Origin header for WebSocket Upgrade request always starts with "http"

Open hyrth opened this issue 4 years ago • 4 comments

I am getting a 403 Forbidden response during WebSocket Upgrade request when connecting to a server via HTTPS (instead of 101). The reason is a wrong "Origin" header. The header is set in method

org.glassfish.tyrus.core.Handshake.updateHostAndOrigin(final UpgradeRequest upgradeRequest).

The Origin header is always set to scheme "http" no matter which scheme was used originally:

requestHeaders.put(UpgradeRequest.ORIGIN_HEADER, Collections.singletonList("http://" + host));

hyrth avatar Nov 27 '20 15:11 hyrth

I'm also having this issue, is there any way to resolve it?

cstack89 avatar Feb 10 '22 19:02 cstack89

You can set the WebSocketHttpHeaders when calling SockJsClient.doHandshake(WebSocketHandler handler, @Nullable WebSocketHttpHeaders headers, URI url);

Something like this:

var httpHeaders = new WebSocketHttpHeaders();
httpHeaders.add("Origin", "https://your.server.url"); // Origin header of your server
httpHeaders.add(...); // additional headers like auth, token, ... whatever

// during handshake use your custom headers (this overload takes a java.net.URI, not a String)
sockJsClient.doHandshake(yourHandler, httpHeaders, URI.create("wss://your.server.url/websocket-resource"));
...

I think that was our workaround.

hyrth avatar Feb 11 '22 16:02 hyrth

Thanks, I'm using a Spring WebSocketStompClient, but was able to pass in headers as well to the connect method.

stompClient.connect(finalUrl, header1, this);

cstack89 avatar Feb 14 '22 13:02 cstack89

FYI this bug was fixed by https://github.com/eclipse-ee4j/tyrus/pull/783 and is included in release 1.19

githopper avatar Oct 27 '23 18:10 githopper
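
The mismatch reported in this issue, as an added example that is not Tyrus code and not the change made in the linked pull request: a strict server-side Origin allow-list rejects the hard-coded "http://" + host value for a wss:// endpoint, while an Origin derived from the URI scheme passes. The class name, the helpers originFor and allowed, and the host app.example.test are hypothetical, and the example assumes the server allow-lists its own HTTPS origin.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class OriginForWebSocket {

    // Hypothetical helper: builds the Origin value (scheme://host[:port]) for a ws/wss URI.
    static String originFor(URI wsUri) {
        String scheme = wsUri.getScheme() == null ? "" : wsUri.getScheme().toLowerCase(Locale.ROOT);
        String httpScheme;
        int defaultPort;
        switch (scheme) {
            case "wss": httpScheme = "https"; defaultPort = 443; break;
            case "ws":  httpScheme = "http";  defaultPort = 80;  break;
            default: throw new IllegalArgumentException("not a WebSocket URI: " + wsUri);
        }
        String host = wsUri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host in " + wsUri);
        }
        int port = wsUri.getPort(); // -1 when the URI carries no explicit port
        boolean omitPort = port == -1 || port == defaultPort;
        return httpScheme + "://" + host.toLowerCase(Locale.ROOT) + (omitPort ? "" : ":" + port);
    }

    // Server-side view (hypothetical): exact-match allow-list, as a strict Origin check compares values.
    static boolean allowed(Set<String> allowList, String origin) {
        return allowList.contains(origin);
    }

    public static void main(String[] args) {
        Set<String> allowList = Set.of("https://app.example.test"); // constructed sample value
        URI target = URI.create("wss://app.example.test/websocket-resource");

        String hardCoded = "http://" + target.getHost(); // the value described in the issue
        String derived = originFor(target);              // scheme follows ws/wss

        System.out.println(hardCoded + " allowed=" + allowed(allowList, hardCoded));
        System.out.println(derived + " allowed=" + allowed(allowList, derived));
        // A non-default port stays part of the origin and must be allow-listed as such.
        System.out.println(originFor(URI.create("wss://app.example.test:8443/ws")));
    }
}
```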