DATAREST-1581 - Fixed CORS defaults to include all HTTP methods exposed by Spring Data REST.

The fix for DATAREST-1535 has changed the default allowed methods for CORS requests to a smaller set than we originally returned. This commit reinstantiates the default to be set to all HTTP methods, Spring Data repositories support by default.

Related tickets: DATAREST-1535.
This commit is contained in:
Oliver Drotbohm
2020-12-01 22:21:22 +01:00
parent 328ea26244
commit 38f2bc4598
4 changed files with 52 additions and 8 deletions

View File

@@ -15,6 +15,7 @@
*/
package org.springframework.data.rest.webmvc.jpa;
import static org.assertj.core.api.Assertions.*;
import static org.hamcrest.Matchers.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@@ -25,10 +26,12 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.tests.AbstractWebIntegrationTests;
import org.springframework.data.rest.webmvc.BasePathAwareController;
import org.springframework.data.rest.webmvc.RepositoryRestController;
import org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.hateoas.Link;
import org.springframework.hateoas.LinkRelation;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.web.bind.annotation.CrossOrigin;
@@ -83,10 +86,15 @@ public class CorsIntegrationTests extends AbstractWebIntegrationTests {
Link findItems = client.discoverUnique(LinkRelation.of("items"));
// Preflight request
mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.example")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
String header = mvc
.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.example")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST"));
.andReturn().getResponse().getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS);
assertThat(header.split(","))
.containsExactlyInAnyOrderElementsOf(
RepositoryRestHandlerMapping.DEFAULT_ALLOWED_METHODS.map(HttpMethod::name));
}
@Test // DATAREST-573

View File

@@ -15,16 +15,19 @@
*/
package org.springframework.data.rest.webmvc.jpa;
import static org.assertj.core.api.Assertions.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.junit.Test;
import org.springframework.context.annotation.Bean;
import org.springframework.data.rest.tests.AbstractWebIntegrationTests;
import org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.hateoas.Link;
import org.springframework.hateoas.LinkRelation;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.test.context.ContextConfiguration;
/**
@@ -53,9 +56,14 @@ public class LocalConfigCorsIntegrationTests extends AbstractWebIntegrationTests
Link findItems = client.discoverUnique(LinkRelation.of("items"));
// Preflight request
mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.example")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
String header = mvc
.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.example")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST"));
.andReturn().getResponse().getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS);
assertThat(header.split(","))
.containsExactlyInAnyOrderElementsOf(
RepositoryRestHandlerMapping.DEFAULT_ALLOWED_METHODS.map(HttpMethod::name));
}
}