[pinpoint-apm#3223] extract config from webSocket's allowedOrigins

quickstart/web/src/main/resources/pinpoint-web.properties

@@ -51,3 +51,9 @@ web.servermap.builder.mode=v2
 # only applicable when web.servermap.builder.mode=v2
 web.servermap.appender.mode=serial
 web.servermap.appender.parallel.maxthreads=16
+
+# see RFC 6454: The Web Origin Concept(https://tools.ietf.org/html/rfc6454) for more details
+# 1. Allow only same origin requests (value : websocket.allowedOrigins=)
+# 2. Allow a specified list of origins. (example : websocket.allowedOrigins=http://domain1.com,http://domain2.com)
+# 3. Allow all origins. (value : websocket.allowedOrigins=*)
+websocket.allowedOrigins=

web/src/main/java/com/navercorp/pinpoint/web/config/ConfigProperties.java

@@ -55,6 +55,9 @@ public class ConfigProperties {
     @Value("#{pinpointWebProps['config.show.applicationStat'] ?: false}")
     private boolean showApplicationStat;
 
+    @Value("#{pinpointWebProps['websocket.allowedOrigins']}")
+    private String webSocketAllowedOrigins;
+
     public String getSecurityGuideUrl() {
         return securityGuideUrl;
     }
@@ -95,6 +98,10 @@ public boolean isShowApplicationStat() {
         return this.showApplicationStat;
     }
 
+    public String getWebSocketAllowedOrigins() {
+        return webSocketAllowedOrigins;
+    }
+
     @Override
     public String toString() {
         final StringBuilder sb = new StringBuilder("ConfigProperties{");
@@ -107,7 +114,10 @@ public String toString() {
         sb.append(", enableServerMapRealTime=").append(enableServerMapRealTime);
         sb.append(", openSource=").append(openSource);
         sb.append(", securityGuideUrl='").append(securityGuideUrl).append('\'');
+        sb.append(", showApplicationStat=").append(showApplicationStat);
+        sb.append(", webSocketAllowedOrigins=").append(webSocketAllowedOrigins);
         sb.append('}');
         return sb.toString();
     }
+
 }

web/src/main/java/com/navercorp/pinpoint/web/config/WebSocketConfig.java

@@ -17,16 +17,22 @@
 package com.navercorp.pinpoint.web.config;
 
 
+import com.navercorp.pinpoint.common.util.ArrayUtils;
+import com.navercorp.pinpoint.common.util.CollectionUtils;
 import com.navercorp.pinpoint.web.websocket.PinpointWebSocketHandler;
 import com.navercorp.pinpoint.web.websocket.PinpointWebSocketHandlerManager;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 import org.springframework.web.socket.config.annotation.EnableWebSocket;
 import org.springframework.web.socket.config.annotation.WebSocketConfigurer;
 import org.springframework.web.socket.config.annotation.WebSocketHandlerRegistry;
 import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  * @author Taejin Koo
  */
@@ -35,15 +41,39 @@
 @Component
 public class WebSocketConfig implements WebSocketConfigurer {
 
+    private static final String[] DEFAULT_ALLOWED_ORIGIN = new String[0];
+
     private static final String WEBSOCKET_SUFFIX = ".pinpointws";
 
     @Autowired
     private PinpointWebSocketHandlerManager handlerRepository;
 
+    @Autowired
+    private ConfigProperties configProperties;
+
     @Override
     public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
+        String[] allowedOriginArray = getAllowedOriginArray(configProperties.getWebSocketAllowedOrigins());
+
         for (PinpointWebSocketHandler handler : handlerRepository.getWebSocketHandlerRepository()) {
-            registry.addHandler(handler, handler.getRequestMapping() + WEBSOCKET_SUFFIX).addInterceptors(new HttpSessionHandshakeInterceptor());
+            registry.addHandler(handler, handler.getRequestMapping() + WEBSOCKET_SUFFIX).addInterceptors(new HttpSessionHandshakeInterceptor()).setAllowedOrigins(allowedOriginArray);
+        }
+    }
+
+    private String[] getAllowedOriginArray(String allowedOrigins) {
+        if (!StringUtils.hasText(allowedOrigins)) {
+            return DEFAULT_ALLOWED_ORIGIN;
+        }
+
+        String[] splitString = StringUtils.split(allowedOrigins, ",");
+        if (ArrayUtils.isEmpty(splitString)) {
+            return new String[]{StringUtils.trimAllWhitespace(allowedOrigins)};
+        } else {
+            String[] result = new String[splitString.length];
+            for (int i = 0; i < splitString.length; i++) {
+                result[i] = StringUtils.trimAllWhitespace(splitString[i]);
+            }
+            return result;
         }
     }
 

web/src/main/resources/pinpoint-web.properties

@@ -52,4 +52,10 @@ web.servermap.creator.parallel.maxthreads=16
 
 # server map appender mode = serial or parallel (default = serial)
 web.servermap.appender.mode=parallel
-web.servermap.appender.parallel.maxthreads=16
+web.servermap.appender.parallel.maxthreads=16
+
+# see RFC 6454: The Web Origin Concept(https://tools.ietf.org/html/rfc6454) for more details
+# 1. Allow only same origin requests (value : websocket.allowedOrigins=)
+# 2. Allow a specified list of origins. (example : websocket.allowedOrigins=http://domain1.com,http://domain2.com)
+# 3. Allow all origins. (value : websocket.allowedOrigins=*)
+websocket.allowedOrigins=