Commit 420009d9 authored by Daryl Herzmann's avatar Daryl Herzmann Committed by akrherz

Add CORS headers to HTTP-Binding/BOSH OF-342


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@13274 b35dd754-fafc-0310-a699-88a17e54d16e
parent 465ee07d
...@@ -23,6 +23,7 @@ package org.jivesoftware.openfire.http; ...@@ -23,6 +23,7 @@ package org.jivesoftware.openfire.http;
import java.io.File; import java.io.File;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
...@@ -67,6 +68,24 @@ public final class HttpBindManager { ...@@ -67,6 +68,24 @@ public final class HttpBindManager {
public static final String HTTP_BIND_SECURE_PORT = "httpbind.port.secure"; public static final String HTTP_BIND_SECURE_PORT = "httpbind.port.secure";
public static final int HTTP_BIND_SECURE_PORT_DEFAULT = 7443; public static final int HTTP_BIND_SECURE_PORT_DEFAULT = 7443;
// http binding CORS default properties
public static final String HTTP_BIND_CORS_ENABLED = "httpbind.CORS.enabled";
public static final boolean HTTP_BIND_CORS_ENABLED_DEFAULT = true;
public static final String HTTP_BIND_CORS_ALLOW_ORIGIN = "httpbind.CORS.domains";
public static final String HTTP_BIND_CORS_ALLOW_ORIGIN_DEFAULT = "*";
public static final String HTTP_BIND_CORS_ALLOW_METHODS_DEFAULT = "GET, POST, OPTIONS";
public static final String HTTP_BIND_CORS_ALLOW_HEADERS_DEFAULT = "Content-Type";
public static final String HTTP_BIND_CORS_MAX_AGE_DEFAULT = "86400";
public static Map<String, Boolean> HTTP_BIND_ALLOWED_ORIGINS = new HashMap<String, Boolean>();
private static HttpBindManager instance = new HttpBindManager(); private static HttpBindManager instance = new HttpBindManager();
...@@ -85,6 +104,9 @@ public final class HttpBindManager { ...@@ -85,6 +104,9 @@ public final class HttpBindManager {
private ContextHandlerCollection contexts; private ContextHandlerCollection contexts;
// is all orgin allowed flag
private boolean allowAllOrigins;
public static HttpBindManager getInstance() { public static HttpBindManager getInstance() {
return instance; return instance;
} }
...@@ -96,6 +118,9 @@ public final class HttpBindManager { ...@@ -96,6 +118,9 @@ public final class HttpBindManager {
PropertyEventDispatcher.addListener(new HttpServerPropertyListener()); PropertyEventDispatcher.addListener(new HttpServerPropertyListener());
this.httpSessionManager = new HttpSessionManager(); this.httpSessionManager = new HttpSessionManager();
contexts = new ContextHandlerCollection(); contexts = new ContextHandlerCollection();
// setup the cache for the allowed origins
this.setupAllowedOriginsMap();
} }
public void start() { public void start() {
...@@ -242,7 +267,57 @@ public final class HttpBindManager { ...@@ -242,7 +267,57 @@ public final class HttpBindManager {
public String getJavaScriptUrl() { public String getJavaScriptUrl() {
return "http://" + XMPPServer.getInstance().getServerInfo().getXMPPDomain() + ":" + return "http://" + XMPPServer.getInstance().getServerInfo().getXMPPDomain() + ":" +
bindPort + "/scripts/"; bindPort + "/scripts/";
}
// http binding CORS support start
private void setupAllowedOriginsMap() {
String originString = getCORSAllowOrigin();
if (originString.equals(HTTP_BIND_CORS_ALLOW_ORIGIN_DEFAULT)) {
allowAllOrigins = true;
} else {
allowAllOrigins = false;
String[] origins = originString.split(",");
// reset the cache
HTTP_BIND_ALLOWED_ORIGINS.clear();
for (String str : origins) {
HTTP_BIND_ALLOWED_ORIGINS.put(str, true);
}
}
}
public boolean isCORSEnabled() {
return JiveGlobals.getBooleanProperty(HTTP_BIND_CORS_ENABLED, HTTP_BIND_CORS_ENABLED_DEFAULT);
}
public void setCORSEnabled(Boolean value) {
if (value != null)
JiveGlobals.setProperty(HTTP_BIND_CORS_ENABLED, String.valueOf(value));
}
public String getCORSAllowOrigin() {
return JiveGlobals.getProperty(HTTP_BIND_CORS_ALLOW_ORIGIN , HTTP_BIND_CORS_ALLOW_ORIGIN_DEFAULT);
}
public void setCORSAllowOrigin(String origins) {
if (origins == null || origins.trim().isEmpty())
origins = HTTP_BIND_CORS_ALLOW_ORIGIN_DEFAULT;
else {
origins = origins.replaceAll("\\s+", "");
}
JiveGlobals.setProperty(HTTP_BIND_CORS_ALLOW_ORIGIN, origins);
setupAllowedOriginsMap();
}
public boolean isAllOriginsAllowed() {
return allowAllOrigins;
}
public boolean isThisOriginAllowed(String origin) {
return HTTP_BIND_ALLOWED_ORIGINS.get(origin) != null;
} }
// http binding CORS support end
public void setHttpBindEnabled(boolean isEnabled) { public void setHttpBindEnabled(boolean isEnabled) {
JiveGlobals.setProperty(HTTP_BIND_ENABLED, String.valueOf(isEnabled)); JiveGlobals.setProperty(HTTP_BIND_ENABLED, String.valueOf(isEnabled));
......
