Class TargetOriginResolver

java.lang.Object
org.codelibs.fess.api.v2.handlers.TargetOriginResolver

public class TargetOriginResolver extends Object
Builds the canonical self-origin set (trustedSameOrigins) for the v2 CSRF Origin check. The trust boundary for forwarded headers is enforced here. Registered as a Lasta DI component (targetOriginResolver) so the resolution strategy is replaceable per deployment.

Resolution priority:

  1. If theme.api.csrf.server.origins is configured, canonicalize each value and return that set. This is header-independent and the hardest option — the recommended setting behind reverse proxies.
  2. Otherwise, only when request.getRemoteAddr() is a trusted proxy (rate.limit.trusted.proxies), reconstruct the origin from the X-Forwarded-Proto / X-Forwarded-Host (+ optional X-Forwarded-Port) headers. A comma-separated X-Forwarded-Host uses the first value. Forwarded headers from an untrusted source are never trusted (spoof prevention).
  3. Otherwise, reconstruct from the servlet request (getScheme/getServerName/getServerPort).

The reconstructed origin is always canonicalized so default ports are normalized consistently with the source origin.

  • Constructor Details

    • TargetOriginResolver

      public TargetOriginResolver()
      Default constructor. The resolver is stateless and intended to be instantiated once by the DI container and shared across concurrent requests.
  • Method Details

    • resolve

      public Set<String> resolve(jakarta.servlet.http.HttpServletRequest request)
      Resolves the set of canonical origins that are considered same-origin for this request.
      Parameters:
      request - the current request (forwarded headers consulted only for trusted proxies)
      Returns:
      a non-null set of canonical origins (may be empty if every configured value was invalid)