MNT-22428: configurable unsecure jsonp callback CMIS operation (#698) (#704)

* MNT-22428: configurable unsecure jsonp callback CMIS operation

(cherry picked from commit 5807e756bd)

remote-api/src/main/java/org/alfresco/opencmis/CMISServletDispatcher.java

@@ -27,17 +27,14 @@ package org.alfresco.opencmis;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.PrintWriter;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.EventListener;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
@@ -48,19 +45,17 @@ import javax.servlet.Servlet;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
-import javax.servlet.ServletOutputStream;
 import javax.servlet.ServletRegistration;
 import javax.servlet.SessionCookieConfig;
 import javax.servlet.SessionTrackingMode;
 import javax.servlet.descriptor.JspConfigDescriptor;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletResponse;
 
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.opencmis.CMISDispatcherRegistry.Binding;
 import org.alfresco.opencmis.CMISDispatcherRegistry.Endpoint;
 import org.alfresco.repo.tenant.TenantAdminService;
+import org.alfresco.rest.framework.core.exceptions.JsonpCallbackNotAllowedException;
 import org.alfresco.service.descriptor.Descriptor;
 import org.alfresco.service.descriptor.DescriptorService;
 import org.apache.chemistry.opencmis.commons.enums.CmisVersion;
@@ -69,7 +64,6 @@ import org.apache.chemistry.opencmis.server.impl.CmisRepositoryContextListener;
 import org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet;
 import org.springframework.extensions.webscripts.WebScriptRequest;
 import org.springframework.extensions.webscripts.WebScriptResponse;
-import org.springframework.extensions.webscripts.servlet.WebScriptServletRuntime;
 
 /**
  * Dispatches OpenCMIS requests to a servlet e.g. the OpenCMIS AtomPub servlet.
@@ -90,6 +84,8 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 	protected CmisVersion cmisVersion;
 	protected TenantAdminService tenantAdminService;
 
+	private boolean allowUnsecureCallbackJSONP;
+
     private Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
 
 	public void setTenantAdminService(TenantAdminService tenantAdminService)
@@ -151,7 +147,17 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 
 		return this.currentDescriptor;
 	}
-	
+
+	public void setAllowUnsecureCallbackJSONP(boolean allowUnsecureCallbackJSONP)
+	{
+		this.allowUnsecureCallbackJSONP = allowUnsecureCallbackJSONP;
+	}
+
+	public boolean isAllowUnsecureCallbackJSONP()
+	{
+		return allowUnsecureCallbackJSONP;
+	}
+
 	public void init()
 	{
 		Endpoint endpoint = new Endpoint(getBinding(), version);
@@ -219,12 +225,22 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 			CMISHttpServletResponse httpResWrapper = getHttpResponse(res);
 	    	CMISHttpServletRequest httpReqWrapper = getHttpRequest(req);
 
-	    	servlet.service(httpReqWrapper, httpResWrapper);
+			// check for "callback" query param
+			if (!allowUnsecureCallbackJSONP && httpReqWrapper.getParameter("callback") != null)
+			{
+				throw new JsonpCallbackNotAllowedException();
+			}
+			servlet.service(httpReqWrapper, httpResWrapper);
 		}
 		catch(ServletException e)
 		{
 			throw new AlfrescoRuntimeException("", e);
 		}
+		catch (JsonpCallbackNotAllowedException e)
+		{
+			res.setStatus(403);
+			res.getWriter().append(e.getMessage());
+		}
 	}
 
     /**