Class WebSocketConnectionOriginFilter
- java.lang.Object
- org.apache.wicket.protocol.ws.api.WebSocketConnectionOriginFilter

All Implemented Interfaces:
IWebSocketConnectionFilter

public class WebSocketConnectionOriginFilter extends Object implements IWebSocketConnectionFilter

This filter rejects requests whose 'Origin' header does not match the origin of the application host. This extra check may be necessary if the application needs to enforce the Same Origin Policy, which the HTML5 WebSocket protocol does not provide.
- Author:
- Gergely Nagy
- See Also:
- http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

Field Summary
Fields
Modifier and Type | Field | Description
static String | ORIGIN_MISMATCH | Explanatory text for the client to explain why the connection is getting aborted
static int | POLICY_VIOLATION_ERROR_CODE | Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that violates its policy.

Constructor Summary
Constructors
Constructor | Description
WebSocketConnectionOriginFilter(List<String> allowedDomains) |

Method Summary
All Methods, Instance Methods, Concrete Methods
Modifier and Type | Method | Description
ConnectionRejected | doFilter(javax.servlet.http.HttpServletRequest servletRequest) | Method for rejecting connections based on the current request
List<String> | getAllowedDomains() | The list of whitelisted domains which are allowed to initiate a websocket connection.
void | setAllowedDomains(Iterable<String> domains) | The list of whitelisted domains which are allowed to initiate a websocket connection.

Field Detail

POLICY_VIOLATION_ERROR_CODE
public static final int POLICY_VIOLATION_ERROR_CODE
Error code 1008 indicates that an endpoint is terminating the connection because it has received a message that violates its policy. This is a generic status code that can be returned when there is no other more suitable status code (e.g., 1003 or 1009) or if there is a need to hide specific details about the policy.
- See Also:
- Constant Field Values

ORIGIN_MISMATCH
public static final String ORIGIN_MISMATCH
Explanatory text for the client to explain why the connection is getting aborted
- See Also:
- Constant Field Values

Constructor Detail

WebSocketConnectionOriginFilter
public WebSocketConnectionOriginFilter(List<String> allowedDomains)

Method Detail

doFilter
public ConnectionRejected doFilter(javax.servlet.http.HttpServletRequest servletRequest)
Description copied from interface: IWebSocketConnectionFilter
Method for rejecting connections based on the current request
- Specified by:
- doFilter in interface IWebSocketConnectionFilter
- Parameters:
- servletRequest - The servlet request holding the request headers

setAllowedDomains
public void setAllowedDomains(Iterable<String> domains)
The list of whitelisted domains which are allowed to initiate a websocket connection. This list will eventually be used by the IWebSocketConnectionFilter to abort potentially unsafe connections. Example domain names might be: http://www.example.com http://ww2.example.com
- Parameters:
- domains - The collection of domains

getAllowedDomains
public List<String> getAllowedDomains()
The list of whitelisted domains which are allowed to initiate a websocket connection. This list will eventually be used by the IWebSocketConnectionFilter to abort potentially unsafe connections.
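
An added example, not Wicket's implementation or code from this page: a stand-alone sketch of the kind of check this filter describes, comparing a request's Origin against an allowlist by exact match on normalized scheme, host and port. The class and method names are hypothetical, and rejecting a missing or repeated Origin header is this example's own policy choice.

```java
import java.net.URI;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration with hypothetical names; does not reproduce WebSocketConnectionOriginFilter.
public class OriginAllowlistDemo {
    static final int POLICY_VIOLATION = 1008; // close code named on this page
    private final Set<String> allowed = new HashSet<>();

    OriginAllowlistDemo(List<String> allowedOrigins) {
        for (String o : allowedOrigins) {
            String n = normalize(o);
            if (n == null) throw new IllegalArgumentException("bad origin: " + o);
            allowed.add(n);
        }
    }

    // Reduce an origin to scheme://host:port, lower-cased, with the default port made explicit.
    static String normalize(String origin) {
        try {
            URI u = new URI(origin.trim());
            String scheme = u.getScheme(), host = u.getHost();
            if (scheme == null || host == null) return null; // also covers the literal "null" origin
            scheme = scheme.toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
            if (port == -1) return null; // only http and https origins are accepted here
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        } catch (Exception e) { return null; } // malformed or null input is treated as no origin
    }

    // Returns 0 to accept or 1008 to reject; originHeaders holds every Origin header value received.
    int check(List<String> originHeaders) {
        if (originHeaders == null || originHeaders.size() != 1) return POLICY_VIOLATION;
        String n = normalize(originHeaders.get(0));
        return (n != null && allowed.contains(n)) ? 0 : POLICY_VIOLATION;
    }

    public static void main(String[] args) {
        OriginAllowlistDemo f = new OriginAllowlistDemo(
            List.of("http://www.example.com", "http://ww2.example.com"));
        // Constructed sample Origin values, including a look-alike host and the "null" origin.
        for (String o : List.of("http://www.example.com", "http://WWW.example.com:80",
                "http://www.example.com.other.test", "https://www.example.com", "null"))
            System.out.println(o + " -> " + f.check(List.of(o)));
    }
}
```

Comparing the whole normalized origin with set membership, rather than with a prefix, suffix or substring test, is what keeps a look-alike host or a different scheme from matching an allowed entry.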