- 19 2月, 2015 2 次提交
-
-
由 Sebastien Deleuze 提交于
This commit adds support for a same origin check that compares Origin header to Host header. It also changes the default setting from all origins allowed to only same origin allowed. Issues: SPR-12697, SPR-12685 (cherry picked from commit 6062e155)
-
由 Sebastien Deleuze 提交于
This commit introduces the following changes: - Requests without Origin header are not rejected anymore - Disable Iframe when allowedOrigins is not empty and not equals to * - The Iframe is not cached anymore in order to have a reliable origin check - allowedOrigins must not be null or empty - allowedOrigins format is now validated (should be * or start by http(s)://) Issue: SPR-12660 (cherry picked from commit 9b3319b3)
-
- 27 10月, 2014 2 次提交
-
-
由 Rossen Stoyanchev 提交于
-
由 Sebastien Deleuze 提交于
This commit introduces a new OriginHandshakeInterceptor. It filters Origin header value against a list of allowed origins. AbstractSockJsService as been modified to: - Reject CORS requests with forbidden origins - Disable transport types that does not support CORS when an origin check is required - Use the Origin request header value instead of "*" for Access-Control-Allow-Origin response header value (mandatory when Access-Control-Allow-Credentials=true) - Return CORS header only if the request contains an Origin header It is possible to configure easily this behavior thanks to JavaConfig API WebSocketHandlerRegistration#addAllowedOrigins(String...) and StompWebSocketEndpointRegistration#addAllowedOrigins(String...). It is also possible to configure it using the websocket XML namespace. Please notice that this commit does not change the default behavior: cross origin requests are still enabled by default. Issues: SPR-12226
-
- 21 10月, 2014 1 次提交
-
-
由 Juergen Hoeller 提交于
-
- 16 7月, 2014 1 次提交
-
-
由 Rossen Stoyanchev 提交于
Issue: SPR-11845
-
- 08 12月, 2013 1 次提交
-
-
由 Juergen Hoeller 提交于
Introduced SockJsSession interface and moved SockJsSessionFactory and SockJsServiceConfig to sockjs.transport; added initialize(SockJsServiceConfig) method to TransportHandler interface; extracted TransportHandlingSockJsService from DefaultSockJsService; moved sockjs.support.frame to sockjs.frame and extracted (Default)SockJsFrameFormat from SockJsFrame; moved SockJsHttpRequestHandler to sockjs.support; removed Jackson 1.x support
-
- 03 12月, 2013 2 次提交
-
-
由 Juergen Hoeller 提交于
Merged web.socket.messaging.config into web.socket.config and introduced web.socket.config.annotation
-
由 Juergen Hoeller 提交于
-
- 27 11月, 2013 1 次提交
-
-
由 Phillip Webb 提交于
Apply consistent styling to new classes introduced in Spring 4.0. - Javadoc line wrapping, whitespace and formatting - General code whitespace - Consistent Assert.notNull messages
-
- 26 11月, 2013 1 次提交
-
-
由 Rossen Stoyanchev 提交于
The addition of SubProtocolCapable simplifies configuration since it is no longer necessary to explicitly configure DefaultHandshakeHandler with a list of supported sub-protocols. We will not also check if the WebSocketHandler to use for the WebSocket request is an instance of SubProtocolCapable and obtain the list of sub-protocols that way. The provided SubProtocolWebSocketHandler does implement this interface. Issue: SPR-11111
-
- 24 11月, 2013 1 次提交
-
-
由 Rossen Stoyanchev 提交于
Before this change spring-messaging contained a few WebSocket-related classes including WebSocket sub-protocol support for STOMP as well as @EnableWebSocketMessageBroker and related configuration classes. After this change those classes are located in the spring-websocket module under org.springframework.web.socket.messaging. This means the following classes in application configuration must have their packages updated: org.springframework.web.socket.messaging.config.EnableWebSocketMessageBroker org.springframework.web.socket.messaging.config.StompEndpointRegistry org.springframework.web.socket.messaging.config.WebSocketMessageBrokerConfigurer MessageBrokerConfigurer has been renamed to MessageBrokerRegistry and is also located in the above package.
-