[ZEPPELIN-2288] Fix Cross-Site WebSocket check

Change-Id: Iad87ebe0b5dd6bd67a12e47fe83fbd0e1e71bda9
This commit is contained in:
Elek, Márton 2017-03-20 15:23:51 +01:00
parent 641863d563
commit 74b37a441e

View file

@ -19,18 +19,31 @@ package org.apache.zeppelin.socket;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
import org.eclipse.jetty.websocket.servlet.WebSocketCreator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.apache.zeppelin.conf.ZeppelinConfiguration.ConfVars.ZEPPELIN_ALLOWED_ORIGINS;
/**
* Responsible to create the WebSockets for the NotebookServer.
*/
public class NotebookWebSocketCreator implements WebSocketCreator {
private static final Logger LOG = LoggerFactory.getLogger(NotebookWebSocketCreator.class);
private NotebookServer notebookServer;
public NotebookWebSocketCreator(NotebookServer notebookServer) {
this.notebookServer = notebookServer;
}
public Object createWebSocket(ServletUpgradeRequest request, ServletUpgradeResponse response) {
return new NotebookSocket(request.getHttpServletRequest(), "", notebookServer);
String origin = request.getHeader("Origin");
if (notebookServer.checkOrigin(request.getHttpServletRequest(), origin)) {
return new NotebookSocket(request.getHttpServletRequest(), "", notebookServer);
} else {
LOG.error("Websocket request is not allowed by {} settings. Origin: {}",
ZEPPELIN_ALLOWED_ORIGINS, origin);
return null;
}
}
}