

First merge
amontenegro committed Nov 15, 2024
1 parent 6250a3d commit 4be510b
Showing 5 changed files with 79 additions and 28 deletions.
@@ -1,13 +1,16 @@
package org.orcid.core.web.filters;

import java.io.IOException;
import java.net.URISyntaxException;

import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.filter.OncePerRequestFilter;

/**
Expand All @@ -18,6 +21,8 @@

public class CorsFilter extends OncePerRequestFilter {

private static Log log = LogFactory.getLog(CorsFilter.class);

@Resource
CrossDomainWebManger crossDomainWebManger;

Expand All @@ -28,11 +33,23 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
if(crossDomainWebManger.allowed(request)) {
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,x-csrf-token");
}else{
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type, Accept");
}

boolean allowCrossDomain = false;

try {
allowCrossDomain = crossDomainWebManger.allowed(request);
} catch (URISyntaxException e) {
String origin = request.getHeader("origin");
String referer = request.getHeader("referer");
log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
// Lets log the exception and assume cross domain call was rejected
}

if(allowCrossDomain) {
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,x-csrf-token");
} else {
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type, Accept");
}
}
filterChain.doFilter(request, response);
}
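Review bot: When `allowCrossDomain` is false — including the new `URISyntaxException` path — the preflight branch still emits `Access-Control-Allow-Methods` (set at L44 before the check) and an `Access-Control-Allow-Headers` list (L65) that differs from the allowed one only by `x-csrf-token`, so a rejected origin receives an almost complete preflight answer. This is only safe because no `Access-Control-Allow-Origin` is written here, an implicit dependency on the other CORS filter; either move the `Access-Control-Allow-Methods` line inside `if (allowCrossDomain)` and drop the `else`, or, if the reduced header list is intentional, add `// denied or same-site preflight: no Allow-Origin is set, so the browser still blocks cross-origin use` above it. The catch block also interpolates the raw, client-supplied `origin` and `referer` values into an error-level log line; a malformed header is enough to write attacker-chosen text (including CR/LF) into the error log, so log at `warn` and strip control characters from both values first. `doFilterInternal`'s signature is in the hunk header, outside the hunk.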
@@ -1,6 +1,7 @@
package org.orcid.core.web.filters;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

Expand All @@ -10,6 +11,8 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.orcid.core.manager.impl.OrcidUrlManager;
import org.orcid.pojo.ajaxForm.PojoUtil;
import org.springframework.beans.factory.annotation.Value;
Expand All @@ -21,24 +24,34 @@

public class CorsFilterWeb extends OncePerRequestFilter {

private static Log log = LogFactory.getLog(CorsFilterWeb.class);

@Resource
CrossDomainWebManger crossDomainWebManger;

@Value("${org.orcid.core.baseUri}")
@Value("${org.orcid.core.web.filters}")
private String baseUri;

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
if (crossDomainWebManger.allowed(request)) {
String origin = request.getHeader("origin");
response.addHeader("Access-Control-Allow-Origin", origin);
response.addHeader("Access-Control-Allow-Credentials", "true");

if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
try {
if (crossDomainWebManger.allowed(request)) {
String origin = request.getHeader("origin");
response.addHeader("Access-Control-Allow-Origin", origin);
response.addHeader("Access-Control-Allow-Credentials", "true");

if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token,x-xsrf-token");
return;
}
}
} catch (URISyntaxException e) {
String origin = request.getHeader("origin");
String referer = request.getHeader("referer");
log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
throw new ServletException("Unable to process your request due an invalid URI exception", e);
}

filterChain.doFilter(request, response);
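Review bot: A malformed `Referer` or `Origin` is now rethrown as a `ServletException` (L130), which the container typically turns into a 500, while the identical condition in `CorsFilter` and the JSONP filter is logged and treated as "not allowed"; both headers are client-controlled, so this makes any malformed header a free way to produce 5xx responses and error-level log entries, and the filters disagree on what a bad header means. Treating it like the siblings — log, then fall through to `filterChain.doFilter(request, response)` without adding any CORS headers — keeps behaviour consistent and removes the cheap error generator; the raw header values should also have CR/LF stripped before they are concatenated into the log message. Separately, the `@Value` key for `baseUri` appears to change from `${org.orcid.core.baseUri}` to `${org.orcid.core.web.filters}` (L98-L99); that looks like an accidental edit, and unless a property of that name exists the placeholder will fail to resolve at startup, so please confirm it was intended.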
@@ -1,6 +1,8 @@
package org.orcid.core.web.filters;

import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
Expand All @@ -24,7 +26,7 @@ public class CrossDomainWebManger {

private List<String> domainsRegex;

public boolean allowed(HttpServletRequest request) throws MalformedURLException {
public boolean allowed(HttpServletRequest request) throws URISyntaxException {
String path = OrcidUrlManager.getPathWithoutContextPath(request);

// Check origin header
Expand All @@ -35,9 +37,10 @@ public boolean allowed(HttpServletRequest request) throws MalformedURLException
}
} else {
// Check referer header for localhost
if (!PojoUtil.isEmpty(request.getHeader("referer"))) {
URL netUrl = new URL(request.getHeader("referer"));
String domain = netUrl.getHost();
String referer = request.getHeader("referer");
if (!PojoUtil.isEmpty(referer)) {
URI uri = new URI(request.getHeader("referer"));
String domain = uri.getHost();
if (LOCALHOST.equals(domain)) {
return true;
}
Expand All @@ -52,9 +55,9 @@ public boolean allowed(HttpServletRequest request) throws MalformedURLException
return false;
}

public boolean validateDomain(String url) throws MalformedURLException {
URL netUrl = new URL(url);
String domain = netUrl.getHost();
public boolean validateDomain(String url) throws URISyntaxException {
URI uri = new URI(url);
String domain = uri.getHost();
for (String allowedDomain : getAllowedDomainsRegex()) {
if (domain.matches(allowedDomain)) {
return true;
Expand All @@ -76,8 +79,7 @@ private List<String> getAllowedDomainsRegex() {
}

private String transformPatternIntoRegex(String domainPattern) {
String result = domainPattern.replace(".", "\\.");
return result;
return domainPattern.replace(".", "\\.");
}

public boolean validatePath(String path) {
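Review bot: `uri.getHost()` returns null for values without an authority — including the literal `Origin: null` that browsers send for sandboxed frames and cross-origin redirects — and `validateDomain` then dereferences it at `domain.matches(allowedDomain)`, an NPE that the new `catch (URISyntaxException e)` blocks in the filters do not intercept, so the graceful-rejection path this commit adds is bypassed by exactly the inputs it is meant to handle. `new URI(...)` is also more lenient than the `new URL(...)` it replaces (relative references and unknown schemes parse without error), so the null-host case is more reachable than before. A guard `if (domain == null) { return false; }` before the loop closes it; the referer branch in `allowed` is already null-safe through `LOCALHOST.equals(domain)`, but its collapsed origin branch should get the same check if it hands the header to `validateDomain`. Minor: L163 re-reads `request.getHeader("referer")` instead of using the `referer` local introduced just above it. `validateDomain` continues past the end of the `@@ -52,9 +55,9` hunk.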
Expand Up @@ -2,6 +2,7 @@

import java.io.IOException;
import java.io.OutputStream;
import java.net.URISyntaxException;
import java.util.Map;

import javax.annotation.Resource;
Expand Down Expand Up @@ -40,7 +41,19 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
Map<String, String[]> parms = httpRequest.getParameterMap();

if (parms.containsKey("callback")) {
if(crossDomainWebManger.allowed(request)) {

boolean allowCrossDomain = false;

try {
allowCrossDomain = crossDomainWebManger.allowed(request);
} catch (URISyntaxException e) {
String origin = request.getHeader("origin");
String referer = request.getHeader("referer");
log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
// Lets log the exception and assume this was rejected so it is not considered a JSONP call
}

if(allowCrossDomain) {
if (log.isDebugEnabled())
log.debug("Wrapping response with JSONP callback '" + parms.get("callback")[0] + "'");

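Review bot: The catch block (L211-L215) writes the unmodified client-supplied `Origin` and `Referer` values into an error-level log line, so a single request with a malformed header lets a client place arbitrary text — including CR/LF sequences that forge extra log records — into the error log, and repeated requests flood it at `error` severity. Log this at `warn` and sanitize both values first, e.g. `log.warn("Invalid Origin/Referer header: origin='" + stripCrlf(origin) + "' referer='" + stripCrlf(referer) + "'", e);` with a small helper that removes `\r`/`\n` and caps the length. This try/catch is now pasted into three filters with slightly different outcomes; a single `CrossDomainWebManger` method that returns `false` on `URISyntaxException` (and logs once) would keep them in agreement. The enclosing `doFilterInternal` starts before this hunk and the JSONP wrapping continues after it; the `callback` value is only logged here, so its validation before being echoed into the response is not visible in this diff.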
Expand Up @@ -2,8 +2,9 @@

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import java.net.MalformedURLException;
import java.net.URISyntaxException;

import javax.annotation.Resource;

Expand Down Expand Up @@ -33,7 +34,7 @@ public class CrossDomainWebMangerTest {
"/userStatus.jsonwhatever/test","/userStatus.json/whatever","/userStatus.jsonwhatever","/userStatus.jsonwhatever/test"};

@Test
public void testDomains() throws MalformedURLException {
public void testDomains() throws URISyntaxException {
for(String allowed : allowedDomains) {
assertTrue("testing: " + allowed, crossDomainWebManger.validateDomain(allowed));
}
Expand All @@ -44,7 +45,7 @@ public void testDomains() throws MalformedURLException {
}

@Test
public void testPaths() throws MalformedURLException {
public void testPaths() throws URISyntaxException {
for(String allowed : allowedPaths) {
assertTrue("testing: " + allowed, crossDomainWebManger.validatePath(allowed));
}
Expand All @@ -53,4 +54,9 @@ public void testPaths() throws MalformedURLException {
assertFalse("Testing: " + forbidden, crossDomainWebManger.validatePath(forbidden));
}
}

@Test
public void failTest() {
fail();
}
}
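Review bot: `failTest` (L258-L261) calls `fail()` unconditionally, so this test class — and any build that runs it — fails on every execution; it reads like a leftover probe and should be removed together with the `fail` static import, or replaced by a test of the behaviour this commit introduces. A worthwhile replacement would pin the new parsing path, e.g. `assertFalse(crossDomainWebManger.validateDomain("null"));` (the value browsers send as `Origin` for sandboxed frames — `new URI("null")` parses but has no host) and one asserting that a value such as `"http://exa mple.com"` throws `URISyntaxException`, so the exception handling added in the filters is exercised rather than only declared. If the first of those assertions currently NPEs inside `validateDomain`, that is a finding, not a test bug.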
