org.springframework.web.util.WebUtils Maven / Gradle / Ivy
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.web.util;
import java.io.File;
import java.io.FileNotFoundException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.TreeMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.ServletResponse;
import javax.servlet.ServletResponseWrapper;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
/**
* Miscellaneous utilities for web applications.
* Used by various framework classes.
*
* @author Rod Johnson
* @author Juergen Hoeller
* @author Sebastien Deleuze
*/
public abstract class WebUtils {
/**
* Standard Servlet 2.3+ spec request attributes for include URI and paths.
* If included via a RequestDispatcher, the current resource will see the
* originating request. Its own URI and paths are exposed as request attributes.
*/
public static final String INCLUDE_REQUEST_URI_ATTRIBUTE = "javax.servlet.include.request_uri";
public static final String INCLUDE_CONTEXT_PATH_ATTRIBUTE = "javax.servlet.include.context_path";
public static final String INCLUDE_SERVLET_PATH_ATTRIBUTE = "javax.servlet.include.servlet_path";
public static final String INCLUDE_PATH_INFO_ATTRIBUTE = "javax.servlet.include.path_info";
public static final String INCLUDE_QUERY_STRING_ATTRIBUTE = "javax.servlet.include.query_string";
/**
* Standard Servlet 2.4+ spec request attributes for forward URI and paths.
*
If forwarded to via a RequestDispatcher, the current resource will see its
* own URI and paths. The originating URI and paths are exposed as request attributes.
*/
public static final String FORWARD_REQUEST_URI_ATTRIBUTE = "javax.servlet.forward.request_uri";
public static final String FORWARD_CONTEXT_PATH_ATTRIBUTE = "javax.servlet.forward.context_path";
public static final String FORWARD_SERVLET_PATH_ATTRIBUTE = "javax.servlet.forward.servlet_path";
public static final String FORWARD_PATH_INFO_ATTRIBUTE = "javax.servlet.forward.path_info";
public static final String FORWARD_QUERY_STRING_ATTRIBUTE = "javax.servlet.forward.query_string";
/**
* Standard Servlet 2.3+ spec request attributes for error pages.
*
To be exposed to JSPs that are marked as error pages, when forwarding
* to them directly rather than through the servlet container's error page
* resolution mechanism.
*/
public static final String ERROR_STATUS_CODE_ATTRIBUTE = "javax.servlet.error.status_code";
public static final String ERROR_EXCEPTION_TYPE_ATTRIBUTE = "javax.servlet.error.exception_type";
public static final String ERROR_MESSAGE_ATTRIBUTE = "javax.servlet.error.message";
public static final String ERROR_EXCEPTION_ATTRIBUTE = "javax.servlet.error.exception";
public static final String ERROR_REQUEST_URI_ATTRIBUTE = "javax.servlet.error.request_uri";
public static final String ERROR_SERVLET_NAME_ATTRIBUTE = "javax.servlet.error.servlet_name";
/**
* Prefix of the charset clause in a content type String: ";charset="
*/
public static final String CONTENT_TYPE_CHARSET_PREFIX = ";charset=";
/**
* Default character encoding to use when {@code request.getCharacterEncoding}
* returns {@code null}, according to the Servlet spec.
* @see ServletRequest#getCharacterEncoding
*/
public static final String DEFAULT_CHARACTER_ENCODING = "ISO-8859-1";
/**
* Standard Servlet spec context attribute that specifies a temporary
* directory for the current web application, of type {@code java.io.File}.
*/
public static final String TEMP_DIR_CONTEXT_ATTRIBUTE = "javax.servlet.context.tempdir";
/**
* HTML escape parameter at the servlet context level
* (i.e. a context-param in {@code web.xml}): "defaultHtmlEscape".
*/
public static final String HTML_ESCAPE_CONTEXT_PARAM = "defaultHtmlEscape";
/**
* Use of response encoding for HTML escaping parameter at the servlet context level
* (i.e. a context-param in {@code web.xml}): "responseEncodedHtmlEscape".
