OriginCheckFilter: check Referrer header for GET requests

83ed6a53 · Matija Obreza · 75c22943 · 83ed6a53
Commit 83ed6a53 authored Feb 14, 2019 by Matija Obreza
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

security/src/main/java/org/genesys/blocks/security/component/OAuthClientOriginCheckFilter.java ...ocks/security/component/OAuthClientOriginCheckFilter.java +21 -5

No files found.
--- a/security/src/main/java/org/genesys/blocks/security/component/OAuthClientOriginCheckFilter.java
+++ b/security/src/main/java/org/genesys/blocks/security/component/OAuthClientOriginCheckFilter.java
@@ -16,6 +16,7 @@
 package org.genesys.blocks.security.component;

 import java.io.IOException;
+import java.util.Collections;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -76,32 +77,47 @@ public class OAuthClientOriginCheckFilter extends OncePerRequestFilter {
 	}

 	private boolean checkValidOrigin(HttpServletRequest request, OAuth2Authentication authAuth) {
+		if (logger.isTraceEnabled()) {
+			logger.trace(request.getRequestURI());
+			for (String headerName : Collections.list(request.getHeaderNames())) {
+				logger.trace(">> " + headerName + ": " + request.getHeader(headerName));
+			}
+		}
 		String reqOrigin = request.getHeader("Origin");
+		String reqReferrer = request.getHeader("Referer"); // GET requests don't carry Origin?

 		if (authAuth.getOAuth2Request() != null) {
+			boolean isGet = request.getMethod().equalsIgnoreCase("get");
 			String clientId = authAuth.getOAuth2Request().getClientId();
-
+			
 			try {
 				Set<String> allowedOrigins = clientOriginsCache.get(clientId);
 				
 				if (!allowedOrigins.isEmpty()) {
-					if (reqOrigin == null) {
+					if (reqOrigin == null && reqReferrer == null) {
 						if (logger.isInfoEnabled()) {
-							logger.info("No origin header in request. Denying.");
+							logger.info("No origin/referrer header in request. Denying.");
 						}
 						return false;
 					}
 					for (String allowedOrigin : allowedOrigins) {
-						if (reqOrigin.startsWith(allowedOrigin)) {
+						if (reqOrigin != null && reqOrigin.startsWith(allowedOrigin)) {
 							if (logger.isDebugEnabled()) {
 								logger.debug("Origin match: " + reqOrigin + " startsWith " + allowedOrigin);
 							}
 							return true;
 						}
+
+						if (isGet && reqReferrer != null && reqReferrer.startsWith(allowedOrigin)) {
+							if (logger.isDebugEnabled()) {
+								logger.debug("Referrer match: " + reqReferrer + " startsWith " + allowedOrigin);
+							}
+							return true;
+						}
 					}
 					// No declared origins match
 					if (logger.isInfoEnabled()) {
-						logger.info("No origin match: " + reqOrigin + " in " + allowedOrigins.toString());
+						logger.info("No origin/referrer match: " + reqOrigin + "/" + reqReferrer + " in " + allowedOrigins.toString());
 					}
 					return false;
 				}