DATAREST-573 - Add support for new CORS configuration mechanisms introduced in Spring 4.2.

We now support CORS configuration mechanisms introduced in Spring 4.2. CORS can be configured on multiple levels: Repository interface, Repository REST controller and global level. Spring Data REST CORS configuration is isolated so Spring Web MVC'S CORS configuration does not apply to Spring Data REST resources.

 Multiple configuration sources are merged so different aspects of CORS can be configured in separate locations.

@CrossOrigin
interface PersonRepository extends CrudRepository<Person, Long> {}

@RepositoryRestController
@RequestMapping("/person")
public class PersonController {

	@CrossOrigin(maxAge = 3600)
	@RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE)
	public Person retrieve(@PathVariable Long id) {
		// ...
	}
}

@Component
public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter {

  @Override
  public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {

    config.addCorsMapping("/person/**")
        .allowedOrigins("http://domain2.com")
        .allowedMethods("PUT", "DELETE")
        .allowedHeaders("header1", "header2", "header3")
        .exposedHeaders("header1", "header2")
        .allowCredentials(false).maxAge(3600);
  }
}
This commit is contained in:
Mark Paluch
2016-10-10 16:45:42 +02:00
committed by Oliver Gierke
parent 19aa41926a
commit a3870ca528
11 changed files with 698 additions and 10 deletions

View File

@@ -0,0 +1,39 @@
/*
* Copyright 2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.data.rest.core.config;
import java.util.Map;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
/**
* Spring Data REST specific {@code CorsRegistry} implementation exposing {@link #getCorsConfigurations()}. Assists with
* the registration of {@link CorsConfiguration} mapped to a path pattern.
*
* @author Mark Paluch
* @since 2.6
*/
public class RepositoryCorsRegistry extends CorsRegistry {
/* (non-Javadoc)
* @see org.springframework.web.servlet.config.annotation.CorsRegistry#getCorsConfigurations()
*/
@Override
public Map<String, CorsConfiguration> getCorsConfigurations() {
return super.getCorsConfigurations();
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2012-2015 the original author or authors.
* Copyright 2012-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -28,6 +28,8 @@ import org.springframework.hateoas.MediaTypes;
import org.springframework.http.MediaType;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.config.annotation.CorsRegistration;
/**
* Spring Data REST configuration options.
@@ -36,6 +38,7 @@ import org.springframework.util.StringUtils;
* @author Oliver Gierke
* @author Jeremy Rickard
* @author Greg Turnquist
* @author Mark Paluch
*/
@SuppressWarnings("deprecation")
public class RepositoryRestConfiguration {
@@ -58,6 +61,7 @@ public class RepositoryRestConfiguration {
private ResourceMappingConfiguration repoMappings = new ResourceMappingConfiguration();
private RepositoryDetectionStrategy repositoryDetectionStrategy = RepositoryDetectionStrategies.DEFAULT;
private final RepositoryCorsRegistry corsRegistry = new RepositoryCorsRegistry();
private final ProjectionDefinitionConfiguration projectionConfiguration;
private final MetadataConfiguration metadataConfiguration;
private final EntityLookupConfiguration entityLookupConfiguration;
@@ -549,6 +553,34 @@ public class RepositoryRestConfiguration {
: repositoryDetectionStrategy;
}
/**
* Returns the {@link RepositoryCorsRegistry} to configure Cross-origin resource sharing.
*
* @return the {@link RepositoryCorsRegistry}.
* @since 2.6
* @see RepositoryCorsRegistry
* @see CorsRegistration
*/
public RepositoryCorsRegistry getCorsRegistry() {
return corsRegistry;
}
/**
* Configures Cross-origin resource sharing given a {@code path}.
*
* @param path path or path pattern, must not be {@literal null} or empty.
* @return the {@link CorsRegistration} to build a CORS configuration.
* @since 2.6
* @see CorsConfiguration
*/
public CorsRegistration addCorsMapping(String path) {
Assert.notNull(path, "Path must not be null!");
Assert.hasText(path, "Path must not be empty!");
return corsRegistry.addMapping(path);
}
/**
* Returns the {@link EntityLookupRegistrar} to create custom {@link EntityLookup} instances registered in the
* configuration.

