Class UserNavigationSecFetchRequestMatcher

java.lang.Object
org.pentaho.platform.web.servlet.matchers.UserNavigationSecFetchRequestMatcher
All Implemented Interfaces:
org.springframework.security.web.util.matcher.RequestMatcher

public class UserNavigationSecFetchRequestMatcher extends Object implements org.springframework.security.web.util.matcher.RequestMatcher
The UserNavigationSecFetchRequestMatcher determines whether a request can be considered a user navigation request, based on the `sec-fetch-user` HTTP request header or, when that header is absent, on the related Fetch Metadata request headers `sec-fetch-dest`, `sec-fetch-mode` and `sec-fetch-site`.

If the `sec-fetch-user` header is set to `?1`, the browser is signalling a navigation request that was triggered by user activation (for example, the user typed the URL, used a bookmark or clicked a link). Such a request is considered a user navigation request without any further checks.

Otherwise, the remaining navigation request headers are checked to determine whether the request is a safe navigation request. Specifically, the following combination of header values is also taken to indicate a safe user navigation request:

  • sec-fetch-dest: document / embed / frame / iframe / object
  • sec-fetch-mode: navigate
  • sec-fetch-site: same-origin / none

This header combination, without `sec-fetch-user: ?1`, occurs for navigations that the browser performs on its own after an initial user navigation, namely:

  • HTML meta refreshes (a `<meta http-equiv="refresh">` tag in the response).
  • HTTP 302 redirects with a Location header.

In Pentaho this happens, for example, when the user navigates to localhost:8080: the response meta-refreshes to localhost:8080/pentaho, the server then 302-redirects to localhost:8080/pentaho/, and that response finally meta-refreshes to localhost:8080/pentaho/Home. Only the first request in this chain was triggered by user activation; the later ones are browser-initiated navigations and are recognized through the header combination above.

Unfortunately, the sec-fetch-* headers are not always present: browsers omit them from requests to destinations they do not consider secure. Examples of such requests include the server being accessed via an IP address, of public or private range, without HTTPS, or without a valid TLS certificate. For private IP addresses there are additional restrictions defined by the Private Network Access (PNA) specification. For these cases, consider using the UserNavigationAcceptRequestMatcher as a fallback matcher. Note also that the `Sec-Fetch-*` headers are forbidden request headers that only the browser itself can set, so script running in a browser cannot forge them, but any non-browser client can send arbitrary values; this matcher is therefore a navigation heuristic, not an authentication check.
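The following is an added example, not Pentaho's own implementation, of a Spring Security RequestMatcher that applies the header rules described above (`sec-fetch-user: ?1`, or the dest/mode/site combination), and of how such a matcher can be combined with a fallback using Spring Security's OrRequestMatcher. The class name SecFetchNavigationMatcherExample, the Accept-based fallback lambda (standing in for UserNavigationAcceptRequestMatcher) and the request paths in main are assumptions for illustration; the constructed requests model the localhost:8080 redirect chain and use MockHttpServletRequest from spring-test.

```java
// Added example (not Pentaho's code): Fetch Metadata navigation check as a
// Spring Security RequestMatcher, plus a hypothetical fallback via OrRequestMatcher.
import java.util.List;
import java.util.Locale;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest; // spring-test, demo only
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class SecFetchNavigationMatcherExample implements RequestMatcher {

  // Destinations and sites that, together with mode=navigate, count as safe navigation.
  private static final List<String> NAVIGATION_DESTS =
      List.of("document", "embed", "frame", "iframe", "object");
  private static final List<String> NAVIGATION_SITES = List.of("same-origin", "none");

  @Override
  public boolean matches(HttpServletRequest request) {
    // 1. Explicit user activation: accepted without further checks.
    if ("?1".equals(header(request, "sec-fetch-user"))) {
      return true;
    }
    // 2. Browser-initiated navigation (meta refresh, 302 redirect): all three must agree.
    return NAVIGATION_DESTS.contains(header(request, "sec-fetch-dest"))
        && "navigate".equals(header(request, "sec-fetch-mode"))
        && NAVIGATION_SITES.contains(header(request, "sec-fetch-site"));
  }

  // Normalizes a header value; a missing header yields null, which fails every comparison.
  private static String header(HttpServletRequest request, String name) {
    String value = request.getHeader(name);
    return value == null ? null : value.trim().toLowerCase(Locale.ROOT);
  }

  public static void main(String[] args) {
    RequestMatcher secFetch = new SecFetchNavigationMatcherExample();

    // Constructed request: user typed http://localhost:8080 into the address bar.
    MockHttpServletRequest typed = new MockHttpServletRequest("GET", "/");
    typed.addHeader("Sec-Fetch-User", "?1");
    typed.addHeader("Sec-Fetch-Dest", "document");
    typed.addHeader("Sec-Fetch-Mode", "navigate");
    typed.addHeader("Sec-Fetch-Site", "none");

    // Constructed request: final meta refresh to /pentaho/Home, no user activation.
    MockHttpServletRequest refreshed = new MockHttpServletRequest("GET", "/pentaho/Home");
    refreshed.addHeader("Sec-Fetch-Dest", "document");
    refreshed.addHeader("Sec-Fetch-Mode", "navigate");
    refreshed.addHeader("Sec-Fetch-Site", "same-origin");

    // Constructed request: a cross-site fetch() from another origin (hypothetical path).
    MockHttpServletRequest crossSite = new MockHttpServletRequest("GET", "/pentaho/api");
    crossSite.addHeader("Sec-Fetch-Dest", "empty");
    crossSite.addHeader("Sec-Fetch-Mode", "cors");
    crossSite.addHeader("Sec-Fetch-Site", "cross-site");

    // Constructed request: plain HTTP to an IP address, browser sends no Sec-Fetch-* at all.
    MockHttpServletRequest noMetadata = new MockHttpServletRequest("GET", "/pentaho/Home");
    noMetadata.addHeader("Accept", "text/html,application/xhtml+xml");

    System.out.println("typed       -> " + secFetch.matches(typed));      // true
    System.out.println("refreshed   -> " + secFetch.matches(refreshed));  // true
    System.out.println("cross-site  -> " + secFetch.matches(crossSite));  // false
    System.out.println("no metadata -> " + secFetch.matches(noMetadata)); // false

    // Fallback (hypothetical, stands in for UserNavigationAcceptRequestMatcher):
    // treat a request whose Accept header asks for HTML as a navigation.
    RequestMatcher acceptFallback = r -> {
      String accept = r.getHeader("Accept");
      return accept != null && accept.toLowerCase(Locale.ROOT).contains("text/html");
    };
    RequestMatcher navigation = new OrRequestMatcher(secFetch, acceptFallback);

    System.out.println("no metadata with fallback -> " + navigation.matches(noMetadata)); // true
    System.out.println("cross-site with fallback  -> " + navigation.matches(crossSite));  // false
  }
}
```

The fallback is deliberately weaker than the Fetch Metadata check (any client can send `Accept: text/html`), which is why it is only consulted after the Sec-Fetch-* rule fails and why neither matcher should be treated as proof that a request came from an interactive user.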

  • Nested Class Summary

    Nested classes/interfaces inherited from interface org.springframework.security.web.util.matcher.RequestMatcher

    org.springframework.security.web.util.matcher.RequestMatcher.MatchResult
  • Constructor Summary

    Constructor | Description
    UserNavigationSecFetchRequestMatcher() | 
  • Method Summary

    Modifier and Type | Method | Description
    protected boolean | contains(List<String> list, String value) | 
    boolean | matches(jakarta.servlet.http.HttpServletRequest request) | 

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.springframework.security.web.util.matcher.RequestMatcher

    matcher
  • Constructor Details

    • UserNavigationSecFetchRequestMatcher

      public UserNavigationSecFetchRequestMatcher()
  • Method Details

    • matches

      public boolean matches(@NonNull jakarta.servlet.http.HttpServletRequest request)
      Specified by:
      matches in interface org.springframework.security.web.util.matcher.RequestMatcher
    • contains

      protected boolean contains(@NonNull List<String> list, @Nullable String value)