public class OriginHandshakeInterceptor extends Object implements HandshakeInterceptor
Origin
header value against a
collection of allowed origins.Constructor and Description |
---|
OriginHandshakeInterceptor()
Default constructor with only same origin requests allowed.
|
OriginHandshakeInterceptor(Collection<String> allowedOrigins)
Constructor using the specified allowed origin values.
|
Modifier and Type | Method and Description |
---|---|
void |
afterHandshake(ServerHttpRequest request,
ServerHttpResponse response,
WebSocketHandler wsHandler,
Exception exception)
Invoked after the handshake is done.
|
boolean |
beforeHandshake(ServerHttpRequest request,
ServerHttpResponse response,
WebSocketHandler wsHandler,
Map<String,Object> attributes)
Invoked before the handshake is processed.
|
Collection<String> |
getAllowedOriginPatterns()
Return the
configured allowed origin patterns. |
Collection<String> |
getAllowedOrigins()
Return the
configured allowed origins. |
void |
setAllowedOriginPatterns(Collection<String> allowedOriginPatterns)
Alternative to
setAllowedOrigins(Collection) that supports more
flexible patterns for specifying the origins for which cross-origin
requests are allowed from a browser. |
void |
setAllowedOrigins(Collection<String> allowedOrigins)
Set the origins for which cross-origin requests are allowed from a browser.
|
protected final Log logger
public OriginHandshakeInterceptor()
public OriginHandshakeInterceptor(Collection<String> allowedOrigins)
setAllowedOrigins(Collection)
public void setAllowedOrigins(Collection<String> allowedOrigins)
CorsConfiguration.setAllowedOrigins(List)
for
format details and considerations, and keep in mind that the CORS spec
does not allow use of "*"
with allowCredentials=true
.
For more flexible origin patterns use setAllowedOriginPatterns(java.util.Collection<java.lang.String>)
instead.
By default, no origins are allowed. When
allowedOriginPatterns
is also
set, then that takes precedence over this property.
Note when SockJS is enabled and origins are restricted, transport types that do not allow to check request origin (Iframe based transports) are disabled. As a consequence, IE 6 to 9 are not supported when origins are restricted.
public Collection<String> getAllowedOrigins()
configured
allowed origins.public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns)
setAllowedOrigins(Collection)
that supports more
flexible patterns for specifying the origins for which cross-origin
requests are allowed from a browser. Please, refer to
CorsConfiguration.setAllowedOriginPatterns(List)
for format
details and other considerations.
By default this is not set.
public Collection<String> getAllowedOriginPatterns()
configured
allowed origin patterns.public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, Map<String,Object> attributes) throws Exception
HandshakeInterceptor
beforeHandshake
in interface HandshakeInterceptor
request
- the current requestresponse
- the current responsewsHandler
- the target WebSocket handlerattributes
- the attributes from the HTTP handshake to associate with the WebSocket
session; the provided attributes are copied, the original map is not used.true
) or abort (false
)Exception
public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler, @Nullable Exception exception)
HandshakeInterceptor
afterHandshake
in interface HandshakeInterceptor
request
- the current requestresponse
- the current responsewsHandler
- the target WebSocket handlerexception
- an exception raised during the handshake, or null
if none