Class OriginResourceIsolationPolicy

java.lang.Object
org.apache.wicket.protocol.http.OriginResourceIsolationPolicy
All Implemented Interfaces:
IResourceIsolationPolicy

IResourceIsolationPolicy based on WebRequest.HEADER_ORIGIN and WebRequest.HEADER_REFERER headers.

This origin-based listener can be used in combination with the ResourceIsolationRequestCycleListener to add support for legacy browsers that don't send Sec-Fetch-* headers yet.

  • Constructor Details

  • Method Details

    • addAcceptedOrigin

      Adds an origin (host name/domain name) to the whitelist. An origin is of the form <domainname>.<TLD> and may contain a subdomain. Every Origin header that matches a domain from the whitelist is accepted and not checked any further for CSRF issues. E.g. when example.com is in the whitelist, this allows requests from (i.e. with an Origin: header containing) example.com and blabla.example.com but rejects requests from blablaexample.com and example2.com.
      Parameters:
      acceptedOrigin - the acceptable origin
      Returns:
      this
    • isRequestAllowed

      public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(jakarta.servlet.http.HttpServletRequest request, IRequestablePage targetPage)
      Description copied from interface: IResourceIsolationPolicy
      Is the given request allowed.
      Specified by:
      isRequestAllowed in interface IResourceIsolationPolicy
      Parameters:
      request - request
      targetPage - targeted page
      Returns:
      whether the request is allowed based on its origin
    • isLocalOrigin

      protected boolean isLocalOrigin(jakarta.servlet.http.HttpServletRequest containerRequest, String originHeader)
      Checks whether the Origin HTTP header of the request matches where the request came from.
      Parameters:
      containerRequest - the current container request
      originHeader - the contents of the Origin HTTP header
      Returns:
      true when the origin of the request matches the Origin HTTP header
    • getTargetUriFromRequest

      protected final String getTargetUriFromRequest(jakarta.servlet.http.HttpServletRequest request)
      Creates an RFC 6454 comparable URI from the resource requested by the request.
      Parameters:
      request - the incoming request
      Returns:
      only the scheme://host[:port] part, or null when the origin string is not compliant
    • normalizeUri

      protected final String normalizeUri(String uri)
      Creates an RFC 6454 comparable URI from the uri string.
      Parameters:
      uri - the contents of the Origin or Referer HTTP header
      Returns:
      only the scheme://host[:port] part, or null when the URI string is not compliant
    • isWhitelistedHost

      protected boolean isWhitelistedHost(String sourceUri)
      Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
      Parameters:
      sourceUri - the contents of the Origin or Referer HTTP header
      Returns:
      true when the source domain was whitelisted
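The matching rule from addAcceptedOrigin, the RFC 6454 normalization from normalizeUri/getTargetUriFromRequest, and the isLocalOrigin comparison, modelled as a standalone Python check (an added example, not Wicket's code; the request dict, the string outcomes and the decision order "no header, then whitelist, then local-origin comparison" are assumptions made for the example):

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_uri(uri):
    """Reduce an Origin/Referer value to its RFC 6454 comparable form,
    scheme://host[:port]. Default ports are dropped; returns None when the
    value is empty, the literal 'null', or not a parseable http(s) URI."""
    if not uri or uri.strip().lower() == "null":
        return None
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def is_whitelisted_host(source_uri, accepted_origins):
    """True when the host of source_uri equals a whitelisted origin or is a
    subdomain of it (dot boundary): 'example.com' accepts
    'blabla.example.com' but rejects 'blablaexample.com' and 'example2.com'."""
    normalized = normalize_uri(source_uri)
    if normalized is None:
        return False
    host = urlsplit(normalized).hostname
    return any(host == o or host.endswith("." + o) for o in accepted_origins)

def is_request_allowed(request, accepted_origins):
    """request is a constructed dict: scheme, host, port and a headers map.
    Decision order (an assumption for this example, not copied from the
    Wicket class): no Origin/Referer -> 'unknown'; whitelisted -> 'allowed';
    otherwise allowed only when the source equals the request's own origin."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return "unknown"
    if is_whitelisted_host(source, accepted_origins):
        return "allowed"
    target = f"{request['scheme']}://{request['host'].lower()}"
    if request["port"] != DEFAULT_PORTS[request["scheme"]]:
        target += f":{request['port']}"
    return "allowed" if normalize_uri(source) == target else "disallowed"
```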