Package org.apache.wicket.protocol.http
Class OriginResourceIsolationPolicy

java.lang.Object
  org.apache.wicket.protocol.http.OriginResourceIsolationPolicy

All Implemented Interfaces:
  IResourceIsolationPolicy
Direct Known Subclasses:
  CsrfPreventionRequestCycleListener

public class OriginResourceIsolationPolicy extends Object implements IResourceIsolationPolicy

IResourceIsolationPolicy based on the WebRequest.HEADER_ORIGIN and WebRequest.HEADER_REFERER headers. This origin-based policy can be used in combination with the ResourceIsolationRequestCycleListener to add support for legacy browsers that don't send Sec-Fetch-* headers yet.
Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
  IResourceIsolationPolicy.ResourceIsolationOutcome

Constructor Summary

  OriginResourceIsolationPolicy()

Method Summary (all methods are instance methods, concrete)

  OriginResourceIsolationPolicy addAcceptedOrigin(String acceptedOrigin)
      Adds an origin (host name/domain name) to the white list.
  protected String getTargetUriFromRequest(javax.servlet.http.HttpServletRequest request)
      Creates an RFC 6454 comparable URI from the request's requested resource.
  protected boolean isLocalOrigin(javax.servlet.http.HttpServletRequest containerRequest, String originHeader)
      Checks whether the Origin HTTP header of the request matches where the request came from.
  IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(javax.servlet.http.HttpServletRequest request, IRequestablePage targetPage)
      Is the given request allowed.
  protected boolean isWhitelistedHost(String sourceUri)
      Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
  protected String normalizeUri(String uri)
      Creates an RFC 6454 comparable URI from the uri string.

Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
  setHeaders
Constructor Detail

OriginResourceIsolationPolicy

  public OriginResourceIsolationPolicy()
Method Detail

addAcceptedOrigin

  public OriginResourceIsolationPolicy addAcceptedOrigin(String acceptedOrigin)

  Adds an origin (host name/domain name) to the white list. An origin is in the form of <domainname>.<TLD>, and can contain a subdomain. Every Origin header that matches a domain from the whitelist is accepted and not checked any further for CSRF issues. E.g. when example.com is in the white list, this allows requests from (i.e. with an Origin: header containing) example.com and blabla.example.com but rejects requests from blablaexample.com and example2.com.

  Parameters:
    acceptedOrigin - the acceptable origin
  Returns:
    this
isRequestAllowed

  public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(javax.servlet.http.HttpServletRequest request, IRequestablePage targetPage)

  Description copied from interface: IResourceIsolationPolicy
  Is the given request allowed.

  Specified by:
    isRequestAllowed in interface IResourceIsolationPolicy
  Parameters:
    request - request
    targetPage - targeted page
  Returns:
    whether the request is allowed based on its origin
isLocalOrigin

  protected boolean isLocalOrigin(javax.servlet.http.HttpServletRequest containerRequest, String originHeader)

  Checks whether the Origin HTTP header of the request matches where the request came from.

  Parameters:
    containerRequest - the current container request
    originHeader - the contents of the Origin HTTP header
  Returns:
    true when the origin of the request matches the Origin HTTP header
getTargetUriFromRequest

  protected final String getTargetUriFromRequest(javax.servlet.http.HttpServletRequest request)

  Creates an RFC 6454 comparable URI from the request's requested resource.

  Parameters:
    request - the incoming request
  Returns:
    only the scheme://host[:port] part, or null when the origin string is not compliant
normalizeUri

  protected final String normalizeUri(String uri)

  Creates an RFC 6454 comparable URI from the uri string.

  Parameters:
    uri - the contents of the Origin or Referer HTTP header
  Returns:
    only the scheme://host[:port] part, or null when the URI string is not compliant
isWhitelistedHost

  protected boolean isWhitelistedHost(String sourceUri)

  Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.

  Parameters:
    sourceUri - the contents of the Origin or Referer HTTP header
  Returns:
    true when the source domain was whitelisted
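The rules documented above for addAcceptedOrigin, normalizeUri, isLocalOrigin and isWhitelistedHost, carried through as an added, self-contained JDK-only illustration; this is not Wicket's implementation, and the class name OriginPolicyDemo, the use of java.net.URI for parsing and the string-based isLocalOrigin signature are assumptions. It reproduces the example.com cases from addAcceptedOrigin, including the dot-boundary check that keeps blablaexample.com out, and maps a non-compliant or "null" Origin to null so it can never match.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

/** Illustrative re-implementation of the documented rules; an assumption, not Wicket's own code. */
public class OriginPolicyDemo {
    private final Set<String> acceptedOrigins = new HashSet<>();
    /** Mirrors addAcceptedOrigin: whitelist a domain such as "example.com". */
    public OriginPolicyDemo addAcceptedOrigin(String acceptedOrigin) {
        acceptedOrigins.add(acceptedOrigin.trim().toLowerCase());
        return this;
    }
    /** RFC 6454 style serialisation: only scheme://host[:port], or null when not compliant. */
    static String normalizeUri(String uri) {
        if (uri == null) return null;
        try {
            URI u = new URI(uri.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // e.g. "Origin: null"
            String s = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase();
            return u.getPort() == -1 ? s : s + ":" + u.getPort();
        } catch (URISyntaxException e) {
            return null;
        }
    }
    /** Domain part of the Origin/Referer must equal a whitelist entry or end in "." + entry. */
    boolean isWhitelistedHost(String sourceUri) {
        String normalized = normalizeUri(sourceUri);
        if (normalized == null) return false;
        String host = URI.create(normalized).getHost();
        for (String origin : acceptedOrigins) {
            if (host.equals(origin) || host.endsWith("." + origin)) return true;
        }
        return false;
    }
    /** Origin header and the requested resource must agree on scheme://host[:port]. */
    static boolean isLocalOrigin(String requestedResource, String originHeader) {
        String origin = normalizeUri(originHeader);
        return origin != null && origin.equals(normalizeUri(requestedResource));
    }
    public static void main(String[] args) {
        OriginPolicyDemo policy = new OriginPolicyDemo().addAcceptedOrigin("example.com");
        for (String o : new String[] {"https://example.com", "https://blabla.example.com",
                "https://blablaexample.com", "https://example2.com", "null"}) {
            System.out.println(o + " whitelisted=" + policy.isWhitelistedHost(o));
        }
        System.out.println("local=" + isLocalOrigin("https://app.example.com:8443/p", "https://app.example.com:8443"));
    }
}
```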