Package org.astrogrid.samp.web
Class CorsHttpServer
- java.lang.Object
-
- org.astrogrid.samp.httpd.HttpServer
-
- org.astrogrid.samp.web.CorsHttpServer
-
- Direct Known Subclasses:
LoggingCorsHttpServer
public class CorsHttpServer extends HttpServer
HttpServer which allows or rejects cross-origin access according to the W3C Cross-Origin Resource Sharing standard. This standard is used by XMLHttpResource Level 2 and some other web-based platforms, implemented by a number of modern browsers, and works by the browser inserting and interpreting special headers when cross-origin requests are made by sandboxed clients. The effect is that sandboxed clients will under some circumstances be permitted to access resources served by instances of this server, where they wouldn't for an HTTP server which did not take special measures.- Since:
- 2 Feb 2011
- Author:
- Mark Taylor
- See Also:
- Cross-Origin Resource Sharing W3C Standard
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from class org.astrogrid.samp.httpd.HttpServer
HttpServer.Handler, HttpServer.Request, HttpServer.Response
-
-
Field Summary
Fields Modifier and Type Field Description private static java.lang.String
ALLOW_HEADERS_KEY
private static java.lang.String
ALLOW_METHOD_KEY
private static java.lang.String
ALLOW_ORIGIN_KEY
private OriginAuthorizer
authorizer_
private static java.util.Set
extraAddrSet_
Set of permitted InetAddrs along side localhost.static java.lang.String
EXTRAHOSTS_PROP
System property ("jsamp.web.extrahosts") which can be used to supply host addresses explicitly permitted to connect via the Web Profile alongside the local host.private static java.util.logging.Logger
logger_
private static java.lang.String
ORIGIN_KEY
private static java.util.regex.Pattern
ORIGIN_REGEX
private static java.lang.String
REQUEST_METHOD_KEY
-
Fields inherited from class org.astrogrid.samp.httpd.HttpServer
HDR_CONTENT_TYPE, STATUS_OK
-
-
Constructor Summary
Constructors Constructor Description CorsHttpServer(java.net.ServerSocket socket, OriginAuthorizer authorizer)
Constructor.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description private static void
checkOriginList(java.lang.String originTxt)
Checks that the content of an Origin header is syntactically legal.private HttpServer.Response
createNonLocalErrorResponse(HttpServer.Request request)
private static java.net.InetAddress[]
getExtraHostAddresses()
Acquires and returns a list of permitted non-local hosts from the environment.private boolean
isAuthorized(java.lang.String originTxt)
Determines whether a given origin is permitted access.private static boolean
isExtraHost(java.net.InetAddress iaddr)
Indicates whether a given address represents one of the "extra" hosts permitted to access this server alongside the localhost.boolean
isPermittedHost(java.net.SocketAddress address)
Indicates whether a network address is known to represent a host permitted to access this server.HttpServer.Response
serve(HttpServer.Request request)
Does the work for providing output corresponding to a given HTTP request.private HttpServer.Response
servePreflightOriginRequest(HttpServer.Request request, java.lang.String originTxt, java.lang.String reqMethod)
Does the work for serving pre-flight requests.private HttpServer.Response
serveSimpleOriginRequest(HttpServer.Request request, java.lang.String originTxt)
Does the work for serving simple requests which bear an origin header.-
Methods inherited from class org.astrogrid.samp.httpd.HttpServer
addHandler, create405Response, createErrorResponse, createErrorResponse, getBaseUrl, getHeader, getSocket, isRunning, removeHandler, serveRequest, setDaemon, start, stop
-
-
-
-
Field Detail
-
authorizer_
private final OriginAuthorizer authorizer_
-
ORIGIN_KEY
private static final java.lang.String ORIGIN_KEY
- See Also:
- Constant Field Values
-
ALLOW_ORIGIN_KEY
private static final java.lang.String ALLOW_ORIGIN_KEY
- See Also:
- Constant Field Values
-
REQUEST_METHOD_KEY
private static final java.lang.String REQUEST_METHOD_KEY
- See Also:
- Constant Field Values
-
ALLOW_METHOD_KEY
private static final java.lang.String ALLOW_METHOD_KEY
- See Also:
- Constant Field Values
-
ALLOW_HEADERS_KEY
private static final java.lang.String ALLOW_HEADERS_KEY
- See Also:
- Constant Field Values
-
ORIGIN_REGEX
private static final java.util.regex.Pattern ORIGIN_REGEX
-
logger_
private static final java.util.logging.Logger logger_
-
EXTRAHOSTS_PROP
public static final java.lang.String EXTRAHOSTS_PROP
System property ("jsamp.web.extrahosts") which can be used to supply host addresses explicitly permitted to connect via the Web Profile alongside the local host. Normally any non-local host is blocked from access to the CORS web server for security reasons. However, any host specified by hostname or IP number as one element of a comma-separated list in the value of this system property will also be allowed. This might be used to allow access from a "friendly" near-local host like a tablet.- See Also:
- Constant Field Values
-
extraAddrSet_
private static final java.util.Set extraAddrSet_
Set of permitted InetAddrs along side localhost.
