/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.websocket;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Queue;
import java.util.concurrent.ConcurrentLinkedQueue;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.util.Base64;
import org.apache.tomcat.util.buf.B2CConverter;
import org.apache.tomcat.util.res.StringManager;
/**
* Provides the base implementation of a Servlet for processing WebSocket
* connections as per RFC6455. It is expected that applications will extend this
* implementation and provide application specific functionality.
*
* @deprecated Replaced by the JSR356 WebSocket 1.1 implementation and will be
* removed in Tomcat 8.0.x.
*/
@Deprecated
public abstract class WebSocketServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
private static final byte[] WS_ACCEPT =
"258EAFA5-E914-47DA-95CA-C5AB0DC85B11".getBytes(
B2CConverter.ISO_8859_1);
private static final StringManager sm =
StringManager.getManager(Constants.Package);
private final Queue<MessageDigest> sha1Helpers =
new ConcurrentLinkedQueue<MessageDigest>();
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
// Information required to send the server handshake message
String key;
String subProtocol = null;
List<String> extensions = Collections.emptyList();
if (!headerContainsToken(req, "upgrade", "websocket")) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
if (!headerContainsToken(req, "connection", "upgrade")) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
if (!headerContainsToken(req, "sec-websocket-version", "13")) {
resp.setStatus(426);
resp.setHeader("Sec-WebSocket-Version", "13");
return;
}
key = req.getHeader("Sec-WebSocket-Key");
if (key == null) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
String origin = req.getHeader("Origin");
if (!verifyOrigin(origin)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
List<String> subProtocols = getTokensFromHeader(req,
"Sec-WebSocket-Protocol");
if (!subProtocols.isEmpty()) {
subProtocol = selectSubProtocol(subProtocols);
}
// TODO Read client handshake - Sec-WebSocket-Extensions
// TODO Extensions require the ability to specify something (API TBD)
// that can be passed to the Tomcat internals and process extension
// data present when the frame is fragmented.
// If we got this far, all is good. Accept the connection.
resp.setHeader("Upgrade", "websocket");
resp.setHeader("Connection", "upgrade");
resp.setHeader("Sec-WebSocket-Accept", getWebSocketAccept(key));
if (subProtocol != null) {
resp.setHeader("Sec-WebSocket-Protocol", subProtocol);
}
if (!extensions.isEmpty()) {
// TODO
}
WsHttpServletRequestWrapper wrapper = new WsHttpServletRequestWrapper(req);
StreamInbound inbound = createWebSocketInbound(subProtocol, wrapper);
wrapper.invalidate();
// Small hack until the Servlet API provides a way to do this.
ServletRequest inner = req;
// Unwrap the request
while (inner instanceof ServletRequestWrapper) {
inner = ((ServletRequestWrapper) inner).getRequest();
}
if (inner instanceof RequestFacade) {
((RequestFacade) inner).doUpgrade(inbound);
} else {
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
sm.getString("servlet.reqUpgradeFail"));
}
}
/*
* This only works for tokens. Quoted strings need more sophisticated
* parsing.
*/
private boolean headerContainsToken(HttpServletRequest req,
String headerName, String target) {
Enumeration<String> headers = req.getHeaders(headerName);
while (headers.hasMoreElements()) {
String header = headers.nextElement();
String[] tokens = header.split(",");
for (String token : tokens) {
if (target.equalsIgnoreCase(token.trim())) {
return true;
}
}
}
return false;
}
/*
* This only works for tokens. Quoted strings need more sophisticated
* parsing.
*/
private List<String> getTokensFromHeader(HttpServletRequest req,
String headerName) {
List<String> result = new ArrayList<String>();
Enumeration<String> headers = req.getHeaders(headerName);
while (headers.hasMoreElements()) {
String header = headers.nextElement();
String[] tokens = header.split(",");
for (String token : tokens) {
result.add(token.trim());
}
}
return result;
}
private String getWebSocketAccept(String key) throws ServletException {
MessageDigest sha1Helper = sha1Helpers.poll();
if (sha1Helper == null) {
try {
sha1Helper = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
throw new ServletException(e);
}
}
sha1Helper.reset();
sha1Helper.update(key.getBytes(B2CConverter.ISO_8859_1));
String result = Base64.encode(sha1Helper.digest(WS_ACCEPT));
sha1Helpers.add(sha1Helper);
return result;
}
/**
* Intended to be overridden by sub-classes that wish to verify the origin
* of a WebSocket request before processing it.
*
* @param origin The value of the origin header from the request which
* may be <code>null</code>
*
* @return <code>true</code> to accept the request. <code>false</code> to
* reject it. This default implementation always returns
* <code>true</code>.
*/
protected boolean verifyOrigin(String origin) {
return true;
}
/**
* Intended to be overridden by sub-classes that wish to select a
* sub-protocol if the client provides a list of supported protocols.
*
* @param subProtocols The list of sub-protocols supported by the client
* in client preference order. The server is under no
* obligation to respect the declared preference
* @return <code>null</code> if no sub-protocol is selected or the name of
* the protocol which <b>must</b> be one of the protocols listed by
* the client. This default implementation always returns
* <code>null</code>.
*/
protected String selectSubProtocol(List<String> subProtocols) {
return null;
}
/**
* Create the instance that will process this inbound connection.
* Applications must provide a new instance for each connection.
*
* @param subProtocol The sub-protocol agreed between the client and
* server or <code>null</code> if none was agreed
* @param request The HTTP request that initiated this WebSocket
* connection. Note that this object is <b>only</b>
* valid inside this method. You must not retain a
* reference to it outside the execution of this
* method. If Tomcat detects such access, it will throw
* an IllegalStateException
*/
protected abstract StreamInbound createWebSocketInbound(String subProtocol,
HttpServletRequest request);
}