Improve CORS list properties combination logic

This commit allows CorsConfiguration#combine()
to differentiate permit default values set by
CorsConfiguration#applyPermitDefaultValues()
from values configured explicitly by the user.

Those permit default values will be overridden
by any user-provided ones while user-provided values
will be combined in an additive way, including
when "*" is specified.

Documentation has been improved accordingly.

Issue: SPR-15772
sdeleuze
2017-12-20 11:28:55 +01:00
parent 425a999d5e
commit 0075f13126
5 changed files with 114 additions and 31 deletions


@@ -108,6 +108,37 @@ public class CorsConfigurationTests {
assertTrue(config.getAllowCredentials());
}
@Test // SPR-15772
public void combineWithDefaultPermitValues() {
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOrigin("http://domain.com");
other.addAllowedHeader("header1");
other.addAllowedMethod(HttpMethod.PUT.name());
CorsConfiguration combinedConfig = config.combine(other);
assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
combinedConfig = other.combine(config);
assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
combinedConfig = config.combine(new CorsConfiguration());
assertEquals(Arrays.asList("*"), config.getAllowedOrigins());
assertEquals(Arrays.asList("*"), config.getAllowedHeaders());
assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(),
HttpMethod.POST.name()), combinedConfig.getAllowedMethods());
combinedConfig = new CorsConfiguration().combine(config);
assertEquals(Arrays.asList("*"), config.getAllowedOrigins());
assertEquals(Arrays.asList("*"), config.getAllowedHeaders());
assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(),
HttpMethod.POST.name()), combinedConfig.getAllowedMethods());
}
@Test
public void combineWithAsteriskWildCard() {
CorsConfiguration config = new CorsConfiguration();
@@ -120,15 +151,13 @@ public class CorsConfigurationTests {
other.addExposedHeader("header2");
other.addAllowedMethod(HttpMethod.PUT.name());
CorsConfiguration combinedConfig = config.combine(other);
assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList("header2"), combinedConfig.getExposedHeaders());
assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedMethods());
combinedConfig = other.combine(config);
assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList("header2"), combinedConfig.getExposedHeaders());
assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedOrigins());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedHeaders());
assertEquals(Arrays.asList("*"), combinedConfig.getAllowedMethods());
}
@Test // SPR-14792
@@ -250,4 +279,15 @@ public class CorsConfigurationTests {
assertNull(config.checkHeaders(Arrays.asList("header1")));
}
@Test // SPR-15772
public void changePermitDefaultValues() {
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
config.addAllowedOrigin("http://domain.com");
config.addAllowedHeader("header1");
config.addAllowedMethod("PATCH");
assertEquals(Arrays.asList("*", "http://domain.com"), config.getAllowedOrigins());
assertEquals(Arrays.asList("*", "header1"), config.getAllowedHeaders());
assertEquals(Arrays.asList("GET", "HEAD", "POST", "PATCH"), config.getAllowedMethods());
}
}
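Review bot: In `combineWithDefaultPermitValues`, the last two assertion groups check `config.getAllowedOrigins()` and `config.getAllowedHeaders()` rather than `combinedConfig`, so they only re-verify what `applyPermitDefaultValues()` set on the receiver. They never test what `combine()` returns for an empty configuration, so a regression that dropped or changed the wildcard there would go unnoticed. Those four lines should read `assertEquals(Arrays.asList("*"), combinedConfig.getAllowedOrigins());` and `assertEquals(Arrays.asList("*"), combinedConfig.getAllowedHeaders());`, matching the `getAllowedMethods()` checks beside them. Separately, `changePermitDefaultValues` pins `["*", "http://domain.com"]` as the result of adding an origin after the permit defaults. A comment such as `// "*" is retained: adding an origin after applyPermitDefaultValues() does not narrow the allowed origins` would tell readers the list presumably still matches every origin.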