View File

@@ -15,10 +15,12 @@
*/
package org.springframework.data.rest.core;
import static org.hamcrest.CoreMatchers.*;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import java.util.Map;
import org.junit.Before;
import org.junit.Test;
import org.springframework.data.rest.core.config.EnumTranslationConfiguration;
@@ -28,11 +30,13 @@ import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.core.domain.Profile;
import org.springframework.data.rest.core.domain.ProfileRepository;
import org.springframework.http.MediaType;
import org.springframework.web.cors.CorsConfiguration;
/**
* Unit tests for {@link RepositoryRestConfiguration}.
*
* @author Oliver Gierke
* @author Mark Paluch
* @soundtrack Adam F - Circles (Colors)
*/
public class RepositoryRestConfigurationUnitTests {
@@ -132,10 +136,25 @@ public class RepositoryRestConfigurationUnitTests {
* @see DATAREST-776
*/
@Test
public void consideresDomainTypeOfValueRepositoryLookupTypes() {
public void considersDomainTypeOfValueRepositoryLookupTypes() {
configuration.withEntityLookup().forLookupRepository(ProfileRepository.class);
assertThat(configuration.isLookupType(Profile.class), is(true));
}
/**
* @see DATAREST-573
*/
@Test
public void configuresCorsProcessing() {
configuration.addCorsMapping("/hello").maxAge(1234);
Map<String, CorsConfiguration> corsConfigurations = configuration.getCorsRegistry().getCorsConfigurations();
assertThat(corsConfigurations, hasKey("/hello"));
CorsConfiguration corsConfiguration = corsConfigurations.get("/hello");
assertThat(corsConfiguration.getMaxAge(), is(1234L));
}
}

View File

@@ -16,10 +16,13 @@
package org.springframework.data.rest.webmvc.jpa;
import org.springframework.data.repository.CrudRepository;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMethod;
/**
* @author Oliver Gierke
* @author Mark Paluch
*/
public interface AuthorRepository extends CrudRepository<Author, Long> {
}
@CrossOrigin(origins = "http://not.so.far.away", allowCredentials = "true",
methods = { RequestMethod.GET, RequestMethod.PATCH }, maxAge = 1234)
public interface AuthorRepository extends CrudRepository<Author, Long> {}

View File

@@ -16,10 +16,13 @@
package org.springframework.data.rest.webmvc.jpa;
import org.springframework.data.repository.CrudRepository;
import org.springframework.web.bind.annotation.CrossOrigin;
/**
* @author Greg Turnquist
* @author Oliver Gierke
* @author Mark Paluch
* @see DATAREST-463
*/
@CrossOrigin
public interface ItemRepository extends CrudRepository<Item, Long> {}

