Author: markt Date: Wed Feb 8 08:54:07 2012 New Revision: 1241822 URL: http://svn.apache.org/viewvc?rev=1241822&view=rev Log: Provide a hook to check the origin. Based on a patch by Johno Crawford.
Modified: tomcat/trunk/java/org/apache/catalina/websocket/WebSocketServlet.java
Modified: tomcat/trunk/java/org/apache/catalina/websocket/WebSocketServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/websocket/WebSocketServlet.java?rev=1241822&r1=1241821&r2=1241822&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/websocket/WebSocketServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/websocket/WebSocketServlet.java Wed Feb 8 08:54:07 2012
@@ -90,8 +90,13 @@ public abstract class WebSocketServlet e
 return;
 }

- // TODO Read client handshake - Origin
- // Sec-WebSocket-Protocol
+ String origin = req.getHeader("Origin");
+ if (!verifyOrigin(origin)) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
+ // TODO Read client handshake - Sec-WebSocket-Protocol
 // Sec-WebSocket-Extensions

 // TODO Extensions require the ability to specify something (API TBD)
@@ -143,5 +148,20 @@ public abstract class WebSocketServlet e
 }
 }

+ /**
+ * Intended to be overridden by sub-classes that wish to verify the origin
+ * of a WebSocket request before processing it.
+ *
+ * @param origin The value of the origin header from the request which
+ * may be <code>null</code>
+ *
+ * @return <code>true</code> to accept the request. <code>false</code> to
+ * reject it. This default implementation always returns
+ * <code>true</code>.
+ */
+ protected boolean verifyOrigin(String origin) {
+ return true;
+ }
+
 protected abstract StreamInbound createWebSocketInbound();
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
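Review bot: The default `verifyOrigin` added in the second hunk returns true for every value, including a null header, so the new `if (!verifyOrigin(origin))` check in the first hunk rejects nothing unless a subclass overrides it, and a reader of the handshake code would otherwise take the `SC_FORBIDDEN` path for a live control. A comment at the call site such as `// verifyOrigin() accepts every origin (including null, which non-browser clients may send) unless a subclass overrides it; cross-origin handshakes are not restricted by default` would make that explicit. The Javadoc in the second hunk could add that an override should compare the complete scheme, host and port of the origin against an allow-list rather than a substring, and decide explicitly whether a missing origin is accepted. The enclosing handshake method begins before the first hunk, so earlier validation that may already apply is not visible here.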