...@@ -96,6 +96,14 @@ public class HttpBindServlet extends HttpServlet { ...@@ -96,6 +96,14 @@ public class HttpBindServlet extends HttpServlet {
sessionManager.stop(); sessionManager.stop();
} }
@Override
protected void doOptions(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// Use HttpServlet's implementation to add basic headers ('Allow').
super.doOptions(request, response);
addCORSHeaders(request, response);
}
@Override @Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException throws ServletException, IOException
...@@ -178,7 +186,7 @@ public class HttpBindServlet extends HttpServlet { ...@@ -178,7 +186,7 @@ public class HttpBindServlet extends HttpServlet {
} }
synchronized (session) { synchronized (session) {
try { try {
respond(session, response, session.consumeResponse((HttpConnection) request.getAttribute("connection")), respond(session, request, response, session.consumeResponse((HttpConnection) request.getAttribute("connection")),
request.getMethod()); request.getMethod());
} }
catch (HttpBindException e) { catch (HttpBindException e) {
...@@ -198,7 +206,7 @@ public class HttpBindServlet extends HttpServlet { ...@@ -198,7 +206,7 @@ public class HttpBindServlet extends HttpServlet {
try { try {
if ((session.getMajorVersion() == 1 && session.getMinorVersion() >= 6) || if ((session.getMajorVersion() == 1 && session.getMinorVersion() >= 6) ||
session.getMajorVersion() > 1) { session.getMajorVersion() > 1) {
respond(session, response, createErrorBody(bindingError.getErrorType().getType(), respond(session, request, response, createErrorBody(bindingError.getErrorType().getType(),
bindingError.getCondition()), request.getMethod()); bindingError.getCondition()), request.getMethod());
} }
else { else {
...@@ -261,11 +269,11 @@ public class HttpBindServlet extends HttpServlet { ...@@ -261,11 +269,11 @@ public class HttpBindServlet extends HttpServlet {
if ("terminate".equals(type)) { if ("terminate".equals(type)) {
session.close(); session.close();
respond(session, response, createEmptyBody(), request.getMethod()); respond(session, request, response, createEmptyBody(), request.getMethod());
} }
else if ("true".equals(restartStream) && rootNode.elements().size() == 0) { else if ("true".equals(restartStream) && rootNode.elements().size() == 0) {
try { try {
respond(session, response, createSessionRestartResponse(session), request.getMethod()); respond(session, request, response, createSessionRestartResponse(session), request.getMethod());
} }
catch (DocumentException e) { catch (DocumentException e) {
Log.error("Error sending session restart response to client.", e); Log.error("Error sending session restart response to client.", e);
...@@ -273,7 +281,7 @@ public class HttpBindServlet extends HttpServlet { ...@@ -273,7 +281,7 @@ public class HttpBindServlet extends HttpServlet {
} }
else if (pauseDuration > 0 && pauseDuration <= session.getMaxPause()) { else if (pauseDuration > 0 && pauseDuration <= session.getMaxPause()) {
session.pause(pauseDuration); session.pause(pauseDuration);
respond(session, response, createEmptyBody(), request.getMethod()); respond(session, request, response, createEmptyBody(), request.getMethod());
session.setLastResponseEmpty(true); session.setLastResponseEmpty(true);
} }
else { else {
...@@ -283,7 +291,7 @@ public class HttpBindServlet extends HttpServlet { ...@@ -283,7 +291,7 @@ public class HttpBindServlet extends HttpServlet {
request.setAttribute("request", connection.getRequestId()); request.setAttribute("request", connection.getRequestId());
request.setAttribute("connection", connection); request.setAttribute("connection", connection);
try { try {
respond(session, response, session.consumeResponse(connection), respond(session, request, response, session.consumeResponse(connection),
request.getMethod()); request.getMethod());
} }
catch (HttpBindException e) { catch (HttpBindException e) {
...@@ -325,7 +333,7 @@ public class HttpBindServlet extends HttpServlet { ...@@ -325,7 +333,7 @@ public class HttpBindServlet extends HttpServlet {
if (JiveGlobals.getBooleanProperty("log.httpbind.enabled", false)) { if (JiveGlobals.getBooleanProperty("log.httpbind.enabled", false)) {
System.out.println(new Date()+": HTTP RECV(" + connection.getSession().getStreamID().getID() + "): " + rootNode.asXML()); System.out.println(new Date()+": HTTP RECV(" + connection.getSession().getStreamID().getID() + "): " + rootNode.asXML());
} }
respond(response, connection, request.getMethod()); respond(request, response, connection, request.getMethod());
} }
catch (UnauthorizedException e) { catch (UnauthorizedException e) {
// Server wasn't initialized yet. // Server wasn't initialized yet.
