Class OriginValidator
java.lang.Object
org.codelibs.fess.api.v2.handlers.OriginValidator
Baseline same-origin / allow-listed-origin decision for the v2 CSRF Origin
check. Registered as a Lasta DI component (
originValidator) so the
policy is replaceable; the trusted self-origin set is resolved through the
injected TargetOriginResolver and the CORS allow list is consulted via
ComponentUtil.-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected TargetOriginResolverResolves the canonical self-origin set used for the same-origin comparison. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionbooleanisAllowed(jakarta.servlet.http.HttpServletRequest request) Validates the source origin of a state-changing request.
-
Field Details
-
targetOriginResolver
Resolves the canonical self-origin set used for the same-origin comparison.
-
-
Constructor Details
-
OriginValidator
public OriginValidator()Default constructor. The validator is stateless and intended to be instantiated once by the DI container and shared across concurrent requests.
-
-
Method Details
-
isAllowed
public boolean isAllowed(jakarta.servlet.http.HttpServletRequest request) Validates the source origin of a state-changing request.Algorithm:
- Resolve the trusted self-origin set via
TargetOriginResolver.resolve(jakarta.servlet.http.HttpServletRequest). - Read the
Originheader. If non-blank, it is the source — theRefereris NOT consulted as a fallback (a same-origin Referer must not rescue a cross-site Origin). IfOriginis blank/absent, readRefereras the source. - Canonicalize the source via
OriginUtil.canonicalize(java.lang.String). If the result isnull(both headers absent or unparseable) → allow (non-browser API client compatibility; browser-driven cross-site state changes always carry an Origin). - If the trusted self-origin set contains the canonical source → allow.
- If the CORS allow list resolves the source to an
CorsMatchType.EXACTmatch → allow.resolve()is used (neverget()) so a"*"wildcard fallback is never silently trusted. - Otherwise (cross-site,
Origin: null, malformed value) → reject.
- Parameters:
request- the request; only theOrigin/Refererheaders are read- Returns:
trueif the request may proceed,falseif it is blocked as cross-site
- Resolve the trusted self-origin set via
-