Allow "ws" and "wss" for isValidCorsOrigin checks

Issue: SPR-12956

Author: rstoyanchev

spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java

@@ -317,6 +317,29 @@ public static UriComponentsBuilder fromHttpRequest(HttpRequest request) {
 	}
 
 
+	/**
+	 * Create an instance by parsing the "origin" header of an HTTP request.
+	 */
+	public static UriComponentsBuilder fromOriginHeader(String origin) {
+		UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
+		if (StringUtils.hasText(origin)) {
+			int schemaIdx = origin.indexOf("://");
+			String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
+			builder.scheme(schema);
+			String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
+			if (hostString.contains(":")) {
+				String[] hostAndPort = StringUtils.split(hostString, ":");
+				builder.host(hostAndPort[0]);
+				builder.port(Integer.parseInt(hostAndPort[1]));
+			}
+			else {
+				builder.host(hostString);
+			}
+		}
+		return builder;
+	}
+
+
 	// build methods
 
 	/**

spring-web/src/main/java/org/springframework/web/util/WebUtils.java

@@ -23,6 +23,7 @@
 import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.TreeMap;
+
 import javax.servlet.ServletContext;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletRequestWrapper;
@@ -38,6 +39,7 @@
 
 import org.springframework.http.HttpRequest;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
@@ -790,21 +792,10 @@ public static boolean isValidOrigin(HttpRequest request, Collection<String> allo
 		if (origin == null || allowedOrigins.contains("*")) {
 			return true;
 		}
-		else if (allowedOrigins.isEmpty()) {
-			UriComponents originComponents;
-			try {
-				originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
-			}
-			catch (IllegalArgumentException ex) {
-				if (logger.isWarnEnabled()) {
-					logger.warn("Failed to parse Origin header value [" + origin + "]");
-				}
-				return false;
-			}
-			UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
-			int originPort = getPort(originComponents);
-			int requestPort = getPort(requestComponents);
-			return (originComponents.getHost().equals(requestComponents.getHost()) && originPort == requestPort);
+		else if (CollectionUtils.isEmpty(allowedOrigins)) {
+			UriComponents actualUrl = UriComponentsBuilder.fromHttpRequest(request).build();
+			UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
+			return (actualUrl.getHost().equals(originUrl.getHost()) && getPort(actualUrl) == getPort(originUrl));
 		}
 		else {
 			return allowedOrigins.contains(origin);
@@ -814,10 +805,10 @@ else if (allowedOrigins.isEmpty()) {
 	private static int getPort(UriComponents component) {
 		int port = component.getPort();
 		if (port == -1) {
-			if ("http".equals(component.getScheme())) {
+			if ("http".equals(component.getScheme()) || "ws".equals(component.getScheme())) {
 				port = 80;
 			}
-			else if ("https".equals(component.getScheme())) {
+			else if ("https".equals(component.getScheme()) || "wss".equals(component.getScheme())) {
 				port = 443;
 			}
 		}

spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

@@ -16,8 +16,8 @@
 
 package org.springframework.web.util;
 
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -106,60 +106,45 @@ public void parseMatrixVariablesString() {
 	}
 
