Description
Rostislav Georgiev Georgiev opened SPR-12956 and commented
Same Origin check in both AbstractSockJSService and OriginHandshakeInterceptor is delegating the check to WebUtils.isValidOrigin(). In this method a UriComponentsBuilder.fromHttpUrl(origin) is used, but if the origin header is set to only "host:port", which is the case with Tyrus client, an exception is thrown and validation is "false". So the only option is to configure the server with "*".
Here is a snippet from Tyrus' client Handshake.java class:
```java
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.glassfish.tyrus.spi.UpgradeRequest;

// Builds the Host and Origin headers from the request URI. Note that the
// Origin value is the bare "host" or "host:port" with no scheme prepended.
public static void updateHostAndOrigin(final UpgradeRequest upgradeRequest) {
    URI requestUri = upgradeRequest.getRequestURI();
    String host = requestUri.getHost();
    int port = requestUri.getPort();
    // The port is appended only when it is not the default for the scheme.
    if (upgradeRequest.isSecure()) {
        if (port != 443 && port != -1) {
            host += ":" + port;
        }
    } else {
        if (port != 80 && port != -1) {
            host += ":" + port;
        }
    }
    Map<String, List<String>> requestHeaders = upgradeRequest.getHeaders();
    requestHeaders.put(UpgradeRequest.HOST, Collections.singletonList(host));
    // Same scheme-less value is reused for Origin.
    requestHeaders.put(UpgradeRequest.ORIGIN_HEADER, Collections.singletonList(host));
}
```
Maybe it's a bug in the Tyrus implementation, which is not appending the scheme. The Tyrus version used is 1.10.
In addition, some .NET libraries are specifying the request's scheme as part of the Origin value, which leads to an Origin value like "ws://host:port" or "wss://host:port", which again fails the validation.
Affects: 4.1.6
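As an added example (not Spring's WebUtils.isValidOrigin and not Tyrus code), a hypothetical server-side allowlist check that tolerates the three Origin shapes named in this report: a scheme-less "host:port", a "ws://" or "wss://" origin, and an ordinary "http://" origin. The class name and the allowlist contents are assumptions; each value is reduced to the host:port forms it could denote before comparing against the allowlist.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical allowlist check; not Spring's implementation. */
public final class OriginAllowlist {
    private OriginAllowlist() {}

    /** All "host:port" forms an Origin value could denote; empty if the value is malformed. */
    static Set<String> candidateHostPorts(String origin) {
        if (origin == null || origin.trim().isEmpty()) return Collections.emptySet();
        String value = origin.trim();
        boolean hasScheme = value.contains("://");
        URI uri;
        try {
            // Scheme-less "host:port" (Tyrus 1.10) would parse "host" as a scheme, so prefix a placeholder.
            uri = new URI(hasScheme ? value : "placeholder://" + value);
        } catch (URISyntaxException e) {
            return Collections.emptySet();
        }
        String host = uri.getHost();
        String path = uri.getRawPath();
        boolean extra = uri.getUserInfo() != null || uri.getRawQuery() != null || uri.getRawFragment() != null
                || (path != null && !path.isEmpty() && !"/".equals(path));
        if (host == null || extra) return Collections.emptySet(); // an Origin carries no path, query or userinfo
        host = host.toLowerCase(Locale.ROOT);
        Set<String> out = new HashSet<>();
        if (uri.getPort() != -1) { out.add(host + ":" + uri.getPort()); return out; }
        String scheme = hasScheme ? uri.getScheme().toLowerCase(Locale.ROOT) : "";
        // Without a port, the default is known only when the scheme is present.
        if (scheme.equals("http") || scheme.equals("ws")) out.add(host + ":80");
        else if (scheme.equals("https") || scheme.equals("wss")) out.add(host + ":443");
        else if (scheme.isEmpty()) { out.add(host + ":80"); out.add(host + ":443"); } // bare "host" is ambiguous
        return out; // any other scheme yields no candidate and is rejected
    }

    /** True if any candidate form matches. Scheme-less origins cannot distinguish http from https. */
    static boolean isAllowed(String origin, Set<String> allowedHostPorts) {
        for (String hp : candidateHostPorts(origin)) if (allowedHostPorts.contains(hp)) return true;
        return false;
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("app.example:8080", "app.example:443")); // constructed
        for (String o : new String[] {"app.example:8080", "wss://app.example", "http://app.example:8080", "app.example:8080/../x"})
            System.out.println(o + " -> " + isAllowed(o, allowed));
    }
}
```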