Enforce Origin checks on authenticated state-changing requests

# We rely on "secure;HttpOnly" cookies to prevent cross-site GET requests, and use
# this Origin header checking to protect against cross-site POST and DELETE. Browsers
# will prevent XHR JSON requests by using a pre-flight check, but form POSTs definitely
# work and can be protected against this way.
# Relevant to isaacphysics/isaac-app#892

Author: jsharkey13

src/main/java/uk/ac/cam/cl/dtg/segue/api/managers/UserAuthenticationManager.java

@@ -334,14 +334,14 @@ public RegisteredUser getUserFromSession(final HttpServletRequest request) {
                 log.warn("Authenticated request had unexpected Referer: '" + referrer + "'. Attempted to access: "
                         + request.getPathInfo());
             }
+            // If the client sends an Origin header, we should afford them better security. If they do not send the header,
+            // we can draw no conclusions and must allow the request through.
             String origin = request.getHeader("Origin");
             boolean expectOriginHeader = ORIGIN_HEADER_REQUEST_METHODS.contains(request.getMethod());
-            if (expectOriginHeader && null == origin) {
-                log.warn("Authenticated request had no 'Origin' information! Attempted to access: "
-                        + request.getPathInfo());
-            } else if (expectOriginHeader && !origin.startsWith("https://" + properties.getProperty(HOST_NAME))) {
-                log.warn("Authenticated request had unexpected Origin: '" + origin + "'. Attempted to access: "
-                        + request.getPathInfo());
+            if (expectOriginHeader && null != origin && !origin.equals("https://" + properties.getProperty(HOST_NAME))) {
+                log.error("Authenticated request had unexpected Origin: '" + origin + "'. Blocked access to: "
+                        + request.getMethod() + " " + request.getPathInfo());
+                return null;
             }
         }