On 22/02/2019 13:16, Johan Compagner wrote:
> https://docs.oracle.com/javaee/7/api/javax/websocket/server/ServerEndpointConfig.Configurator.html#checkOrigin-java.lang.String-
>
> First it says
>
> "The platform default implementation of this method makes a check of the
> validity of the Origin header sent along with the opening handshake
> following the recommendation at: Sending the Server's Opening Handshake
> <http://tools.ietf.org/html/rfc6455#section-4.2>."
>
> As far as we can test, the websocket is always allowed. So what does Tomcat
> do?

Nothing.

> I see the default implementation does just
> getContainerDefaultConfigurator
> https://github.com/eclipse-ee4j/websocket-api/blob/master/api/server/src/main/java/javax/websocket/server/ServerEndpointConfig.java#L155
>
> and what is the default configurator?

That is the Jakarta EE (i.e. old Oracle) implementation of the WebSocket
API. Tomcat has its own API implementation. For 9.0.x it can be found at:

https://svn.apache.org/viewvc/tomcat/trunk/java/javax/websocket/

Tomcat's default configurator for 9.0.x is:

https://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java?view=annotate

which, as you can see, allows any origin.

I don't see how the default implementation can do anything else since I
don't see how Tomcat can know (as per section 10.2 of RFC 6455) whether
the endpoint is "not intended to process input from any web page but only
for certain sites". To me, that is clearly something that belongs at the
application level.

> Also what I find weird about that message, but I guess nothing Tomcat can
> really do about it, is the single param that you get.
> What if we always want to allow if the origin and the host itself are the
> same?
> But we only get the origin. So we have to have a configured list? Problem
> is that that is not so easy to do because our application can be deployed
> under many different domains by our customers.
>
> So I guess we can test it in the modifyHandshake, but what should we do if
> we test the host and the origin? Should we then throw an exception?

An alternative approach is to configure the WebSocket endpoints
programmatically in a ServletContextListener. You can then get the host
name via ServletContext#getVirtualServerName() and create a custom
Configurator with the appropriate filtering.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
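One way to implement the approach Mark describes, as an added example that is not code from this thread or from Tomcat: a ServletContextListener registers the endpoint programmatically with a Configurator whose checkOrigin accepts only an Origin whose host equals ServletContext#getVirtualServerName(). The endpoint class ChatEndpoint, the path "/chat" and the decision to reject a handshake that carries no Origin header are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.websocket.DeploymentException;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;

@WebListener
public class WebSocketInitializer implements ServletContextListener {

    /** Accepts the handshake only when the Origin header's host is in the allowed set. */
    static final class SameHostConfigurator extends ServerEndpointConfig.Configurator {
        private final Set<String> allowedHosts;
        SameHostConfigurator(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

        @Override
        public boolean checkOrigin(String originHeaderValue) {
            // Assumption: a handshake without an Origin header is rejected outright.
            if (originHeaderValue == null || originHeaderValue.isEmpty()) return false;
            try {
                // Origin is scheme://host[:port]; "null" and other host-less values give null here.
                String host = new URI(originHeaderValue).getHost();
                return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
            } catch (URISyntaxException e) {
                return false;
            }
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The host name Tomcat serves this context under (Servlet 3.1+).
        String host = sce.getServletContext().getVirtualServerName().toLowerCase(Locale.ROOT);
        ServerContainer container = (ServerContainer)
                sce.getServletContext().getAttribute("javax.websocket.server.ServerContainer");
        // ChatEndpoint is a hypothetical javax.websocket.Endpoint subclass of the application.
        ServerEndpointConfig config = ServerEndpointConfig.Builder.create(ChatEndpoint.class, "/chat")
                .configurator(new SameHostConfigurator(Collections.singleton(host))).build();
        try {
            container.addEndpoint(config);
        } catch (DeploymentException e) {
            throw new IllegalStateException("Could not register WebSocket endpoint", e);
        }
    }
}
```

When checkOrigin returns false Tomcat answers the handshake with 403, so any host aliases that browsers actually use must be added to the allowed set; contextDestroyed is left to its Servlet 4.0 default, which Tomcat 9.0.x provides.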