From 876b1bd12cd6790e5bd738a7f513dc60c27c59dc Mon Sep 17 00:00:00 2001
From: yasasrangika
Date: Wed, 7 Jun 2023 10:54:02 +0530
Subject: [PATCH 1/3] fix https://github.com/wso2/api-manager/issues/1876

---
 .../wso2/carbon/apimgt/impl/internal/APIManagerComponent.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/internal/APIManagerComponent.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/internal/APIManagerComponent.java
index 9b9b0d01fe55..d43fc8a39596 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/internal/APIManagerComponent.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/internal/APIManagerComponent.java
@@ -22,6 +22,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLSocketFactory;
 import org.apache.http.ssl.SSLContexts;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceRegistration;
@@ -1059,7 +1060,8 @@ void populateHttpClientConfiguration() {
 final String[] localhosts = { "::1", "127.0.0.1", "localhost", "localhost.localdomain" };
 @Override
 public boolean verify(String urlHostName, SSLSession session) {
- return Arrays.asList(localhosts).contains(urlHostName);
+ return SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER.verify(urlHostName, session)
+ || Arrays.asList(localhosts).contains(urlHostName);
 }
 };
 break;

From 5c5a0f02a1877aad2af1544ad53b6f91fc46bf94 Mon Sep 17 00:00:00 2001
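Review bot: The new verify body calls `SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER`, a field of a class HttpClient has deprecated since 4.3, while the file already imports `DefaultHostnameVerifier`, the supported replacement that implements the same javax.net.ssl.HostnameVerifier `verify(String, SSLSession)` contract. Using it also makes the `SSLSocketFactory` import in the first hunk unnecessary: declare `final HostnameVerifier hostMatcher = new DefaultHostnameVerifier();` beside `localhosts` and return `hostMatcher.verify(urlHostName, session) || Arrays.asList(localhosts).contains(urlHostName);`. The two verifiers reportedly differ in wildcard matching (the browser-compatible one is looser), so the switch should be checked against the certificates used in this mode. The loopback allowlist still accepts the four localhost names regardless of the presented certificate, which deserves a comment such as `// loopback names bypass certificate host matching; intended only for local endpoints`. The enclosing switch and populateHttpClientConfiguration continue outside the hunk.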
From: pasant9
Date: Thu, 8 Jun 2023 15:48:04 +0530
Subject: [PATCH 2/3] Introduce system property for CORS request blocking with 403 error

---
 .../org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java | 1 +
 .../apimgt/gateway/handlers/security/CORSRequestHandler.java | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
index b1cec3bd8588..62e294a3b0ab 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
@@ -132,6 +132,7 @@ public class APIMgtGatewayConstants {
 public static final String THROTTLE_HANDLER_ERROR = "Error in Throttle Handler";
 public static final String API_THROTTLE_HANDLER_ERROR = "Error in API Throttle Handler";
 public static final String CORS_REQUEST_HANDLER_ERROR = "Error in CORS_Request Handler";
+ public static final String CORS_FORBID_BLOCKED_REQUESTS = "corsForbidBlockedRequests";
 public static final String GOOGLE_ANALYTICS_ERROR = "Error in Google Analytics Handler";
 public static final String CUSTOM_ANALYTICS_REQUEST_PROPERTIES = "apim.analytics.request.properties";
 public static final String CUSTOM_ANALYTICS_RESPONSE_PROPERTIES = "apim.analytics.response.properties";
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
index 006b9d36cfac..0b803e75a418 100644
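Review bot: `CORS_FORBID_BLOCKED_REQUESTS` is the key of a JVM system property read at request time, but nothing on the constant says so or states that the feature stays off unless the property is set to `true`; its neighbours in this block are error-message strings, so the distinction is easy to miss. A Javadoc line such as `/** System property key; when "true", requests from an origin that is not allowed receive HTTP 403 (unset by default, i.e. off). */` would cover it, and the same applies to `CORS_SET_STATUS_CODE_FROM_MSG_CONTEXT` added by the third patch. Style-wise, the other property keys in this block use dotted lowercase names (`apim.analytics.request.properties`), so the camelCase key looks out of step unless an existing system-property convention calls for it.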
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
@@ -334,7 +334,8 @@ public void setCORSHeaders(MessageContext messageContext, Resource selectedResou messageContext.setProperty(APIConstants.CORSHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, allowedOrigin); //If the request origin is not allowed, set the HTTP status code to 403
- if (allowedOrigin == null) {
+ if (Boolean.parseBoolean(System.getProperty(APIMgtGatewayConstants.CORS_FORBID_BLOCKED_REQUESTS))
+ && allowedOrigin == null) {
 messageContext.setProperty(APIMgtGatewayConstants.HTTP_SC, HttpStatus.SC_FORBIDDEN);
 }
 String allowedMethods;

From 76d8525a5e3731dd9a9a6f1f42d81ffb626e1b33 Mon Sep 17 00:00:00 2001
From: pasant9
Date: Fri, 9 Jun 2023 11:30:06 +0530
Subject: [PATCH 3/3] Change the response status code through the message context property HTTP_SC

---
 .../carbon/apimgt/gateway/APIMgtGatewayConstants.java | 1 +
 .../gateway/handlers/security/CORSRequestHandler.java | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
index 62e294a3b0ab..dd5d15fc1adc 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/APIMgtGatewayConstants.java
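Review bot: The comment kept above the condition, `//If the request origin is not allowed, set the HTTP status code to 403`, no longer describes the code: the 403 is now set only when the `corsForbidBlockedRequests` system property is `true`, and since `Boolean.parseBoolean(null)` is false, deployments that never set the property lose the 403 they had before this patch. The comment should read `// If corsForbidBlockedRequests is enabled and the request origin is not allowed, set the HTTP status code to 403 (property unset by default, so the status is left untouched)`, and the change of default behaviour belongs in the commit message or release notes. Reading the property with `System.getProperty` on every request is also a style point: a `private static final boolean` initialised once would make clear that this is a startup setting, if it is not meant to be toggled at runtime. setCORSHeaders continues on both sides of the hunk.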
@@ -133,6 +133,7 @@ public class APIMgtGatewayConstants {
 public static final String API_THROTTLE_HANDLER_ERROR = "Error in API Throttle Handler";
 public static final String CORS_REQUEST_HANDLER_ERROR = "Error in CORS_Request Handler";
 public static final String CORS_FORBID_BLOCKED_REQUESTS = "corsForbidBlockedRequests";
+ public static final String CORS_SET_STATUS_CODE_FROM_MSG_CONTEXT = "corsSetStatusCodeFromMsgContext";
 public static final String GOOGLE_ANALYTICS_ERROR = "Error in Google Analytics Handler";
 public static final String CUSTOM_ANALYTICS_REQUEST_PROPERTIES = "apim.analytics.request.properties";
 public static final String CUSTOM_ANALYTICS_RESPONSE_PROPERTIES = "apim.analytics.response.properties";
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
index 0b803e75a418..1838a79ac779 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/CORSRequestHandler.java
@@ -227,9 +227,11 @@ public boolean handleRequest(MessageContext messageContext) {
 if (corsSequence != null) {
 corsSequence.mediate(messageContext);
 }
- if (messageContext.getProperty(APIMgtGatewayConstants.HTTP_SC) != null) {
- Utils.send(messageContext, Integer.parseInt(
- messageContext.getProperty(APIMgtGatewayConstants.HTTP_SC).toString()));
+ if (Boolean.parseBoolean(
+ System.getProperty(APIMgtGatewayConstants.CORS_SET_STATUS_CODE_FROM_MSG_CONTEXT))
+ && messageContext.getProperty(APIMgtGatewayConstants.HTTP_SC) != null) {
+ Utils.send(messageContext,
+ Integer.parseInt(messageContext.getProperty(APIMgtGatewayConstants.HTTP_SC).toString()));
 } else {
 Utils.send(messageContext, HttpStatus.SC_OK);
 }
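Review bot: With `corsSetStatusCodeFromMsgContext` unset (the default, since `Boolean.parseBoolean(null)` is false) the new condition sends `HttpStatus.SC_OK` even when `HTTP_SC` has been placed in the message context, which discards the `SC_FORBIDDEN` that setCORSHeaders sets under `corsForbidBlockedRequests` in the previous patch and, presumably, any status a CORS sequence sets during `corsSequence.mediate`. Whether this branch serves the same requests as setCORSHeaders cannot be told from the hunk, but if it does, both properties must be enabled together for a 403 to reach the client and that coupling is documented nowhere; a comment such as `// HTTP_SC from the context (e.g. 403 for a disallowed origin) is honoured only when corsSetStatusCodeFromMsgContext=true; otherwise 200 is always sent` would make it explicit. To keep the pre-patch behaviour for existing deployments, consider defaulting the property to true, i.e. `Boolean.parseBoolean(System.getProperty(APIMgtGatewayConstants.CORS_SET_STATUS_CODE_FROM_MSG_CONTEXT, "true"))`. `Integer.parseInt(...toString())` on the context value is carried over unchanged and still throws NumberFormatException on a non-numeric value, which surfaces here unless the rest of handleRequest, outside the hunk, catches it.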