diff --git a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java new file mode 100644 index 000000000..fb08dd1e9 --- /dev/null +++ b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java @@ -0,0 +1,39 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.core.config; + +import java.util.Map; + +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.servlet.config.annotation.CorsRegistry; + +/** + * Spring Data REST specific {@code CorsRegistry} implementation exposing {@link #getCorsConfigurations()}. Assists with + * the registration of {@link CorsConfiguration} mapped to a path pattern. + * + * @author Mark Paluch + * @since 2.6 + */ +public class RepositoryCorsRegistry extends CorsRegistry { + + /* (non-Javadoc) + * @see org.springframework.web.servlet.config.annotation.CorsRegistry#getCorsConfigurations() + */ + @Override + public Map getCorsConfigurations() { + return super.getCorsConfigurations(); + } +} diff --git a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java index 406a834fb..d4db3704d 100644 --- a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java +++ b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2015 the original author or authors. + * Copyright 2012-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,6 +28,8 @@ import org.springframework.hateoas.MediaTypes; import org.springframework.http.MediaType; import org.springframework.util.Assert; import org.springframework.util.StringUtils; +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.servlet.config.annotation.CorsRegistration; /** * Spring Data REST configuration options. @@ -36,6 +38,7 @@ import org.springframework.util.StringUtils; * @author Oliver Gierke * @author Jeremy Rickard * @author Greg Turnquist + * @author Mark Paluch */ @SuppressWarnings("deprecation") public class RepositoryRestConfiguration { @@ -58,6 +61,7 @@ public class RepositoryRestConfiguration { private ResourceMappingConfiguration repoMappings = new ResourceMappingConfiguration(); private RepositoryDetectionStrategy repositoryDetectionStrategy = RepositoryDetectionStrategies.DEFAULT; + private final RepositoryCorsRegistry corsRegistry = new RepositoryCorsRegistry(); private final ProjectionDefinitionConfiguration projectionConfiguration; private final MetadataConfiguration metadataConfiguration; private final EntityLookupConfiguration entityLookupConfiguration; @@ -549,6 +553,34 @@ public class RepositoryRestConfiguration { : repositoryDetectionStrategy; } + /** + * Returns the {@link RepositoryCorsRegistry} to configure Cross-origin resource sharing. + * + * @return the {@link RepositoryCorsRegistry}. + * @since 2.6 + * @see RepositoryCorsRegistry + * @see CorsRegistration + */ + public RepositoryCorsRegistry getCorsRegistry() { + return corsRegistry; + } + + /** + * Configures Cross-origin resource sharing given a {@code path}. + * + * @param path path or path pattern, must not be {@literal null} or empty. + * @return the {@link CorsRegistration} to build a CORS configuration. + * @since 2.6 + * @see CorsConfiguration + */ + public CorsRegistration addCorsMapping(String path) { + + Assert.notNull(path, "Path must not be null!"); + Assert.hasText(path, "Path must not be empty!"); + + return corsRegistry.addMapping(path); + } + /** * Returns the {@link EntityLookupRegistrar} to create custom {@link EntityLookup} instances registered in the * configuration. diff --git a/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java b/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java index b0e0b6219..009424997 100644 --- a/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java +++ b/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java @@ -15,10 +15,12 @@ */ package org.springframework.data.rest.core; -import static org.hamcrest.CoreMatchers.*; +import static org.hamcrest.Matchers.*; import static org.junit.Assert.*; import static org.mockito.Mockito.*; +import java.util.Map; + import org.junit.Before; import org.junit.Test; import org.springframework.data.rest.core.config.EnumTranslationConfiguration; @@ -28,11 +30,13 @@ import org.springframework.data.rest.core.config.RepositoryRestConfiguration; import org.springframework.data.rest.core.domain.Profile; import org.springframework.data.rest.core.domain.ProfileRepository; import org.springframework.http.MediaType; +import org.springframework.web.cors.CorsConfiguration; /** * Unit tests for {@link RepositoryRestConfiguration}. * * @author Oliver Gierke + * @author Mark Paluch * @soundtrack Adam F - Circles (Colors) */ public class RepositoryRestConfigurationUnitTests { @@ -132,10 +136,25 @@ public class RepositoryRestConfigurationUnitTests { * @see DATAREST-776 */ @Test - public void consideresDomainTypeOfValueRepositoryLookupTypes() { + public void considersDomainTypeOfValueRepositoryLookupTypes() { configuration.withEntityLookup().forLookupRepository(ProfileRepository.class); assertThat(configuration.isLookupType(Profile.class), is(true)); } + + /** + * @see DATAREST-573 + */ + @Test + public void