From bfda9e0523c5821318e25772c7b00ea56eeec645 Mon Sep 17 00:00:00 2001 From: Greg Wilkins Date: Mon, 15 Aug 2011 16:16:34 +1000 Subject: [PATCH] 353073 removed old origin handling --- .../jetty/websocket/WebSocketConnection.java | 2 +- .../websocket/WebSocketConnectionD00.java | 4 +- .../websocket/WebSocketConnectionD06.java | 2 +- .../websocket/WebSocketConnectionD10.java | 2 +- .../jetty/websocket/WebSocketFactory.java | 46 +++++++++++++------ .../jetty/websocket/WebSocketHandler.java | 6 +-- .../jetty/websocket/WebSocketServlet.java | 9 ++-- 7 files changed, 46 insertions(+), 25 deletions(-) diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnection.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnection.java index 5545b27fc80..8a4f7f78ae3 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnection.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnection.java @@ -14,7 +14,7 @@ public interface WebSocketConnection extends Connection { void fillBuffersFrom(Buffer buffer); - void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException; + void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException; List getExtensions(); diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java index eed3c066cf9..5a75534d564 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java 
@@ -362,7 +362,7 @@ public class WebSocketConnectionD00 extends AbstractConnection implements WebSoc void access(EndPoint endp); } - public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException + public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException { String uri=request.getRequestURI(); String query=request.getQueryString(); @@ -370,7 +370,9 @@ public class WebSocketConnectionD00 extends AbstractConnection implements WebSoc uri+="?"+query; String host=request.getHeader("Host"); + String origin=request.getHeader("Host"); String key1 = request.getHeader("Sec-WebSocket-Key1"); + if (key1!=null) { String key2 = request.getHeader("Sec-WebSocket-Key2"); diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java index d254007fafa..1fcf970d298 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java @@ -710,7 +710,7 @@ public class WebSocketConnectionD06 extends AbstractConnection implements WebSoc } /* ------------------------------------------------------------ */ - public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException + public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException { String uri=request.getRequestURI(); String query=request.getQueryString(); diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD10.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD10.java index d7986bb590d..6a536ac3edc 100644 
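Review bot: In the second WebSocketConnectionD00 hunk (-370/+370) the added line `String origin=request.getHeader("Host");` fills `origin` from the Host header, so this handshake no longer consults the client's Origin header. The caller code removed elsewhere in this commit passed the Origin value and fell back to Host only when Origin was absent. If `origin` is still written into the handshake response further down (the body continues outside the hunk), a browser comparing it with its page origin would presumably see a mismatch. Consider `String origin=request.getHeader("Origin");` followed by `if (origin==null) origin=host;` to keep the earlier behaviour. Because the value is client-supplied, it is also worth confirming it cannot carry CR/LF into a response header.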
--- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD10.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD10.java @@ -806,7 +806,7 @@ public class WebSocketConnectionD10 extends AbstractConnection implements WebSoc } /* ------------------------------------------------------------ */ - public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException + public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException { String uri=request.getRequestURI(); String query=request.getQueryString(); diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketFactory.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketFactory.java index f3e043c8da2..99907e1dc8b 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketFactory.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketFactory.java @@ -38,9 +38,21 @@ public class WebSocketFactory { public interface Acceptor { + /* ------------------------------------------------------------ */ + /** + * @param request + * @param protocol + * @return + */ WebSocket doWebSocketConnect(HttpServletRequest request, String protocol); - String checkOrigin(HttpServletRequest request, String host, String origin); + /* ------------------------------------------------------------ */ + /** Check the origin of an incoming WebSocket handshake request + * @param request + * @param origin + * @return boolean to indicate that the origin is acceptable. + */ + boolean checkOrigin(HttpServletRequest request, String origin); } private final Map> _extensionClasses = new HashMap>(); 
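Review bot: The Javadoc added to `Acceptor` in the WebSocketFactory hunk leaves the contract of `checkOrigin` unstated, and the block on `doWebSocketConnect` is an empty template with bare `@param`/`@return` tags. Implementers need to know that `origin` is null when the request carries neither `Sec-WebSocket-Origin` nor `Origin`, and that returning false makes the factory answer 403 before any WebSocket is created; both are visible in the later hunk of this file. Suggested tags: `@param origin value of Sec-WebSocket-Origin, else Origin, or null if neither header was sent` and `@return true to continue the handshake, false to reject it with 403 Forbidden`. The `doWebSocketConnect` block should either describe its parameters and return value or be removed.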
@@ -128,7 +140,7 @@ public class WebSocketFactory * @param protocol The websocket protocol * @throws IOException in case of I/O errors */ - public void upgrade(HttpServletRequest request, HttpServletResponse response, WebSocket websocket, String origin, String protocol) + public void upgrade(HttpServletRequest request, HttpServletResponse response, WebSocket websocket, String protocol) throws IOException { if (!"websocket".equalsIgnoreCase(request.getHeader("Upgrade"))) @@ -176,7 +188,7 @@ public class WebSocketFactory } // Let the connection finish processing the handshake - connection.handshake(request, response, origin, protocol); + connection.handshake(request, response, protocol); response.flushBuffer(); // Give the connection any unused data from the HTTP connection. @@ -205,11 +217,20 @@ public class WebSocketFactory { if ("websocket".equalsIgnoreCase(request.getHeader("Upgrade"))) { + String origin = request.getHeader("Sec-WebSocket-Origin"); + if (origin==null) + origin = request.getHeader("Origin"); + if (!_acceptor.checkOrigin(request,origin)) + { + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return false; + } + + // Try each requested protocol + WebSocket websocket = null; String protocol = request.getHeader("Sec-WebSocket-Protocol"); if (protocol == null) // TODO remove once draft period is over protocol = request.getHeader("WebSocket-Protocol"); - - WebSocket websocket = null; for (String p : parseProtocols(protocol)) { websocket = _acceptor.doWebSocketConnect(request, p); 
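Review bot: `upgrade(...)` stays public in the hunk at -128/+140 while the origin check is added only in the method patched at -205/+217, so code that calls `upgrade` directly completes the handshake without `checkOrigin` ever running. The Javadoc above the signature starts outside the hunk and should say so, for example `Performs no origin check; callers that invoke this method directly must call Acceptor.checkOrigin themselves.` Stating this at the entry point keeps embedders from assuming that the new 403 gate covers every path.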
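Review bot: The new 403 branch in the hunk at -205/+217 rejects the request without recording anything, so a refused cross-origin handshake leaves no trace for whoever monitors the server. A log entry before `response.sendError(HttpServletResponse.SC_FORBIDDEN);` carrying the origin value and `request.getRemoteAddr()` would make rejected origins visible. The origin is client-supplied and may be null, so it should be logged as data rather than as part of a format string. A short comment such as `// Sec-WebSocket-Origin is preferred, Origin is the fallback; origin is null if neither was sent` would also document the header precedence. The enclosing method starts and ends outside this hunk.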
@@ -220,17 +241,16 @@ public class WebSocketFactory } } - String host = request.getHeader("Host"); - String origin = request.getHeader("Origin"); - origin = _acceptor.checkOrigin(request, host, origin); - - if (websocket != null) + // Did we get a websocket? + if (websocket == null) { - upgrade(request, response, websocket, origin, protocol); - return true; + response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); + return false; } - response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); + // Send the upgrade + upgrade(request, response, websocket, protocol); + return true; } return false; diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketHandler.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketHandler.java index a2e87a1a0ec..870fd702018 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketHandler.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketHandler.java @@ -100,11 +100,9 @@ public abstract class WebSocketHandler extends HandlerWrapper implements WebSock } /* ------------------------------------------------------------ */ - public String checkOrigin(HttpServletRequest request, String host, String origin) + public boolean checkOrigin(HttpServletRequest request, String origin) { - if (origin==null) - origin=host; - return origin; + return true; } } diff --git a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketServlet.java b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketServlet.java index f485076535b..b9121377306 100644 --- a/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketServlet.java +++ b/jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketServlet.java 
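Review bot: `WebSocketHandler.checkOrigin` now returns `true` for every request, null origin included, so the 403 gate added in WebSocketFactory never fires unless an application overrides this method. The same body is added to `WebSocketServlet.checkOrigin` in the last hunk of the patch. For applications that authenticate the handshake with cookies, this default lets a page from any origin open a socket in a logged-in user's session. At minimum the method should carry a Javadoc such as `/** Accepts every origin, including null; override to restrict which pages may open a WebSocket. */`. A stricter default that compares the origin's authority with the Host header is worth considering, though it would change behaviour for existing deployments.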
@@ -14,6 +14,8 @@ package org.eclipse.jetty.websocket; import java.io.IOException; +import java.net.URI; +import java.net.URISyntaxException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; @@ -65,11 +67,10 @@ public abstract class WebSocketServlet extends HttpServlet implements WebSocketF super.service(request,response); } - public String checkOrigin(HttpServletRequest request, String host, String origin) + /* ------------------------------------------------------------ */ + public boolean checkOrigin(HttpServletRequest request, String origin) { - if (origin==null) - origin=host; - return origin; + return true; }
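Review bot: The imports `java.net.URI` and `java.net.URISyntaxException` added in the first WebSocketServlet hunk are not used by any new line visible in this file's hunks. The `checkOrigin` added in the following hunk returns `true` without parsing anything. If the rest of WebSocketServlet, which is outside the diff, does not use them either, drop both imports or add the origin parsing they were presumably meant for.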