* @since 4.1.2
*/
public static final String RESPONSE_ENCODED_HTML_ESCAPE_CONTEXT_PARAM = "responseEncodedHtmlEscape";
/**
* Web app root key parameter at the servlet context level
* (i.e. a context-param in {@code web.xml}): "webAppRootKey".
*/
public static final String WEB_APP_ROOT_KEY_PARAM = "webAppRootKey";
/** Default web app root key: "webapp.root" */
public static final String DEFAULT_WEB_APP_ROOT_KEY = "webapp.root";
/** Name suffixes in case of image buttons */
public static final String[] SUBMIT_IMAGE_SUFFIXES = {".x", ".y"};
/** Key for the mutex session attribute */
public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
private static final Set FORWARDED_HEADER_NAMES = new LinkedHashSet<>(5);
static {
FORWARDED_HEADER_NAMES.add("Forwarded");
FORWARDED_HEADER_NAMES.add("X-Forwarded-Host");
FORWARDED_HEADER_NAMES.add("X-Forwarded-Port");
FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
}
/**
* Set a system property to the web application root directory.
* The key of the system property can be defined with the "webAppRootKey"
* context-param in {@code web.xml}. Default is "webapp.root".
* Can be used for tools that support substitution with {@code System.getProperty}
* values, like log4j's "${key}" syntax within log file locations.
* @param servletContext the servlet context of the web application
* @throws IllegalStateException if the system property is already set,
* or if the WAR file is not expanded
* @see #WEB_APP_ROOT_KEY_PARAM
* @see #DEFAULT_WEB_APP_ROOT_KEY
* @see WebAppRootListener
*/
public static void setWebAppRootSystemProperty(ServletContext servletContext) throws IllegalStateException {
Assert.notNull(servletContext, "ServletContext must not be null");
String root = servletContext.getRealPath("/");
if (root == null) {
throw new IllegalStateException(
"Cannot set web app root system property when WAR file is not expanded");
}
String param = servletContext.getInitParameter(WEB_APP_ROOT_KEY_PARAM);
String key = (param != null ? param : DEFAULT_WEB_APP_ROOT_KEY);
String oldValue = System.getProperty(key);
if (oldValue != null && !StringUtils.pathEquals(oldValue, root)) {
throw new IllegalStateException("Web app root system property already set to different value: '" +
key + "' = [" + oldValue + "] instead of [" + root + "] - " +
"Choose unique values for the 'webAppRootKey' context-param in your web.xml files!");
}
System.setProperty(key, root);
servletContext.log("Set web app root system property: '" + key + "' = [" + root + "]");
}
/**
* Remove the system property that points to the web app root directory.
* To be called on shutdown of the web application.
* @param servletContext the servlet context of the web application
* @see #setWebAppRootSystemProperty
*/
public static void removeWebAppRootSystemProperty(ServletContext servletContext) {
Assert.notNull(servletContext, "ServletContext must not be null");
String param = servletContext.getInitParameter(WEB_APP_ROOT_KEY_PARAM);
String key = (param != null ? param : DEFAULT_WEB_APP_ROOT_KEY);
System.getProperties().remove(key);
}
/**
* Return whether default HTML escaping is enabled for the web application,
* i.e. the value of the "defaultHtmlEscape" context-param in {@code web.xml}
* (if any).
*
This method differentiates between no param specified at all and
* an actual boolean value specified, allowing to have a context-specific
* default in case of no setting at the global level.
* @param servletContext the servlet context of the web application
* @return whether default HTML escaping is enabled for the given application
* ({@code null} = no explicit default)
*/
@Nullable
public static Boolean getDefaultHtmlEscape(@Nullable ServletContext servletContext) {
if (servletContext == null) {
return null;
}
String param = servletContext.getInitParameter(HTML_ESCAPE_CONTEXT_PARAM);
return (StringUtils.hasText(param) ? Boolean.valueOf(param) : null);
}
/**
* Return whether response encoding should be used when HTML escaping characters,
* thus only escaping XML markup significant characters with UTF-* encodings.