 	@Test
-	public void isValidOrigin() {
-		List<String> allowedOrigins = new ArrayList<>();
+	public void isValidOriginSuccess() {
+
+		List<String> allowed = Collections.emptyList();
+		assertTrue(checkOrigin("mydomain1.com", -1, "http://mydomain1.com", allowed));
+		assertTrue(checkOrigin("mydomain1.com", -1, "http://mydomain1.com:80", allowed));
+		assertTrue(checkOrigin("mydomain1.com", 443, "https://mydomain1.com", allowed));
+		assertTrue(checkOrigin("mydomain1.com", 443, "https://mydomain1.com:443", allowed));
+		assertTrue(checkOrigin("mydomain1.com", 123, "http://mydomain1.com:123", allowed));
+		assertTrue(checkOrigin("mydomain1.com", -1, "ws://mydomain1.com", allowed));
+		assertTrue(checkOrigin("mydomain1.com", 443, "wss://mydomain1.com", allowed));
+
+		allowed = Collections.singletonList("*");
+		assertTrue(checkOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));
+
+		allowed = Collections.singletonList("http://mydomain1.com");
+		assertTrue(checkOrigin("mydomain2.com", -1, "http://mydomain1.com", allowed));
+	}
+
+	@Test
+	public void isValidOriginFailure() {
+
+		List<String> allowed = Collections.emptyList();
+		assertFalse(checkOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));
+		assertFalse(checkOrigin("mydomain1.com", -1, "https://mydomain1.com", allowed));
+		assertFalse(checkOrigin("mydomain1.com", -1, "invalid-origin", allowed));
+
+		allowed = Collections.singletonList("http://mydomain1.com");
+		assertFalse(checkOrigin("mydomain2.com", -1, "http://mydomain3.com", allowed));
+	}
+
+	private boolean checkOrigin(String serverName, int port, String originHeader, List<String> allowed) {
 		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
 		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
-
-		servletRequest.setServerName("mydomain1.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com:80");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		servletRequest.setServerPort(443);
-		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		servletRequest.setServerPort(443);
-		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com:443");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		servletRequest.setServerPort(123);
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com:123");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
-		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("mydomain1.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
-		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		servletRequest.setServerName("invalid-origin");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
-		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		allowedOrigins = Arrays.asList("*");
-		servletRequest.setServerName("mydomain1.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		allowedOrigins = Arrays.asList("http://mydomain1.com");
-		servletRequest.setServerName("mydomain2.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain1.com");
-		assertTrue(WebUtils.isValidOrigin(request, allowedOrigins));
-
-		allowedOrigins = Arrays.asList("http://mydomain1.com");
-		servletRequest.setServerName("mydomain2.com");
-		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain3.com");
-		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+		servletRequest.setServerName(serverName);
+		if (port != -1) {
+			servletRequest.setServerPort(port);
+		}
+		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
+		return WebUtils.isValidOrigin(request, allowed);
 	}
 
 }

spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java

@@ -65,22 +65,18 @@ public OriginHandshakeInterceptor(Collection<String> allowedOrigins) {
 	}
 
 	/**
-	 * Configure allowed {@code Origin} header values. This check is mostly designed for
-	 * browser clients. There is nothing preventing other types of client to modify the
-	 * {@code Origin} header value.
+	 * Configure allowed {@code Origin} header values. This check is mostly
+	 * designed for browsers. There is nothing preventing other types of client
+	 * to modify the {@code Origin} header value.
 	 *
-	 * <p>Each provided allowed origin must start by "http://", "https://" or be "*"
-	 * (means that all origins are allowed).
+	 * <p>Each provided allowed origin must have a scheme, and optionally a port
+	 * (e.g. "http://example.org", "http://example.org:9090"). An allowed origin
+	 * string may also be "*" in which case all origins are allowed.
 	 *
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 	 */
 	public void setAllowedOrigins(Collection<String> allowedOrigins) {
 		Assert.notNull(allowedOrigins, "Allowed origin Collection must not be null");
-		for (String allowedOrigin : allowedOrigins) {
-			Assert.isTrue(allowedOrigin.equals("*") || allowedOrigin.startsWith("http://") ||
-					allowedOrigin.startsWith("https://"), "Invalid allowed origin provided: \"" +
-					allowedOrigin + "\". It must start with \"http://\", \"https://\" or be \"*\"");
-		}
 		this.allowedOrigins.clear();
 		this.allowedOrigins.addAll(allowedOrigins);
 	}
@@ -93,6 +89,7 @@ public Collection<String> getAllowedOrigins() {
 		return Collections.unmodifiableList(this.allowedOrigins);
 	}
 
+
 	@Override
 	public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
 			WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {

spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java

@@ -276,31 +276,25 @@ public boolean isWebSocketEnabled() {
 	}
 
 	/**
-	 * Configure allowed {@code Origin} header values. This check is mostly designed for
-	 * browser clients. There is nothing preventing other types of client to modify the
-	 * {@code Origin} header value.
+	 * Configure allowed {@code Origin} header values. This check is mostly
+	 * designed for browsers. There is nothing preventing other types of client
+	 * to modify the {@code Origin} header value.
 	 *
-	 * <p>When SockJS is enabled and origins are restricted, transport types that do not
-	 * allow to check request origin (JSONP and Iframe based transports) are disabled.
-	 * As a consequence, IE 6 to 9 are not supported when origins are restricted.
+	 * <p>When SockJS is enabled and origins are restricted, transport types
+	 * that do not allow to check request origin (JSONP and Iframe based
+	 * transports) are disabled. As a consequence, IE 6 to 9 are not supported
+	 * when origins are restricted.
 	 *
-	 * <p>Each provided allowed origin must start by "http://", "https://" or be "*"
-	 * (means that all origins are allowed).
+	 * <p>Each provided allowed origin must have a scheme, and optionally a port
+	 * (e.g. "http://example.org", "http://example.org:9090"). An allowed origin
+	 * string may also be "*" in which case all origins are allowed.
 	 *
 	 * @since 4.1.2
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 	 * @see <a href="https://github.com/sockjs/sockjs-client#supported-transports-by-browser-html-served-from-http-or-https">SockJS supported transports by browser</a>
 	 */
 	public void setAllowedOrigins(List<String> allowedOrigins) {
 		Assert.notNull(allowedOrigins, "Allowed origin List must not be null");
-		for (String allowedOrigin : allowedOrigins) {
-			Assert.isTrue(
-					allowedOrigin.equals("*") || allowedOrigin.startsWith("http://") ||
-							allowedOrigin.startsWith("https://"),
-					"Invalid allowed origin provided: \"" +
-							allowedOrigin +
-							"\". It must start with \"http://\", \"https://\" or be \"*\"");
-		}
 		this.allowedOrigins.clear();
 		this.allowedOrigins.addAll(allowedOrigins);
 	}
@@ -451,7 +445,9 @@ protected abstract void handleRawWebSocketRequest(ServerHttpRequest request,
 	protected abstract void handleTransportRequest(ServerHttpRequest request, ServerHttpResponse response,
 			WebSocketHandler webSocketHandler, String sessionId, String transport) throws SockJsException;
 
-	protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response, HttpMethod... httpMethods) throws IOException {
+	protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response,
+			HttpMethod... httpMethods) throws IOException {
+
 		String origin = request.getHeaders().getOrigin();
 
 		if (origin == null) {
@@ -514,7 +510,8 @@ public void handle(ServerHttpRequest request, ServerHttpResponse response) throw
 				addNoCacheHeaders(response);
 				if (checkOrigin(request, response)) {
 					response.getHeaders().setContentType(new MediaType("application", "json", UTF8_CHARSET));
-					String content = String.format(INFO_CONTENT, random.nextInt(), isSessionCookieNeeded(), isWebSocketEnabled());
+					String content = String.format(INFO_CONTENT, random.nextInt(),
+							isSessionCookieNeeded(), isWebSocketEnabled());
 					response.getBody().write(content.getBytes());
 				}
 

spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java

@@ -17,7 +17,9 @@
 package org.springframework.web.socket.server.support;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentSkipListSet;
@@ -39,31 +41,17 @@
 public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
 
 	@Test(expected = IllegalArgumentException.class)
-	public void nullAllowedOriginList() {
+	public void invalidInput() {
 		new OriginHandshakeInterceptor(null);
 	}
 
-	@Test(expected = IllegalArgumentException.class)
-	public void invalidAllowedOrigin() {
-		new OriginHandshakeInterceptor(Arrays.asList("domain.com"));
-	}
-
-	@Test
-	public void emtpyAllowedOriginList() {
-		new OriginHandshakeInterceptor(Arrays.asList());
-	}
-
-	@Test
-	public void validAllowedOrigins() {
-		new OriginHandshakeInterceptor(Arrays.asList("http://domain.com", "https://domain.com", "*"));
-	}
-
 	@Test
 	public void originValueMatch() throws Exception {
 		Map<String, Object> attributes = new HashMap<String, Object>();
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com"));
+		List<String> allowed = Collections.singletonList("http://mydomain1.com");
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
 		assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -73,7 +61,8 @@ public void originValueNoMatch() throws Exception {
 		Map<String, Object> attributes = new HashMap<String, Object>();
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain2.com"));
+		List<String> allowed = Collections.singletonList("http://mydomain2.com");
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
 		assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -83,7 +72,8 @@ public void originListMatch() throws Exception {
 		Map<String, Object> attributes = new HashMap<String, Object>();
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
+		List<String> allowed = Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com");
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
 		assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -93,7 +83,8 @@ public void originListNoMatch() throws Exception {
 		Map<String, Object> attributes = new HashMap<String, Object>();
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain4.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
+		List<String> allowed = Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com");
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
 		assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -117,7 +108,7 @@ public void originMatchAll() throws Exception {
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
 		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
-		interceptor.setAllowedOrigins(Arrays.asList("*"));
+		interceptor.setAllowedOrigins(Collections.singletonList("*"));
 		assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -128,7 +119,7 @@ public void sameOriginMatch() throws Exception {
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
 		this.servletRequest.setServerName("mydomain2.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList());
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
 		assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}
@@ -139,7 +130,7 @@ public void sameOriginNoMatch() throws Exception {
 		WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
 		this.servletRequest.setServerName("mydomain2.com");
-		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList());
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
 		assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
 		assertEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
 	}