Class TargetOriginResolver
java.lang.Object
org.codelibs.fess.api.v2.handlers.TargetOriginResolver
Builds the canonical self-origin set (
trustedSameOrigins) for the v2
CSRF Origin check. The trust boundary for forwarded headers is
enforced here. Registered as a Lasta DI component
(targetOriginResolver) so the resolution strategy is replaceable per
deployment.
Resolution priority:
- If
theme.api.csrf.server.originsis configured, canonicalize each value and return that set. This is header-independent and the hardest option — the recommended setting behind reverse proxies. - Otherwise, only when
request.getRemoteAddr()is a trusted proxy (rate.limit.trusted.proxies), reconstruct the origin from theX-Forwarded-Proto/X-Forwarded-Host(+ optionalX-Forwarded-Port) headers. A comma-separatedX-Forwarded-Hostuses the first value. Forwarded headers from an untrusted source are never trusted (spoof prevention). - Otherwise, reconstruct from the servlet request
(
getScheme/getServerName/getServerPort).
The reconstructed origin is always canonicalized so default ports are normalized consistently with the source origin.
-
Constructor Summary
Constructors -
Method Summary
-
Constructor Details
-
TargetOriginResolver
public TargetOriginResolver()Default constructor. The resolver is stateless and intended to be instantiated once by the DI container and shared across concurrent requests.
-
-
Method Details
-
resolve
Resolves the set of canonical origins that are considered same-origin for this request.- Parameters:
request- the current request (forwarded headers consulted only for trusted proxies)- Returns:
- a non-null set of canonical origins (may be empty if every configured value was invalid)
-