Added same Origin protection for API calls
This commit is contained in:
@@ -9,6 +9,7 @@ import org.jboss.netty.handler.codec.http.HttpRequest;
|
||||
import java.lang.reflect.Type;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
public class RootUriRequestHandler implements UriRequestHandler {
|
||||
private String _serverContextPath = "/gemp-lotr-server/";
|
||||
@@ -34,8 +35,12 @@ public class RootUriRequestHandler implements UriRequestHandler {
|
||||
private MtgCardsRequestHandler _mtgCardsRequestHandler;
|
||||
private SoloDraftRequestHandler _soloDraftRequestHandler;
|
||||
|
||||
private Pattern originPattern;
|
||||
|
||||
public RootUriRequestHandler(Map<Type, Object> context) {
|
||||
_webRequestHandler = new WebRequestHandler(ApplicationConfiguration.getProperty("web.path"));
|
||||
String originAllowedPattern = ApplicationConfiguration.getProperty("origin.allowed.pattern");
|
||||
originPattern = Pattern.compile(originAllowedPattern);
|
||||
_hallRequestHandler = new HallRequestHandler(context);
|
||||
_deckRequestHandler = new DeckRequestHandler(context);
|
||||
_loginRequestHandler = new LoginRequestHandler(context);
|
||||
@@ -65,44 +70,51 @@ public class RootUriRequestHandler implements UriRequestHandler {
|
||||
_mtgCardsRequestHandler.handleRequest(uri, request, context, responseWriter, e);
|
||||
} else if (uri.equals("/gemp-lotr")) {
|
||||
responseWriter.writeError(301, Collections.singletonMap("Location", "/gemp-lotr/"));
|
||||
} else if (uri.startsWith(_serverContextPath + "hall")) {
|
||||
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "deck")) {
|
||||
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "login")) {
|
||||
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "register")) {
|
||||
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "replay")) {
|
||||
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
|
||||
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "stats")) {
|
||||
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
|
||||
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "admin")) {
|
||||
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "chat")) {
|
||||
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "collection")) {
|
||||
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "delivery")) {
|
||||
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "game")) {
|
||||
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "league")) {
|
||||
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "merchant")) {
|
||||
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "tournament")) {
|
||||
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
|
||||
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
|
||||
} else if (uri.equals(_serverContextPath)) {
|
||||
_statusRequestHandler.handleRequest(uri.substring(_serverContextPath.length()), request, context, responseWriter, e);
|
||||
} else {
|
||||
throw new HttpProcessingException(404);
|
||||
String origin = request.getHeader("Origin");
|
||||
if (origin == null || !originPattern.matcher(origin).matches())
|
||||
throw new HttpProcessingException(403);
|
||||
|
||||
// These APIs are protected by same Origin protection
|
||||
if (uri.startsWith(_serverContextPath + "hall")) {
|
||||
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "deck")) {
|
||||
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "login")) {
|
||||
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "register")) {
|
||||
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "replay")) {
|
||||
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
|
||||
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "stats")) {
|
||||
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
|
||||
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "admin")) {
|
||||
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "chat")) {
|
||||
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "collection")) {
|
||||
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "delivery")) {
|
||||
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "game")) {
|
||||
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "league")) {
|
||||
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "merchant")) {
|
||||
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "tournament")) {
|
||||
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
|
||||
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
|
||||
} else {
|
||||
throw new HttpProcessingException(404);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,3 +10,5 @@ db.connection.validateQuery=/* ping */ select 1
|
||||
|
||||
port=80
|
||||
web.path=/env/gemp-lotr/web/
|
||||
|
||||
origin.allowed.pattern=^http://www\\.gempukku\\.com$
|
||||
|
||||
Reference in New Issue
Block a user