Improve CORS handling in AbstractSockJsService

After this change, AbstractSockJsService does not add CORS headers if
the response already contains an "Access-Control-Allow-Origin" header.
Essentially it backs off assuming CORS headers are handled centrally
e.g. through a Filter.

In order to support this, the ServletServerHttpResponse now returns an
instance of HttpHeaders that also provides access to headers already
present in the HttpServletResponse.

Issue: SPR-11443
This commit is contained in:
Rossen Stoyanchev
2014-03-05 21:02:03 -05:00
parent cf3b2b1a4d
commit 49d7bda722
5 changed files with 144 additions and 41 deletions

View File

@@ -54,25 +54,25 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
public void validateRequest() throws Exception {
this.service.setWebSocketEnabled(false);
handleRequest("GET", "/echo/server/session/websocket", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/server/session/websocket", HttpStatus.NOT_FOUND);
this.service.setWebSocketEnabled(true);
handleRequest("GET", "/echo/server/session/websocket", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/server/session/websocket", HttpStatus.OK);
handleRequest("GET", "/echo//", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo///", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo/other", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo//service/websocket", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo/server//websocket", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo/server/session/", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo/s.erver/session/websocket", HttpStatus.NOT_FOUND);
handleRequest("GET", "/echo/server/s.ession/websocket", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo//", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo///", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/other", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo//service/websocket", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/server//websocket", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/server/session/", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/s.erver/session/websocket", HttpStatus.NOT_FOUND);
resetResponseAndHandleRequest("GET", "/echo/server/s.ession/websocket", HttpStatus.NOT_FOUND);
}
@Test
public void handleInfoGet() throws Exception {
handleRequest("GET", "/echo/info", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
assertEquals("*", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
@@ -86,19 +86,32 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
this.service.setSessionCookieNeeded(false);
this.service.setWebSocketEnabled(false);
handleRequest("GET", "/echo/info", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
body = this.servletResponse.getContentAsString();
assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}",
body.substring(body.indexOf(',')));
}
// SPR-11443
@Test
public void handleInfoGetCorsFilter() throws Exception {
// Simulate scenario where Filter would have already set CORS headers
this.servletResponse.setHeader("Access-Control-Allow-Origin", "foobar:123");
handleRequest("GET", "/echo/info", HttpStatus.OK);
assertEquals("foobar:123", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
}
@Test
public void handleInfoOptions() throws Exception {
this.servletRequest.addHeader("Access-Control-Request-Headers", "Last-Modified");
handleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
this.response.flush();
assertEquals("*", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
@@ -111,7 +124,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
@Test
public void handleIframeRequest() throws Exception {
handleRequest("GET", "/echo/iframe.html", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/iframe.html", HttpStatus.OK);
assertEquals("text/html;charset=UTF-8", this.servletResponse.getContentType());
assertTrue(this.servletResponse.getContentAsString().startsWith("<!DOCTYPE html>\n"));
@@ -125,39 +138,42 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
this.servletRequest.addHeader("If-None-Match", "\"0da1ed070012f304e47b83c81c48ad620\"");
handleRequest("GET", "/echo/iframe.html", HttpStatus.NOT_MODIFIED);
resetResponseAndHandleRequest("GET", "/echo/iframe.html", HttpStatus.NOT_MODIFIED);
}
@Test
public void handleRawWebSocketRequest() throws Exception {
handleRequest("GET", "/echo", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo", HttpStatus.OK);
assertEquals("Welcome to SockJS!\n", this.servletResponse.getContentAsString());
handleRequest("GET", "/echo/websocket", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/websocket", HttpStatus.OK);
assertNull("Raw WebSocket should not open a SockJS session", this.service.sessionId);
assertSame(this.handler, this.service.handler);
}
private void handleRequest(String httpMethod, String uri, HttpStatus httpStatus) throws IOException {
resetResponse();
setRequest(httpMethod, uri);
String sockJsPath = uri.substring("/echo".length());
this.service.handleRequest(this.request, this.response, sockJsPath, this.handler);
assertEquals(httpStatus.value(), this.servletResponse.getStatus());
}
@Test
public void handleEmptyContentType() throws Exception {
servletRequest.setContentType("");
handleRequest("GET", "/echo/info", HttpStatus.OK);
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertEquals("Invalid/empty content should have been ignored", 200, this.servletResponse.getStatus());
}
private void resetResponseAndHandleRequest(String httpMethod, String uri, HttpStatus httpStatus) throws IOException {
resetResponse();
handleRequest(httpMethod, uri, httpStatus);
}
private void handleRequest(String httpMethod, String uri, HttpStatus httpStatus) throws IOException {
setRequest(httpMethod, uri);
String sockJsPath = uri.substring("/echo".length());
this.service.handleRequest(this.request, this.response, sockJsPath, this.handler);
assertEquals(httpStatus.value(), this.servletResponse.getStatus());
}
private static class TestSockJsService extends AbstractSockJsService {