Set Vary: Origin on CORS unauthorized response

Issue: SPR-16224
This commit is contained in:
sdeleuze
2017-11-22 22:32:12 +01:00
parent 652e5c5584
commit 4a87d3da7b
4 changed files with 47 additions and 6 deletions


@@ -65,6 +65,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
}
@@ -89,6 +90,7 @@ public class DefaultCorsProcessorTests {
assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -106,6 +108,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -121,6 +124,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -132,6 +136,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -149,6 +154,7 @@ public class DefaultCorsProcessorTests {
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -160,6 +166,7 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("*");
this.processor.processRequest(this.conf, this.request, this.response);
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -171,6 +178,7 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("*");
this.processor.processRequest(this.conf, this.request, this.response);
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
}
@@ -184,6 +192,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
assertEquals("GET,HEAD", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
}
@Test
@@ -193,6 +202,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
}
@@ -204,6 +214,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
}
@@ -216,6 +227,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
}
@@ -237,6 +249,7 @@ public class DefaultCorsProcessorTests {
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals("GET,PUT", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -257,6 +270,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -275,6 +289,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -295,6 +310,7 @@ public class DefaultCorsProcessorTests {
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -313,6 +329,7 @@ public class DefaultCorsProcessorTests {
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
@@ -328,6 +345,7 @@ public class DefaultCorsProcessorTests {
this.processor.processRequest(this.conf, this.request, this.response);
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
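Review bot: Every added assertion in this section checks `Vary` with exact equality on a response fresh from setup, so nothing covers the case where the response already carries a `Vary` value (e.g. `Accept-Encoding`); whether the processor appends `Origin` or overwrites the existing value is not pinned by the tests, and overwriting would let a shared cache key the response on the wrong dimensions. The same gap applies to the reactive test section that follows. The preflight hunks (the ones asserting `GET,HEAD` and `GET,PUT` on `Access-Control-Allow-Methods`) also only assert `Origin`, although a preflight answer also depends on `Access-Control-Request-Method` and `Access-Control-Request-Headers`; if the processor is meant to vary on those too, a test should say so. A test along the following lines would close the first gap (the request/origin setup lines are outside the hunks, so they are only sketched here).
```java
@Test
public void actualRequestPreservesExistingVaryValue() throws Exception {
    // … request set up with an Origin header as in the other tests …
    this.response.addHeader(HttpHeaders.VARY, "Accept-Encoding");
    this.conf.addAllowedOrigin("*");
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.getHeaders(HttpHeaders.VARY).contains("Accept-Encoding"));
    assertTrue(this.response.getHeaders(HttpHeaders.VARY).contains(HttpHeaders.ORIGIN));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
```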


@@ -63,6 +63,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
}
@@ -87,6 +88,7 @@ public class DefaultCorsProcessorTests {
assertEquals("*", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -104,6 +106,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -119,6 +122,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -130,6 +134,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -147,6 +152,7 @@ public class DefaultCorsProcessorTests {
assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertTrue(response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
assertTrue(response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -157,7 +163,9 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("*");
this.processor.process(this.conf, exchange);
assertNull(exchange.getResponse().getStatusCode());
ServerHttpResponse response = exchange.getResponse();
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -168,7 +176,9 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("*");
this.processor.process(this.conf, exchange);
assertEquals(HttpStatus.FORBIDDEN, exchange.getResponse().getStatusCode());
ServerHttpResponse response = exchange.getResponse();
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
}
@Test
@@ -180,6 +190,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertNull(response.getStatusCode());
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals("GET,HEAD", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
}
@@ -190,6 +201,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
}
@@ -201,6 +213,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
}
@@ -214,6 +227,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
}
@@ -237,6 +251,7 @@ public class DefaultCorsProcessorTests {
assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals("GET,PUT", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -259,6 +274,7 @@ public class DefaultCorsProcessorTests {
assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -279,6 +295,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -301,6 +318,7 @@ public class DefaultCorsProcessorTests {
assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -321,6 +339,7 @@ public class DefaultCorsProcessorTests {
assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}
@@ -338,6 +357,7 @@ public class DefaultCorsProcessorTests {
ServerHttpResponse response = exchange.getResponse();
assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_HEADERS));
assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
assertNull(response.getStatusCode());
}