configuresCorsProcessing() { + + configuration.addCorsMapping("/hello").maxAge(1234); + + Map corsConfigurations = configuration.getCorsRegistry().getCorsConfigurations(); + assertThat(corsConfigurations, hasKey("/hello")); + + CorsConfiguration corsConfiguration = corsConfigurations.get("/hello"); + assertThat(corsConfiguration.getMaxAge(), is(1234L)); + } } diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java index 3be066136..d2c57c4c2 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java @@ -16,10 +16,13 @@ package org.springframework.data.rest.webmvc.jpa; import org.springframework.data.repository.CrudRepository; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; /** * @author Oliver Gierke + * @author Mark Paluch */ -public interface AuthorRepository extends CrudRepository { - -} +@CrossOrigin(origins = "http://not.so.far.away", allowCredentials = "true", + methods = { RequestMethod.GET, RequestMethod.PATCH }, maxAge = 1234) +public interface AuthorRepository extends CrudRepository {} diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java index 15dbc9676..59eb9dc90 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java @@ -16,10 +16,13 @@ package org.springframework.data.rest.webmvc.jpa; import org.springframework.data.repository.CrudRepository; +import org.springframework.web.bind.annotation.CrossOrigin; /** * @author Greg Turnquist * @author Oliver Gierke + * @author Mark Paluch * @see DATAREST-463 */ +@CrossOrigin public interface ItemRepository extends CrudRepository {} diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java new file mode 100644 index 000000000..a8f5788ec --- /dev/null +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java @@ -0,0 +1,204 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.webmvc.jpa; + +import static org.hamcrest.Matchers.containsString; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import org.junit.Test; +import org.springframework.context.annotation.Bean; +import org.springframework.data.rest.core.config.RepositoryRestConfiguration; +import org.springframework.data.rest.tests.AbstractWebIntegrationTests; +import org.springframework.data.rest.webmvc.BasePathAwareController; +import org.springframework.data.rest.webmvc.RepositoryRestController; +import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer; +import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter; +import org.springframework.hateoas.Link; +import org.springframework.http.HttpHeaders; +import org.springframework.http.MediaType; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +/** + * Web integration tests specific to Cross-origin resource sharing. + * + * @author Mark Paluch + * @soundtrack 2 Unlimited - No Limit + */ +@ContextConfiguration +public class CorsIntegrationTests extends AbstractWebIntegrationTests { + + static class CorsConfig extends JpaRepositoryConfig { + + @Bean + RepositoryRestConfigurer repositoryRestConfigurer() { + + return new RepositoryRestConfigurerAdapter() { + + @Override + public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) { + + config.addCorsMapping("/books/**") // + .allowedMethods("GET", "PUT", "POST") // + .allowedOrigins("http://far.far.away"); + } + }; + } + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesSelectiveDefaultCorsConfiguration() throws Exception { + + Link findItems = client.discoverUnique("items"); + + // Preflight request + mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS,TRACE")); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesGlobalCorsConfiguration() throws Exception { + + Link findBooks = client.discoverUnique("books"); + + // Preflight request + mvc.perform(options(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PUT,POST")); + + // CORS request + mvc.perform(get(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")); + } + + /** + * @see DATAREST-573 + * @see BooksXmlController + */ + @Test + public void appliesCorsConfigurationOnCustomControllers() throws Exception { + + // Preflight request + mvc.perform(options("/books/xml/1234") // + .header(HttpHeaders.ORIGIN, "http://far.far.away") // + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 77123)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + // See https://jira.spring.io/browse/SPR-14792 + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST"))); + + // CORS request + mvc.perform(get("/books/xml/1234") // + .header(HttpHeaders.ORIGIN, "http://far.far.away") // + .accept(MediaType.APPLICATION_XML)) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")); + } + + /** + * @see DATAREST-573 + * @see BooksPdfController + */ + @Test + public void appliesCorsConfigurationOnCustomControllerMethod() throws Exception { + + // Preflight request + mvc.perform(options("/books/pdf/1234").header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 4711)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + // See https://jira.spring.io/browse/SPR-14792 + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST"))); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesCorsConfigurationOnRepository() throws Exception { + + Link authorsLink = client.discoverUnique("authors"); + + // Preflight request + mvc.perform(options(authorsLink.expand().getHref()).header(HttpHeaders.ORIGIN, "http://not.so.