Updates to CORS patterns contribution
Closes gh-25016
@@ -40,6 +40,8 @@ public class CorsConfigurationTests {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.setAllowedOrigins(null);
|
||||
assertThat(config.getAllowedOrigins()).isNull();
|
||||
config.setAllowedOriginPatterns(null);
|
||||
assertThat(config.getAllowedOriginPatterns()).isNull();
|
||||
config.setAllowedHeaders(null);
|
||||
assertThat(config.getAllowedHeaders()).isNull();
|
||||
config.setAllowedMethods(null);
|
||||
@@ -50,42 +52,39 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getAllowCredentials()).isNull();
|
||||
config.setMaxAge((Long) null);
|
||||
assertThat(config.getMaxAge()).isNull();
|
||||
config.setAllowedOriginPatterns(null);
|
||||
assertThat(config.getAllowedOriginPatterns()).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setValues() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOrigin("*");
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("*");
|
||||
config.addAllowedOriginPattern("http://*.example.com");
|
||||
config.addAllowedHeader("*");
|
||||
assertThat(config.getAllowedHeaders()).containsExactly("*");
|
||||
config.addAllowedMethod("*");
|
||||
assertThat(config.getAllowedMethods()).containsExactly("*");
|
||||
config.addExposedHeader("header1");
|
||||
config.addExposedHeader("header2");
|
||||
assertThat(config.getExposedHeaders()).containsExactly("header1", "header2");
|
||||
config.setAllowCredentials(true);
|
||||
assertThat(config.getAllowCredentials()).isTrue();
|
||||
config.setMaxAge(123L);
|
||||
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("*");
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.example.com");
|
||||
assertThat(config.getAllowedHeaders()).containsExactly("*");
|
||||
assertThat(config.getAllowedMethods()).containsExactly("*");
|
||||
assertThat(config.getExposedHeaders()).containsExactly("header1", "header2");
|
||||
assertThat(config.getAllowCredentials()).isTrue();
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
|
||||
config.addAllowedOriginPattern(".*\\.example\\.com");
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly(".*\\.example\\.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void asteriskWildCardOnAddExposedHeader() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
config.addExposedHeader("*"));
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> new CorsConfiguration().addExposedHeader("*"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void asteriskWildCardOnSetExposedHeaders() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> config.setExposedHeaders(Collections.singletonList("*")));
|
||||
.isThrownBy(() -> new CorsConfiguration().setExposedHeaders(Collections.singletonList("*")));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -94,28 +93,31 @@ public class CorsConfigurationTests {
|
||||
config.setAllowedOrigins(Collections.singletonList("*"));
|
||||
config.combine(null);
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("*");
|
||||
assertThat(config.getAllowedOriginPatterns()).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combineWithNullProperties() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOrigin("*");
|
||||
config.setAllowedOriginPatterns(Collections.singletonList("http://*.example.com"));
|
||||
config.addAllowedHeader("header1");
|
||||
config.addExposedHeader("header3");
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.setMaxAge(123L);
|
||||
config.setAllowCredentials(true);
|
||||
config.setAllowedOriginPatterns(Collections.singletonList(".*\\.example\\.com"));
|
||||
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
config = config.combine(other);
|
||||
|
||||
assertThat(config).isNotNull();
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("*");
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.example.com");
|
||||
assertThat(config.getAllowedHeaders()).containsExactly("header1");
|
||||
assertThat(config.getExposedHeaders()).containsExactly("header3");
|
||||
assertThat(config.getAllowedMethods()).containsExactly(HttpMethod.GET.name());
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
|
||||
assertThat(config.getAllowCredentials()).isTrue();
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly(".*\\.example\\.com");
|
||||
}
|
||||
|
||||
@Test // SPR-15772
|
||||
@@ -157,35 +159,36 @@ public class CorsConfigurationTests {
|
||||
public void combinePatternWithDefaultPermitValues() {
|
||||
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOriginPattern(".*\\.com");
|
||||
other.addAllowedOriginPattern("http://*.com");
|
||||
|
||||
CorsConfiguration combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isNull();
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*\\.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("http://*.com");
|
||||
|
||||
combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isNull();
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*\\.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("http://*.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combinePatternWithDefaultPermitValuesAndCustomOrigin() {
|
||||
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
|
||||
config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
|
||||
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOriginPattern(".*\\.com");
|
||||
other.addAllowedOriginPattern("http://*.com");
|
||||
|
||||
CorsConfiguration combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*\\.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("http://*.com");
|
||||
|
||||
combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*\\.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("http://*.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -194,25 +197,28 @@ public class CorsConfigurationTests {
|
||||
config.addAllowedOrigin("*");
|
||||
config.addAllowedHeader("*");
|
||||
config.addAllowedMethod("*");
|
||||
config.addAllowedOriginPattern(".*");
|
||||
config.addAllowedOriginPattern("*");
|
||||
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain.com");
|
||||
other.addAllowedOriginPattern("http://*.company.com");
|
||||
other.addAllowedHeader("header1");
|
||||
other.addExposedHeader("header2");
|
||||
other.addAllowedOriginPattern(".*\\.company\\.com");
|
||||
other.addAllowedMethod(HttpMethod.PUT.name());
|
||||
|
||||
CorsConfiguration combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*");
|
||||
|
||||
combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*");
|
||||
}
|
||||
|
||||
@Test // SPR-14792
|
||||
@@ -226,41 +232,45 @@ public class CorsConfigurationTests {
|
||||
config.addExposedHeader("header4");
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.addAllowedMethod(HttpMethod.PUT.name());
|
||||
config.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
config.addAllowedOriginPattern(".*\\.domain2\\.com");
|
||||
config.addAllowedOriginPattern("http://*.domain1.com");
|
||||
config.addAllowedOriginPattern("http://*.domain2.com");
|
||||
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain1.com");
|
||||
other.addAllowedOriginPattern("http://*.domain1.com");
|
||||
other.addAllowedHeader("header1");
|
||||
other.addExposedHeader("header3");
|
||||
other.addAllowedMethod(HttpMethod.GET.name());
|
||||
other.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
|
||||
CorsConfiguration combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig).isNotNull();
|
||||
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain1.com", "https://domain2.com");
|
||||
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("header1", "header2");
|
||||
assertThat(combinedConfig.getExposedHeaders()).containsExactly("header3", "header4");
|
||||
assertThat(combinedConfig.getAllowedMethods()).containsExactly(HttpMethod.GET.name(), HttpMethod.PUT.name());
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly(".*\\.domain1\\.com", ".*\\.domain2\\.com");
|
||||
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("http://*.domain1.com", "http://*.domain2.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combine() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOrigin("https://domain1.com");
|
||||
config.addAllowedOriginPattern("http://*.domain1.com");
|
||||
config.addAllowedHeader("header1");
|
||||
config.addExposedHeader("header3");
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.setMaxAge(123L);
|
||||
config.setAllowCredentials(true);
|
||||
config.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain2.com");
|
||||
other.addAllowedOriginPattern("http://*.domain2.com");
|
||||
other.addAllowedHeader("header2");
|
||||
other.addExposedHeader("header4");
|
||||
other.addAllowedMethod(HttpMethod.PUT.name());
|
||||
other.setMaxAge(456L);
|
||||
other.setAllowCredentials(false);
|
||||
other.addAllowedOriginPattern(".*\\.domain2\\.com");
|
||||
|
||||
config = config.combine(other);
|
||||
assertThat(config).isNotNull();
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("https://domain1.com", "https://domain2.com");
|
||||
@@ -270,18 +280,21 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(456));
|
||||
assertThat(config).isNotNull();
|
||||
assertThat(config.getAllowCredentials()).isFalse();
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly(".*\\.domain1\\.com", ".*\\.domain2\\.com");
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.domain1.com", "http://*.domain2.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkOriginAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.setAllowedOrigins(Collections.singletonList("*"));
|
||||
config.addAllowedOrigin("*");
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
|
||||
|
||||
config.setAllowCredentials(true);
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> config.checkOrigin("https://domain.com"));
|
||||
|
||||
config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
|
||||
config.setAllowCredentials(false);
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
}
|
||||
@@ -291,10 +304,13 @@ public class CorsConfigurationTests {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
|
||||
config.addAllowedOrigin("*");
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
|
||||
config.setAllowedOrigins(Collections.singletonList("https://domain1.com"));
|
||||
assertThat(config.checkOrigin("https://domain2.com")).isNull();
|
||||
|
||||
config.setAllowedOrigins(new ArrayList<>());
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
}
|
||||
@@ -302,12 +318,17 @@ public class CorsConfigurationTests {
|
||||
@Test
|
||||
public void checkOriginPatternAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.setAllowedOriginPatterns(Collections.singletonList(".*"));
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
|
||||
config.applyPermitDefaultValues();
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
|
||||
|
||||
config.setAllowCredentials(true);
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
config.setAllowedOriginPatterns(Collections.singletonList(".*\\.domain\\.com"));
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> config.checkOrigin("https://domain.com"));
|
||||
|
||||
config.addAllowedOriginPattern("https://*.domain.com");
|
||||
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
|
||||
|
||||
config.setAllowCredentials(false);
|
||||
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
|
||||
}
|
||||
@@ -317,10 +338,12 @@ public class CorsConfigurationTests {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
config.addAllowedOriginPattern(".*");
|
||||
config.addAllowedOriginPattern("*");
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
config.setAllowedOriginPatterns(Collections.singletonList(".*\\.domain1\\.com"));
|
||||
|
||||
config.setAllowedOriginPatterns(Collections.singletonList("http://*.domain1.com"));
|
||||
assertThat(config.checkOrigin("https://domain2.com")).isNull();
|
||||
|
||||
config.setAllowedOriginPatterns(new ArrayList<>());
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
}
|
||||
@@ -329,8 +352,10 @@ public class CorsConfigurationTests {
|
||||
public void checkMethodAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkHttpMethod(HttpMethod.GET)).containsExactly(HttpMethod.GET, HttpMethod.HEAD);
|
||||
|
||||
config.addAllowedMethod("GET");
|
||||
assertThat(config.checkHttpMethod(HttpMethod.GET)).containsExactly(HttpMethod.GET);
|
||||
|
||||
config.addAllowedMethod("POST");
|
||||
assertThat(config.checkHttpMethod(HttpMethod.GET)).containsExactly(HttpMethod.GET, HttpMethod.POST);
|
||||
assertThat(config.checkHttpMethod(HttpMethod.POST)).containsExactly(HttpMethod.GET, HttpMethod.POST);
|
||||
@@ -341,6 +366,7 @@ public class CorsConfigurationTests {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkHttpMethod(null)).isNull();
|
||||
assertThat(config.checkHttpMethod(HttpMethod.DELETE)).isNull();
|
||||
|
||||
config.setAllowedMethods(new ArrayList<>());
|
||||
assertThat(config.checkHttpMethod(HttpMethod.POST)).isNull();
|
||||
}
|
||||
@@ -349,8 +375,10 @@ public class CorsConfigurationTests {
|
||||
public void checkHeadersAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkHeaders(Collections.emptyList())).isEqualTo(Collections.emptyList());
|
||||
|
||||
config.addAllowedHeader("header1");
|
||||
config.addAllowedHeader("header2");
|
||||
|
||||
assertThat(config.checkHeaders(Collections.singletonList("header1"))).containsExactly("header1");
|
||||
assertThat(config.checkHeaders(Arrays.asList("header1", "header2"))).containsExactly("header1", "header2");
|
||||
assertThat(config.checkHeaders(Arrays.asList("header1", "header2", "header3"))).containsExactly("header1", "header2");
|
||||
@@ -361,8 +389,10 @@ public class CorsConfigurationTests {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkHeaders(null)).isNull();
|
||||
assertThat(config.checkHeaders(Collections.singletonList("header1"))).isNull();
|
||||
|
||||
config.setAllowedHeaders(Collections.emptyList());
|
||||
assertThat(config.checkHeaders(Collections.singletonList("header1"))).isNull();
|
||||
|
||||
config.addAllowedHeader("header2");
|
||||
config.addAllowedHeader("header3");
|
||||
assertThat(config.checkHeaders(Collections.singletonList("header1"))).isNull();
|
||||
@@ -374,6 +404,7 @@ public class CorsConfigurationTests {
|
||||
config.addAllowedOrigin("https://domain.com");
|
||||
config.addAllowedHeader("header1");
|
||||
config.addAllowedMethod("PATCH");
|
||||
|
||||
assertThat(config.getAllowedOrigins()).containsExactly("*", "https://domain.com");
|
||||
assertThat(config.getAllowedHeaders()).containsExactly("*", "header1");
|
||||
assertThat(config.getAllowedMethods()).containsExactly("GET", "HEAD", "POST", "PATCH");
|
||||
@@ -382,9 +413,10 @@ public class CorsConfigurationTests {
|
||||
@Test
|
||||
public void permitDefaultDoesntSetOriginWhenPatternPresent() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOriginPattern(".*\\.com");
|
||||
config.addAllowedOriginPattern("http://*.com");
|
||||
config = config.applyPermitDefaultValues();
|
||||
|
||||
assertThat(config.getAllowedOrigins()).isNull();
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly(".*\\.com");
|
||||
assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.com");
|
||||
}
|
||||
}
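Review bot: The negative origin-pattern check in the `@@ -317,10 +338,12 @@` hunk only rejects a wholly unrelated host (`https://domain2.com` against `http://*.domain1.com`), so nothing in these tests pins that the wildcard syntax is matched against the whole origin rather than a substring. The +/- markers are lost on this page, so I am reading the `http://*…` lines as the new side. I would add a suffix lookalike and a scheme mismatch next to the existing `isNull()` assertion, e.g. `assertThat(config.checkOrigin("http://sub.domain1.com.lookalike.example")).isNull();` and `assertThat(config.checkOrigin("https://sub.domain1.com")).isNull();` (constructed sample origins). The test method's signature lies outside that hunk.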
|
||||
|
||||
@@ -16,6 +16,8 @@
|
||||
|
||||
package org.springframework.web.cors;
|
||||
|
||||
import java.util.Arrays;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
@@ -27,6 +29,7 @@ import org.springframework.web.testfixture.servlet.MockHttpServletRequest;
|
||||
import org.springframework.web.testfixture.servlet.MockHttpServletResponse;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Test {@link DefaultCorsProcessor} with simple or preflight CORS request.
|
||||
@@ -138,11 +141,17 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
|
||||
public void actualRequestCredentialsWithWildcardOrigin() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
|
||||
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.setAllowCredentials(true);
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.processor.processRequest(this.conf, this.request, this.response));
|
||||
|
||||
this.conf.setAllowedOrigins(null);
|
||||
this.conf.addAllowedOriginPattern("*");
|
||||
|
||||
this.processor.processRequest(this.conf, this.request, this.response);
|
||||
assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
|
||||
@@ -311,17 +320,21 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
|
||||
public void preflightRequestCredentialsWithWildcardOrigin() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.conf.addAllowedOrigin("https://domain1.com");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.addAllowedOrigin("http://domain3.example");
|
||||
this.conf.setAllowedOrigins(Arrays.asList("https://domain1.com", "*", "http://domain3.example"));
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
this.processor.processRequest(this.conf, this.request, this.response));
|
||||
|
||||
this.conf.setAllowedOrigins(null);
|
||||
this.conf.addAllowedOriginPattern("*");
|
||||
|
||||
this.processor.processRequest(this.conf, this.request, this.response);
|
||||
assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
|
||||
assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
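Review bot: The second half of `actualRequestCredentialsWithWildcardOrigin` and `preflightRequestCredentialsWithWildcardOrigin` shows that `addAllowedOriginPattern("*")` with `setAllowCredentials(true)` echoes back whatever Origin the request carries, which is the exposure the `IllegalArgumentException` asserted just above it blocks for `addAllowedOrigin("*")`. Nothing in the tests says this is an intentional opt-in; I would put a comment above the pattern lines such as `// allowedOriginPatterns("*") is an explicit opt-in: the request origin is reflected, so any site may send credentialed requests`. It would also help to assert the `Access-Control-Allow-Credentials` value and a `Vary` entry for `Origin` after the pattern call, if the lines past the hunk do not already do so. The same two tests in the reactive `DefaultCorsProcessorTests` (hunks `-144,10 +145,14` and `-333,7 +338,10`) have the same gap. Both servlet methods continue beyond the visible hunk lines.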
|
||||
|
||||
@@ -29,6 +29,7 @@ import org.springframework.web.testfixture.http.server.reactive.MockServerHttpRe
|
||||
import org.springframework.web.testfixture.server.MockServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.springframework.http.HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS;
|
||||
import static org.springframework.http.HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN;
|
||||
import static org.springframework.http.HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS;
|
||||
@@ -56,7 +57,7 @@ public class DefaultCorsProcessorTests {
|
||||
|
||||
|
||||
@Test
|
||||
public void requestWithoutOriginHeader() throws Exception {
|
||||
public void requestWithoutOriginHeader() {
|
||||
MockServerHttpRequest request = MockServerHttpRequest
|
||||
.method(HttpMethod.GET, "http://domain1.example/test.html")
|
||||
.build();
|
||||
@@ -71,7 +72,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sameOriginRequest() throws Exception {
|
||||
public void sameOriginRequest() {
|
||||
MockServerHttpRequest request = MockServerHttpRequest
|
||||
.method(HttpMethod.GET, "http://domain1.example/test.html")
|
||||
.header(HttpHeaders.ORIGIN, "http://domain1.example")
|
||||
@@ -87,7 +88,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeader() throws Exception {
|
||||
public void actualRequestWithOriginHeader() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.processor.process(this.conf, exchange);
|
||||
|
||||
@@ -99,7 +100,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeaderAndNullConfig() throws Exception {
|
||||
public void actualRequestWithOriginHeaderAndNullConfig() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.processor.process(null, exchange);
|
||||
|
||||
@@ -109,7 +110,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception {
|
||||
public void actualRequestWithOriginHeaderAndAllowedOrigin() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.process(this.conf, exchange);
|
||||
@@ -125,7 +126,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCredentials() throws Exception {
|
||||
public void actualRequestCredentials() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.conf.addAllowedOrigin("https://domain1.com");
|
||||
this.conf.addAllowedOrigin("https://domain2.com");
|
||||
@@ -144,10 +145,14 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
|
||||
public void actualRequestCredentialsWithWildcardOrigin() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.setAllowCredentials(true);
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.process(this.conf, exchange));
|
||||
|
||||
this.conf.setAllowedOrigins(null);
|
||||
this.conf.addAllowedOriginPattern("*");
|
||||
this.processor.process(this.conf, exchange);
|
||||
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
@@ -161,7 +166,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCaseInsensitiveOriginMatch() throws Exception {
|
||||
public void actualRequestCaseInsensitiveOriginMatch() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.conf.addAllowedOrigin("https://DOMAIN2.com");
|
||||
this.processor.process(this.conf, exchange);
|
||||
@@ -174,7 +179,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestExposedHeaders() throws Exception {
|
||||
public void actualRequestExposedHeaders() {
|
||||
ServerWebExchange exchange = actualRequest();
|
||||
this.conf.addExposedHeader("header1");
|
||||
this.conf.addExposedHeader("header2");
|
||||
@@ -193,7 +198,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllOriginsAllowed() throws Exception {
|
||||
public void preflightRequestAllOriginsAllowed() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(
|
||||
preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET"));
|
||||
this.conf.addAllowedOrigin("*");
|
||||
@@ -207,7 +212,7 @@ public class DefaultCorsProcessorTests {
|
||||
|
||||
|
||||
@Test
|
||||
public void preflightRequestWrongAllowedMethod() throws Exception {
|
||||
public void preflightRequestWrongAllowedMethod() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(
|
||||
preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "DELETE"));
|
||||
this.conf.addAllowedOrigin("*");
|
||||
@@ -220,7 +225,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestMatchedAllowedMethod() throws Exception {
|
||||
public void preflightRequestMatchedAllowedMethod() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(
|
||||
preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET"));
|
||||
this.conf.addAllowedOrigin("*");
|
||||
@@ -234,7 +239,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Exception {
|
||||
public void preflightRequestTestWithOriginButWithoutOtherHeaders() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest());
|
||||
this.processor.process(this.conf, exchange);
|
||||
|
||||
@@ -246,7 +251,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithoutRequestMethod() throws Exception {
|
||||
public void preflightRequestWithoutRequestMethod() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(
|
||||
preFlightRequest().header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
|
||||
this.processor.process(this.conf, exchange);
|
||||
@@ -259,7 +264,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
|
||||
public void preflightRequestWithRequestAndMethodHeaderButNoConfig() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
|
||||
@@ -274,7 +279,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestValidRequestAndConfig() throws Exception {
|
||||
public void preflightRequestValidRequestAndConfig() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
|
||||
@@ -299,7 +304,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestCredentials() throws Exception {
|
||||
public void preflightRequestCredentials() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
|
||||
@@ -323,7 +328,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
|
||||
public void preflightRequestCredentialsWithWildcardOrigin() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
|
||||
@@ -333,7 +338,10 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedOrigin("http://domain3.example");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.process(this.conf, exchange));
|
||||
|
||||
this.conf.setAllowedOrigins(null);
|
||||
this.conf.addAllowedOriginPattern("*");
|
||||
this.processor.process(this.conf, exchange);
|
||||
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
@@ -345,7 +353,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllowedHeaders() throws Exception {
|
||||
public void preflightRequestAllowedHeaders() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2"));
|
||||
@@ -369,7 +377,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllowsAllHeaders() throws Exception {
|
||||
public void preflightRequestAllowsAllHeaders() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2"));
|
||||
@@ -391,7 +399,7 @@ public class DefaultCorsProcessorTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithEmptyHeaders() throws Exception {
|
||||
public void preflightRequestWithEmptyHeaders() {
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest()
|
||||
.header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
||||
.header(ACCESS_CONTROL_REQUEST_HEADERS, ""));
|
||||
|
||||