Class OriginHandshakeInterceptor

java.lang.Object
org.springframework.web.socket.server.support.OriginHandshakeInterceptor
All Implemented Interfaces:
HandshakeInterceptor

public class OriginHandshakeInterceptor extends Object implements HandshakeInterceptor
An interceptor that checks the request Origin header value against a collection of allowed origins.
Since:
4.1.2
Author:
Sebastien Deleuze
  • Field Details

    • logger

      protected final org.apache.commons.logging.Log logger
  • Constructor Details

    • OriginHandshakeInterceptor

      public OriginHandshakeInterceptor()
      Default constructor with only same origin requests allowed.
    • OriginHandshakeInterceptor

      public OriginHandshakeInterceptor(Collection<String> allowedOrigins)
      Constructor using the specified allowed origin values.
  • Method Details

    • setAllowedOrigins

      public void setAllowedOrigins(Collection<String> allowedOrigins)
      Set the origins for which cross-origin requests are allowed from a browser. Refer to CorsConfiguration.setAllowedOrigins(List) for format details and considerations, and keep in mind that the CORS spec does not allow use of "*" with allowCredentials=true. For more flexible origin patterns, use setAllowedOriginPatterns(Collection) instead.

      By default, no origins are allowed. When allowedOriginPatterns is also set, it takes precedence over this property.

      Note that when SockJS is enabled and origins are restricted, transport types that cannot check the request origin (iframe-based transports) are disabled. As a consequence, IE 6 to 9 are not supported when origins are restricted.

    • getAllowedOrigins

      public Collection<String> getAllowedOrigins()
      Return the configured allowed origins.
      Since:
      4.1.5
    • setAllowedOriginPatterns

      public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns)
      Alternative to setAllowedOrigins(Collection) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser. Refer to CorsConfiguration.setAllowedOriginPatterns(List) for format details and other considerations.

      By default this is not set.

      Since:
      5.3.2
    • getAllowedOriginPatterns

      public Collection<String> getAllowedOriginPatterns()
      Return the configured allowed origin patterns.
      Since:
      5.3.2
    • beforeHandshake

      public boolean beforeHandshake(org.springframework.http.server.ServerHttpRequest request, org.springframework.http.server.ServerHttpResponse response, WebSocketHandler wsHandler, Map<String,Object> attributes) throws Exception
      Description copied from interface: HandshakeInterceptor
      Invoked before the handshake is processed.
      Specified by:
      beforeHandshake in interface HandshakeInterceptor
      Parameters:
      request - the current request
      response - the current response
      wsHandler - the target WebSocket handler
      attributes - the attributes from the HTTP handshake to associate with the WebSocket session; the provided attributes are copied, the original map is not used.
      Returns:
      whether to proceed with the handshake (true) or abort (false)
      Throws:
      Exception
    • afterHandshake

      public void afterHandshake(org.springframework.http.server.ServerHttpRequest request, org.springframework.http.server.ServerHttpResponse response, WebSocketHandler wsHandler, @Nullable Exception exception)
      Description copied from interface: HandshakeInterceptor
      Invoked after the handshake is done. The response status and headers indicate the results of the handshake, i.e. whether it was successful or not.
      Specified by:
      afterHandshake in interface HandshakeInterceptor
      Parameters:
      request - the current request
      response - the current response
      wsHandler - the target WebSocket handler
      exception - an exception raised during the handshake, or null if none
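
The origin check described for the constructors, setAllowedOrigins, setAllowedOriginPatterns and beforeHandshake can be exercised directly, without starting a server. This is an added example, not code from the Spring Framework documentation; it assumes spring-websocket, spring-test and the Servlet API are on the classpath, and the class name OriginCheckDemo, the helper proceeds and all host names are constructed for illustration.

```java
import java.util.HashMap;
import java.util.List;

import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.socket.handler.TextWebSocketHandler;
import org.springframework.web.socket.server.support.OriginHandshakeInterceptor;

public class OriginCheckDemo {

    /** Calls beforeHandshake for a handshake sent to https://api.example.com with the given Origin. */
    static boolean proceeds(OriginHandshakeInterceptor interceptor, String origin) throws Exception {
        MockHttpServletRequest servletRequest = new MockHttpServletRequest("GET", "/ws");
        servletRequest.setScheme("https");
        servletRequest.setServerName("api.example.com");
        servletRequest.setServerPort(443);
        servletRequest.addHeader("Origin", origin);
        return interceptor.beforeHandshake(
                new ServletServerHttpRequest(servletRequest),
                new ServletServerHttpResponse(new MockHttpServletResponse()),
                new TextWebSocketHandler(), new HashMap<>());
    }

    public static void main(String[] args) throws Exception {
        // Default constructor: only same-origin handshakes proceed.
        OriginHandshakeInterceptor sameOriginOnly = new OriginHandshakeInterceptor();
        // Exact allow-list (constructed sample value).
        OriginHandshakeInterceptor listed =
                new OriginHandshakeInterceptor(List.of("https://app.example.com"));
        // Pattern form, available since 5.3.2 (constructed sample value).
        OriginHandshakeInterceptor patterned = new OriginHandshakeInterceptor();
        patterned.setAllowedOriginPatterns(List.of("https://*.example.com"));

        // Constructed Origin values: same origin, allow-listed, and a look-alike host.
        String[] origins = {
            "https://api.example.com",
            "https://app.example.com",
            "https://app.example.com.other.test"
        };
        for (String origin : origins) {
            System.out.printf("%-36s sameOriginOnly=%b listed=%b patterned=%b%n", origin,
                    proceeds(sameOriginOnly, origin), proceeds(listed, origin),
                    proceeds(patterned, origin));
        }
    }
}
```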