GitHub user Fogetti opened a pull request:
https://github.com/apache/wicket/pull/112
Cross-Site Websocket Hijacking Protection
This pull request is to replace my previous attempt:
https://github.com/apache/wicket/pull/110
Now I rebased my changes in my feature branch to master.
This pull request introduces a few new things in
wicket-native-websocket-core. The basic idea is to prevent hijacking the
websocket connections when the request arrives from an invalid origin. The
valid origin domains can be configured by the new websocket settings or can be
completely turned off if protection is not necessary.
New classes:
```java
ConnectionRejectedException
IWebSocketConnectionFilter
WebSocketConnectionOriginFilter
WebSocketAbortedPayload
AbortedMessage
WebSocketTesterProcessorTest
```
New websocket settings:
```java
isHijackingProtectionEnabled
getAllowedDomains
```
And finally new methods on `WebSocketBehavior` and `WebSocketResource`:
```java
onAbort()
```
The easiest way to understand what's going on is to run the test class:
```java
WebSocketTesterProcessorTest
```
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Fogetti/wicket master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/wicket/pull/112.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #112
----
commit 91240a49615ec7993ca54af9fced86bee36e9b44
Author: admin <[email protected]>
Date: 2015-03-18T11:26:33Z
Cross-Site WebSocket Hijacking protection added
commit 0495c096329021fa5ce4d756bfed02698f55acb2
Author: admin <[email protected]>
Date: 2015-03-19T01:39:06Z
WebsocketSettings extended with allowedDomains
commit f687147d897aaa4ef39405331ba5b4385f5e8420
Author: admin <[email protected]>
Date: 2015-03-19T02:38:19Z
Hijacking protection flag added to websocket settings
commit dd6fb1aefa24020fde30fc021b92932459a2ff66
Author: admin <[email protected]>
Date: 2015-03-19T04:42:27Z
WebSocketBehavior and WebSocketResource got new methods called
onAbort(). New broadcast message type: AbortedMessage introduced. New
payload type: WebSocketAbortedPayload introduced.
AbstractWebSocketProcessor closes connection when protection check
fails.
commit c9d1b22a82948b7ef4aa180d51474c25f2cf7d78
Author: admin <[email protected]>
Date: 2015-03-20T02:00:27Z
WebSocketTesterProcessorTest fixed and cleaned up
----
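The origin check the pull request describes, as an added example that is not part of the PR or of Wicket's own code: a hypothetical `OriginAllowList` normalizes the handshake's `Origin` header and compares it exactly against the configured origins, so a missing header, the literal value `null`, a scheme or port mismatch, and a look-alike domain that merely starts with an allowed host are all rejected. The class, its methods and the sample origins are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical allow-list check for the Origin header of a WebSocket handshake
// (an illustration of the idea, not Wicket's WebSocketConnectionOriginFilter).
public class OriginAllowList {
    private final Set<String> allowed = new HashSet<>();

    // Entries are full origins, scheme://host[:port], e.g. "https://app.example.com".
    public OriginAllowList(String... origins) {
        for (String o : origins) {
            String n = normalize(o);
            if (n != null) allowed.add(n);
        }
    }

    // Canonical "scheme://host:port", so "https://Example.com" equals "https://example.com:443".
    // Returns null for anything unparseable, including the literal Origin value "null".
    static String normalize(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            String scheme = u.getScheme(), host = u.getHost();
            if (scheme == null || host == null) return null;
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Exact match only: a missing or malformed Origin is rejected, since a browser always
    // sends the header on a WebSocket upgrade and page script cannot alter it.
    public boolean isAllowed(String originHeader) {
        String n = normalize(originHeader);
        return n != null && allowed.contains(n);
    }

    public static void main(String[] args) {
        OriginAllowList list = new OriginAllowList("https://app.example.com", "http://localhost:8080");
        String[] samples = { "https://app.example.com", "https://APP.example.com:443",   // constructed
            "https://app.example.com.evil.test", "http://app.example.com", "null", null };
        for (String s : samples) System.out.println((list.isAllowed(s) ? "accept " : "reject ") + s);
    }
}
```

Only the first two sample origins are accepted; the remaining four show why a prefix or substring comparison of the Origin value would not be a sufficient check.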