View File

@@ -0,0 +1,204 @@
/*
* Copyright 2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.data.rest.webmvc.jpa;
import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.Test;
import org.springframework.context.annotation.Bean;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.tests.AbstractWebIntegrationTests;
import org.springframework.data.rest.webmvc.BasePathAwareController;
import org.springframework.data.rest.webmvc.RepositoryRestController;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter;
import org.springframework.hateoas.Link;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
/**
* Web integration tests specific to Cross-origin resource sharing.
*
* @author Mark Paluch
* @soundtrack 2 Unlimited - No Limit
*/
@ContextConfiguration
public class CorsIntegrationTests extends AbstractWebIntegrationTests {
static class CorsConfig extends JpaRepositoryConfig {
@Bean
RepositoryRestConfigurer repositoryRestConfigurer() {
return new RepositoryRestConfigurerAdapter() {
@Override
public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
config.addCorsMapping("/books/**") //
.allowedMethods("GET", "PUT", "POST") //
.allowedOrigins("http://far.far.away");
}
};
}
}
/**
* @see DATAREST-573
*/
@Test
public void appliesSelectiveDefaultCorsConfiguration() throws Exception {
Link findItems = client.discoverUnique("items");
// Preflight request
mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS,TRACE"));
}
/**
* @see DATAREST-573
*/
@Test
public void appliesGlobalCorsConfiguration() throws Exception {
Link findBooks = client.discoverUnique("books");
// Preflight request
mvc.perform(options(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PUT,POST"));
// CORS request
mvc.perform(get(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away"));
}
/**
* @see DATAREST-573
* @see BooksXmlController
*/
@Test
public void appliesCorsConfigurationOnCustomControllers() throws Exception {
// Preflight request
mvc.perform(options("/books/xml/1234") //
.header(HttpHeaders.ORIGIN, "http://far.far.away") //
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
.andExpect(status().isOk()) //
.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 77123)) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
// See https://jira.spring.io/browse/SPR-14792
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST")));
// CORS request
mvc.perform(get("/books/xml/1234") //
.header(HttpHeaders.ORIGIN, "http://far.far.away") //
.accept(MediaType.APPLICATION_XML)) //
.andExpect(status().isOk()) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away"));
}
/**
* @see DATAREST-573
* @see BooksPdfController
*/
@Test
public void appliesCorsConfigurationOnCustomControllerMethod() throws Exception {
// Preflight request
mvc.perform(options("/books/pdf/1234").header(HttpHeaders.ORIGIN, "http://far.far.away")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
.andExpect(status().isOk()) //
.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 4711)) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
// See https://jira.spring.io/browse/SPR-14792
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST")));
}
/**
* @see DATAREST-573
*/
@Test
public void appliesCorsConfigurationOnRepository() throws Exception {
Link authorsLink = client.discoverUnique("authors");
// Preflight request
mvc.perform(options(authorsLink.expand().getHref()).header(HttpHeaders.ORIGIN, "http://not.so.far.away")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
.andExpect(status().isOk()) //
.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH"));
}
/**
* @see DATAREST-573
*/
@Test
public void appliesCorsConfigurationOnRepositoryToCustomControllers() throws Exception {
// Preflight request
mvc.perform(options("/authors/pdf/1234").header(HttpHeaders.ORIGIN, "http://not.so.far.away")
.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
.andExpect(status().isOk()) //
.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) //
.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH"));
}
@RepositoryRestController
static class AuthorsPdfController {
@RequestMapping(method = RequestMethod.GET, path = "/authors/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE)
void authorToPdf() {}
}
@RepositoryRestController
static class BooksPdfController {
@RequestMapping(method = RequestMethod.GET, path = "/books/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE)
@CrossOrigin(maxAge = 4711)
void bookToPdf() {}
}
@BasePathAwareController
static class BooksXmlController {
@GetMapping(value = "/books/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE)
@CrossOrigin(maxAge = 77123)
void bookToXml(@PathVariable String id) {}
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2012-2015 the original author or authors.
* Copyright 2012-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
*/
package org.springframework.data.rest.webmvc;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
@@ -23,15 +24,24 @@ import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.data.repository.support.Repositories;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.core.mapping.ResourceMappings;
import org.springframework.data.rest.core.mapping.ResourceMetadata;
import org.springframework.data.rest.webmvc.support.JpaHelper;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter;
import org.springframework.orm.jpa.support.OpenEntityManagerInViewInterceptor;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.util.StringValueResolver;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
@@ -45,6 +55,7 @@ import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandl
*
* @author Jon Brisbin
* @author Oliver Gierke
* @author Mark Paluch
*/
public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
@@ -53,7 +64,9 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
private final ResourceMappings mappings;
private final RepositoryRestConfiguration configuration;
private final Repositories repositories;
private StringValueResolver embeddedValueResolver;
private JpaHelper jpaHelper;
/**
@@ -64,6 +77,19 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
* @param config must not be {@literal null}.
*/
public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config) {
this(mappings, config, null);
}
/**
* Creates a new {@link RepositoryRestHandlerMapping} for the given {@link ResourceMappings}
* {@link RepositoryRestConfiguration} and {@link Repositories}.
*
* @param mappings must not be {@literal null}.
