Class OriginValidator

java.lang.Object
org.codelibs.fess.api.v2.handlers.OriginValidator

public class OriginValidator extends Object
Baseline same-origin / allow-listed-origin decision for the v2 CSRF Origin check. Registered as a Lasta DI component (originValidator) so the policy is replaceable; the trusted self-origin set is resolved through the injected TargetOriginResolver and the CORS allow list is consulted via ComponentUtil.
  • Field Details

    • targetOriginResolver

      protected TargetOriginResolver targetOriginResolver
      Resolves the canonical self-origin set used for the same-origin comparison.
  • Constructor Details

    • OriginValidator

      public OriginValidator()
      Default constructor. The validator is stateless and intended to be instantiated once by the DI container and shared across concurrent requests.
  • Method Details

    • isAllowed

      public boolean isAllowed(jakarta.servlet.http.HttpServletRequest request)
      Validates the source origin of a state-changing request.

      Algorithm:

      1. Resolve the trusted self-origin set via TargetOriginResolver.resolve(jakarta.servlet.http.HttpServletRequest).
      2. Read the Origin header. If non-blank, it is the source — the Referer is NOT consulted as a fallback (a same-origin Referer must not rescue a cross-site Origin). If Origin is blank/absent, read Referer as the source.
      3. Canonicalize the source via OriginUtil.canonicalize(java.lang.String). If the result is null (both headers absent or unparseable) → allow (non-browser API client compatibility; browser-driven cross-site state changes always carry an Origin).
      4. If the trusted self-origin set contains the canonical source → allow.
      5. If the CORS allow list resolves the source to an CorsMatchType.EXACT match → allow. resolve() is used (never get()) so a "*" wildcard fallback is never silently trusted.
      6. Otherwise (cross-site, Origin: null, malformed value) → reject.
      Parameters:
      request - the request; only the Origin/Referer headers are read
      Returns:
      true if the request may proceed, false if it is blocked as cross-site