Package org.astrogrid.samp.web

Class CorsHttpServer

  • Direct Known Subclasses:
    LoggingCorsHttpServer
    public class CorsHttpServer
extends HttpServer
    HttpServer which allows or rejects cross-origin access according to the W3C Cross-Origin Resource Sharing standard. This standard is used by XMLHttpResource Level 2 and some other web-based platforms, implemented by a number of modern browsers, and works by the browser inserting and interpreting special headers when cross-origin requests are made by sandboxed clients. The effect is that sandboxed clients will under some circumstances be permitted to access resources served by instances of this server, where they wouldn't for an HTTP server which did not take special measures.
    Since:
    2 Feb 2011
    Author:
    Mark Taylor
    See Also:
    Cross-Origin Resource Sharing W3C Standard

    • Field Detail

      • ALLOW_ORIGIN_KEY

        private static final java.lang.String ALLOW_ORIGIN_KEY
        See Also:
        Constant Field Values

      • REQUEST_METHOD_KEY

        private static final java.lang.String REQUEST_METHOD_KEY
        See Also:
        Constant Field Values

      • ALLOW_METHOD_KEY

        private static final java.lang.String ALLOW_METHOD_KEY
        See Also:
        Constant Field Values

      • ALLOW_HEADERS_KEY

        private static final java.lang.String ALLOW_HEADERS_KEY
        See Also:
        Constant Field Values

      • ORIGIN_REGEX

        private static final java.util.regex.Pattern ORIGIN_REGEX

      • localHostAddress_

        private static final java.net.InetAddress localHostAddress_

      • logger_

        private static final java.util.logging.Logger logger_

      • EXTRAHOSTS_PROP

        public static final java.lang.String EXTRAHOSTS_PROP
        System property ("jsamp.web.extrahosts") which can be used to supply host addresses explicitly permitted to connect via the Web Profile alongside the local host. Normally any non-local host is blocked from access to the CORS web server for security reasons. However, any host specified by hostname or IP number as one element of a comma-separated list in the value of this system property will also be allowed. This might be used to allow access from a "friendly" near-local host like a tablet.
        See Also:
        Constant Field Values

      • extraAddrSet_

        private static final java.util.Set extraAddrSet_
        Set of permitted InetAddrs along side localhost.

    • Constructor Detail

      • CorsHttpServer

        public CorsHttpServer​(java.net.ServerSocket socket,
                      OriginAuthorizer authorizer)
               throws java.io.IOException
        Constructor.
        Parameters:
        socket - socket hosting the service
        authorizer - defines which domains requests will be permitted from
        Throws:
        java.io.IOException

    • Method Detail

      • serve

        public HttpServer.Response serve​(HttpServer.Request request)
        Description copied from class: HttpServer
        Does the work for providing output corresponding to a given HTTP request. This implementation calls each Handler in turn and the first one to provide a non-null response is used.
        Overrides:
        serve in class HttpServer
        Parameters:
        request - represents an HTTP request that has been received
        Returns:
        represents the content of an HTTP response that should be sent

      • serveSimpleOriginRequest

        private HttpServer.Response serveSimpleOriginRequest​(HttpServer.Request request,
                                                     java.lang.String originTxt)
        Does the work for serving simple requests which bear an origin header. Simple requests are effectively ones which do not require pre-flight requests - see the CORS standard for details.
        Parameters:
        request - HTTP request
        originTxt - content of the Origin header
        Returns:
        HTTP response

      • servePreflightOriginRequest

        private HttpServer.Response servePreflightOriginRequest​(HttpServer.Request request,
                                                        java.lang.String originTxt,
                                                        java.lang.String reqMethod)
        Does the work for serving pre-flight requests. See the CORS standard for details.
        Parameters:
        request - HTTP request
        originTxt - content of the Origin header
        reqMethod - content of the Access-Control-Request-Method header
        Returns:
        HTTP response

      • createNonLocalErrorResponse

        public static HttpServer.Response createNonLocalErrorResponse​(HttpServer.Request request)
        Returns an HTTP error response complaining about attempted access from a disallowed host.
        Parameters:
        request - offending request
        Returns:
        HTTP 403 response

      • isAuthorized

        private boolean isAuthorized​(java.lang.String originTxt)
        Determines whether a given origin is permitted access. This is done by interrogating this server's OriginAuthorizer policy. Results are cached.
        Parameters:
        originTxt - content of Origin header

      • isPermittedHost

        public boolean isPermittedHost​(java.net.SocketAddress address)
        Indicates whether a network address is known to represent a host permitted to access this server. That generally means the local host, but "extra" hosts may be permitted as well.
        Parameters:
        address - socket address
        Returns:
        true iff address is known to be permitted

      • isLocalHost

        public static boolean isLocalHost​(java.net.SocketAddress address)
        Indicates whether the given socket address is from the local host.
        Parameters:
        address - socket to test
        Returns:
        true if the socket is known to be local

      • getLocalHostAddress

        private static java.net.InetAddress getLocalHostAddress()
        Returns the inet address of the local host, or null if not available.
        Returns:
        local host address or null

      • getExtraHostAddresses

        private static java.net.InetAddress[] getExtraHostAddresses()
        Acquires and returns a list of permitted non-local hosts from the environment.
        Returns:
        list of addresses for non-local hosts permitted to access CORS web servers in this JVM

      • isExtraHost

        public static boolean isExtraHost​(java.net.SocketAddress addr)
        Indicates whether a given address represents one of the "extra" hosts permitted to access this server alongside the localhost.
        Parameters:
        addr - address of non-local host to test
        Returns:
        true iff host is permitted to access this server

      • checkOriginList

        private static void checkOriginList​(java.lang.String originTxt)
        Checks that the content of an Origin header is syntactically legal.
        Parameters:
        originTxt - content of Origin header
        Throws:
        IllegalArgumentExeption - if originTxt does not represent a legal origin or (non-empty) list of origins