Add an option to disable automatic addition of CORS header

Issues: SPR-12283
This commit is contained in:
Sebastien Deleuze
2014-10-26 00:36:41 +02:00
parent 743356fa21
commit 58f4014b17
10 changed files with 110 additions and 3 deletions

View File

@@ -178,6 +178,7 @@ public class HandlersBeanDefinitionParserTests {
assertThat(sockJsService, instanceOf(DefaultSockJsService.class));
DefaultSockJsService defaultSockJsService = (DefaultSockJsService) sockJsService;
assertThat(defaultSockJsService.getTaskScheduler(), instanceOf(ThreadPoolTaskScheduler.class));
assertFalse(defaultSockJsService.shouldSuppressCors());
Map<TransportType, TransportHandler> transportHandlers = defaultSockJsService.getTransportHandlers();
assertThat(transportHandlers.values(),
@@ -232,6 +233,7 @@ public class HandlersBeanDefinitionParserTests {
List<HandshakeInterceptor> interceptors = transportService.getHandshakeInterceptors();
assertThat(interceptors, contains(instanceOf(OriginHandshakeInterceptor.class)));
assertEquals(Arrays.asList("http://mydomain1.com", "http://mydomain2.com"), transportService.getAllowedOrigins());
assertTrue(transportService.shouldSuppressCors());
}
private void loadBeanDefinitions(String fileName) {

View File

@@ -154,6 +154,7 @@ public class MessageBrokerBeanDefinitionParserTests {
.getTransportHandlers().get(TransportType.WEBSOCKET);
assertNotNull(wsTransportHandler.getHandshakeHandler());
assertThat(wsTransportHandler.getHandshakeHandler(), Matchers.instanceOf(TestHandshakeHandler.class));
assertFalse(defaultSockJsService.shouldSuppressCors());
ThreadPoolTaskScheduler scheduler = (ThreadPoolTaskScheduler) defaultSockJsService.getTaskScheduler();
assertEquals(Runtime.getRuntime().availableProcessors(), scheduler.getScheduledThreadPoolExecutor().getCorePoolSize());

View File

@@ -104,6 +104,7 @@ public class WebMvcStompWebSocketEndpointRegistrationTests {
assertNotNull(requestHandler.getSockJsService());
DefaultSockJsService sockJsService = (DefaultSockJsService)requestHandler.getSockJsService();
assertEquals(Arrays.asList(origin), sockJsService.getAllowedOrigins());
assertFalse(sockJsService.shouldSuppressCors());
registration =
new WebMvcStompWebSocketEndpointRegistration(new String[] {"/foo"}, this.handler, this.scheduler);
@@ -114,6 +115,22 @@ public class WebMvcStompWebSocketEndpointRegistrationTests {
assertNotNull(requestHandler.getSockJsService());
sockJsService = (DefaultSockJsService)requestHandler.getSockJsService();
assertEquals(Arrays.asList(origin), sockJsService.getAllowedOrigins());
assertFalse(sockJsService.shouldSuppressCors());
}
@Test // SPR-12283
public void disableCorsWithSockJsService() {
WebMvcStompWebSocketEndpointRegistration registration =
new WebMvcStompWebSocketEndpointRegistration(new String[] {"/foo"}, this.handler, this.scheduler);
registration.withSockJS().setSupressCors(true);
MultiValueMap<HttpRequestHandler, String> mappings = registration.getMappings();
assertEquals(1, mappings.size());
SockJsHttpRequestHandler requestHandler = (SockJsHttpRequestHandler)mappings.entrySet().iterator().next().getKey();
assertNotNull(requestHandler.getSockJsService());
DefaultSockJsService sockJsService = (DefaultSockJsService)requestHandler.getSockJsService();
assertTrue(sockJsService.shouldSuppressCors());
}
@Test

View File

@@ -237,6 +237,42 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
}
@Test // SPR-12283
public void handleInfoOptionsWithOriginAndCorsDisabled() throws Exception {
setOrigin("http://mydomain2.com");
this.service.setSuppressCors(true);
this.servletRequest.addHeader("Access-Control-Request-Headers", "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
this.response.flush();
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
this.response.flush();
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
assertNull(this.servletResponse.getHeader("Vary"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
this.response.flush();
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
assertEquals("Origin", this.servletResponse.getHeader("Vary"));
}
@Test
public void handleIframeRequest() throws Exception {
resetResponseAndHandleRequest("GET", "/echo/iframe.html", HttpStatus.OK);