptor<Runnable> timeoutTask = ArgumentCaptor.forClass(Runnable.class);
    verify(transportRequest).getSockJsUrlInfo();
    verify(transportRequest).addTimeoutTask(timeoutTask.capture());
    verify(transportRequest).getTransportUrl();
    verify(transportRequest).getHandshakeHeaders();
    verify(transportRequest).getHttpRequestHeaders();
    verifyNoMoreInteractions(transportRequest);

    assertEquals(1, xhrTransport.actualHandshakeHeaders.size());
    assertEquals("foo", xhrTransport.actualHandshakeHeaders.getOrigin());

    // Running the captured timeout task must disconnect the session.
    assertFalse(xhrTransport.actualSession.isDisconnected());
    timeoutTask.getValue().run();
    assertTrue(xhrTransport.actualSession.isDisconnected());
}
/**
 * Allows the handshake to proceed only when the request carries an {@code Origin} header.
 *
 * @return {@code true} if an {@code Origin} header is present, {@code false} otherwise
 */
@Override
public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
        WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
    String originHeader = request.getHeaders().getOrigin();
    if (originHeader == null) {
        return false;
    }
    return true;
}
/**
 * Check the {@code Origin} header of the given request against a collection of allowed origins.
 * A collection containing {@code "*"} means that every origin is accepted.
 * An empty collection means that only a same-origin request is accepted.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request (must not be {@code null})
 * @param allowedOrigins the configured allow-list (must not be {@code null})
 * @return {@code true} if the request origin is valid, {@code false} otherwise
 * @throws IllegalArgumentException if either argument is {@code null}
 * @since 4.1.5
 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 */
public static boolean isValidOrigin(HttpRequest request, Collection<String> allowedOrigins) {
    Assert.notNull(request, "Request must not be null");
    Assert.notNull(allowedOrigins, "Allowed origins must not be null");
    String requestOrigin = request.getHeaders().getOrigin();
    // A request without an Origin header is accepted as-is.
    if (requestOrigin == null) {
        return true;
    }
    // A wildcard entry short-circuits every other check.
    if (allowedOrigins.contains("*")) {
        return true;
    }
    // An empty allow-list falls back to the strict same-origin comparison.
    if (CollectionUtils.isEmpty(allowedOrigins)) {
        return isSameOrigin(request);
    }
    // Otherwise the header value must match one configured entry exactly (case-sensitive).
    return allowedOrigins.contains(requestOrigin);
}
/**
 * Rejects the WebSocket handshake with {@code 403 Forbidden} unless the request is
 * same-origin or its {@code Origin} header passes {@link WebUtils#isValidOrigin}.
 *
 * @return {@code true} to continue the handshake, {@code false} once it has been rejected
 */
@Override
public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
        WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
    boolean sameOrigin = WebUtils.isSameOrigin(request);
    if (sameOrigin || WebUtils.isValidOrigin(request, this.allowedOrigins)) {
        return true;
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    if (logger.isDebugEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.debug("Handshake request rejected, Origin header value " +
                request.getHeaders().getOrigin() + " not allowed");
    }
    return false;
}
/**
 * Rejects the WebSocket handshake with {@code 403 Forbidden} unless the request is
 * same-origin or its {@code Origin} header passes {@link WebUtils#isValidOrigin}.
 *
 * @return {@code true} to continue the handshake, {@code false} once it has been rejected
 */
@Override
public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
        WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
    boolean sameOrigin = WebUtils.isSameOrigin(request);
    if (sameOrigin || WebUtils.isValidOrigin(request, this.allowedOrigins)) {
        return true;
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    if (logger.isDebugEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.debug("Handshake request rejected, Origin header value " +
                request.getHeaders().getOrigin() + " not allowed");
    }
    return false;
}
/**
 * Verifies the request origin, answering {@code 403 Forbidden} when it is neither
 * same-origin nor on the configured allow-list.
 *
 * @param request the current request
 * @param response the response to mark as forbidden on rejection
 * @param httpMethods not consulted by this implementation
 * @return {@code true} if the origin is acceptable, {@code false} after the response was rejected
 */
protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response,
        HttpMethod... httpMethods) throws IOException {
    if (WebUtils.isSameOrigin(request)) {
        return true;
    }
    boolean originAllowed = WebUtils.isValidOrigin(request, this.allowedOrigins);
    if (originAllowed) {
        return true;
    }
    if (logger.isWarnEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.warn("Origin header value '" + request.getHeaders().getOrigin() + "' not allowed.");
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    return false;
}
/**
 * Verifies the request origin, answering {@code 403 Forbidden} when it is neither
 * same-origin nor on the configured allow-list.
 *
 * @param request the current request
 * @param response the response to mark as forbidden on rejection
 * @param httpMethods not consulted by this implementation
 * @return {@code true} if the origin is acceptable, {@code false} after the response was rejected
 */
protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response,
        HttpMethod... httpMethods) throws IOException {
    if (WebUtils.isSameOrigin(request)) {
        return true;
    }
    boolean originAllowed = WebUtils.isValidOrigin(request, this.allowedOrigins);
    if (originAllowed) {
        return true;
    }
    if (logger.isWarnEnabled()) {
        // The Origin value is client-supplied and is written to the log unchanged.
        logger.warn("Origin header value '" + request.getHeaders().getOrigin() + "' not allowed.");
    }
    response.setStatusCode(HttpStatus.FORBIDDEN);
    return false;
}
/**
 * Check whether the request is same-origin by comparing the scheme, host and port of the
 * request URI with those parsed from the {@code Origin} header.
 *
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 *
 * @param request the current request
 * @return {@code true} if the request is a same-origin one (or carries no {@code Origin}
 * header), {@code false} in case of a cross-origin request
 * @throws IllegalArgumentException if the request URI lacks a scheme, host or resolvable port
 */
public static boolean isSameOrigin(ServerHttpRequest request) {
    String originHeader = request.getHeaders().getOrigin();
    if (originHeader == null) {
        return true;
    }
    URI requestUri = request.getURI();
    String requestScheme = requestUri.getScheme();
    String requestHost = requestUri.getHost();
    int requestPort = getPort(requestUri.getScheme(), requestUri.getPort());
    Assert.notNull(requestScheme, "Actual request scheme must not be null");
    Assert.notNull(requestHost, "Actual request host must not be null");
    Assert.isTrue(requestPort != -1, "Actual request port must not be undefined");
    UriComponents originComponents = UriComponentsBuilder.fromOriginHeader(originHeader).build();
    // Scheme and host are compared as exact (case-sensitive) strings.
    if (!requestScheme.equals(originComponents.getScheme())) {
        return false;
    }
    if (!requestHost.equals(originComponents.getHost())) {
        return false;
    }
    return requestPort == getPort(originComponents.getScheme(), originComponents.getPort());
}