Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect scheme specified within Origin header during WebSocket Handshake #2215

Open
cgdrake opened this issue Oct 30, 2024 · 2 comments
Open

Incorrect scheme specified within Origin header during WebSocket Handshake #2215

cgdrake opened this issue Oct 30, 2024 · 2 comments

Comments

@cgdrake
Copy link
Contributor

cgdrake commented Oct 30, 2024
edited
Loading

Establishing a non-SSL WebSocket connection results in an Origin header being sent by the client which erroneously specifies the scheme as wss. In addition, a call to Handshake.isSecure() reports true when in fact the connection is insecure.

The following test demonstrates the issue when run again all current versions of Grizzly:

package org.glassfish.grizzly.websockets;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.logging.Logger;

import org.glassfish.grizzly.websockets.rfc6455.RFC6455HandShake;
import org.junit.Test;

public class HandShakeTest {
    private static final Logger LOGGER = Logger.getLogger("HandShakeTest");
    private static String SSL = "wss://localhost:8443";
    private static String NON_SSL = "ws://localhost:8080";
    private static String RESOURCE_PATH = "/websocket";

    @Test
    public void testOrigin() throws URISyntaxException {
        // non-ssl
        HandShake handshake = new RFC6455HandShake(new URI(NON_SSL + RESOURCE_PATH));
        LOGGER.info("Handshake: isSecure=" + handshake.isSecure() + ", headers: " + handshake.composeHeaders().getHttpHeader());
        assertEquals(handshake.getOrigin(), NON_SSL);
        assertFalse(handshake.isSecure());
        assertEquals(handshake.getLocation(), NON_SSL + RESOURCE_PATH);

        // ssl
        handshake = new RFC6455HandShake(new URI(SSL + RESOURCE_PATH));
        LOGGER.info("Handshake: isSecure=" + handshake.isSecure() + ", headers: " + handshake.composeHeaders().getHttpHeader());
        assertEquals(handshake.getOrigin(), SSL);
        assertTrue(handshake.isSecure());
        assertEquals(handshake.getLocation(), SSL + RESOURCE_PATH);


    }
}

Result:

Oct. 30, 2024 4:02:13 P.M. org.glassfish.grizzly.websockets.HandShakeTest testOrigin
INFO: Handshake: isSecure=false, headers: HttpRequestPacket (
   method=GET
   url=/websocket
   query=null
   protocol=HTTP/1.1
   content-length=-1
   headers=[
      Connection=Upgrade
      Host=localhost:8080
      Sec-WebSocket-Key=jSG8Izr6S3AtVXcAbIcHgg==
      Sec-WebSocket-Version=13
      Origin=wss://localhost:8080]
)

org.junit.ComparisonFailure: 
Expected :ws://localhost:8080
Actual   :wss://localhost:8080
@cgdrake
Copy link
Contributor Author

cgdrake commented Oct 30, 2024
edited
Loading

The attached diff contains a fix for the issue along with the associated tests.

cgdrake added a commit to cgdrake/grizzly that referenced this issue Oct 30, 2024
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
a037ed5 
…non-SSL WebSocket connections
cgdrake added a commit to cgdrake/grizzly that referenced this issue Oct 30, 2024
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
f40b3ff 
…non-SSL WebSocket connections
cgdrake added a commit to cgdrake/grizzly that referenced this issue Oct 30, 2024
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
661418d 
…non-SSL WebSocket connections
@cgdrake cgdrake mentioned this issue Oct 30, 2024
Merged
cgdrake added a commit to cgdrake/grizzly that referenced this issue Oct 30, 2024
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
6399a95 
…non-SSL WebSocket connections
@carryel
Copy link
Contributor

carryel commented Jan 3, 2025

It seems like a bug. I'll take a look and review your PR.

cgdrake added a commit to cgdrake/grizzly that referenced this issue Jan 7, 2025
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
2aee7c0 
…non-SSL WebSocket connections
cgdrake added a commit to cgdrake/grizzly that referenced this issue Jan 7, 2025
@cgdrake
Issue eclipse-ee4j#2215 Fix invalid Origin header sent by client for …
a0d6f8a 
…non-SSL WebSocket connections
carryel added a commit that referenced this issue Jan 8, 2025
@carryel
Merge pull request #2216 from cgdrake/bugfix/issue_2215
a5327b8 
Issue #2215 Fix invalid Origin header sent by client for non-SSL WebSocket connections
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@carryel @cgdrake