* This option is enabled for the web application with a ServletContext param,
* i.e. the value of the "responseEncodedHtmlEscape" context-param in {@code web.xml}
* (if any).
*
This method differentiates between no param specified at all and
* an actual boolean value specified, allowing to have a context-specific
* default in case of no setting at the global level.
* @param servletContext the servlet context of the web application
* @return whether response encoding is to be used for HTML escaping
* ({@code null} = no explicit default)
* @since 4.1.2
*/
@Nullable
public static Boolean getResponseEncodedHtmlEscape(@Nullable ServletContext servletContext) {
if (servletContext == null) {
return null;
}
String param = servletContext.getInitParameter(RESPONSE_ENCODED_HTML_ESCAPE_CONTEXT_PARAM);
return (StringUtils.hasText(param) ? Boolean.valueOf(param) : null);
}
/**
* Return the temporary directory for the current web application,
* as provided by the servlet container.
* @param servletContext the servlet context of the web application
* @return the File representing the temporary directory
*/
public static File getTempDir(ServletContext servletContext) {
Assert.notNull(servletContext, "ServletContext must not be null");
return (File) servletContext.getAttribute(TEMP_DIR_CONTEXT_ATTRIBUTE);
}
/**
* Return the real path of the given path within the web application,
* as provided by the servlet container.
*
Prepends a slash if the path does not already start with a slash,
* and throws a FileNotFoundException if the path cannot be resolved to
* a resource (in contrast to ServletContext's {@code getRealPath},
* which returns null).
* @param servletContext the servlet context of the web application
* @param path the path within the web application
* @return the corresponding real path
* @throws FileNotFoundException if the path cannot be resolved to a resource
* @see javax.servlet.ServletContext#getRealPath
*/
public static String getRealPath(ServletContext servletContext, String path) throws FileNotFoundException {
Assert.notNull(servletContext, "ServletContext must not be null");
// Interpret location as relative to the web application root directory.
if (!path.startsWith("/")) {
path = "/" + path;
}
String realPath = servletContext.getRealPath(path);
if (realPath == null) {
throw new FileNotFoundException(
"ServletContext resource [" + path + "] cannot be resolved to absolute file path - " +
"web application archive not expanded?");
}
return realPath;
}
/**
* Determine the session id of the given request, if any.
* @param request current HTTP request
* @return the session id, or {@code null} if none
*/
@Nullable
public static String getSessionId(HttpServletRequest request) {
Assert.notNull(request, "Request must not be null");
HttpSession session = request.getSession(false);
return (session != null ? session.getId() : null);
}
/**
* Check the given request for a session attribute of the given name.
* Returns null if there is no session or if the session has no such attribute.
* Does not create a new session if none has existed before!
* @param request current HTTP request
* @param name the name of the session attribute
* @return the value of the session attribute, or {@code null} if not found
*/
@Nullable
public static Object getSessionAttribute(HttpServletRequest request, String name) {
Assert.notNull(request, "Request must not be null");
HttpSession session = request.getSession(false);
return (session != null ? session.getAttribute(name) : null);
}
/**
* Check the given request for a session attribute of the given name.
* Throws an exception if there is no session or if the session has no such
* attribute. Does not create a new session if none has existed before!
* @param request current HTTP request
* @param name the name of the session attribute
* @return the value of the session attribute, or {@code null} if not found
* @throws IllegalStateException if the session attribute could not be found
*/
public static Object getRequiredSessionAttribute(HttpServletRequest request, String name)
throws IllegalStateException {
Object attr = getSessionAttribute(request, name);
if (attr == null) {
throw new IllegalStateException("No session attribute '" + name + "' found");
}
return attr;
}
/**
* Set the session attribute with the given name to the given value.
