353073 removed old origin handling

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnection.java

@@ -14,7 +14,7 @@ public interface WebSocketConnection extends Connection
 {
     void fillBuffersFrom(Buffer buffer);
     
-    void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException;
+    void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException;
     
     List<Extension> getExtensions();
     

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD00.java

@@ -362,7 +362,7 @@ public class WebSocketConnectionD00 extends AbstractConnection implements WebSoc
         void access(EndPoint endp);
     }
 
-    public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException
+    public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException
     {
         String uri=request.getRequestURI();
         String query=request.getQueryString();
@@ -370,7 +370,9 @@ public class WebSocketConnectionD00 extends AbstractConnection implements WebSoc
             uri+="?"+query;
         String host=request.getHeader("Host");
         
+        String origin=request.getHeader("Host");
         String key1 = request.getHeader("Sec-WebSocket-Key1");
+        
         if (key1!=null)
         {
             String key2 = request.getHeader("Sec-WebSocket-Key2");

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD06.java

@@ -710,7 +710,7 @@ public class WebSocketConnectionD06 extends AbstractConnection implements WebSoc
     }
 
     /* ------------------------------------------------------------ */
-    public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException
+    public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException
     {
         String uri=request.getRequestURI();
         String query=request.getQueryString();

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketConnectionD10.java

@@ -806,7 +806,7 @@ public class WebSocketConnectionD10 extends AbstractConnection implements WebSoc
     }
 
     /* ------------------------------------------------------------ */
-    public void handshake(HttpServletRequest request, HttpServletResponse response, String origin, String subprotocol) throws IOException
+    public void handshake(HttpServletRequest request, HttpServletResponse response, String subprotocol) throws IOException
     {
         String uri=request.getRequestURI();
         String query=request.getQueryString();

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketFactory.java

@@ -38,9 +38,21 @@ public class WebSocketFactory
 {
     public interface Acceptor
     {
+        /* ------------------------------------------------------------ */
+        /**
+         * @param request
+         * @param protocol
+         * @return
+         */
         WebSocket doWebSocketConnect(HttpServletRequest request, String protocol);
 
-        String checkOrigin(HttpServletRequest request, String host, String origin);
+        /* ------------------------------------------------------------ */
+        /** Check the origin of an incoming WebSocket handshake request
+         * @param request
+         * @param origin
+         * @return boolean to indicate that the origin is acceptable.
+         */
+        boolean checkOrigin(HttpServletRequest request, String origin);
     }
 
     private final Map<String,Class<? extends Extension>> _extensionClasses = new HashMap<String, Class<? extends Extension>>();
@@ -128,7 +140,7 @@ public class WebSocketFactory
      * @param protocol  The websocket protocol
      * @throws IOException in case of I/O errors
      */
-    public void upgrade(HttpServletRequest request, HttpServletResponse response, WebSocket websocket, String origin, String protocol)
+    public void upgrade(HttpServletRequest request, HttpServletResponse response, WebSocket websocket, String protocol)
             throws IOException
     {
         if (!"websocket".equalsIgnoreCase(request.getHeader("Upgrade")))
@@ -176,7 +188,7 @@ public class WebSocketFactory
         }
 
         // Let the connection finish processing the handshake
-        connection.handshake(request, response, origin, protocol);
+        connection.handshake(request, response, protocol);
         response.flushBuffer();
 
         // Give the connection any unused data from the HTTP connection.
@@ -205,11 +217,20 @@ public class WebSocketFactory
     {
         if ("websocket".equalsIgnoreCase(request.getHeader("Upgrade")))
         {
+            String origin = request.getHeader("Sec-WebSocket-Origin");
+            if (origin==null)
+                origin = request.getHeader("Origin");
+            if (!_acceptor.checkOrigin(request,origin))
+            {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                return false;
+            }
+            
+            // Try each requested protocol
+            WebSocket websocket = null;
             String protocol = request.getHeader("Sec-WebSocket-Protocol");
             if (protocol == null) // TODO remove once draft period is over
                 protocol = request.getHeader("WebSocket-Protocol");
-
-            WebSocket websocket = null;
             for (String p : parseProtocols(protocol))
             {
                 websocket = _acceptor.doWebSocketConnect(request, p);
@@ -220,17 +241,16 @@ public class WebSocketFactory
                 }
             }
 
-            String host = request.getHeader("Host");
+            // Did we get a websocket?
-            String origin = request.getHeader("Origin");
+            if (websocket == null)
-            origin = _acceptor.checkOrigin(request, host, origin);
-
-            if (websocket != null)
             {
-                upgrade(request, response, websocket, origin, protocol);
+                response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
-                return true;
+                return false;
             }
 
-            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
+            // Send the upgrade
+            upgrade(request, response, websocket, protocol);
+            return true;
         }
 
         return false;

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketHandler.java

@@ -100,11 +100,9 @@ public abstract class WebSocketHandler extends HandlerWrapper implements WebSock
     }
     
     /* ------------------------------------------------------------ */
-    public String checkOrigin(HttpServletRequest request, String host, String origin)
+    public boolean checkOrigin(HttpServletRequest request, String origin)
     {
-        if (origin==null)
+        return true;
-            origin=host;
-        return origin;
     }
     
 }

jetty-websocket/src/main/java/org/eclipse/jetty/websocket/WebSocketServlet.java

@@ -14,6 +14,8 @@
 package org.eclipse.jetty.websocket;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -65,11 +67,10 @@ public abstract class WebSocketServlet extends HttpServlet implements WebSocketF
         super.service(request,response);
     }
 
-    public String checkOrigin(HttpServletRequest request, String host, String origin)
+    /* ------------------------------------------------------------ */
+    public boolean checkOrigin(HttpServletRequest request, String origin)
     {
-        if (origin==null)
+        return true;
-            origin=host;
-        return origin;
     }