Added same Origin protection for API calls

This commit is contained in:
marcin.sciesinski
2020-05-01 09:45:12 -07:00
parent 839398ba38
commit ef4acdde24
2 changed files with 49 additions and 35 deletions

View File

@@ -9,6 +9,7 @@ import org.jboss.netty.handler.codec.http.HttpRequest;
import java.lang.reflect.Type;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;
public class RootUriRequestHandler implements UriRequestHandler {
private String _serverContextPath = "/gemp-lotr-server/";
@@ -34,8 +35,12 @@ public class RootUriRequestHandler implements UriRequestHandler {
private MtgCardsRequestHandler _mtgCardsRequestHandler;
private SoloDraftRequestHandler _soloDraftRequestHandler;
private Pattern originPattern;
public RootUriRequestHandler(Map<Type, Object> context) {
_webRequestHandler = new WebRequestHandler(ApplicationConfiguration.getProperty("web.path"));
String originAllowedPattern = ApplicationConfiguration.getProperty("origin.allowed.pattern");
originPattern = Pattern.compile(originAllowedPattern);
_hallRequestHandler = new HallRequestHandler(context);
_deckRequestHandler = new DeckRequestHandler(context);
_loginRequestHandler = new LoginRequestHandler(context);
@@ -65,44 +70,51 @@ public class RootUriRequestHandler implements UriRequestHandler {
_mtgCardsRequestHandler.handleRequest(uri, request, context, responseWriter, e);
} else if (uri.equals("/gemp-lotr")) {
responseWriter.writeError(301, Collections.singletonMap("Location", "/gemp-lotr/"));
} else if (uri.startsWith(_serverContextPath + "hall")) {
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "deck")) {
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "login")) {
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "register")) {
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "replay")) {
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "stats")) {
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "admin")) {
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "chat")) {
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "collection")) {
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "delivery")) {
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "game")) {
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "league")) {
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "merchant")) {
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "tournament")) {
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
} else if (uri.equals(_serverContextPath)) {
_statusRequestHandler.handleRequest(uri.substring(_serverContextPath.length()), request, context, responseWriter, e);
} else {
throw new HttpProcessingException(404);
String origin = request.getHeader("Origin");
if (origin == null || !originPattern.matcher(origin).matches())
throw new HttpProcessingException(403);
// These APIs are protected by same Origin protection
if (uri.startsWith(_serverContextPath + "hall")) {
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "deck")) {
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "login")) {
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "register")) {
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "replay")) {
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "stats")) {
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "admin")) {
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "chat")) {
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "collection")) {
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "delivery")) {
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "game")) {
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "league")) {
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "merchant")) {
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "tournament")) {
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
} else {
throw new HttpProcessingException(404);
}
}
}
}

View File

@@ -10,3 +10,5 @@ db.connection.validateQuery=/* ping */ select 1
port=80
web.path=/env/gemp-lotr/web/
origin.allowed.pattern=^http://www\\.gempukku\\.com$