Change SockJS and Websocket default allowedOrigins to same origin

This commit adds support for a same origin check that compares
Origin header to Host header. It also changes the default setting
from all origins allowed to only same origin allowed.

Issues: SPR-12697, SPR-12685
(cherry picked from commit 6062e15)

Author: sdeleuze

spring-web/src/main/java/org/springframework/web/util/WebUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.util.Enumeration;
+import java.util.List;
 import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.TreeMap;
@@ -32,6 +33,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.springframework.http.server.ServerHttpRequest;
 import org.springframework.util.Assert;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -43,6 +45,7 @@
  *
  * @author Rod Johnson
  * @author Juergen Hoeller
+ * @author Sebastien Deleuze
  */
 public abstract class WebUtils {
 
@@ -765,4 +768,47 @@ public static MultiValueMap<String, String> parseMatrixVariables(String matrixVa
 		}
 		return result;
 	}
+
+	/**
+	 * Check the given request origin against a list of allowed origins.
+	 * A list containing "*" means that all origins are allowed.
+	 * An empty list means only same origin is allowed.
+	 *
+	 * @return true if the request origin is valid, false otherwise
+	 * @since 4.1.5
+	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
+	 */
+	public static boolean isValidOrigin(ServerHttpRequest request, List<String> allowedOrigins) {
+		Assert.notNull(request, "Request must not be null");
+		Assert.notNull(allowedOrigins, "Allowed origins must not be null");
+
+		String origin = request.getHeaders().getOrigin();
+		if (origin == null || allowedOrigins.contains("*")) {
+			return true;
+		}
+		else if (allowedOrigins.isEmpty()) {
+			UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+			UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
+			int originPort = getPort(originComponents);
+			int requestPort = getPort(requestComponents);
+			return originComponents.getHost().equals(requestComponents.getHost()) && (originPort == requestPort);
+		}
+		else {
+			return allowedOrigins.contains(origin);
+		}
+	}
+
+	private static int getPort(UriComponents component) {
+		int port = component.getPort();
+		if (port == -1) {
+			if ("http".equals(component.getScheme())) {
+				port = 80;
+			}
+			else if ("https".equals(component.getScheme())) {
+				port = 443;
+			}
+		}
+		return port;
+	}
+
 }

spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,12 +16,18 @@
 
 package org.springframework.web.util;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.junit.Test;
 
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.mock.web.test.MockHttpServletRequest;
 import org.springframework.util.MultiValueMap;
 
 import static org.junit.Assert.*;
@@ -30,6 +36,7 @@
  * @author Juergen Hoeller
  * @author Arjen Poutsma
  * @author Rossen Stoyanchev
+ * @author Sebastien Deleuze
  */
 public class WebUtilsTests {
 
@@ -98,4 +105,57 @@ public void parseMatrixVariablesString() {
 		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
 	}
 
+	@Test
+	public void isValidOrigin() {
+		List<String> allowedOrigins = new ArrayList<>();
+		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
+
+		servletRequest.setServerName("mydomain1.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com:80");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		servletRequest.setServerPort(443);
+		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		servletRequest.setServerPort(443);
+		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com:443");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		servletRequest.setServerPort(123);
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com:123");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
+		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		servletRequest.setServerName("mydomain1.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
+		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		allowedOrigins = Arrays.asList("*");
+		servletRequest.setServerName("mydomain1.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		allowedOrigins = Arrays.asList("http://mydomain1.com");
+		servletRequest.setServerName("mydomain2.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com");
+		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
+
+		allowedOrigins = Arrays.asList("http://mydomain1.com");
+		servletRequest.setServerName("mydomain2.com");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain3.com");
+		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+	}
+
 }

spring-websocket/src/main/java/org/springframework/web/socket/config/HandlersBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -83,11 +83,7 @@ public BeanDefinition parse(Element element, ParserContext context) {
 			ManagedList<? super Object> interceptors = WebSocketNamespaceUtils.parseBeanSubElements(interceptorsElement, context);
 			String allowedOriginsAttribute = element.getAttribute("allowed-origins");
 			List<String> allowedOrigins = Arrays.asList(StringUtils.tokenizeToStringArray(allowedOriginsAttribute, ","));
-			if (!allowedOrigins.isEmpty()) {
-				OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-				interceptor.setAllowedOrigins(allowedOrigins);
-				interceptors.add(interceptor);
-			}
+			interceptors.add(new OriginHandshakeInterceptor(allowedOrigins));
 			strategy = new WebSocketHandlerMappingStrategy(handshakeHandler, interceptors);
 		}
 