-
-
Constructor Detail
-
CorsHttpServer
public CorsHttpServer(java.net.ServerSocket socket, OriginAuthorizer authorizer) throws java.io.IOException
Constructor.- Parameters:
socket
- socket hosting the serviceauthorizer
- defines which domains requests will be permitted from- Throws:
java.io.IOException
-
-
Method Detail
-
serve
public HttpServer.Response serve(HttpServer.Request request)
Description copied from class:HttpServer
Does the work for providing output corresponding to a given HTTP request. This implementation calls each Handler in turn and the first one to provide a non-null response is used.- Overrides:
serve
in classHttpServer
- Parameters:
request
- represents an HTTP request that has been received- Returns:
- represents the content of an HTTP response that should be sent
-
serveSimpleOriginRequest
private HttpServer.Response serveSimpleOriginRequest(HttpServer.Request request, java.lang.String originTxt)
Does the work for serving simple requests which bear an origin header. Simple requests are effectively ones which do not require pre-flight requests - see the CORS standard for details.- Parameters:
request
- HTTP requestoriginTxt
- content of the Origin header- Returns:
- HTTP response
-
servePreflightOriginRequest
private HttpServer.Response servePreflightOriginRequest(HttpServer.Request request, java.lang.String originTxt, java.lang.String reqMethod)
Does the work for serving pre-flight requests. See the CORS standard for details.- Parameters:
request
- HTTP requestoriginTxt
- content of the Origin headerreqMethod
- content of the Access-Control-Request-Method header- Returns:
- HTTP response
-
createNonLocalErrorResponse
private HttpServer.Response createNonLocalErrorResponse(HttpServer.Request request)
-
isAuthorized
private boolean isAuthorized(java.lang.String originTxt)
Determines whether a given origin is permitted access. This is done by interrogating this server's OriginAuthorizer policy. Results are cached.- Parameters:
originTxt
- content of Origin header
-
isPermittedHost
public boolean isPermittedHost(java.net.SocketAddress address)
Indicates whether a network address is known to represent a host permitted to access this server. That generally means the local host, but "extra" hosts may be permitted as well.- Parameters:
address
- socket address- Returns:
- true iff address is known to be permitted
-
getExtraHostAddresses
private static java.net.InetAddress[] getExtraHostAddresses()
Acquires and returns a list of permitted non-local hosts from the environment.- Returns:
- list of addresses for non-local hosts permitted to access CORS web servers in this JVM
-
isExtraHost
private static boolean isExtraHost(java.net.InetAddress iaddr)
Indicates whether a given address represents one of the "extra" hosts permitted to access this server alongside the localhost.- Parameters:
iaddr
- address of non-local host to test- Returns:
- true iff host is permitted to access this server
-
checkOriginList
private static void checkOriginList(java.lang.String originTxt)
Checks that the content of an Origin header is syntactically legal.- Parameters:
originTxt
- content of Origin header- Throws:
IllegalArgumentExeption
- if originTxt does not represent a legal origin or (non-empty) list of origins
-
-