GitHub user Fogetti opened a pull request:
https://github.com/apache/wicket/pull/110
Build/wicket 7.0.0 m5
This pull request introduces a few new things in
wicket-native-websocket-core. The basic idea is to prevent hijacking the
websocket connections when the request arrives from an invalid origin. The
valid origin domains can be configured by the new WebSocketSettings or can be
completely turned off if protection is not necessary.
New classes:
```java
ConnectionRejectedException
IWebSocketConnectionFilter
WebSocketConnectionOriginFilter
WebSocketAbortedPayload
AbortedMessage
WebSocketTesterProcessorTest
```
New websocket settings:
```java
isHijackingProtectionEnabled
getAllowedDomains
```
And finally new methods on `WebSocketBehavior` and `WebSocketResource`:
```java
onAbort()
```
The easiest way to understand what's going on is to run the test class:
```java
WebSocketTesterProcessorTest
```
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Fogetti/wicket build/wicket-7.0.0-M5
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/wicket/pull/110.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #110
----
commit f2f83b14371f518fff71a7b18d6f292df8de0221
Author: admin <[email protected]>
Date: 2015-03-18T11:26:33Z
Cross-Site WebSocket Hijacking protection added
commit c50b5b1fb9069c5500a5d31d435d36fe4f0b7481
Author: admin <[email protected]>
Date: 2015-03-19T01:39:06Z
WebsocketSettings extended with allowedDomains
commit dd56f50a53ff0322e120033fbcf0826da47d84e6
Author: admin <[email protected]>
Date: 2015-03-18T11:26:33Z
Cross-Site WebSocket Hijacking protection added
commit f58fe52c4bf706e45bd7c6aec2e073a04107ff00
Author: admin <[email protected]>
Date: 2015-03-19T01:39:06Z
WebsocketSettings extended with allowedDomains
commit 7e913c4f70d8ec7d21958cde0c969985d98f0ee2
Author: admin <[email protected]>
Date: 2015-03-19T02:38:19Z
Hijacking protection flag added to websocket settings
commit 0860d0b4c897c4deb48b6a3b1a9ac1ad92123b9a
Author: admin <[email protected]>
Date: 2015-03-19T04:42:27Z
WebSocketBehavior and WebSocketResource got new methods called
onAbort(). New broadcast message type: AbortedMessage introduced. New
payload type: WebSocketAbortedPayload introduced.
AbstractWebSocketProcessor closes connection when protection check
fails.
commit de0b7d8188b1cdea7c416098a44f58ac8fc20685
Author: admin <[email protected]>
Date: 2015-03-19T05:04:25Z
Merge branch 'wicket-7.0.0-M5-hijacking-protection' into
build/wicket-7.0.0-M5
Conflicts:
wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/WebSocketSettings.java
wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/AbstractWebSocketProcessor.java
wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/ConnectionRejectedException.java
wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/IWebSocketConnectionFilter.java
wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketConnectionOriginFilter.java
wicket-native-websocket/wicket-native-websocket-core/src/test/java/org/apache/wicket/protocol/ws/util/tester/WebSocketTesterProcessorTest.java
----
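The origin check this pull request describes can be sketched as an exact-match allow-list. This is an added example, not code from the pull request or from Wicket: the class `OriginAllowListDemo` and its methods are hypothetical, it uses only the JDK (Java 9+), and it assumes that a missing or repeated `Origin` header is rejected while protection is enabled.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

/** Hypothetical stand-alone allow-list check; not the PR's WebSocketConnectionOriginFilter. */
public class OriginAllowListDemo {
    private final boolean protectionEnabled;
    private final Set<String> allowed = new HashSet<>();

    OriginAllowListDemo(boolean protectionEnabled, List<String> allowedOrigins) {
        this.protectionEnabled = protectionEnabled;
        for (String o : allowedOrigins) {
            String n = normalize(o);
            if (n == null) throw new IllegalArgumentException("bad allowed origin: " + o);
            allowed.add(n);
        }
    }

    /** Reduce an origin to scheme://host:port so the comparison is exact, never substring based. */
    static String normalize(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // e.g. the literal "null"
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort() != -1 ? u.getPort() : scheme.equals("https") ? 443 : 80;
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Decide from the Origin header values of the WebSocket upgrade request. */
    boolean accept(List<String> originHeaders) {
        if (!protectionEnabled) return true;
        if (originHeaders == null || originHeaders.size() != 1) return false; // missing or ambiguous
        String n = normalize(originHeaders.get(0));
        return n != null && allowed.contains(n);
    }

    public static void main(String[] args) {
        OriginAllowListDemo f = new OriginAllowListDemo(true, List.of("https://app.example.com"));
        // Constructed sample Origin values, not taken from the pull request.
        for (String s : new String[] {"https://app.example.com", "https://APP.example.com:443",
                "https://app.example.com.evil.test", "http://app.example.com", "null"})
            System.out.println(s + " -> " + f.accept(List.of(s)));
        System.out.println("(no Origin header) -> " + f.accept(List.of()));
    }
}
```

Comparing the normalized scheme, host and port as a whole is what keeps a look-alike host such as `app.example.com.evil.test` from passing a prefix or substring test.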