spring-websocket/src/main/java/org/springframework/web/socket/config/MessageBrokerBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -288,11 +288,7 @@ private RuntimeBeanReference registerRequestHandler(Element element, RuntimeBean
 			ManagedList<? super Object> interceptors = WebSocketNamespaceUtils.parseBeanSubElements(interceptorsElement, context);
 			String allowedOriginsAttribute = element.getAttribute("allowed-origins");
 			List<String> allowedOrigins = Arrays.asList(StringUtils.tokenizeToStringArray(allowedOriginsAttribute, ","));
-			if (!allowedOrigins.isEmpty()) {
-				OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-				interceptor.setAllowedOrigins(allowedOrigins);
-				interceptors.add(interceptor);
-			}
+			interceptors.add(new OriginHandshakeInterceptor(allowedOrigins));
 			ConstructorArgumentValues cavs = new ConstructorArgumentValues();
 			cavs.addIndexedArgumentValue(0, subProtoHandler);
 			if (handshakeHandler != null) {

spring-websocket/src/main/java/org/springframework/web/socket/config/WebSocketNamespaceUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -105,12 +105,8 @@ else if (handshakeHandler != null) {
 			ManagedList<? super Object> interceptors = WebSocketNamespaceUtils.parseBeanSubElements(interceptorsElement, context);
 			String allowedOriginsAttribute = element.getAttribute("allowed-origins");
 			List<String> allowedOrigins = Arrays.asList(StringUtils.tokenizeToStringArray(allowedOriginsAttribute, ","));
-			if (!allowedOrigins.isEmpty()) {
-				sockJsServiceDef.getPropertyValues().add("allowedOrigins", allowedOrigins);
-				OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-				interceptor.setAllowedOrigins(allowedOrigins);
-				interceptors.add(interceptor);
-			}
+			sockJsServiceDef.getPropertyValues().add("allowedOrigins", allowedOrigins);
+			interceptors.add(new OriginHandshakeInterceptor(allowedOrigins));
 			sockJsServiceDef.getPropertyValues().add("handshakeInterceptors", interceptors);
 
 			String attrValue = sockJsElement.getAttribute("name");

spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/AbstractWebSocketHandlerRegistration.java

@@ -88,11 +88,10 @@ public WebSocketHandlerRegistration addInterceptors(HandshakeInterceptor... inte
 	}
 
 	@Override
-	public WebSocketHandlerRegistration setAllowedOrigins(String... origins) {
-		Assert.notEmpty(origins, "No allowed origin specified");
+	public WebSocketHandlerRegistration setAllowedOrigins(String... allowedOrigins) {
 		this.allowedOrigins.clear();
-		if (!ObjectUtils.isEmpty(origins)) {
-			this.allowedOrigins.addAll(Arrays.asList(origins));
+		if (!ObjectUtils.isEmpty(allowedOrigins)) {
+			this.allowedOrigins.addAll(Arrays.asList(allowedOrigins));
 		}
 		return this;
 	}
@@ -117,11 +116,7 @@ public SockJsServiceRegistration withSockJS() {
 	protected HandshakeInterceptor[] getInterceptors() {
 		List<HandshakeInterceptor> interceptors = new ArrayList<HandshakeInterceptor>();
 		interceptors.addAll(this.interceptors);
-		if (!this.allowedOrigins.isEmpty()) {
-			OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-			interceptor.setAllowedOrigins(this.allowedOrigins);
-			interceptors.add(interceptor);
-		}
+		interceptors.add(new OriginHandshakeInterceptor(this.allowedOrigins));
 		return interceptors.toArray(new HandshakeInterceptor[interceptors.size()]);
 	}
 

spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/SockJsServiceRegistration.java

@@ -206,6 +206,17 @@ public SockJsServiceRegistration setInterceptors(HandshakeInterceptor... interce
 		return this;
 	}
 
