Class WebBrowserSecFetchRequestMatcher

java.lang.Object
org.pentaho.platform.web.servlet.matchers.WebBrowserSecFetchRequestMatcher
All Implemented Interfaces:
org.springframework.security.web.util.matcher.RequestMatcher

public class WebBrowserSecFetchRequestMatcher extends Object implements org.springframework.security.web.util.matcher.RequestMatcher
The WebBrowserSecFetchRequestMatcher determines if a request is made by a web browser, based on the presence of the `sec-fetch-dest` HTTP request header.

The matcher does not distinguish whether the request is a user navigation request or not. The only criterion is whether the request is made by a web browser. To test if a request is a user navigation request, the UserNavigationSecFetchRequestMatcher can be used.

The implementation checks for the presence of the `sec-fetch-dest` HTTP request header, which is specific to web browsers.

Unfortunately, the `sec-fetch-dest` header is not always present in requests that a web browser considers insecure. Examples of such requests include the server being accessed via an IP address, in a public or private range, without HTTPS, or without a valid SSL certificate. For private IP addresses, there are also special protections, as determined by the Private Network Access (PNA) specification. For these cases, consider using the WebBrowserUserAgentRequestMatcher as a fallback matcher.

In Pentaho, this matcher is used to select an appropriate authentication failure response, depending on whether the request is made by a web browser or a tool.
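The selection described above, as an added example that is not Pentaho's source code: Spring Security's RequestHeaderRequestMatcher stands in for the presence check, and the User-Agent heuristic, the `/Login` path, the request path and the class name are assumptions. It assumes Spring Security 6 with spring-test on the classpath for the constructed sample requests.

```java
import java.util.LinkedHashMap;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added illustration, not Pentaho source code.
public final class BrowserAwareEntryPointExample {

    // Presence-only check on the header, the criterion documented above.
    static final RequestMatcher SEC_FETCH = new RequestHeaderRequestMatcher("Sec-Fetch-Dest");

    // Assumed fallback heuristic for origins where the browser omits Sec-Fetch-*.
    static final RequestMatcher USER_AGENT_FALLBACK = request -> {
        String userAgent = request.getHeader("User-Agent");
        return userAgent != null && userAgent.startsWith("Mozilla/");
    };

    static final RequestMatcher IS_BROWSER = new OrRequestMatcher(SEC_FETCH, USER_AGENT_FALLBACK);

    // Both headers are client-supplied, so the result only selects the response
    // format for an unauthenticated request; it is never an access decision.
    static AuthenticationEntryPoint entryPoint() {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byClient = new LinkedHashMap<>();
        byClient.put(IS_BROWSER, new LoginUrlAuthenticationEntryPoint("/Login")); // hypothetical path
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(byClient);
        delegating.setDefaultEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)); // tools
        return delegating;
    }

    // Builds a constructed sample request carrying a single header.
    static MockHttpServletRequest request(String header, String value) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/resource");
        request.addHeader(header, value);
        return request;
    }

    public static void main(String[] args) {
        // Constructed samples: secure-context browser, browser without Sec-Fetch-*, command-line tool.
        System.out.println(IS_BROWSER.matches(request("Sec-Fetch-Dest", "document")));
        System.out.println(IS_BROWSER.matches(request("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)")));
        System.out.println(IS_BROWSER.matches(request("User-Agent", "curl/8.5.0")));
    }
}
```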

  • Nested Class Summary

    Nested classes/interfaces inherited from interface org.springframework.security.web.util.matcher.RequestMatcher

    org.springframework.security.web.util.matcher.RequestMatcher.MatchResult
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    matches(jakarta.servlet.http.HttpServletRequest request)
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.springframework.security.web.util.matcher.RequestMatcher

    matcher
  • Constructor Details

    • WebBrowserSecFetchRequestMatcher

      public WebBrowserSecFetchRequestMatcher()
  • Method Details

    • matches

      public boolean matches(@NonNull jakarta.servlet.http.HttpServletRequest request)
      Specified by:
      matches in interface org.springframework.security.web.util.matcher.RequestMatcher