Commit 83ed6a53 authored by Matija Obreza

OriginCheckFilter: check Referrer header for GET requests

parent 75c22943
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
package org.genesys.blocks.security.component; package org.genesys.blocks.security.component;
import java.io.IOException; import java.io.IOException;
import java.util.Collections;
import java.util.Set; import java.util.Set;
import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
...@@ -76,32 +77,47 @@ public class OAuthClientOriginCheckFilter extends OncePerRequestFilter { ...@@ -76,32 +77,47 @@ public class OAuthClientOriginCheckFilter extends OncePerRequestFilter {
} }
private boolean checkValidOrigin(HttpServletRequest request, OAuth2Authentication authAuth) { private boolean checkValidOrigin(HttpServletRequest request, OAuth2Authentication authAuth) {
if (logger.isTraceEnabled()) {
logger.trace(request.getRequestURI());
for (String headerName : Collections.list(request.getHeaderNames())) {
logger.trace(">> " + headerName + ": " + request.getHeader(headerName));
}
}
String reqOrigin = request.getHeader("Origin"); String reqOrigin = request.getHeader("Origin");
String reqReferrer = request.getHeader("Referer"); // GET requests don't carry Origin?
if (authAuth.getOAuth2Request() != null) { if (authAuth.getOAuth2Request() != null) {
boolean isGet = request.getMethod().equalsIgnoreCase("get");
String clientId = authAuth.getOAuth2Request().getClientId(); String clientId = authAuth.getOAuth2Request().getClientId();
try { try {
Set<String> allowedOrigins = clientOriginsCache.get(clientId); Set<String> allowedOrigins = clientOriginsCache.get(clientId);
if (!allowedOrigins.isEmpty()) { if (!allowedOrigins.isEmpty()) {
if (reqOrigin == null) { if (reqOrigin == null && reqReferrer == null) {
if (logger.isInfoEnabled()) { if (logger.isInfoEnabled()) {
logger.info("No origin header in request. Denying."); logger.info("No origin/referrer header in request. Denying.");
} }
return false; return false;
} }
for (String allowedOrigin : allowedOrigins) { for (String allowedOrigin : allowedOrigins) {
if (reqOrigin.startsWith(allowedOrigin)) { if (reqOrigin != null && reqOrigin.startsWith(allowedOrigin)) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Origin match: " + reqOrigin + " startsWith " + allowedOrigin); logger.debug("Origin match: " + reqOrigin + " startsWith " + allowedOrigin);
} }
return true; return true;
} }
if (isGet && reqReferrer != null && reqReferrer.startsWith(allowedOrigin)) {
if (logger.isDebugEnabled()) {
logger.debug("Referrer match: " + reqReferrer + " startsWith " + allowedOrigin);
}
return true;
}
} }
// No declared origins match // No declared origins match
if (logger.isInfoEnabled()) { if (logger.isInfoEnabled()) {
logger.info("No origin match: " + reqOrigin + " in " + allowedOrigins.toString()); logger.info("No origin/referrer match: " + reqOrigin + "/" + reqReferrer + " in " + allowedOrigins.toString());
} }
return false; return false;
} }
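Review bot: The new Referer branch `if (isGet && reqReferrer != null && reqReferrer.startsWith(allowedOrigin))` repeats the prefix-only comparison already used for Origin, so an allowed origin of `https://app.example.org` (constructed value) is also satisfied by a Referer of `https://app.example.org.attacker.example/` or `https://app.example.organic/`; since a Referer also carries a path, the check should extract scheme plus authority and compare that to the allowed origin exactly, or at minimum require a delimiter, e.g. `reqReferrer.equals(allowedOrigin) || reqReferrer.startsWith(allowedOrigin + "/")` (and the same for the Origin line), depending on how allowed origins are stored. The fallback is correctly limited to GET via `isGet`, but a Referer can be omitted or truncated by Referrer-Policy and is supplied by the client, so a comment such as `// Referer is a weaker signal than Origin: only consulted for GET, where browsers send no Origin` would make the trust level explicit. The info-level message `logger.info("No origin/referrer match: " + reqOrigin + "/" + reqReferrer + " in " + allowedOrigins.toString())` and the trace loop that prints every request header can write full Referer URLs (including query strings) and headers such as Authorization or Cookie into the log; logging only the origin part of the Referer and redacting credential-bearing headers in the trace loop would avoid that. The body of checkValidOrigin continues past the hunk.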