Same Origin check in both AbstractSockJSService and OriginHandshakeInterceptor is not working with Tyrus client [SPR-12956] #17548

Closed
spring-issuemaster opened this issue Apr 26, 2015 · 4 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
commented Apr 26, 2015

Rostislav Georgiev Georgiev opened SPR-12956 and commented

The Same Origin check in both AbstractSockJSService and OriginHandshakeInterceptor delegates the check to WebUtils.isValidOrigin(). In this method a UriComponentsBuilder.fromHttpUrl(origin) is used, but if the Origin header is set to only "host:port", which is the case with the Tyrus client, an exception is thrown and validation is "false". So the only option is to configure the server with "*".
Here is a snippet from Tyrus' client Handshake.java class:

    // Tyrus 1.10 Handshake.java: derives the Host and Origin headers from the request URI.
    // Note that the Origin value is the bare "host[:port]"; no scheme is prepended.
    public static void updateHostAndOrigin(final UpgradeRequest upgradeRequest) {
        URI requestUri = upgradeRequest.getRequestURI();

        String host = requestUri.getHost();
        int port = requestUri.getPort();
        // Append the port only when it is explicit and not the default for the scheme
        if (upgradeRequest.isSecure()) {
            if (port != 443 && port != -1) {
                host += ":" + port;
            }
        } else {
            if (port != 80 && port != -1) {
                host += ":" + port;
            }
        }

        Map<String, List<String>> requestHeaders = upgradeRequest.getHeaders();
        requestHeaders.put(UpgradeRequest.HOST, Collections.singletonList(host));
        // Same value is reused for Origin, so the scheme is missing from the header
        requestHeaders.put(UpgradeRequest.ORIGIN_HEADER, Collections.singletonList(host));
    }

Maybe it's a bug in the Tyrus implementation, which is not appending the scheme. The Tyrus version used is 1.10.

In addition, some .NET libraries specify the request's scheme as part of the Origin value, which leads to an Origin value like "ws://host:port" or "wss://host:port", which again fails the validation.


Affects: 4.1.6

Referenced from: commits b44044e, 68ecb92

@spring-issuemaster


commented May 4, 2015

Rossen Stoyanchev commented

It definitely seems like a bug in Tyrus. The Web Origin spec clearly talks about why including the scheme is essential (see here). That said, I've made a change to fall back on "http" if the scheme is missing. That allows working around client behavior without opening https. I've also ensured that same origin checks work with "ws" and "wss", and that CORS configuration does not prevent setting allowed origins with "ws" and "wss".

Sébastien Deleuze, could you take a look at the change before I backport to 4.1.7? See commit 68ecb9.
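To make the behaviour discussed in this thread concrete, the following is an added example of a same-origin check written for this page. It is not Spring's WebUtils.isValidOrigin() and not the code from the referenced commits. It accepts the three Origin shapes raised above: a bare "host:port" (scheme missing, as Tyrus 1.10 sends it, treated as "http"), "ws://host:port" (compared as "http") and "wss://host:port" (compared as "https"), and it rejects anything that still cannot be parsed or does not match the request's own scheme, host and effective port or a configured allowed origin. The class name OriginCheckExample, the ws/wss-to-http/https mapping, the handling of an absent Origin header and the sample request URL and Origin values in main() are all assumptions constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Locale;

// Added example: an Origin check that tolerates the Origin shapes raised in this issue.
// Not Spring's WebUtils.isValidOrigin(); names and policy choices are this example's own.
public final class OriginCheckExample {

    /** Normalised scheme, lower-cased host and effective port of an Origin or request URL. */
    static final class Endpoint {
        final String scheme;
        final String host;
        final int port;

        Endpoint(String scheme, String host, int port) {
            this.scheme = scheme;
            this.host = host;
            this.port = port;
        }

        boolean sameAs(Endpoint other) {
            return scheme.equals(other.scheme) && host.equals(other.host) && port == other.port;
        }
    }

    /**
     * Parses "host[:port]", "http(s)://host[:port]" or "ws(s)://host[:port]".
     * Returns null for anything that is not one of those shapes.
     */
    static Endpoint parse(String value) {
        String v = value.trim();
        // Fallback for clients such as Tyrus 1.10 that send a bare "host:port". Without it,
        // java.net.URI would read "localhost:8080" as scheme "localhost", so assume http.
        if (!v.contains("://")) {
            v = "http://" + v;
        }
        URI uri;
        try {
            uri = new URI(v);
        } catch (URISyntaxException e) {
            return null; // unparseable Origin is rejected by the caller
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        // WebSocket schemes are compared as their HTTP equivalents (this example's assumption).
        if (scheme.equals("ws")) {
            scheme = "http";
        } else if (scheme.equals("wss")) {
            scheme = "https";
        }
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;
        }
        int port = uri.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80; // default port when none is given
        }
        return new Endpoint(scheme, host.toLowerCase(Locale.ROOT), port);
    }

    /**
     * True when no Origin was sent (treated as same-origin, a choice made for this example),
     * when "*" is configured, when the Origin matches the request's own scheme/host/port, or
     * when it matches one of the configured allowed origins. An unparseable Origin is rejected.
     */
    public static boolean isValidOrigin(String requestUrl, String origin, Collection<String> allowedOrigins) {
        if (origin == null || origin.isEmpty()) {
            return true;
        }
        if (allowedOrigins.contains("*")) {
            return true;
        }
        Endpoint o = parse(origin);
        if (o == null) {
            return false;
        }
        Endpoint request = parse(requestUrl);
        if (request != null && request.sameAs(o)) {
            return true;
        }
        for (String allowed : allowedOrigins) {
            Endpoint a = parse(allowed);
            if (a != null && a.sameAs(o)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String requestUrl = "http://localhost:8080/sockjs/info";              // constructed
        Collection<String> allowed = Arrays.asList("https://app.example.com"); // constructed
        String[] origins = {
            "localhost:8080",          // Tyrus 1.10 style: no scheme -> http fallback -> same origin
            "ws://localhost:8080",     // .NET style: ws compared as http -> same origin
            "wss://app.example.com",   // wss compared as https -> matches the allowed list
            "http://other.example",    // neither same origin nor allowed -> rejected
            "localhost:9090"           // wrong port -> rejected
        };
        for (String origin : origins) {
            System.out.printf("%-24s -> %s%n", origin, isValidOrigin(requestUrl, origin, allowed));
        }
    }
}
```

The order of checks matters: the scheme fallback runs before parsing so that "host:port" is never read as an opaque URI with scheme "host", and the ws/wss mapping runs after parsing so that the configured allowed origins can be written with either the WebSocket or the HTTP scheme and still compare equal. Defaulting a missing port to 80 or 443 mirrors the port-stripping the Tyrus snippet in the first post does on the client side, so "wss://app.example.com" and "https://app.example.com:443" compare as the same endpoint.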

@spring-issuemaster


commented May 4, 2015

Sébastien Deleuze commented

From my POV, these changes perfectly make sense and everything seems ok with the https://github.com/sdeleuze/spring-origin-test sample application.

@spring-issuemaster


commented May 4, 2015

Rossen Stoyanchev commented

Thanks, this is now also backported to 4.1.x.

Rostislav Georgiev Georgiev it would be great if you could retry your case.

@spring-issuemaster


commented May 6, 2015

Rostislav Georgiev Georgiev commented

Verified it with the Tyrus client, works like a charm. Didn't test it with "wss" as the protocol in the Origin header, but looking at the change it should work too.
Thanks for fixing it.
