checkSameOrigin
Description
Checks that request comes from the same origin. Extracts the Origin
header value and verifies that allowed range contains the obtained value. In the case of absent of the Origin
header rejects with a MissingHeaderRejection
. If the origin value is not in the allowed range rejects with an InvalidOriginHeaderRejection
and StatusCodes.FORBIDDEN
status.
Example
Checking the Origin
header:
final HttpOrigin validOriginHeader =
HttpOrigin.create("http://localhost", Host.create("8080"));
final HttpOriginRange validOriginRange = HttpOriginRange.create(validOriginHeader);
final TestRoute route = testRoute(
checkSameOrigin(validOriginRange,
() -> complete("Result")));
route
.run(HttpRequest.create().addHeader(Origin.create(validOriginHeader)))
.assertStatusCode(StatusCodes.OK)
.assertEntity("Result");
route
.run(HttpRequest.create())
.assertStatusCode(StatusCodes.BAD_REQUEST);
final HttpOrigin invalidOriginHeader =
HttpOrigin.create("http://invalid.com", Host.create("8080"));
route
.run(HttpRequest.create().addHeader(Origin.create(invalidOriginHeader)))
.assertStatusCode(StatusCodes.FORBIDDEN);