Package org.apache.wicket.protocol.ws.api

Class WebSocketConnectionOriginFilter

java.lang.Object

org.apache.wicket.protocol.ws.api.WebSocketConnectionOriginFilter

All Implemented Interfaces:

IWebSocketConnectionFilter

public class WebSocketConnectionOriginFilter
extends Object
implements IWebSocketConnectionFilter

This filter will reject those requests which contain 'Origin' header that does not match the origin of the application host. This kind of extended security might be necessary if the application needs to enforce the Same Origin Policy which is not provided by the HTML5 WebSocket protocol.

Author:

Gergely Nagy

See Also:

http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

Field Summary

Fields

Modifier and Type	Field	Description
static String	ORIGIN_MISMATCH	Explanatory text for the client to explain why the connection is getting aborted
static int	POLICY_VIOLATION_ERROR_CODE	Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that violates its policy.

Constructor Summary

Constructors

Constructor	Description
WebSocketConnectionOriginFilter(List<String> allowedDomains)

Method Summary

Modifier and Type	Method	Description
ConnectionRejected	doFilter(javax.servlet.http.HttpServletRequest servletRequest)	Method for rejecting connections based on the current request
List<String>	getAllowedDomains()	The list of whitelisted domains which are allowed to initiate a websocket connection.
void	setAllowedDomains(Iterable<String> domains)	The list of whitelisted domains which are allowed to initiate a websocket connection.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

POLICY_VIOLATION_ERROR_CODE

public static final int POLICY_VIOLATION_ERROR_CODE

Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that violates its policy. This is a generic status code that can be returned when there is no other more suitable status code (e.g., 1003 or 1009) or if there is a need to hide specific details about the policy.

See RFC 6455, Section 7.4.1 Defined Status Codes.

See Also:

Constant Field Values

ORIGIN_MISMATCH

public static final String ORIGIN_MISMATCH

Explanatory text for the client to explain why the connection is getting aborted

See Also:

Constant Field Values

Constructor Detail

WebSocketConnectionOriginFilter

public WebSocketConnectionOriginFilter(List<String> allowedDomains)

Method Detail

doFilter

public ConnectionRejected doFilter(javax.servlet.http.HttpServletRequest servletRequest)

Description copied from interface: IWebSocketConnectionFilter

Method for rejecting connections based on the current request

Specified by:

doFilter in interface IWebSocketConnectionFilter

Parameters:

servletRequest - The servlet request holding the request headers

setAllowedDomains

public void setAllowedDomains(Iterable<String> domains)

The list of whitelisted domains which are allowed to initiate a websocket connection. This list will be eventually used by the IWebSocketConnectionFilter to abort potentially unsafe connections. Example domain names might be:

      http://www.example.com
      http://ww2.example.com
 

Parameters:

domains - The collection of domains

getAllowedDomains

public List<String> getAllowedDomains()

The list of whitelisted domains which are allowed to initiate a websocket connection. This list will be eventually used by the IWebSocketConnectionFilter to abort potentially unsafe connections