Allow "ws" and "wss" for isValidCorsOrigin checks

Issue: SPR-12956
This commit is contained in:
Rossen Stoyanchev
2015-05-03 10:23:13 +02:00
parent 222f6998e4
commit 68ecb92d1f
7 changed files with 117 additions and 148 deletions

View File

@@ -317,6 +317,29 @@ public class UriComponentsBuilder implements Cloneable {
}
/**
* Create an instance by parsing the "origin" header of an HTTP request.
*/
public static UriComponentsBuilder fromOriginHeader(String origin) {
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
if (StringUtils.hasText(origin)) {
int schemaIdx = origin.indexOf("://");
String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
builder.scheme(schema);
String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
if (hostString.contains(":")) {
String[] hostAndPort = StringUtils.split(hostString, ":");
builder.host(hostAndPort[0]);
builder.port(Integer.parseInt(hostAndPort[1]));
}
else {
builder.host(hostString);
}
}
return builder;
}
// build methods
/**

View File

@@ -23,6 +23,7 @@ import java.util.Enumeration;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.TreeMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
@@ -38,6 +39,7 @@ import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpRequest;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
@@ -790,21 +792,10 @@ public abstract class WebUtils {
if (origin == null || allowedOrigins.contains("*")) {
return true;
}
else if (allowedOrigins.isEmpty()) {
UriComponents originComponents;
try {
originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
}
catch (IllegalArgumentException ex) {
if (logger.isWarnEnabled()) {
logger.warn("Failed to parse Origin header value [" + origin + "]");
}
return false;
}
UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
int originPort = getPort(originComponents);
int requestPort = getPort(requestComponents);
return (originComponents.getHost().equals(requestComponents.getHost()) && originPort == requestPort);
else if (CollectionUtils.isEmpty(allowedOrigins)) {
UriComponents actualUrl = UriComponentsBuilder.fromHttpRequest(request).build();
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (actualUrl.getHost().equals(originUrl.getHost()) && getPort(actualUrl) == getPort(originUrl));
}
else {
return allowedOrigins.contains(origin);
@@ -814,10 +805,10 @@ public abstract class WebUtils {
private static int getPort(UriComponents component) {
int port = component.getPort();
if (port == -1) {
if ("http".equals(component.getScheme())) {
if ("http".equals(component.getScheme()) || "ws".equals(component.getScheme())) {
port = 80;
}
else if ("https".equals(component.getScheme())) {
else if ("https".equals(component.getScheme()) || "wss".equals(component.getScheme())) {
port = 443;
}
}