* Removes the session attribute if value is null, if a session existed at all.
* Does not create a new session if not necessary!
* @param request current HTTP request
* @param name the name of the session attribute
* @param value the value of the session attribute
*/
public static void setSessionAttribute(HttpServletRequest request, String name, @Nullable Object value) {
Assert.notNull(request, "Request must not be null");
if (value != null) {
request.getSession().setAttribute(name, value);
}
else {
HttpSession session = request.getSession(false);
if (session != null) {
session.removeAttribute(name);
}
}
}
/**
* Return the best available mutex for the given session:
* that is, an object to synchronize on for the given session.
*
Returns the session mutex attribute if available; usually,
* this means that the HttpSessionMutexListener needs to be defined
* in {@code web.xml}. Falls back to the HttpSession itself
* if no mutex attribute found.
*
The session mutex is guaranteed to be the same object during
* the entire lifetime of the session, available under the key defined
* by the {@code SESSION_MUTEX_ATTRIBUTE} constant. It serves as a
* safe reference to synchronize on for locking on the current session.
*
In many cases, the HttpSession reference itself is a safe mutex
* as well, since it will always be the same object reference for the
* same active logical session. However, this is not guaranteed across
* different servlet containers; the only 100% safe way is a session mutex.
* @param session the HttpSession to find a mutex for
* @return the mutex object (never {@code null})
* @see #SESSION_MUTEX_ATTRIBUTE
* @see HttpSessionMutexListener
*/
public static Object getSessionMutex(HttpSession session) {
Assert.notNull(session, "Session must not be null");
Object mutex = session.getAttribute(SESSION_MUTEX_ATTRIBUTE);
if (mutex == null) {
mutex = session;
}
return mutex;
}
/**
* Return an appropriate request object of the specified type, if available,
* unwrapping the given request as far as necessary.
* @param request the servlet request to introspect
* @param requiredType the desired type of request object
* @return the matching request object, or {@code null} if none
* of that type is available
*/
@SuppressWarnings("unchecked")
@Nullable
public static T getNativeRequest(ServletRequest request, @Nullable Class requiredType) {
if (requiredType != null) {
if (requiredType.isInstance(request)) {
return (T) request;
}
else if (request instanceof ServletRequestWrapper) {
return getNativeRequest(((ServletRequestWrapper) request).getRequest(), requiredType);
}
}
return null;
}
/**
* Return an appropriate response object of the specified type, if available,
* unwrapping the given response as far as necessary.
* @param response the servlet response to introspect
* @param requiredType the desired type of response object
* @return the matching response object, or {@code null} if none
* of that type is available
*/
@SuppressWarnings("unchecked")
@Nullable
public static T getNativeResponse(ServletResponse response, @Nullable Class requiredType) {
if (requiredType != null) {
if (requiredType.isInstance(response)) {
return (T) response;
}
else if (response instanceof ServletResponseWrapper) {
return getNativeResponse(((ServletResponseWrapper) response).getResponse(), requiredType);
}
}
return null;
}
/**
* Determine whether the given request is an include request,
* that is, not a top-level HTTP request coming in from the outside.
* Checks the presence of the "javax.servlet.include.request_uri"
* request attribute. Could check any request attribute that is only
* present in an include request.
* @param request current servlet request
* @return whether the given request is an include request
*/
public static boolean isIncludeRequest(ServletRequest request) {
return (request.getAttribute(INCLUDE_REQUEST_URI_ATTRIBUTE) != null);
}
/**
* Expose the Servlet spec's error attributes as {@link javax.servlet.http.HttpServletRequest}
* attributes under the keys defined in the Servlet 2.3 specification, for error pages that
* are rendered directly rather than through the Servlet container's error page resolution:
* {@code javax.servlet.error.status_code},
* {@code javax.servlet.error.exception_type},
* {@code javax.servlet.error.message},
* {@code javax.servlet.error.exception},
* {@code javax.servlet.error.request_uri},
* {@code javax.servlet.error.servlet_name}.
