public class OriginHandshakeInterceptor extends Object implements HandshakeInterceptor

Origin header value against a collection of allowed origins.

Constructor and Description |
---|
OriginHandshakeInterceptor(): Default constructor with only same origin requests allowed. |
OriginHandshakeInterceptor(Collection<String> allowedOrigins): Constructor using the specified allowed origin values. |

Modifier and Type | Method and Description |
---|---|
void | afterHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, Exception exception): Invoked after the handshake is done. |
boolean | beforeHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, Map<String,Object> attributes): Invoked before the handshake is processed. |
Collection<String> | getAllowedOriginPatterns(): Return the allowed Origin pattern header values. |
Collection<String> | getAllowedOrigins(): Return the allowed Origin header values. |
void | setAllowedOriginPatterns(Collection<String> allowedOriginPatterns): A variant of setAllowedOrigins(Collection) that accepts flexible domain patterns, e.g. |
void | setAllowedOrigins(Collection<String> allowedOrigins): Configure allowed Origin header values. |

protected final Log logger

public OriginHandshakeInterceptor()

public OriginHandshakeInterceptor(Collection<String> allowedOrigins)
See also: setAllowedOrigins(Collection)

public void setAllowedOrigins(Collection<String> allowedOrigins)
Configure allowed Origin header values. This check is mostly designed for browsers. There is nothing preventing other types of clients from modifying the Origin header value.
Each provided allowed origin must have a scheme, and optionally a port (e.g. "https://example.org", "https://example.org:9090"). An allowed origin string may also be "*", in which case all origins are allowed.

public Collection<String> getAllowedOrigins()
Return the allowed Origin header values.

public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns)
A variant of setAllowedOrigins(Collection) that accepts flexible domain patterns, e.g. "https://*.domain1.com". Furthermore, it always sets the Access-Control-Allow-Origin response header to the matched origin and never to "*", nor to any other pattern.
See also: CorsConfiguration.setAllowedOriginPatterns(List)

public Collection<String> getAllowedOriginPatterns()
Return the allowed Origin pattern header values.
See also: CorsConfiguration.getAllowedOriginPatterns()

public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, Map<String,Object> attributes) throws Exception
Invoked before the handshake is processed.
Specified by: beforeHandshake in interface HandshakeInterceptor
Parameters:
request - the current request
response - the current response
wsHandler - the target WebSocket handler
attributes - the attributes from the HTTP handshake to associate with the WebSocket session; the provided attributes are copied, the original map is not used.
Returns: (true) or abort (false)
Throws: Exception

public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, @Nullable Exception exception)
Invoked after the handshake is done.
Specified by: afterHandshake in interface HandshakeInterceptor
Parameters:
request - the current request
response - the current response
wsHandler - the target WebSocket handler
exception - an exception raised during the handshake, or null if none
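
The following is an added example, not part of the Spring documentation: it runs constructed Origin values through beforeHandshake for an explicit allow-list (setAllowedOrigins plus setAllowedOriginPatterns) and, for comparison, for the "*" setting. It assumes spring-websocket, spring-web, spring-test and the Servlet API are on the classpath; the class name OriginCheckDemo, the helper accepts, the host name and the sample origins are made up for illustration.

```java
import java.util.HashMap;
import java.util.List;

import org.springframework.http.HttpHeaders;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.handler.TextWebSocketHandler;
import org.springframework.web.socket.server.support.OriginHandshakeInterceptor;

// Hypothetical demo class (assumption, not Spring code).
public class OriginCheckDemo {

    // Runs one simulated handshake request carrying the given Origin header
    // through the interceptor and returns the result of beforeHandshake.
    static boolean accepts(OriginHandshakeInterceptor interceptor, String origin) throws Exception {
        MockHttpServletRequest servletRequest = new MockHttpServletRequest("GET", "/ws");
        servletRequest.setServerName("app.example.org"); // constructed server host
        servletRequest.addHeader(HttpHeaders.ORIGIN, origin);
        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
        WebSocketHandler handler = new TextWebSocketHandler(); // placeholder handler
        return interceptor.beforeHandshake(
                new ServletServerHttpRequest(servletRequest),
                new ServletServerHttpResponse(servletResponse),
                handler, new HashMap<>());
    }

    public static void main(String[] args) throws Exception {
        // Explicit allow-list: one exact origin plus one subdomain pattern.
        OriginHandshakeInterceptor strict =
                new OriginHandshakeInterceptor(List.of("https://example.org"));
        strict.setAllowedOriginPatterns(List.of("https://*.domain1.com"));

        // Weak setting for comparison: "*" allows all origins.
        OriginHandshakeInterceptor open = new OriginHandshakeInterceptor(List.of("*"));

        // Constructed Origin values: listed exactly, covered by the pattern, unlisted.
        for (String origin : List.of("https://example.org",
                "https://app.domain1.com", "https://other.example.net")) {
            System.out.printf("%-28s strict=%b open=%b%n", origin,
                    accepts(strict, origin), accepts(open, origin));
        }
    }
}
```

Because clients other than browsers can send any Origin value, this check limits which web pages can open the socket from a browser; it does not identify the client, so the endpoint still needs its own authentication.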