Make WebSocket rejection less violent
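--- a/org.argeo.cms/src/org/argeo/cms/websocket/CmsWebSocketConfigurator.java
+++ b/org.argeo.cms/src/org/argeo/cms/websocket/CmsWebSocketConfigurator.java
@@ -1,5 +1,6 @@
 package org.argeo.cms.websocket;
+import java.util.ArrayList;
 import java.util.List;
 import javax.security.auth.login.LoginContext;
@@ -16,7 +17,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.auth.HttpRequestCallbackHandler;
 import org.argeo.node.NodeConstants;
-public final class CmsWebSocketConfigurator extends Configurator {
+public class CmsWebSocketConfigurator extends Configurator {
 	private final static Log log = LogFactory.getLog(CmsWebSocketConfigurator.class);
 	final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
@@ -62,6 +63,7 @@ public final class CmsWebSocketConfigurator extends Configurator {
 		if (httpSession == null) {
 			rejectResponse(response);
+			return;
 		}
 		try {
 			LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
@@ -72,20 +74,17 @@ public final class CmsWebSocketConfigurator extends Configurator {
 			sec.getUserProperties().put("subject", lc.getSubject());
 		} catch (LoginException e) {
 			rejectResponse(response);
+			return;
 		}
-
-//		List<String> authHeaders = request.getHeaders().get(HEADER_WWW_AUTHENTICATE);
-//		String authHeader;
-//		if (authHeaders != null && authHeaders.size() == 1) {
-//			authHeader = authHeaders.get(0);
-//		} else {
-//			return;
-//		}
 	}
-	private void rejectResponse(HandshakeResponse response) {
+	protected void rejectResponse(HandshakeResponse response) {
+		List<String> lst = new ArrayList<String>();
+		lst.add("no");
+		response.getHeaders().put(HandshakeResponse.SEC_WEBSOCKET_ACCEPT, lst);
+
 		// violent implementation, as suggested in
 		// https://stackoverflow.com/questions/21763829/jsr-356-how-to-abort-a-websocket-connection-during-the-handshake
-		throw new IllegalStateException("Web socket cannot be authenticated");
+		// throw new IllegalStateException("Web socket cannot be authenticated");
 	}
 }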
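Review bot: In the new rejectResponse (last hunk), rejection now relies on the client honouring an invalid Sec-WebSocket-Accept value: the server no longer throws, so the upgrade itself completes and a client that does not validate the accept key keeps an open session with no authenticated subject. The only server-side signal left is that "subject" was never put into sec.getUserProperties(), so every endpoint configured with this class must treat a missing "subject" as unauthenticated and close the session in its open handler, e.g. `if (session.getUserProperties().get("subject") == null) session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "unauthenticated"));`. Since the class and rejectResponse are now open to extension, a Javadoc on rejectResponse stating that overrides must still leave the handshake unusable (or restore the previous exception) would make that contract explicit. modifyHandshake's body starts outside the hunk.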