* @param config must not be {@literal null}.
* @param repositories can be {@literal null} if {@link CrossOrigin} resolution is not required.
*/
public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config,
Repositories repositories) {
super(config);
@@ -72,6 +98,7 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
this.mappings = mappings;
this.configuration = config;
this.repositories = repositories;
}
/**
@@ -81,7 +108,17 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
this.jpaHelper = jpaHelper;
}
/*
/* (non-Javadoc)
* @see org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#setEmbeddedValueResolver(org.springframework.util.StringValueResolver)
*/
@Override
public void setEmbeddedValueResolver(StringValueResolver resolver) {
embeddedValueResolver = resolver;
super.setEmbeddedValueResolver(resolver);
}
/*
* (non-Javadoc)
* @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod(java.lang.String, javax.servlet.http.HttpServletRequest)
*/
@@ -155,6 +192,32 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
return new ProducesRequestCondition(mediaTypes.toArray(new String[mediaTypes.size()]));
}
/* (non-Javadoc)
* @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#getCorsConfiguration(java.lang.Object, javax.servlet.http.HttpServletRequest)
*/
@Override
protected CorsConfiguration getCorsConfiguration(Object handler, HttpServletRequest request) {
CorsConfiguration corsConfiguration = super.getCorsConfiguration(handler, request);
String lookupPath = getUrlPathHelper().getLookupPathForRequest(request);
String repositoryLookupPath = new BaseUri(configuration.getBaseUri()).getRepositoryLookupPath(lookupPath);
if (!StringUtils.hasText(repositoryLookupPath) || repositories == null) {
return corsConfiguration;
}
// Repository root resource
CorsConfiguration repositoryConfiguration = new CorsConfigurationAccessor(mappings, repositories,
embeddedValueResolver).findCorsConfiguration(lookupPath);
if (repositoryConfiguration != null) {
return corsConfiguration != null ? corsConfiguration.combine(repositoryConfiguration) : repositoryConfiguration;
}
return corsConfiguration;
}
/**
* Returns the first segment of the given repository lookup path.
*
@@ -166,4 +229,140 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping {
int secondSlashIndex = repositoryLookupPath.indexOf('/', repositoryLookupPath.startsWith("/") ? 1 : 0);
return secondSlashIndex == -1 ? repositoryLookupPath : repositoryLookupPath.substring(0, secondSlashIndex);
}
/**
* Accessor to obtain {@link CorsConfiguration} for exposed repositories.
* <p>
* Exported Repository classes can be annotated with {@link CrossOrigin} to configure CORS for a specific repository.
*
* @author Mark Paluch
* @since 2.6
*/
static class CorsConfigurationAccessor {
private final ResourceMappings mappings;
private final Repositories repositories;
private final StringValueResolver embeddedValueResolver;
/**
* Creates a new {@link CorsConfigurationAccessor} given {@link ResourceMappings}, {@link Repositories} and
* {@link StringValueResolver}.
*
* @param mappings must not be {@literal null}.
* @param repositories must not be {@literal null}.
* @param embeddedValueResolver may be {@literal null} if not present.
*/
CorsConfigurationAccessor(ResourceMappings mappings, Repositories repositories,
StringValueResolver embeddedValueResolver) {
Assert.notNull(mappings, "ResourceMappings must not be null!");
Assert.notNull(repositories, "Repositories must not be null!");
this.mappings = mappings;
this.repositories = repositories;
this.embeddedValueResolver = embeddedValueResolver;
}
CorsConfiguration findCorsConfiguration(String lookupPath) {
ResourceMetadata resource = getResourceMetadata(getRepositoryBasePath(lookupPath));
return resource != null ? createConfiguration(
repositories.getRepositoryInformationFor(resource.getDomainType()).getRepositoryInterface()) : null;
}
private ResourceMetadata getResourceMetadata(String basePath) {
if (mappings.exportsTopLevelResourceFor(basePath)) {
for (ResourceMetadata metadata : mappings) {
if (metadata.getPath().matches(basePath) && metadata.isExported()) {
return metadata;
}
}
}
return null;
}
/**
* Creates {@link CorsConfiguration} from a repository interface.
*
* @param repositoryInterface the repository interface
* @return {@link CorsConfiguration} or {@literal null}.
*/
protected CorsConfiguration createConfiguration(Class<?> repositoryInterface) {
CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(repositoryInterface, CrossOrigin.class);
if (typeAnnotation == null) {
return null;
}
CorsConfiguration config = new CorsConfiguration();
updateCorsConfig(config, typeAnnotation);
if (CollectionUtils.isEmpty(config.getAllowedOrigins())) {
config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS));
}
if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
for (HttpMethod httpMethod : HttpMethod.values()) {
config.addAllowedMethod(httpMethod);
}
}
if (CollectionUtils.isEmpty(config.getAllowedHeaders())) {
config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS));
}
if (config.getAllowCredentials() == null) {
config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS);
}
if (config.getMaxAge() == null) {
config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
}
return config;
}
private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation) {
for (String origin : annotation.origins()) {
config.addAllowedOrigin(resolveCorsAnnotationValue(origin));
}
for (RequestMethod method : annotation.methods()) {
config.addAllowedMethod(method.name());
}
for (String header : annotation.allowedHeaders()) {
config.addAllowedHeader(resolveCorsAnnotationValue(header));
}
for (String header : annotation.exposedHeaders()) {
config.addExposedHeader(resolveCorsAnnotationValue(header));
}
String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials());
if ("true".equalsIgnoreCase(allowCredentials)) {
config.setAllowCredentials(true);
} else if ("false".equalsIgnoreCase(allowCredentials)) {
config.setAllowCredentials(false);
} else if (!allowCredentials.isEmpty()) {
throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", "
+ "or an empty string (\"\"): current value is [" + allowCredentials + "]");
}
if (annotation.maxAge() >= 0 && config.getMaxAge() == null) {
config.setMaxAge(annotation.maxAge());
}
}
private String resolveCorsAnnotationValue(String value) {
return (this.embeddedValueResolver != null ? this.embeddedValueResolver.resolveStringValue(value) : value);
}
}
}

