wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketConnectionOriginFilter.java - wicket - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.wicket.protocol.ws.api;

 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;

 import jakarta.servlet.http.HttpServletRequest;

 import org.apache.wicket.util.lang.Args;
 import org.apache.wicket.util.string.Strings;

 /**
  * This filter will reject those requests which contain 'Origin' header that does not match the origin of the
  * application host. This kind of extended security might be necessary if the application needs to enforce the
  * Same Origin Policy which is not provided by the HTML5 WebSocket protocol.
  *
  * @see <a href="http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html">http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html</a>
  *
  * @author Gergely Nagy
  */
 public class WebSocketConnectionOriginFilter implements IWebSocketConnectionFilter
 {

 	/**
 	 * Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that
      * violates its policy. This is a generic status code that can be returned when there is no other more suitable
      * status code (e.g., 1003 or 1009) or if there is a need to hide specific details about the policy.
 	 * <p>
 	 * See <a href="https://tools.ietf.org/html/rfc6455#section-7.4.1">RFC 6455, Section 7.4.1 Defined Status Codes</a>.
 	 */
 	public static final int POLICY_VIOLATION_ERROR_CODE = 1008;

 	/**
 	 * Explanatory text for the client to explain why the connection is getting aborted
 	 */
 	public static final String ORIGIN_MISMATCH = "Origin mismatch";

 	private final List<String> allowedDomains;

 	public WebSocketConnectionOriginFilter(final List<String> allowedDomains)
 	{
 		this.allowedDomains = Args.notNull(allowedDomains, "allowedDomains");
 	}

 	@Override
 	public ConnectionRejected doFilter(HttpServletRequest servletRequest)
 	{
 		if (allowedDomains != null && !allowedDomains.isEmpty())
 		{
 			String oUrl = getOriginUrl(servletRequest);
 			if (invalid(oUrl, allowedDomains))
 			{
 				return new ConnectionRejected(POLICY_VIOLATION_ERROR_CODE, ORIGIN_MISMATCH);
 			}
 		}

 		return null;
 	}

 	/**
 	 * The list of whitelisted domains which are allowed to initiate a websocket connection. This
 	 * list will be eventually used by the
 	 * {@link org.apache.wicket.protocol.ws.api.IWebSocketConnectionFilter} to abort potentially
 	 * unsafe connections. Example domain names might be:
 	 *
 	 * <pre>
 	 *      http://www.example.com
 	 *      http://ww2.example.com
 	 * </pre>
 	 *
 	 * @param domains
 	 *            The collection of domains
 	 */
 	public void setAllowedDomains(Iterable<String> domains) {
 		this.allowedDomains.clear();
 		if (domains != null)
 		{
 			for (String domain : domains)
 			{
 				this.allowedDomains.add(domain);
 			}
 		}
 	}

 	/**
 	 * The list of whitelisted domains which are allowed to initiate a websocket connection. This
 	 * list will be eventually used by the
 	 * {@link org.apache.wicket.protocol.ws.api.IWebSocketConnectionFilter} to abort potentially
 	 * unsafe connections
 	 */
 	public List<String> getAllowedDomains()
 	{
 		return allowedDomains;
 	}

 	private boolean invalid(String oUrl, List<String> allowedDomains)
 	{
 		return Strings.isEmpty(oUrl) || !allowedDomains.contains(oUrl);
 	}

 	private String getOriginUrl(final HttpServletRequest servletRequest)
 	{
 		Enumeration<String> originHeaderValues = servletRequest.getHeaders("Origin");
 		List<String> origins;
 		if (originHeaderValues != null)
 		{
 			origins = Collections.list(originHeaderValues);
 		}
 		else
 		{
 			origins = Collections.emptyList();
 		}

 		if (origins.size() != 1)
 		{
 			return null;
 		}
 		return origins.get(0);
 	}
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.wicket.protocol.ws.api;

	import java.util.Collections;
	import java.util.Enumeration;
	import java.util.List;

	import jakarta.servlet.http.HttpServletRequest;

	import org.apache.wicket.util.lang.Args;
	import org.apache.wicket.util.string.Strings;

	/**
	* This filter will reject those requests which contain 'Origin' header that does not match the origin of the
	* application host. This kind of extended security might be necessary if the application needs to enforce the
	* Same Origin Policy which is not provided by the HTML5 WebSocket protocol.
	*
	* @see <a href="http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html">http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html</a>
	*
	* @author Gergely Nagy
	*/
	public class WebSocketConnectionOriginFilter implements IWebSocketConnectionFilter
	{

	/**
	* Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that
	* violates its policy. This is a generic status code that can be returned when there is no other more suitable
	* status code (e.g., 1003 or 1009) or if there is a need to hide specific details about the policy.
	* <p>
	* See <a href="https://tools.ietf.org/html/rfc6455#section-7.4.1">RFC 6455, Section 7.4.1 Defined Status Codes</a>.
	*/
	public static final int POLICY_VIOLATION_ERROR_CODE = 1008;

	/**
	* Explanatory text for the client to explain why the connection is getting aborted
	*/
	public static final String ORIGIN_MISMATCH = "Origin mismatch";

	private final List<String> allowedDomains;

	public WebSocketConnectionOriginFilter(final List<String> allowedDomains)
	{
	this.allowedDomains = Args.notNull(allowedDomains, "allowedDomains");
	}

	@Override
	public ConnectionRejected doFilter(HttpServletRequest servletRequest)
	{
	if (allowedDomains != null && !allowedDomains.isEmpty())
	{
	String oUrl = getOriginUrl(servletRequest);
	if (invalid(oUrl, allowedDomains))
	{
	return new ConnectionRejected(POLICY_VIOLATION_ERROR_CODE, ORIGIN_MISMATCH);
	}
	}

	return null;
	}

	/**
	* The list of whitelisted domains which are allowed to initiate a websocket connection. This
	* list will be eventually used by the
	* {@link org.apache.wicket.protocol.ws.api.IWebSocketConnectionFilter} to abort potentially
	* unsafe connections. Example domain names might be:
	*
	* <pre>
	* http://www.example.com
	* http://ww2.example.com
	* </pre>
	*
	* @param domains
	* The collection of domains
	*/
	public void setAllowedDomains(Iterable<String> domains) {
	this.allowedDomains.clear();
	if (domains != null)
	{
	for (String domain : domains)
	{
	this.allowedDomains.add(domain);
	}
	}
	}

	/**
	* The list of whitelisted domains which are allowed to initiate a websocket connection. This
	* list will be eventually used by the
	* {@link org.apache.wicket.protocol.ws.api.IWebSocketConnectionFilter} to abort potentially
	* unsafe connections
	*/
	public List<String> getAllowedDomains()
	{
	return allowedDomains;
	}

	private boolean invalid(String oUrl, List<String> allowedDomains)
	{
	return Strings.isEmpty(oUrl) \|\| !allowedDomains.contains(oUrl);
	}

	private String getOriginUrl(final HttpServletRequest servletRequest)
	{
	Enumeration<String> originHeaderValues = servletRequest.getHeaders("Origin");
	List<String> origins;
	if (originHeaderValues != null)
	{
	origins = Collections.list(originHeaderValues);
	}
	else
	{
	origins = Collections.emptyList();
	}

	if (origins.size() != 1)
	{
	return null;
	}
	return origins.get(0);
	}
	}