*
Does not override values if already present, to respect attribute values
* that have been exposed explicitly before.
*
Exposes status code 200 by default. Set the "javax.servlet.error.status_code"
* attribute explicitly (before or after) in order to expose a different status code.
* @param request current servlet request
* @param ex the exception encountered
* @param servletName the name of the offending servlet
*/
public static void exposeErrorRequestAttributes(HttpServletRequest request, Throwable ex,
@Nullable String servletName) {
exposeRequestAttributeIfNotPresent(request, ERROR_STATUS_CODE_ATTRIBUTE, HttpServletResponse.SC_OK);
exposeRequestAttributeIfNotPresent(request, ERROR_EXCEPTION_TYPE_ATTRIBUTE, ex.getClass());
exposeRequestAttributeIfNotPresent(request, ERROR_MESSAGE_ATTRIBUTE, ex.getMessage());
exposeRequestAttributeIfNotPresent(request, ERROR_EXCEPTION_ATTRIBUTE, ex);
exposeRequestAttributeIfNotPresent(request, ERROR_REQUEST_URI_ATTRIBUTE, request.getRequestURI());
if (servletName != null) {
exposeRequestAttributeIfNotPresent(request, ERROR_SERVLET_NAME_ATTRIBUTE, servletName);
}
}
/**
* Expose the specified request attribute if not already present.
* @param request current servlet request
* @param name the name of the attribute
* @param value the suggested value of the attribute
*/
private static void exposeRequestAttributeIfNotPresent(ServletRequest request, String name, Object value) {
if (request.getAttribute(name) == null) {
request.setAttribute(name, value);
}
}
/**
* Clear the Servlet spec's error attributes as {@link javax.servlet.http.HttpServletRequest}
* attributes under the keys defined in the Servlet 2.3 specification:
* {@code javax.servlet.error.status_code},
* {@code javax.servlet.error.exception_type},
* {@code javax.servlet.error.message},
* {@code javax.servlet.error.exception},
* {@code javax.servlet.error.request_uri},
* {@code javax.servlet.error.servlet_name}.
* @param request current servlet request
*/
public static void clearErrorRequestAttributes(HttpServletRequest request) {
request.removeAttribute(ERROR_STATUS_CODE_ATTRIBUTE);
request.removeAttribute(ERROR_EXCEPTION_TYPE_ATTRIBUTE);
request.removeAttribute(ERROR_MESSAGE_ATTRIBUTE);
request.removeAttribute(ERROR_EXCEPTION_ATTRIBUTE);
request.removeAttribute(ERROR_REQUEST_URI_ATTRIBUTE);
request.removeAttribute(ERROR_SERVLET_NAME_ATTRIBUTE);
}
/**
* Retrieve the first cookie with the given name. Note that multiple
* cookies can have the same name but different paths or domains.
* @param request current servlet request
* @param name cookie name
* @return the first cookie with the given name, or {@code null} if none is found
*/
@Nullable
public static Cookie getCookie(HttpServletRequest request, String name) {
Assert.notNull(request, "Request must not be null");
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (name.equals(cookie.getName())) {
return cookie;
}
}
}
return null;
}
/**
* Check if a specific input type="submit" parameter was sent in the request,
* either via a button (directly with name) or via an image (name + ".x" or
* name + ".y").
* @param request current HTTP request
* @param name name of the parameter
* @return if the parameter was sent
* @see #SUBMIT_IMAGE_SUFFIXES
*/
public static boolean hasSubmitParameter(ServletRequest request, String name) {
Assert.notNull(request, "Request must not be null");
if (request.getParameter(name) != null) {
return true;
}
for (String suffix : SUBMIT_IMAGE_SUFFIXES) {
if (request.getParameter(name + suffix) != null) {
return true;
}
}
return false;
}
/**
* Obtain a named parameter from the given request parameters.
