GitHub user Fogetti opened a pull request:

    https://github.com/apache/wicket/pull/113

    Cross-Site Websocket Hijacking Protection

    This pull request is to replace my previous attempt:
    https://github.com/apache/wicket/pull/112
    
    Now I rebased my changes in my feature branch to master without formatting.
    
    This pull request introduces a few new things in wicket-native-websocket-core.
    The basic idea is to prevent hijacking the websocket connections when the
    request arrives from an invalid origin. The valid origin domains can be
    configured by the new websocketsettings or can be completely turned off if
    protection is not necessary.
    
    New classes:
    ```java
    ConnectionRejectedException
    IWebSocketConnectionFilter
    WebSocketConnectionOriginFilter
    WebSocketAbortedPayload
    AbortedMessage
    WebSocketTesterProcessorTest
    ```
    
    New websocket settings:
    ```java
    isHijackingProtectionEnabled
    getAllowedDomains
    ```
    
    And finally new methods on `WebSocketBehavior` and `WebSocketResource`:
    ```java
    onAbort()
    ```
    
    The easiest way to understand what's going on is to run the test class:
    ```java
    WebSocketTesterProcessorTest
    ```

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Fogetti/wicket master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/wicket/pull/113.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #113
    
----
commit 11b5ae00786287d7635d82ddf7c0c2570f8ae9d7
Author: admin <[email protected]>
Date:   2015-03-20T08:18:56Z

    Cross-Site WebSocket Hijacking protection added. WebsocketSettings
    extended with allowedDomains. Hijacking protection flag added to
    websocket settings. WebSocketBehavior and WebSocketResource got new
    methods called onAbort(). New broadcast message type: AbortedMessage
    introduced. New payload type: WebSocketAbortedPayload introduced.
    AbstractWebSocketProcessor closes connection when protection check
    fails. WebSocketTesterProcessorTest fixed and cleaned up

----
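The Origin check that the description and commit message outline, shown as an added illustration that is not the pull request's code and does not use Wicket's API: a stand-alone Java class (hypothetical name OriginAllowListFilter; its constructor arguments stand in for the new isHijackingProtectionEnabled and getAllowedDomains settings) that normalizes the Origin header, compares it exactly against the allow-list, and reports why a handshake should be aborted.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/** Hypothetical stand-alone origin filter for illustration; not Wicket's own class. */
public final class OriginAllowListFilter {
    private final boolean protectionEnabled;   // stands in for isHijackingProtectionEnabled
    private final List<String> allowedOrigins; // stands in for getAllowedDomains, e.g. "https://app.example.com"

    public OriginAllowListFilter(boolean protectionEnabled, List<String> allowedOrigins) {
        this.protectionEnabled = protectionEnabled;
        this.allowedOrigins = allowedOrigins;
    }

    /** Returns null when the upgrade may proceed, otherwise the reason the connection is aborted. */
    public String rejectReason(String originHeader) {
        if (!protectionEnabled) return null; // protection switched off via settings: every origin is accepted
        // Browsers always send Origin on a WebSocket upgrade; "null" denotes an opaque origin.
        if (originHeader == null || originHeader.isEmpty() || "null".equals(originHeader)) {
            return "missing or opaque Origin header";
        }
        String origin = normalize(originHeader);
        if (origin == null) return "unparseable Origin header";
        for (String allowed : allowedOrigins) {
            if (origin.equals(normalize(allowed))) { // exact match, never startsWith/contains
                return null;
            }
        }
        return "Origin " + originHeader + " is not an allowed domain";
    }

    /** Canonical scheme://host[:port], lower-cased, default ports dropped; null when malformed. */
    static String normalize(String value) {
        try {
            URI u = new URI(value.trim());
            String scheme = u.getScheme(), host = u.getHost();
            if (scheme == null || host == null) return null;
            scheme = scheme.toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean isDefault = port == -1 || ("https".equals(scheme) && port == 443) || ("http".equals(scheme) && port == 80);
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + (isDefault ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

With an allow-list of "https://app.example.com", rejectReason("https://APP.example.com:443") returns null (accepted after normalization) while rejectReason("https://evil.example.net") and rejectReason(null) both return a reason to abort.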