Adding port check for Referer header
effrafax committed Jan 30, 2017
1 parent 95f1b3e commit e9bc4818844bf684e4fd16e3a5adc99fe9eb9f96
Showing 2 changed files with 11 additions and 6 deletions.
@@ -161,6 +161,7 @@ private int getPort(final URL url) {
private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletRequest request) {
boolean headerFound=false;
String origin = request.getHeader(ORIGIN);
int targetPort = getPort(targetUrl);
if (origin!=null) {
try {
URL originUrl = new URL(origin);
@@ -175,7 +176,6 @@ private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletR
return false;
}
int originPort = getPort(originUrl);
int targetPort = getPort(targetUrl);
if (targetPort != originPort) {
log.warn("Origin Header Port does not match originUrl={}, targetUrl={}",originUrl,targetUrl);
return false;
@@ -195,6 +195,11 @@ private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletR
log.warn("Referer Header Host does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
return false;
}
int refererPort = getPort(refererUrl);
if (targetPort != refererPort) {
log.warn("Referer Header Port does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
return false;
}
} catch (MalformedURLException ex) {
log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage());
return false;
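Review bot: The new Referer port comparison at `if (targetPort != refererPort)` is only correct if `getPort` substitutes the scheme default when the Referer carries no explicit port (`http://host/path`); `getPort` is not visible in this diff, so the assumption should be stated next to the check, e.g. `// getPort() is expected to return the scheme default (80/443) when no port is given, so an implicit-port Referer still matches`. The same reliance applies to the Origin branch in the second hunk, where `targetPort` is now hoisted to the top of the method. Consider also logging the parsed `refererPort` and `targetPort` values in the warn message, since the two URLs alone do not show what `getPort` derived from them. The enclosing method `checkSourceRequestHeader` begins before and ends after this hunk.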
@@ -158,6 +158,7 @@ public void stopServer()

protected UserService getUserService()
{

return getUserService( null );
}

@@ -175,7 +176,7 @@ protected UserService getUserService( String authzHeader )
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client(service).header("Referer","http://localhost");
WebClient.client(service).header("Referer","http://localhost:"+port);
WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );

@@ -197,8 +198,7 @@ protected RoleManagementService getRoleManagementService( String authzHeader )
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");

WebClient.client(service).header("Referer","http://localhost:"+port);

WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -219,7 +219,7 @@ protected LoginService getLoginService( String authzHeader )
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");
WebClient.client(service).header("Referer","http://localhost:"+port);

WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -242,7 +242,7 @@ protected LdapGroupMappingService getLdapGroupMappingService( String authzHeader
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");
WebClient.client(service).header("Referer","http://localhost:"+port);

WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
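Review bot: Every Referer fixture here is switched to `"http://localhost:"+port`, the value that satisfies the new port check, but as far as this diff shows nothing exercises the rejecting path (a Referer with a different or absent port against the running server). A single test sending `"http://localhost:"+(port+1)` and expecting the request to be refused would pin the behaviour the first file adds. The helper methods `getUserService`, `getRoleManagementService`, `getLoginService` and `getLdapGroupMappingService` all start or end outside their hunks.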