*
See {@link #findParameterValue(java.util.Map, String)}
* for a description of the lookup algorithm.
* @param request current HTTP request
* @param name the logical name of the request parameter
* @return the value of the parameter, or {@code null}
* if the parameter does not exist in given request
*/
@Nullable
public static String findParameterValue(ServletRequest request, String name) {
return findParameterValue(request.getParameterMap(), name);
}
/**
* Obtain a named parameter from the given request parameters.
*
This method will try to obtain a parameter value using the
* following algorithm:
*
* - Try to get the parameter value using just the given logical name.
* This handles parameters of the form logicalName = value. For normal
* parameters, e.g. submitted using a hidden HTML form field, this will return
* the requested value.
* - Try to obtain the parameter value from the parameter name, where the
* parameter name in the request is of the form logicalName_value = xyz
* with "_" being the configured delimiter. This deals with parameter values
* submitted using an HTML form submit button.
* - If the value obtained in the previous step has a ".x" or ".y" suffix,
* remove that. This handles cases where the value was submitted using an
* HTML form image button. In this case the parameter in the request would
* actually be of the form logicalName_value.x = 123.
*
* @param parameters the available parameter map
* @param name the logical name of the request parameter
* @return the value of the parameter, or {@code null}
* if the parameter does not exist in given request
*/
@Nullable
public static String findParameterValue(Map parameters, String name) {
// First try to get it as a normal name=value parameter
Object value = parameters.get(name);
if (value instanceof String[]) {
String[] values = (String[]) value;
return (values.length > 0 ? values[0] : null);
}
else if (value != null) {
return value.toString();
}
// If no value yet, try to get it as a name_value=xyz parameter
String prefix = name + "_";
for (String paramName : parameters.keySet()) {
if (paramName.startsWith(prefix)) {
// Support images buttons, which would submit parameters as name_value.x=123
for (String suffix : SUBMIT_IMAGE_SUFFIXES) {
if (paramName.endsWith(suffix)) {
return paramName.substring(prefix.length(), paramName.length() - suffix.length());
}
}
return paramName.substring(prefix.length());
}
}
// We couldn't find the parameter value...
return null;
}
/**
* Return a map containing all parameters with the given prefix.
* Maps single values to String and multiple values to String array.
* For example, with a prefix of "spring_", "spring_param1" and
* "spring_param2" result in a Map with "param1" and "param2" as keys.
* @param request HTTP request in which to look for parameters
* @param prefix the beginning of parameter names
* (if this is null or the empty string, all parameters will match)
* @return map containing request parameters without the prefix,
* containing either a String or a String array as values
* @see javax.servlet.ServletRequest#getParameterNames
* @see javax.servlet.ServletRequest#getParameterValues
* @see javax.servlet.ServletRequest#getParameterMap
*/
public static Map getParametersStartingWith(ServletRequest request, @Nullable String prefix) {
Assert.notNull(request, "Request must not be null");
Enumeration paramNames = request.getParameterNames();
Map params = new TreeMap<>();
if (prefix == null) {
prefix = "";
}
while (paramNames != null && paramNames.hasMoreElements()) {
String paramName = paramNames.nextElement();
if ("".equals(prefix) || paramName.startsWith(prefix)) {
String unprefixed = paramName.substring(prefix.length());
String[] values = request.getParameterValues(paramName);
if (values == null || values.length == 0) {
// Do nothing, no values found at all.
}
else if (values.length > 1) {
params.put(unprefixed, values);
}
else {
params.put(unprefixed, values[0]);
}
}
}
return params;
}
/**
* Parse the given string with matrix variables. An example string would look
* like this {@code "q1=a;q1=b;q2=a,b,c"}. The resulting map would contain
* keys {@code "q1"} and {@code "q2"} with values {@code ["a","b"]} and
* {@code ["a","b","c"]} respectively.
