Updates to CORS patterns contribution

Closes gh-25016
This commit is contained in:
Rossen Stoyanchev
2020-07-08 13:18:11 +03:00
parent 1181bb1852
commit 0e4e25d227
24 changed files with 488 additions and 256 deletions

View File

@@ -914,7 +914,7 @@ public class MvcNamespaceTests {
}
@Test
public void testCors() throws Exception {
public void testCors() {
loadBeanDefinitions("mvc-config-cors.xml");
String[] beanNames = appContext.getBeanNamesForType(AbstractHandlerMapping.class);
@@ -930,6 +930,7 @@ public class MvcNamespaceTests {
CorsConfiguration config = configs.get("/api/**");
assertThat(config).isNotNull();
assertThat(config.getAllowedOrigins().toArray()).isEqualTo(new String[]{"https://domain1.com", "https://domain2.com"});
assertThat(config.getAllowedOriginPatterns().toArray()).isEqualTo(new String[]{"http://*.domain.com"});
assertThat(config.getAllowedMethods().toArray()).isEqualTo(new String[]{"GET", "PUT"});
assertThat(config.getAllowedHeaders().toArray()).isEqualTo(new String[]{"header1", "header2", "header3"});
assertThat(config.getExposedHeaders().toArray()).isEqualTo(new String[]{"header1", "header2"});

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
package org.springframework.web.servlet.config.annotation;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import org.junit.jupiter.api.BeforeEach;
@@ -61,11 +62,19 @@ public class CorsRegistryTests {
assertThat(configs.size()).isEqualTo(1);
CorsConfiguration config = configs.get("/foo");
assertThat(config.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain2.com", "https://domain2.com"));
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList("DELETE"));
assertThat(config.getAllowedMethods()).isEqualTo(Collections.singletonList("DELETE"));
assertThat(config.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
assertThat(config.getExposedHeaders()).isEqualTo(Arrays.asList("header3", "header4"));
assertThat(config.getAllowCredentials()).isEqualTo(false);
assertThat(config.getMaxAge()).isEqualTo(Long.valueOf(3600));
}
@Test
public void allowCredentials() {
this.registry.addMapping("/foo").allowCredentials(true);
CorsConfiguration config = this.registry.getCorsConfigurations().get("/foo");
assertThat(config.getAllowedOrigins())
.as("Globally origins=\"*\" and allowCredentials=true should be possible")
.containsExactly("*");
}
}

View File

@@ -123,14 +123,14 @@ class CorsAbstractHandlerMappingTests {
@PathPatternsParameterizedTest
void actualRequestWithMappedPatternCorsConfiguration(TestHandlerMapping mapping) throws Exception {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOriginPattern(".*\\.domain2\\.com");
config.addAllowedOriginPattern("http://*.domain2.com");
mapping.setCorsConfigurations(Collections.singletonMap("/foo", config));
MockHttpServletRequest request = getCorsRequest("/foo");
HandlerExecutionChain chain = mapping.getHandler(request);
assertThat(chain).isNotNull();
assertThat(chain.getHandler()).isInstanceOf(SimpleHandler.class);
assertThat(mapping.getRequiredCorsConfig().getAllowedOriginPatterns()).containsExactly(".*\\.domain2\\.com");
assertThat(mapping.getRequiredCorsConfig().getAllowedOriginPatterns()).containsExactly("http://*.domain2.com");
}
@PathPatternsParameterizedTest
@@ -158,7 +158,8 @@ class CorsAbstractHandlerMappingTests {
CorsConfiguration config = mapping.getRequiredCorsConfig();
assertThat(config).isNotNull();
assertThat(config.getAllowedOrigins()).containsExactly("*");
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
}
@@ -174,7 +175,8 @@ class CorsAbstractHandlerMappingTests {
CorsConfiguration config = mapping.getRequiredCorsConfig();
assertThat(config).isNotNull();
assertThat(config.getAllowedOrigins()).containsExactly("*");
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
}
@@ -283,7 +285,7 @@ class CorsAbstractHandlerMappingTests {
@Override
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*");
config.addAllowedOriginPattern("*");
config.setAllowCredentials(true);
return config;
}