+	/**
+	 * @since 4.1.2
+	 */
+	protected SockJsServiceRegistration setAllowedOrigins(String... allowedOrigins) {
+		this.allowedOrigins.clear();
+		if (!ObjectUtils.isEmpty(allowedOrigins)) {
+			this.allowedOrigins.addAll(Arrays.asList(allowedOrigins));
+		}
+		return this;
+	}
+
 	/**
 	 * This option can be used to disable automatic addition of CORS headers for
 	 * SockJS requests.
@@ -229,17 +240,6 @@ public SockJsServiceRegistration setMessageCodec(SockJsMessageCodec codec) {
 		return this;
 	}
 
-	/**
-	 * @since 4.1.2
-	 */
-	protected SockJsServiceRegistration setAllowedOrigins(String... origins) {
-		this.allowedOrigins.clear();
-		if (!ObjectUtils.isEmpty(origins)) {
-			this.allowedOrigins.addAll(Arrays.asList(origins));
-		}
-		return this;
-	}
-
 	protected SockJsService getSockJsService() {
 		TransportHandlingSockJsService service = createSockJsService();
 		service.setHandshakeInterceptors(this.interceptors);
@@ -264,12 +264,12 @@ protected SockJsService getSockJsService() {
 		if (this.webSocketEnabled != null) {
 			service.setWebSocketEnabled(this.webSocketEnabled);
 		}
+		if (this.allowedOrigins != null) {
+			service.setAllowedOrigins(this.allowedOrigins);
+		}
 		if (this.suppressCors != null) {
 			service.setSuppressCors(this.suppressCors);
 		}
-		if (!this.allowedOrigins.isEmpty()) {
-			service.setAllowedOrigins(this.allowedOrigins);
-		}
 		if (this.messageCodec != null) {
 			service.setMessageCodec(this.messageCodec);
 		}

spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/StompWebSocketEndpointRegistration.java

@@ -52,8 +52,8 @@ public interface StompWebSocketEndpointRegistration {
 	 * As a consequence, IE 6 to 9 are not supported when origins are restricted.
 	 *
 	 * <p>Each provided allowed origin must start by "http://", "https://" or be "*"
-	 * (means that all origins are allowed). Empty allowed origin list is not supported.
-	 * By default, all origins are allowed.
+	 * (means that all origins are allowed). By default, only same origin requests are
+	 * allowed (empty list).
 	 *
 	 * @since 4.1.2
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>

spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebMvcStompWebSocketEndpointRegistration.java

@@ -85,10 +85,11 @@ public StompWebSocketEndpointRegistration addInterceptors(HandshakeInterceptor..
 	}
 
 	@Override
-	public StompWebSocketEndpointRegistration setAllowedOrigins(String... origins) {
-		Assert.notEmpty(origins, "No allowed origin specified");
+	public StompWebSocketEndpointRegistration setAllowedOrigins(String... allowedOrigins) {
 		this.allowedOrigins.clear();
-		this.allowedOrigins.addAll(Arrays.asList(origins));
+		if (!ObjectUtils.isEmpty(allowedOrigins)) {
+			this.allowedOrigins.addAll(Arrays.asList(allowedOrigins));
+		}
 		return this;
 	}
 
@@ -112,11 +113,7 @@ public SockJsServiceRegistration withSockJS() {
 	protected HandshakeInterceptor[] getInterceptors() {
 		List<HandshakeInterceptor> interceptors = new ArrayList<HandshakeInterceptor>();
 		interceptors.addAll(this.interceptors);
-		if (!this.allowedOrigins.isEmpty()) {
-			OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-			interceptor.setAllowedOrigins(this.allowedOrigins);
-			interceptors.add(interceptor);
-		}
+		interceptors.add(new OriginHandshakeInterceptor(this.allowedOrigins));
 		return interceptors.toArray(new HandshakeInterceptor[interceptors.size()]);
 	}
 

spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebSocketHandlerRegistration.java

@@ -54,8 +54,8 @@ public interface WebSocketHandlerRegistration {
 	 * As a consequence, IE 6 to 9 are not supported when origins are restricted.
 	 *
 	 * <p>Each provided allowed origin must start by "http://", "https://" or be "*"
-	 * (means that all origins are allowed). Empty allowed origin list is not supported.
-	 * By default, all origins are allowed.
+	 * (means that all origins are allowed). By default, only same origin requests are
+	 * allowed (empty list).
 	 *
 	 * @since 4.1.2
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>