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH")); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesCorsConfigurationOnRepositoryToCustomControllers() throws Exception { + + // Preflight request + mvc.perform(options("/authors/pdf/1234").header(HttpHeaders.ORIGIN, "http://not.so.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH")); + } + + @RepositoryRestController + static class AuthorsPdfController { + + @RequestMapping(method = RequestMethod.GET, path = "/authors/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE) + void authorToPdf() {} + } + + @RepositoryRestController + static class BooksPdfController { + + @RequestMapping(method = RequestMethod.GET, path = "/books/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE) + @CrossOrigin(maxAge = 4711) + void bookToPdf() {} + } + + @BasePathAwareController + static class BooksXmlController { + + @GetMapping(value = "/books/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE) + @CrossOrigin(maxAge = 77123) + void bookToXml(@PathVariable String id) {} + } +} diff --git a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java index 7e669eaa6..f9fa7f3c4 100644 --- a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java +++ b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2015 the original author or authors. + * Copyright 2012-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +15,7 @@ */ package org.springframework.data.rest.webmvc; +import java.util.Arrays; import java.util.HashSet; import java.util.LinkedHashSet; import java.util.List; @@ -23,15 +24,24 @@ import java.util.Set; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; +import org.springframework.core.annotation.AnnotatedElementUtils; import org.springframework.core.annotation.AnnotationUtils; +import org.springframework.data.repository.support.Repositories; import org.springframework.data.rest.core.config.RepositoryRestConfiguration; import org.springframework.data.rest.core.mapping.ResourceMappings; +import org.springframework.data.rest.core.mapping.ResourceMetadata; import org.springframework.data.rest.webmvc.support.JpaHelper; +import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; import org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter; import org.springframework.orm.jpa.support.OpenEntityManagerInViewInterceptor; import org.springframework.util.Assert; +import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils; +import org.springframework.util.StringValueResolver; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition; import org.springframework.web.servlet.mvc.method.RequestMappingInfo; @@ -45,6 +55,7 @@ import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandl * * @author Jon Brisbin * @author Oliver Gierke + * @author Mark Paluch */ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { @@ -53,7 +64,9 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { private final ResourceMappings mappings; private final RepositoryRestConfiguration configuration; + private final Repositories repositories; + private StringValueResolver embeddedValueResolver; private JpaHelper jpaHelper; /** @@ -64,6 +77,19 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { * @param config must not be {@literal null}. */ public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config) { + this(mappings, config, null); + } + + /** + * Creates a new {@link RepositoryRestHandlerMapping} for the given {@link ResourceMappings} + * {@link RepositoryRestConfiguration} and {@link Repositories}. + * + * @param mappings must not be {@literal null}. + * @param config must not be {@literal null}. + * @param repositories can be {@literal null} if {@link CrossOrigin} resolution is not required. + */ + public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config, + Repositories repositories) { super(config); @@ -72,6 +98,7 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { this.mappings = mappings; this.configuration = config; + this.repositories = repositories; } /** @@ -81,7 +108,17 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { this.jpaHelper = jpaHelper; } - /* + /* (non-Javadoc) + * @see org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#setEmbeddedValueResolver(org.springframework.util.StringValueResolver) + */ + @Override + public void setEmbeddedValueResolver(StringValueResolver resolver) { + + embeddedValueResolver = resolver; + super.setEmbeddedValueResolver(resolver); + } + + /* * (non-Javadoc) * @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod(java.lang.String, javax.servlet.http.HttpServletRequest) */ @@ -155,6 +192,32 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { return new ProducesRequestCondition(mediaTypes.toArray(new