View File

@@ -55,6 +55,7 @@ import org.springframework.web.util.ServletRequestPathUtils;
import org.springframework.web.util.pattern.PathPatternParser;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
/**
@@ -72,7 +73,7 @@ class CrossOriginTests {
StaticWebApplicationContext wac = new StaticWebApplicationContext();
Properties props = new Properties();
props.setProperty("myOrigin", "https://example.com");
props.setProperty("myDomainPattern", ".*\\.example\\.com");
props.setProperty("myDomainPattern", "http://*.example.com");
wac.getEnvironment().getPropertySources().addFirst(new PropertiesPropertySource("ps", props));
wac.registerSingleton("ppc", PropertySourcesPlaceholderConfigurer.class);
wac.refresh();
@@ -206,7 +207,7 @@ class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, false);
assertThat(config).isNotNull();
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).isEqualTo(Collections.singletonList(".*\\.example\\.com"));
assertThat(config.getAllowedOriginPatterns()).isEqualTo(Collections.singletonList("http://*.example.com"));
assertThat(config.getAllowCredentials()).isNull();
}
@@ -218,16 +219,30 @@ class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, false);
assertThat(config).isNotNull();
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).isEqualTo(Collections.singletonList(".*\\.example\\.com"));
assertThat(config.getAllowedOriginPatterns()).isEqualTo(Collections.singletonList("http://*.example.com"));
assertThat(config.getAllowCredentials()).isNull();
}
@PathPatternsParameterizedTest
void bogusAllowCredentialsValue(TestRequestMappingInfoHandlerMapping mapping) {
assertThatIllegalStateException().isThrownBy(() ->
mapping.registerHandler(new MethodLevelControllerWithBogusAllowCredentialsValue()))
.withMessageContaining("@CrossOrigin's allowCredentials")
.withMessageContaining("current value is [bogus]");
assertThatIllegalStateException()
.isThrownBy(() -> mapping.registerHandler(new MethodLevelControllerWithBogusAllowCredentialsValue()))
.withMessageContaining("@CrossOrigin's allowCredentials")
.withMessageContaining("current value is [bogus]");
}
@PathPatternsParameterizedTest
void allowCredentialsWithDefaultOrigin(TestRequestMappingInfoHandlerMapping mapping) {
assertThatIllegalArgumentException()
.isThrownBy(() -> mapping.registerHandler(new CredentialsWithDefaultOriginController()))
.withMessageContaining("When allowCredentials is true, allowedOrigins cannot contain");
}
@PathPatternsParameterizedTest
void allowCredentialsWithWildcardOrigin(TestRequestMappingInfoHandlerMapping mapping) {
assertThatIllegalArgumentException()
.isThrownBy(() -> mapping.registerHandler(new CredentialsWithWildcardOriginController()))
.withMessageContaining("When allowCredentials is true, allowedOrigins cannot contain");
}
@PathPatternsParameterizedTest
@@ -255,7 +270,8 @@ class CrossOriginTests {
config = getCorsConfiguration(chain, false);
assertThat(config).isNotNull();
assertThat(config.getAllowedMethods()).containsExactly("GET");
assertThat(config.getAllowedOrigins()).containsExactly("*");
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
}
@@ -313,7 +329,8 @@ class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, true);
assertThat(config).isNotNull();
assertThat(config.getAllowedMethods()).containsExactly("*");
assertThat(config.getAllowedOrigins()).containsExactly("*");
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).containsExactly("*");
assertThat(config.getAllowedHeaders()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
assertThat(CollectionUtils.isEmpty(config.getExposedHeaders())).isTrue();
@@ -330,7 +347,8 @@ class CrossOriginTests {
CorsConfiguration config = getCorsConfiguration(chain, true);
assertThat(config).isNotNull();
assertThat(config.getAllowedMethods()).containsExactly("*");
assertThat(config.getAllowedOrigins()).containsExactly("*");
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginPatterns()).containsExactly("*");
assertThat(config.getAllowedHeaders()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
assertThat(CollectionUtils.isEmpty(config.getExposedHeaders())).isTrue();
@@ -433,7 +451,7 @@ class CrossOriginTests {
public void customOriginDefinedViaPlaceholder() {
}
@CrossOrigin(originPatterns = ".*\\.example\\.com")
@CrossOrigin(originPatterns = "http://*.example.com")
@RequestMapping("/customOriginPattern")
public void customOriginPatternDefinedViaValueAttribute() {
}
@@ -469,11 +487,31 @@ class CrossOriginTests {
public void bar() {
}
@CrossOrigin(allowCredentials = "true")
@CrossOrigin(originPatterns = "*", allowCredentials = "true")
@RequestMapping(path = "/baz", method = RequestMethod.GET)
public void baz() {
}
}
@Controller
@CrossOrigin(allowCredentials = "true")
private static class CredentialsWithDefaultOriginController {
@GetMapping(path = "/no-origin")
public void noOrigin() {
}
}
@Controller
@CrossOrigin(allowCredentials = "true")
private static class CredentialsWithWildcardOriginController {
@GetMapping(path = "/no-origin")
@CrossOrigin(origins = "*")
public void wildcardOrigin() {
}
}
@@ -495,6 +533,8 @@ class CrossOriginTests {
@RequestMapping(path = "/foo", method = RequestMethod.GET)
public void foo() {
}
}