...@@ -338,7 +346,8 @@ public class HttpBindServlet extends HttpServlet { ...@@ -338,7 +346,8 @@ public class HttpBindServlet extends HttpServlet {
} }
private void respond(HttpServletResponse response, HttpConnection connection, String method) // add request argument
private void respond(HttpServletRequest request, HttpServletResponse response, HttpConnection connection, String method)
throws IOException throws IOException
{ {
String content; String content;
...@@ -350,10 +359,11 @@ public class HttpBindServlet extends HttpServlet { ...@@ -350,10 +359,11 @@ public class HttpBindServlet extends HttpServlet {
connection.getSession().setLastResponseEmpty(true); connection.getSession().setLastResponseEmpty(true);
} }
respond(connection.getSession(), response, content, method); respond(connection.getSession(), request, response, content, method);
} }
private void respond(HttpSession session, HttpServletResponse response, String content, String method) // add request argument
private void respond(HttpSession session, HttpServletRequest request, HttpServletResponse response, String content, String method)
throws IOException { throws IOException {
response.setStatus(HttpServletResponse.SC_OK); response.setStatus(HttpServletResponse.SC_OK);
response.setContentType("GET".equals(method) ? "text/javascript" : "text/xml"); response.setContentType("GET".equals(method) ? "text/javascript" : "text/xml");
...@@ -368,6 +378,8 @@ public class HttpBindServlet extends HttpServlet { ...@@ -368,6 +378,8 @@ public class HttpBindServlet extends HttpServlet {
} }
content = "_BOSH_(\"" + StringEscapeUtils.escapeJavaScript(content) + "\")"; content = "_BOSH_(\"" + StringEscapeUtils.escapeJavaScript(content) + "\")";
} }
addCORSHeaders(request, response);
if (JiveGlobals.getBooleanProperty("log.httpbind.enabled", false)) { if (JiveGlobals.getBooleanProperty("log.httpbind.enabled", false)) {
System.out.println(new Date()+": HTTP SENT(" + session.getStreamID().getID() + "): " + content); System.out.println(new Date()+": HTTP SENT(" + session.getStreamID().getID() + "): " + content);
...@@ -378,6 +390,27 @@ public class HttpBindServlet extends HttpServlet { ...@@ -378,6 +390,27 @@ public class HttpBindServlet extends HttpServlet {
response.getOutputStream().close(); response.getOutputStream().close();
} }
private void addCORSHeaders(HttpServletRequest request, HttpServletResponse response)
throws IOException {
// add CORS headers
if (boshManager.isCORSEnabled()) {
if (boshManager.isAllOriginsAllowed())
// set the Access-Control-Allow-Origin header to * to allow all Origin to do the CORS
response.addHeader("Access-Control-Allow-Origin", HttpBindManager.HTTP_BIND_CORS_ALLOW_ORIGIN_DEFAULT);
else {
// get the Origin header from the request and check if it is in the allowed Origin Map.
// if it is allowed write it back to the Access-Control-Allow-Origin header of the respond.
String origin = request.getHeader("Origin");
if (boshManager.isThisOriginAllowed(origin)) {
response.addHeader("Access-Control-Allow-Origin", origin);
}
}
response.addHeader("Access-Control-Allow-Methods", HttpBindManager.HTTP_BIND_CORS_ALLOW_METHODS_DEFAULT);
response.addHeader("Access-Control-Allow-Headers", HttpBindManager.HTTP_BIND_CORS_ALLOW_HEADERS_DEFAULT);
response.addHeader("Access-Control-Max-Age", HttpBindManager.HTTP_BIND_CORS_MAX_AGE_DEFAULT);
}
}
private static String createEmptyBody() { private static String createEmptyBody() {
Element body = DocumentHelper.createElement("body"); Element body = DocumentHelper.createElement("body");
body.addNamespace("", "http://jabber.org/protocol/httpbind"); body.addNamespace("", "http://jabber.org/protocol/httpbind");
......