View File

@@ -21,6 +21,7 @@ import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.BeanCreationException;
@@ -139,9 +140,11 @@ import org.springframework.plugin.core.OrderAwarePluginRegistry;
import org.springframework.plugin.core.PluginRegistry;
import org.springframework.util.ClassUtils;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
@@ -570,6 +573,16 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon
return handlerAdapter;
}
/**
* {@link HttpRequestHandlerAdapter} to handle CORS preflight requests.
*
* @return
*/
@Bean
public HttpRequestHandlerAdapter httpRequestHandlerAdapter() {
return new HttpRequestHandlerAdapter();
}
/**
* The {@link HandlerMapping} to delegate requests to Spring Data REST controllers. Sets up a
* {@link DelegatingHandlerMapping} to make sure manually implemented {@link BasePathAwareController} instances that
@@ -582,13 +595,18 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon
@Bean
public DelegatingHandlerMapping restHandlerMapping() {
RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config());
Map<String, CorsConfiguration> corsConfigurations = config().getCorsRegistry().getCorsConfigurations();
RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config(),
repositories());
repositoryMapping.setJpaHelper(jpaHelper());
repositoryMapping.setApplicationContext(applicationContext);
repositoryMapping.setCorsConfigurations(corsConfigurations);
repositoryMapping.afterPropertiesSet();
BasePathAwareHandlerMapping basePathMapping = new BasePathAwareHandlerMapping(config());
basePathMapping.setApplicationContext(applicationContext);
basePathMapping.setCorsConfigurations(corsConfigurations);
basePathMapping.afterPropertiesSet();
List<HandlerMapping> mappings = new ArrayList<HandlerMapping>();
@@ -980,4 +998,5 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon
*/
@Deprecated
protected void configureJacksonObjectMapper(ObjectMapper objectMapper) {}
}

View File

@@ -0,0 +1,96 @@
/*
* Copyright 2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.data.rest.webmvc;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.*;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.data.repository.support.Repositories;
import org.springframework.data.rest.core.mapping.ResourceMappings;
import org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping.CorsConfigurationAccessor;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.cors.CorsConfiguration;
/**
* Unit tests for {@link CorsConfigurationAccessor}.
*
* @author Mark Paluch
* @soundtrack Aso Mamiko - Drive Me Crazy (Club Mix)
*/
@RunWith(MockitoJUnitRunner.class)
public class CorsConfigurationAccessorUnitTests {
CorsConfigurationAccessor accessor;
@Mock ResourceMappings mappings;
@Mock Repositories repositories;
@Before
public void before() throws Exception {
accessor = new CorsConfigurationAccessor(mappings, repositories, null);
}
/**
* @see DATAREST-573
*/
@Test
public void createConfigurationShouldConstructCorsConfiguration() {
CorsConfiguration configuration = accessor.createConfiguration(AnnotatedRepository.class);
assertThat(configuration, is(notNullValue()));
assertThat(configuration.getAllowCredentials(), is(true));
assertThat(configuration.getAllowedHeaders(), hasItem("*"));
assertThat(configuration.getAllowedOrigins(), hasItem("*"));
assertThat(configuration.getAllowedMethods(),
hasItems("OPTIONS", "HEAD", "GET", "PATCH", "POST", "PUT", "DELETE", "TRACE"));
assertThat(configuration.getMaxAge(), is(1800L));
}
/**
* @see DATAREST-573
*/
@Test
public void createConfigurationShouldConstructFullCorsConfiguration() {
CorsConfiguration configuration = accessor.createConfiguration(FullyConfiguredCorsRepository.class);
assertThat(configuration, is(notNullValue()));
assertThat(configuration.getAllowCredentials(), is(true));
assertThat(configuration.getAllowedHeaders(), hasItem("Content-type"));
assertThat(configuration.getExposedHeaders(), hasItem("Accept"));
assertThat(configuration.getAllowedOrigins(), hasItem("http://far.far.away"));
assertThat(configuration.getAllowedMethods(), hasItem("PATCH"));
assertThat(configuration.getAllowedMethods(), not(hasItem("DELETE")));
assertThat(configuration.getAllowCredentials(), is(true));
assertThat(configuration.getMaxAge(), is(1234L));
}
interface PlainRepository {}
@CrossOrigin
interface AnnotatedRepository {}
@CrossOrigin(origins = "http://far.far.away", allowedHeaders = "Content-type", maxAge = 1234,
exposedHeaders = "Accept", methods = RequestMethod.PATCH, allowCredentials = "true")
interface FullyConfiguredCorsRepository {}
}