String[mediaTypes.size()])); } + /* (non-Javadoc) + * @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#getCorsConfiguration(java.lang.Object, javax.servlet.http.HttpServletRequest) + */ + @Override + protected CorsConfiguration getCorsConfiguration(Object handler, HttpServletRequest request) { + + CorsConfiguration corsConfiguration = super.getCorsConfiguration(handler, request); + String lookupPath = getUrlPathHelper().getLookupPathForRequest(request); + + String repositoryLookupPath = new BaseUri(configuration.getBaseUri()).getRepositoryLookupPath(lookupPath); + + if (!StringUtils.hasText(repositoryLookupPath) || repositories == null) { + return corsConfiguration; + } + + // Repository root resource + CorsConfiguration repositoryConfiguration = new CorsConfigurationAccessor(mappings, repositories, + embeddedValueResolver).findCorsConfiguration(lookupPath); + + if (repositoryConfiguration != null) { + return corsConfiguration != null ? corsConfiguration.combine(repositoryConfiguration) : repositoryConfiguration; + } + + return corsConfiguration; + } + /** * Returns the first segment of the given repository lookup path. * @@ -166,4 +229,140 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { int secondSlashIndex = repositoryLookupPath.indexOf('/', repositoryLookupPath.startsWith("/") ? 1 : 0); return secondSlashIndex == -1 ? repositoryLookupPath : repositoryLookupPath.substring(0, secondSlashIndex); } + + /** + * Accessor to obtain {@link CorsConfiguration} for exposed repositories. + *

+ * Exported Repository classes can be annotated with {@link CrossOrigin} to configure CORS for a specific repository. + * + * @author Mark Paluch + * @since 2.6 + */ + static class CorsConfigurationAccessor { + + private final ResourceMappings mappings; + private final Repositories repositories; + private final StringValueResolver embeddedValueResolver; + + /** + * Creates a new {@link CorsConfigurationAccessor} given {@link ResourceMappings}, {@link Repositories} and + * {@link StringValueResolver}. + * + * @param mappings must not be {@literal null}. + * @param repositories must not be {@literal null}. + * @param embeddedValueResolver may be {@literal null} if not present. + */ + CorsConfigurationAccessor(ResourceMappings mappings, Repositories repositories, + StringValueResolver embeddedValueResolver) { + + Assert.notNull(mappings, "ResourceMappings must not be null!"); + Assert.notNull(repositories, "Repositories must not be null!"); + + this.mappings = mappings; + this.repositories = repositories; + this.embeddedValueResolver = embeddedValueResolver; + } + + CorsConfiguration findCorsConfiguration(String lookupPath) { + + ResourceMetadata resource = getResourceMetadata(getRepositoryBasePath(lookupPath)); + + return resource != null ? createConfiguration( + repositories.getRepositoryInformationFor(resource.getDomainType()).getRepositoryInterface()) : null; + } + + private ResourceMetadata getResourceMetadata(String basePath) { + + if (mappings.exportsTopLevelResourceFor(basePath)) { + + for (ResourceMetadata metadata : mappings) { + if (metadata.getPath().matches(basePath) && metadata.isExported()) { + return metadata; + } + } + } + + return null; + } + + /** + * Creates {@link CorsConfiguration} from a repository interface. + * + * @param repositoryInterface the repository interface + * @return {@link CorsConfiguration} or {@literal null}. + */ + protected CorsConfiguration createConfiguration(Class repositoryInterface) { + + CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(repositoryInterface, CrossOrigin.class); + + if (typeAnnotation == null) { + return null; + } + + CorsConfiguration config = new CorsConfiguration(); + updateCorsConfig(config, typeAnnotation); + + if (CollectionUtils.isEmpty(config.getAllowedOrigins())) { + config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS)); + } + + if (CollectionUtils.isEmpty(config.getAllowedMethods())) { + for (HttpMethod httpMethod : HttpMethod.values()) { + config.addAllowedMethod(httpMethod); + } + } + + if (CollectionUtils.isEmpty(config.getAllowedHeaders())) { + config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS)); + } + + if (config.getAllowCredentials() == null) { + config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS); + } + + if (config.getMaxAge() == null) { + config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE); + } + + return config; + } + + private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation) { + + for (String origin : annotation.origins()) { + config.addAllowedOrigin(resolveCorsAnnotationValue(origin)); + } + + for (RequestMethod method : annotation.methods()) { + config.addAllowedMethod(method.name()); + } + + for (String header : annotation.allowedHeaders()) { + config.addAllowedHeader(resolveCorsAnnotationValue(header)); + } + + for (String header : annotation.exposedHeaders()) { + config.addExposedHeader(resolveCorsAnnotationValue(header)); + } + + String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials()); + + if ("true".equalsIgnoreCase(allowCredentials)) { + config.setAllowCredentials(true); + } else if ("false".equalsIgnoreCase(allowCredentials)) { + config.setAllowCredentials(false); + } else if (!allowCredentials.isEmpty()) { + throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", " + + "or an empty string (\"\"): current value is [" + allowCredentials + "]"); + } + + if (annotation.maxAge() >= 0 && config.getMaxAge() == null) { + config.setMaxAge(annotation.maxAge()); + } + } + + private String resolveCorsAnnotationValue(String value) { + return (this.embeddedValueResolver != null ? this.embeddedValueResolver.resolveStringValue(value) : value); + } + } } diff --git a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java index d861ddbdc..28a8955ca 100644 --- a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java +++ b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java @@ -21,6 +21,7 @@ import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; import org.springframework.beans.factory.BeanCreationException; @@ -139,9 +140,11 @@ import org.springframework.plugin.core.OrderAwarePluginRegistry; import org.springframework.plugin.core.PluginRegistry; import org.springframework.util.ClassUtils; import org.springframework.web.bind.support.ConfigurableWebBindingInitializer; +import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.method.support.HandlerMethodArgumentResolver; import org.springframework.web.servlet.HandlerMapping; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; +import org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter; import org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter; import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice; @@ -570,6 +573,16 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon return handlerAdapter; } + /** + * {@link HttpRequestHandlerAdapter} to handle CORS preflight requests. + * + * @return + */ + @Bean + public HttpRequestHandlerAdapter httpRequestHandlerAdapter() { + return new HttpRequestHandlerAdapter(); + } + /** * The {@link HandlerMapping} to delegate requests to Spring Data REST controllers. Sets up a * {@link DelegatingHandlerMapping} to make sure manually implemented {@link BasePathAwareController} instances that @@ -582,13 +595,18 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon @Bean public DelegatingHandlerMapping restHandlerMapping() { - RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config()); + Map corsConfigurations = config().getCorsRegistry().getCorsConfigurations(); + + RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config(), + repositories()); repositoryMapping.setJpaHelper(jpaHelper()); repositoryMapping.setApplicationContext(applicationContext); + repositoryMapping.setCorsConfigurations(corsConfigurations); repositoryMapping.afterPropertiesSet(); BasePathAwareHandlerMapping basePathMapping = new BasePathAwareHandlerMapping(config()); basePathMapping.setApplicationContext(applicationContext); + basePathMapping.setCorsConfigurations(corsConfigurations); basePathMapping.afterPropertiesSet(); List mappings = new ArrayList(); @@ -980,4 +998,5 @@ public class RepositoryRestMvcConfiguration extends HateoasAwareSpringDataWebCon */ @Deprecated protected void configureJacksonObjectMapper(ObjectMapper objectMapper) {} + } diff --git a/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java b/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java new file mode 100644 index 000000000..c41f2a34a --- /dev/null +++ b/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java @@ -0,0 +1,96 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.webmvc; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.*; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.data.repository.support.Repositories; +import org.springframework.data.rest.core.mapping.ResourceMappings; +import org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping.CorsConfigurationAccessor; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.cors.CorsConfiguration; + +/** + * Unit tests for {@link CorsConfigurationAccessor}. + * + * @author Mark Paluch + * @soundtrack Aso Mamiko - Drive Me Crazy (Club Mix) + */ +@RunWith(MockitoJUnitRunner.class) +public class CorsConfigurationAccessorUnitTests { + + CorsConfigurationAccessor accessor; + + @Mock ResourceMappings mappings; + @Mock Repositories repositories; + + @Before + public void before() throws Exception { + accessor = new CorsConfigurationAccessor(mappings, repositories, null); + } + + /** + * @see DATAREST-573 + */ + @Test + public void createConfigurationShouldConstructCorsConfiguration() { + + CorsConfiguration configuration = accessor.createConfiguration(AnnotatedRepository.class); + + assertThat(configuration, is(notNullValue())); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getAllowedHeaders(), hasItem("*")); + assertThat(configuration.getAllowedOrigins(), hasItem("*")); + assertThat(configuration.getAllowedMethods(), + hasItems("OPTIONS", "HEAD", "GET", "PATCH", "POST", "PUT", "DELETE", "TRACE")); + assertThat(configuration.getMaxAge(), is(1800L)); + } + + /** + * @see