* @param matrixVariables the unparsed matrix variables string
* @return a map with matrix variable names and values (never {@code null})
* @since 3.2
*/
public static MultiValueMap parseMatrixVariables(String matrixVariables) {
MultiValueMap result = new LinkedMultiValueMap<>();
if (!StringUtils.hasText(matrixVariables)) {
return result;
}
StringTokenizer pairs = new StringTokenizer(matrixVariables, ";");
while (pairs.hasMoreTokens()) {
String pair = pairs.nextToken();
int index = pair.indexOf('=');
if (index != -1) {
String name = pair.substring(0, index);
String rawValue = pair.substring(index + 1);
for (String value : StringUtils.commaDelimitedListToStringArray(rawValue)) {
result.add(name, value);
}
}
else {
result.add(pair, "");
}
}
return result;
}
/**
* Check the given request origin against a list of allowed origins.
* A list containing "*" means that all origins are allowed.
* An empty list means only same origin is allowed.
* Note: this method may use values from "Forwarded"
* (RFC 7239),
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
* if present, in order to reflect the client-originated address.
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
* central place whether to extract and use, or to discard such headers.
* See the Spring Framework reference for more on this filter.
* @return {@code true} if the request origin is valid, {@code false} otherwise
* @since 4.1.5
* @see RFC 6454: The Web Origin Concept
*/
public static boolean isValidOrigin(HttpRequest request, Collection allowedOrigins) {
Assert.notNull(request, "Request must not be null");
Assert.notNull(allowedOrigins, "Allowed origins must not be null");
String origin = request.getHeaders().getOrigin();
if (origin == null || allowedOrigins.contains("*")) {
return true;
}
else if (CollectionUtils.isEmpty(allowedOrigins)) {
return isSameOrigin(request);
}
else {
return allowedOrigins.contains(origin);
}
}
/**
* Check if the request is a same-origin one, based on {@code Origin}, {@code Host},
* {@code Forwarded}, {@code X-Forwarded-Proto}, {@code X-Forwarded-Host} and
* @code X-Forwarded-Port} headers.
* Note: this method uses values from "Forwarded"
* (RFC 7239),
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
* if present, in order to reflect the client-originated address.
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
* central place whether to extract and use, or to discard such headers.
* See the Spring Framework reference for more on this filter.
* @return {@code true} if the request is a same-origin one, {@code false} in case
* of cross-origin request
* @since 4.2
*/
public static boolean isSameOrigin(HttpRequest request) {
HttpHeaders headers = request.getHeaders();
String origin = headers.getOrigin();
if (origin == null) {
return true;
}
String scheme;
String host;
int port;
if (request instanceof ServletServerHttpRequest) {
// Build more efficiently if we can: we only need scheme, host, port for origin comparison
HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
scheme = servletRequest.getScheme();
host = servletRequest.getServerName();
port = servletRequest.getServerPort();
if (containsForwardedHeaders(servletRequest)) {
UriComponents actualUrl = new UriComponentsBuilder()
.scheme(scheme).host(host).port(port)
.adaptFromForwardedHeaders(headers)
.build();
scheme = actualUrl.getScheme();
host = actualUrl.getHost();
port = actualUrl.getPort();
}
}
else {
UriComponents actualUrl = UriComponentsBuilder.fromHttpRequest(request).build();
scheme = actualUrl.getScheme();
host = actualUrl.getHost();
port = actualUrl.getPort();
}
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
getPort(scheme, port) == getPort(originUrl.getScheme(), originUrl.getPort()));
}
private static boolean containsForwardedHeaders(HttpServletRequest request) {
for (String headerName : FORWARDED_HEADER_NAMES) {
if (request.getHeader(headerName) != null) {
return true;
}
}
return false;
}
private static int getPort(@Nullable String scheme, int port) {
if (port == -1) {
if ("http".equals(scheme) || "ws".equals(scheme)) {
port = 80;
}
else if ("https".equals(scheme) || "wss".equals(scheme)) {
port = 443;
}
}
return port;
}
}