Module org.apache.wicket.core
Package org.apache.wicket.protocol.http
Class OriginResourceIsolationPolicy
java.lang.Object
org.apache.wicket.protocol.http.OriginResourceIsolationPolicy
- All Implemented Interfaces:
IResourceIsolationPolicy
IResourceIsolationPolicy based on the WebRequest.HEADER_ORIGIN and WebRequest.HEADER_REFERER headers.
This origin-based policy can be used in combination with the ResourceIsolationRequestCycleListener to add support for legacy browsers that don't send Sec-Fetch-* headers yet.
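The following is an added example of wiring this policy into an application; it is not code from the Wicket project or this Javadoc. It assumes a Wicket 9+ application, that ResourceIsolationRequestCycleListener accepts a varargs list of IResourceIsolationPolicy instances, that FetchMetadataResourceIsolationPolicy is the Sec-Fetch-* based policy, that the listener asks the policies in the order given, and a hypothetical HomePage class.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy;
import org.apache.wicket.protocol.http.OriginResourceIsolationPolicy;
import org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page class, assumed to exist
    }

    @Override
    protected void init() {
        super.init();

        // Origin/Referer based fallback for browsers that do not send Sec-Fetch-* headers.
        // Only example.com and its subdomains are accepted without further CSRF checks;
        // every other Origin is still compared against the request's own
        // scheme://host[:port] by isLocalOrigin. addAcceptedOrigin returns this, so it chains.
        OriginResourceIsolationPolicy originPolicy = new OriginResourceIsolationPolicy()
                .addAcceptedOrigin("example.com");

        // Assumption: the listener consults the policies in the order given, so the
        // Sec-Fetch-* metadata policy runs first and the Origin/Referer policy second.
        getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener(
                new FetchMetadataResourceIsolationPolicy(), originPolicy));
    }
}
```

Keep the accepted-origin list as short as possible: every domain added there is exempted from the origin comparison entirely, so a whitelisted subdomain you do not control becomes a CSRF launch point.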
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
IResourceIsolationPolicy.ResourceIsolationOutcome

Constructor Summary
OriginResourceIsolationPolicy()

Method Summary
- addAcceptedOrigin(String acceptedOrigin)
  Adds an origin (host name/domain name) to the white list.
- protected final String getTargetUriFromRequest(jakarta.servlet.http.HttpServletRequest request)
  Creates a RFC-6454 comparable URI from the resource requested by request.
- protected boolean isLocalOrigin(jakarta.servlet.http.HttpServletRequest containerRequest, String originHeader)
  Checks whether the Origin HTTP header of the request matches where the request came from.
- public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(jakarta.servlet.http.HttpServletRequest request, IRequestablePage targetPage)
  Is the given request allowed.
- protected boolean isWhitelistedHost(String sourceUri)
  Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
- protected final String normalizeUri(String uri)
  Creates a RFC-6454 comparable URI from the uri string.
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
setHeaders
Constructor Details
OriginResourceIsolationPolicy
public OriginResourceIsolationPolicy()

Method Details
addAcceptedOrigin
addAcceptedOrigin(String acceptedOrigin)
Adds an origin (host name/domain name) to the white list. An origin is in the form of <domainname>.<TLD>, and can contain a subdomain. Every Origin header that matches a domain from the whitelist is accepted and not checked any further for CSRF issues. E.g. when example.com is in the white list, this allows requests from (i.e. with an Origin: header containing) example.com and blabla.example.com, but rejects requests from blablaexample.com and example2.com.
- Parameters:
  acceptedOrigin - the acceptable origin
- Returns:
  this
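The following added example (written for this page, not Wicket code) exercises the whitelist rule above and the normalizeUri/isWhitelistedHost helpers documented below by subclassing the policy to reach its protected methods. It assumes Wicket is on the classpath and that these helpers work on the header string alone, without a running request cycle; the header values are constructed.

```java
import org.apache.wicket.protocol.http.OriginResourceIsolationPolicy;

/**
 * Exposes the protected helpers of OriginResourceIsolationPolicy so the
 * whitelist rule documented for addAcceptedOrigin can be observed directly.
 * Illustration only; not part of Wicket.
 */
public class OriginWhitelistDemo extends OriginResourceIsolationPolicy {

    boolean hostAccepted(String headerValue) {
        // isWhitelistedHost takes the raw Origin or Referer header contents
        return isWhitelistedHost(headerValue);
    }

    String normalized(String headerValue) {
        // normalizeUri is documented to return only scheme://host[:port],
        // or null when the value is not an RFC 6454 compliant origin
        return normalizeUri(headerValue);
    }

    public static void main(String[] args) {
        OriginWhitelistDemo policy = new OriginWhitelistDemo();
        policy.addAcceptedOrigin("example.com");

        // Constructed Origin header values. Per the Javadoc, with example.com
        // whitelisted the first two match and the last two do not: the rule is a
        // domain-label suffix match, not a plain string suffix match.
        String[] origins = {
            "https://example.com",
            "https://blabla.example.com",
            "https://blablaexample.com",
            "https://example2.com",
        };
        for (String origin : origins) {
            System.out.printf("%-32s normalized=%s whitelisted=%b%n",
                    origin, policy.normalized(origin), policy.hostAccepted(origin));
        }

        // A Referer value carries path and query; normalisation keeps only scheme://host[:port].
        System.out.println(policy.normalized("https://blabla.example.com:8443/app/page?x=1"));

        // A value that is not an origin at all is documented to yield null, never a match.
        System.out.println(policy.normalized("not a uri"));
    }
}
```

The last two calls are the cases worth checking in a review: a non-compliant header value must not be treated as local or whitelisted, and a port or path in the Referer must not change which host is compared.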
-
isRequestAllowed
public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(jakarta.servlet.http.HttpServletRequest request, IRequestablePage targetPage)
Description copied from interface: IResourceIsolationPolicy
Is the given request allowed.
- Specified by:
  isRequestAllowed in interface IResourceIsolationPolicy
- Parameters:
  request - request
  targetPage - targeted page
- Returns:
  whether the request is allowed based on its origin
-
isLocalOrigin
protected boolean isLocalOrigin(jakarta.servlet.http.HttpServletRequest containerRequest, String originHeader)
Checks whether the Origin HTTP header of the request matches where the request came from.
- Parameters:
  containerRequest - the current container request
  originHeader - the contents of the Origin HTTP header
- Returns:
  true when the origin of the request matches the Origin HTTP header
-
getTargetUriFromRequest
protected final String getTargetUriFromRequest(jakarta.servlet.http.HttpServletRequest request)
Creates a RFC-6454 comparable URI from the resource requested by request.
- Parameters:
  request - the incoming request
- Returns:
  only the scheme://host[:port] part, or null when the origin string is not compliant
-
normalizeUri
protected final String normalizeUri(String uri)
Creates a RFC-6454 comparable URI from the uri string.
- Parameters:
  uri - the contents of the Origin or Referer HTTP header
- Returns:
  only the scheme://host[:port] part, or null when the URI string is not compliant
-
isWhitelistedHost
protected boolean isWhitelistedHost(String sourceUri)
Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
- Parameters:
  sourceUri - the contents of the Origin or Referer HTTP header
- Returns:
  true when the source domain was whitelisted
-