DATAREST-573 + */ + @Test + public void createConfigurationShouldConstructFullCorsConfiguration() { + + CorsConfiguration configuration = accessor.createConfiguration(FullyConfiguredCorsRepository.class); + + assertThat(configuration, is(notNullValue())); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getAllowedHeaders(), hasItem("Content-type")); + assertThat(configuration.getExposedHeaders(), hasItem("Accept")); + assertThat(configuration.getAllowedOrigins(), hasItem("http://far.far.away")); + assertThat(configuration.getAllowedMethods(), hasItem("PATCH")); + assertThat(configuration.getAllowedMethods(), not(hasItem("DELETE"))); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getMaxAge(), is(1234L)); + } + + interface PlainRepository {} + + @CrossOrigin + interface AnnotatedRepository {} + + @CrossOrigin(origins = "http://far.far.away", allowedHeaders = "Content-type", maxAge = 1234, + exposedHeaders = "Accept", methods = RequestMethod.PATCH, allowCredentials = "true") + interface FullyConfiguredCorsRepository {} +} diff --git a/src/main/asciidoc/configuring-cors.adoc b/src/main/asciidoc/configuring-cors.adoc new file mode 100644 index 000000000..9b18096b4 --- /dev/null +++ b/src/main/asciidoc/configuring-cors.adoc @@ -0,0 +1,73 @@ +[[customizing-sdr.configuring-cors]] += Configuring CORS + +For security reasons, browsers prohibit AJAX calls to resources residing outside the current origin. When working with client-side HTTP requests issued by a browser you want to enable specific HTTP resources to be accessible. + +Spring Data REST supports as of 2.6 http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing] (CORS) through http://docs.spring.io/spring/docs/{version}/spring-framework-reference/html/cors.html[Spring's CORS] support. + + +== Repository interface CORS configuration + +You can add a `@CrossOrigin` annotation to your repository interfaces to enable CORS for the whole repository. By default `@CrossOrigin` allows all origins and HTTP methods: + +[source, java] +---- +@CrossOrigin +interface PersonRepository extends CrudRepository {} +---- + +In the above example CORS support is enabled for the whole `PersonRepository`. `@CrossOrigin` provides attributes to configure CORS support. + +[source, java] +---- +@CrossOrigin(origins = "http://domain2.com", + methods = { RequestMethod.GET, RequestMethod.POST, RequestMethod.DELETE }, maxAge = 3600) +interface PersonRepository extends CrudRepository {} +---- + +This example enables CORS support for the whole `PersonRepository` providing one origin, restricted to `GET`, `POST` and `DELETE` methods with a max age of 3600 seconds. + +== Repository REST Controller method CORS configuration + +Spring Data REST fully supports http://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html#_controller_method_cors_configuration[Spring Web MVC's Controller method configuration] on custom REST Controllers sharing repository base paths. + +[source, java] +---- +@RepositoryRestController +@RequestMapping("/person") +public class PersonController { + + @CrossOrigin(maxAge = 3600) + @RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE) + public Person retrieve(@PathVariable Long id) { + // ... + } +} +---- + +NOTE: Controllers annotated with `@RepositoryRestController` inherit `@CrossOrigin` configuration from their associated repositories. + +== Global CORS configuration + +In addition to fine-grained, annotation-based configuration you’ll probably want to define some global CORS configuration as well. This is similar to Spring Web MVC'S CORS configuration but can be declared within Spring Data REST and combined with fine-grained `@CrossOrigin` configuration. By default all origins and `GET`, `HEAD`, and `POST` methods are allowed. + +NOTE: Existing Spring Web MVC CORS configuration is not applied to Spring Data REST. + +[source, java] +---- +@Component +public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter { + + @Override + public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) { + + config.addCorsMapping("/person/**") + .allowedOrigins("http://domain2.com") + .allowedMethods("PUT", "DELETE") + .allowedHeaders("header1", "header2", "header3") + .exposedHeaders("header1", "header2") + .allowCredentials(false).maxAge(3600); + } +} +---- + diff --git a/src/main/asciidoc/customizing-sdr.adoc b/src/main/asciidoc/customizing-sdr.adoc index f376c7569..61b4ff29b 100644 --- a/src/main/asciidoc/customizing-sdr.adoc +++ b/src/main/asciidoc/customizing-sdr.adoc @@ -64,4 +64,5 @@ include::configuring-the-rest-url-path.adoc[leveloffset=+1] include::adding-sdr-to-spring-mvc-app.adoc[leveloffset=+1] include::overriding-sdr-response-handlers.adoc[leveloffset=+1] include::customizing-json-output.adoc[leveloffset=+1] -include::custom-jackson-deserialization.adoc[leveloffset=+1] \ No newline at end of file +include::custom-jackson-deserialization.adoc[leveloffset=+1] +include::configuring-cors.adoc[leveloffset=+1]