Posted to dev@wicket.apache.org by Fogetti <gi...@git.apache.org> on 2015/03/20 01:59:54 UTC

[GitHub] wicket pull request: Cross-Site Websocket Hijacking Protection

GitHub user Fogetti opened a pull request:

    https://github.com/apache/wicket/pull/111

    Cross-Site Websocket Hijacking Protection

    This pull request is to replace my previous attempt:
    https://github.com/apache/wicket/pull/110
    
    Now I rebased my changes in my feature branch to master.
    
    This pull request introduces a few new things in wicket-native-websocket-core. The basic idea is to prevent hijacking the websocket connections when the request arrives from an invalid origin. The valid origin domains can be configured by the new websocketsettings or can be completely turned off if protection is not necessary.
    
    New classes:
    ```java
    ConnectionRejectedException
    IWebSocketConnectionFilter
    WebSocketConnectionOriginFilter
    WebSocketAbortedPayload
    AbortedMessage
    WebSocketTesterProcessorTest
    ```
    
    New websocket settings:
    ```java
    isHijackingProtectionEnabled
    getAllowedDomains
    ```
    
    And finally new methods on `WebSocketBehavior` and `WebSocketResource`:
    ```java
    onAbort()
    ```
    
    The easiest way to understand what's going on is to run the test class:
    ```java
    WebSocketTesterProcessorTest
    ```

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Fogetti/wicket master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/wicket/pull/111.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #111
    
----
commit 46fd9c475e66eaa03b5c216881351af83a90a6ae
Author: Martijn Dashorst <da...@apache.org>
Date:   2015-01-26T09:12:41Z

    Changes to notice files and quickstart archetype

commit 713e904d5f859ce1f4e9bce3cbdbc6c527d9dcb9
Author: Martijn Dashorst <da...@apache.org>
Date:   2015-01-26T09:12:51Z

    [maven-release-plugin] prepare release wicket-7.0.0-M5

commit eaa4edc1a5e2a6373674c6b63ed5cb44d13ae16d
Author: admin <ge...@mail.rakuten.com>
Date:   2015-03-18T11:26:33Z

    Cross-Site WebSocket Hijacking protection added

commit 32151b7d45fd25455b5de2e40627d92264e3200c
Author: admin <ge...@mail.rakuten.com>
Date:   2015-03-19T01:39:06Z

    WebsocketSettings extended with allowedDomains

commit 74ac63e6b9b8c6eee3d0d8cd9c27c0f48ed2bd1a
Author: admin <ge...@mail.rakuten.com>
Date:   2015-03-19T02:38:19Z

    Hijacking protection flag added to websocket settings

commit 380b8dabe80f29fe897c38abdef5075f684a5236
Author: admin <ge...@mail.rakuten.com>
Date:   2015-03-19T04:42:27Z

    WebSocketBehavior and WebSocketResource got new methods called
    onAbort(). New broadcast message type: AbortedMessage introduced. New
    payload type: WebSocketAbortedPayload introduced.
    AbstractWebSocketProcessor closes connection when protection check
    fails.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
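The origin check the pull request describes, as an added stand-alone illustration and not Wicket's own code: the class, method and exception names below (OriginCheck, check, RejectedException) are hypothetical stand-ins for the PR's WebSocketConnectionOriginFilter, isHijackingProtectionEnabled, getAllowedDomains and ConnectionRejectedException, and the rule that a missing Origin header is rejected is an assumption of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/** Hypothetical origin allow-list check for a WebSocket handshake (not Wicket's class). */
public final class OriginCheck {

    /** Stands in for the PR's ConnectionRejectedException. */
    public static final class RejectedException extends RuntimeException {
        RejectedException(String msg) { super(msg); }
    }

    private final boolean protectionEnabled;    // cf. isHijackingProtectionEnabled
    private final List<String> allowedOrigins;  // cf. getAllowedDomains, e.g. "https://app.example.com"

    public OriginCheck(boolean protectionEnabled, List<String> allowedOrigins) {
        this.protectionEnabled = protectionEnabled;
        this.allowedOrigins = allowedOrigins;
    }

    /** Normalise to scheme://host:port (lower case, default port filled in) so equal origins compare equal. */
    static String normalise(String origin) {
        try {
            URI u = new URI(origin);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort() != -1 ? u.getPort() : ("https".equals(scheme) ? 443 : 80);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;  // malformed header value never matches
        }
    }

    /** Call during the handshake with the raw Origin header value (null when the header is absent). */
    public void check(String originHeader) {
        if (!protectionEnabled) return;  // protection switched off: accept everything
        // Browsers always send Origin on a WebSocket handshake; this example treats absence as untrusted.
        String origin = originHeader == null ? null : normalise(originHeader);
        if (origin == null) throw new RejectedException("missing or malformed Origin header");
        for (String allowed : allowedOrigins) {
            // Whole-origin equality: a prefix or substring test would also accept
            // "https://app.example.com.attacker-controlled.example".
            if (origin.equals(normalise(allowed))) return;
        }
        throw new RejectedException("origin not allowed: " + origin);
    }

    public static void main(String[] args) {
        OriginCheck check = new OriginCheck(true, List.of("https://app.example.com"));
        check.check("HTTPS://App.Example.com:443");  // accepted after normalisation
        try { check.check("https://app.example.com.evil.example"); }
        catch (RejectedException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In the PR's design the rejection is where the processor closes the connection and the behaviour's onAbort() is invoked, so this check belongs before any session state is attached to the socket.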

[GitHub] wicket pull request: Cross-Site Websocket Hijacking Protection

Posted by Fogetti <gi...@git.apache.org>.
Github user Fogetti closed the pull request at:

    https://github.com/apache/wicket/pull/111