View File

@@ -0,0 +1,73 @@
[[customizing-sdr.configuring-cors]]
= Configuring CORS
For security reasons, browsers prohibit AJAX calls to resources residing outside the current origin. When working with client-side HTTP requests issued by a browser you want to enable specific HTTP resources to be accessible.
Spring Data REST supports as of 2.6 http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing] (CORS) through http://docs.spring.io/spring/docs/{version}/spring-framework-reference/html/cors.html[Spring's CORS] support.
== Repository interface CORS configuration
You can add a `@CrossOrigin` annotation to your repository interfaces to enable CORS for the whole repository. By default `@CrossOrigin` allows all origins and HTTP methods:
[source, java]
----
@CrossOrigin
interface PersonRepository extends CrudRepository<Person, Long> {}
----
In the above example CORS support is enabled for the whole `PersonRepository`. `@CrossOrigin` provides attributes to configure CORS support.
[source, java]
----
@CrossOrigin(origins = "http://domain2.com",
methods = { RequestMethod.GET, RequestMethod.POST, RequestMethod.DELETE }, maxAge = 3600)
interface PersonRepository extends CrudRepository<Person, Long> {}
----
This example enables CORS support for the whole `PersonRepository` providing one origin, restricted to `GET`, `POST` and `DELETE` methods with a max age of 3600 seconds.
== Repository REST Controller method CORS configuration
Spring Data REST fully supports http://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html#_controller_method_cors_configuration[Spring Web MVC's Controller method configuration] on custom REST Controllers sharing repository base paths.
[source, java]
----
@RepositoryRestController
@RequestMapping("/person")
public class PersonController {
@CrossOrigin(maxAge = 3600)
@RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE)
public Person retrieve(@PathVariable Long id) {
// ...
}
}
----
NOTE: Controllers annotated with `@RepositoryRestController` inherit `@CrossOrigin` configuration from their associated repositories.
== Global CORS configuration
In addition to fine-grained, annotation-based configuration youll probably want to define some global CORS configuration as well. This is similar to Spring Web MVC'S CORS configuration but can be declared within Spring Data REST and combined with fine-grained `@CrossOrigin` configuration. By default all origins and `GET`, `HEAD`, and `POST` methods are allowed.
NOTE: Existing Spring Web MVC CORS configuration is not applied to Spring Data REST.
[source, java]
----
@Component
public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter {
@Override
public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
config.addCorsMapping("/person/**")
.allowedOrigins("http://domain2.com")
.allowedMethods("PUT", "DELETE")
.allowedHeaders("header1", "header2", "header3")
.exposedHeaders("header1", "header2")
.allowCredentials(false).maxAge(3600);
}
}
----

View File

@@ -64,4 +64,5 @@ include::configuring-the-rest-url-path.adoc[leveloffset=+1]
include::adding-sdr-to-spring-mvc-app.adoc[leveloffset=+1]
include::overriding-sdr-response-handlers.adoc[leveloffset=+1]
include::customizing-json-output.adoc[leveloffset=+1]
include::custom-jackson-deserialization.adoc[leveloffset=+1]
include::custom-jackson-deserialization.adoc[leveloffset=+1]
include::configuring-cors.adoc[leveloffset=+1]