...@@ -36,13 +36,21 @@ ...@@ -36,13 +36,21 @@
Map<String, String> errorMap = new HashMap<String, String>(); Map<String, String> errorMap = new HashMap<String, String>();
boolean isEnabled = ParamUtils.getBooleanParameter(request, "httpBindEnabled", boolean isEnabled = ParamUtils.getBooleanParameter(request, "httpBindEnabled",
serverManager.isHttpBindEnabled()); serverManager.isHttpBindEnabled());
// CORS
boolean isCORSEnabled = ParamUtils.getBooleanParameter(request, "CORSEnabled",
serverManager.isCORSEnabled());
if (isEnabled) { if (isEnabled) {
int requestedPort = ParamUtils.getIntParameter(request, "port", int requestedPort = ParamUtils.getIntParameter(request, "port",
serverManager.getHttpBindUnsecurePort()); serverManager.getHttpBindUnsecurePort());
int requestedSecurePort = ParamUtils.getIntParameter(request, "securePort", int requestedSecurePort = ParamUtils.getIntParameter(request, "securePort",
serverManager.getHttpBindSecurePort()); serverManager.getHttpBindSecurePort());
// CORS
String CORSDomains = ParamUtils.getParameter(request, "CORSDomains", true);
try { try {
serverManager.setHttpBindPorts(requestedPort, requestedSecurePort); serverManager.setHttpBindPorts(requestedPort, requestedSecurePort);
// CORS
serverManager.setCORSEnabled(isCORSEnabled);
serverManager.setCORSAllowOrigin(CORSDomains);
} }
catch (Exception e) { catch (Exception e) {
Log.error("An error has occured configuring the HTTP binding ports", e); Log.error("An error has occured configuring the HTTP binding ports", e);
...@@ -71,6 +79,8 @@ ...@@ -71,6 +79,8 @@
int port = serverManager.getHttpBindUnsecurePort(); int port = serverManager.getHttpBindUnsecurePort();
int securePort = serverManager.getHttpBindSecurePort(); int securePort = serverManager.getHttpBindSecurePort();
boolean isScriptSyntaxEnabled = serverManager.isScriptSyntaxEnabled(); boolean isScriptSyntaxEnabled = serverManager.isScriptSyntaxEnabled();
// CORS
boolean isCORSEnabled = serverManager.isCORSEnabled();
%> %>
<%@page import="org.jivesoftware.openfire.http.FlashCrossDomainServlet"%><html> <%@page import="org.jivesoftware.openfire.http.FlashCrossDomainServlet"%><html>
...@@ -86,6 +96,9 @@ ...@@ -86,6 +96,9 @@
$("securePort").disabled = !enabled; $("securePort").disabled = !enabled;
$("rb03").disabled = !enabled; $("rb03").disabled = !enabled;
$("rb04").disabled = !enabled; $("rb04").disabled = !enabled;
$("rb05").disabled = !enabled;
$("rb06").disabled = !enabled;
$("CORSDomains").disabled = !enabled;
$("crossdomain").disabled = !enabled; $("crossdomain").disabled = !enabled;
} }
window.onload = setTimeout("setEnabled()", 500); window.onload = setTimeout("setEnabled()", 500);
...@@ -198,6 +211,53 @@ ...@@ -198,6 +211,53 @@
</tbody> </tbody>
</table> </table>
</div> </div>
<!-- CORS -->
<div class="jive-contentBoxHeader">Provides support for CORS (Cross-Origin Resource Sharing)</div>
<div class="jive-contentbox">
<table cellpadding="3" cellspacing="0" border="0">
<tbody>
<tr valign="top">
<td width="1%" nowrap>
<input type="radio" name="CORSEnabled" value="true" id="rb05"
<%= (isCORSEnabled ? "checked" : "") %>>
</td>
<td width="99%">
<label for="rb05">
<b>Enabled</b> - Activate CORS support for cross domain scripting
</label>
<table border="0">
<tr>
<td>
<label for="CORSDomains">
Enter domain list below separated by commas or * to allow any :
</label>
</td>
</tr>
<tr>
<td>
<input id="CORSDomains" type="text" size="80" name="CORSDomains" value="<%= serverManager.getCORSAllowOrigin() %>">
</td>
</tr>
</table>
</td>
</tr>
<tr valign="top">
<td width="1%" nowrap>
<input type="radio" name="CORSEnabled" value="false" id="rb06"
<%= (!isCORSEnabled ? "checked" : "") %>>
</td>
<td width="99%">
<label for="rb06">
<b>Disabled</b> - Disable CORS support
</label>
</td>
</tr>
</tbody>
</table>
</div>
<!-- CORS -->
<div class="jive-contentBoxHeader">Cross-domain policy</div> <div class="jive-contentBoxHeader">Cross-domain policy</div>
<div class="jive-contentbox"> <div class="jive-contentbox">
<p><fmt:message key="httpbind.settings.crossdomain.info.general" /></p> <p><fmt:message key="httpbind.settings.crossdomain.info.general" /></p>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment