Added same Origin protection for API calls
This commit is contained in:
@@ -9,6 +9,7 @@ import org.jboss.netty.handler.codec.http.HttpRequest;
|
|||||||
import java.lang.reflect.Type;
|
import java.lang.reflect.Type;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
public class RootUriRequestHandler implements UriRequestHandler {
|
public class RootUriRequestHandler implements UriRequestHandler {
|
||||||
private String _serverContextPath = "/gemp-lotr-server/";
|
private String _serverContextPath = "/gemp-lotr-server/";
|
||||||
@@ -34,8 +35,12 @@ public class RootUriRequestHandler implements UriRequestHandler {
|
|||||||
private MtgCardsRequestHandler _mtgCardsRequestHandler;
|
private MtgCardsRequestHandler _mtgCardsRequestHandler;
|
||||||
private SoloDraftRequestHandler _soloDraftRequestHandler;
|
private SoloDraftRequestHandler _soloDraftRequestHandler;
|
||||||
|
|
||||||
|
private Pattern originPattern;
|
||||||
|
|
||||||
public RootUriRequestHandler(Map<Type, Object> context) {
|
public RootUriRequestHandler(Map<Type, Object> context) {
|
||||||
_webRequestHandler = new WebRequestHandler(ApplicationConfiguration.getProperty("web.path"));
|
_webRequestHandler = new WebRequestHandler(ApplicationConfiguration.getProperty("web.path"));
|
||||||
|
String originAllowedPattern = ApplicationConfiguration.getProperty("origin.allowed.pattern");
|
||||||
|
originPattern = Pattern.compile(originAllowedPattern);
|
||||||
_hallRequestHandler = new HallRequestHandler(context);
|
_hallRequestHandler = new HallRequestHandler(context);
|
||||||
_deckRequestHandler = new DeckRequestHandler(context);
|
_deckRequestHandler = new DeckRequestHandler(context);
|
||||||
_loginRequestHandler = new LoginRequestHandler(context);
|
_loginRequestHandler = new LoginRequestHandler(context);
|
||||||
@@ -65,44 +70,51 @@ public class RootUriRequestHandler implements UriRequestHandler {
|
|||||||
_mtgCardsRequestHandler.handleRequest(uri, request, context, responseWriter, e);
|
_mtgCardsRequestHandler.handleRequest(uri, request, context, responseWriter, e);
|
||||||
} else if (uri.equals("/gemp-lotr")) {
|
} else if (uri.equals("/gemp-lotr")) {
|
||||||
responseWriter.writeError(301, Collections.singletonMap("Location", "/gemp-lotr/"));
|
responseWriter.writeError(301, Collections.singletonMap("Location", "/gemp-lotr/"));
|
||||||
} else if (uri.startsWith(_serverContextPath + "hall")) {
|
|
||||||
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "deck")) {
|
|
||||||
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "login")) {
|
|
||||||
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "register")) {
|
|
||||||
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "replay")) {
|
|
||||||
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
|
|
||||||
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "stats")) {
|
|
||||||
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
|
|
||||||
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "admin")) {
|
|
||||||
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "chat")) {
|
|
||||||
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "collection")) {
|
|
||||||
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "delivery")) {
|
|
||||||
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "game")) {
|
|
||||||
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "league")) {
|
|
||||||
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "merchant")) {
|
|
||||||
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "tournament")) {
|
|
||||||
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
|
||||||
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
|
|
||||||
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
|
|
||||||
} else if (uri.equals(_serverContextPath)) {
|
} else if (uri.equals(_serverContextPath)) {
|
||||||
_statusRequestHandler.handleRequest(uri.substring(_serverContextPath.length()), request, context, responseWriter, e);
|
_statusRequestHandler.handleRequest(uri.substring(_serverContextPath.length()), request, context, responseWriter, e);
|
||||||
} else {
|
} else {
|
||||||
throw new HttpProcessingException(404);
|
String origin = request.getHeader("Origin");
|
||||||
|
if (origin == null || !originPattern.matcher(origin).matches())
|
||||||
|
throw new HttpProcessingException(403);
|
||||||
|
|
||||||
|
// These APIs are protected by same Origin protection
|
||||||
|
if (uri.startsWith(_serverContextPath + "hall")) {
|
||||||
|
_hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "deck")) {
|
||||||
|
_deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "login")) {
|
||||||
|
_loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "register")) {
|
||||||
|
_registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "replay")) {
|
||||||
|
_replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "gameHistory")) {
|
||||||
|
_gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "stats")) {
|
||||||
|
_serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "playerStats")) {
|
||||||
|
_playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "admin")) {
|
||||||
|
_adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "chat")) {
|
||||||
|
_chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "collection")) {
|
||||||
|
_collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "delivery")) {
|
||||||
|
_deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "game")) {
|
||||||
|
_gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "league")) {
|
||||||
|
_leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "merchant")) {
|
||||||
|
_merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "tournament")) {
|
||||||
|
_tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e);
|
||||||
|
} else if (uri.startsWith(_serverContextPath + "soloDraft")) {
|
||||||
|
_soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e);
|
||||||
|
} else {
|
||||||
|
throw new HttpProcessingException(404);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -10,3 +10,5 @@ db.connection.validateQuery=/* ping */ select 1
|
|||||||
|
|
||||||
port=80
|
port=80
|
||||||
web.path=/env/gemp-lotr/web/
|
web.path=/env/gemp-lotr/web/
|
||||||
|
|
||||||
|
origin.allowed.pattern=^http://www\\.gempukku\\.com$
|
||||||
|
|||||||
Reference in New Issue
Block a user