CORS-related refinements

After this change CorsProcessor has a single processRequest method and
it also explicitly deals with a null CorsConfiguration, which for
pre-flight requests results in a rejection while for simple requests
results in no CORS headers added.

The AbstractHandlerMapping now uses a LinkedHashMap to preserve the
order in which global patterns are provided.
This commit is contained in:
Rossen Stoyanchev
2015-05-18 12:17:42 -04:00
parent 0b84f137cc
commit 5e8d838334
8 changed files with 228 additions and 195 deletions

View File

@@ -21,35 +21,31 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Contract for handling CORS preflight requests and intercepting CORS simple
* and actual requests.
* A strategy that takes a request and a {@link CorsConfiguration} and updates
* the response.
*
* <p>This component is not concerned with how a {@code CorsConfiguration} is
* selected but rather takes follow-up actions such as applying CORS validation
* checks and either rejecting the response or adding CORS headers to the
* response.
*
* @author Sebastien Deleuze
* @author Rossen Stoyanchev
* @since 4.2
* @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
* @see org.springframework.web.servlet.handler.AbstractHandlerMapping#setCorsProcessor
*/
public interface CorsProcessor {
/**
* Process a preflight CORS request given a {@link CorsConfiguration}.
* If the request is not a valid CORS pre-flight request or if it does not
* comply with the configuration it should be rejected.
* If the request is valid and complies with the configuration, CORS headers
* should be added to the response.
* Process a request given a {@code CorsConfiguration}.
*
* @param configuration the applicable CORS configuration, possibly {@code null}
* @param request the current request
* @param response the current response
* @return {@code false} if the request is rejected, else {@code true}.
*/
boolean processPreFlightRequest(CorsConfiguration conf, HttpServletRequest request,
HttpServletResponse response) throws IOException;
/**
* Process a simple or actual CORS request given a {@link CorsConfiguration}.
* If the request is not a valid CORS simple or actual request or if it does
* not comply with the configuration, it should be rejected.
* If the request is valid and comply with the configuration, this method adds the related
* CORS headers to the response.
* @return {@code false} if the request is rejected, else {@code true}.
*/
boolean processActualRequest(CorsConfiguration conf, HttpServletRequest request,
boolean processRequest(CorsConfiguration configuration, HttpServletRequest request,
HttpServletResponse response) throws IOException;
}

View File

@@ -34,17 +34,14 @@ public class CorsUtils {
* Returns {@code true} if the request is a valid CORS one.
*/
public static boolean isCorsRequest(HttpServletRequest request) {
return request.getHeader(HttpHeaders.ORIGIN) != null;
return (request.getHeader(HttpHeaders.ORIGIN) != null);
}
/**
* Returns {@code true} if the request is a valid CORS pre-flight one.
*/
public static boolean isPreFlightRequest(HttpServletRequest request) {
if (!isCorsRequest(request)) {
return false;
}
return request.getMethod().equals(HttpMethod.OPTIONS.name());
return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name()));
}
}

View File

@@ -39,7 +39,11 @@ import org.springframework.util.CollectionUtils;
/**
* Default implementation of {@link CorsProcessor}, as defined by the
* <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>.
* <a href="http://www.w3.org/TR/cors/">CORS W3C recommendation</a>.
*
* <p>Note that when input {@link CorsConfiguration} is {@code null}, this
* implementation does not reject simple or actual requests outright but simply
* avoid adding CORS headers to the response.
*
* @author Sebastien Deleuze
* @author Rossen Stoyanhcev
@@ -49,48 +53,37 @@ public class DefaultCorsProcessor implements CorsProcessor {
private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
protected final Log logger = LogFactory.getLog(getClass());
private static final Log logger = LogFactory.getLog(DefaultCorsProcessor.class);
@Override
public boolean processPreFlightRequest(CorsConfiguration config, HttpServletRequest request,
public boolean processRequest(CorsConfiguration config, HttpServletRequest request,
HttpServletResponse response) throws IOException {
Assert.isTrue(CorsUtils.isPreFlightRequest(request));
ServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
if (responseHasCors(serverResponse)) {
if (!CorsUtils.isCorsRequest(request)) {
return true;
}
ServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
if (handleInternal(serverRequest, serverResponse, config, true)) {
serverResponse.flush();
return true;
}
return false;
}
@Override
public boolean processActualRequest(CorsConfiguration config, HttpServletRequest request,
HttpServletResponse response) throws IOException {
Assert.isTrue(CorsUtils.isCorsRequest(request) && !CorsUtils.isPreFlightRequest(request));
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
if (responseHasCors(serverResponse)) {
return true;
}
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
if (handleInternal(serverRequest, serverResponse, config, false)) {
serverResponse.flush();
return true;
boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
if (config == null) {
if (preFlightRequest) {
rejectRequest(serverResponse);
return false;
}
else {
return true;
}
}
return false;
return handleInternal(serverRequest, serverResponse, config, preFlightRequest);
}
private boolean responseHasCors(ServerHttpResponse response) {
@@ -107,20 +100,33 @@ public class DefaultCorsProcessor implements CorsProcessor {
return hasAllowOrigin;
}
/**
* Invoked when one of the CORS checks failed.
* The default implementation sets the response status to 403 and writes
* "Invalid CORS request" to the response.
*/
protected void rejectRequest(ServerHttpResponse response) throws IOException {
response.setStatusCode(HttpStatus.FORBIDDEN);
response.getBody().write("Invalid CORS request".getBytes(UTF8_CHARSET));
}
/**
* Handle the given request.
*/
protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse response,
CorsConfiguration config, boolean isPreFlight) throws IOException {
CorsConfiguration config, boolean preFlightRequest) throws IOException {
String requestOrigin = request.getHeaders().getOrigin();
String allowOrigin = checkOrigin(config, requestOrigin);
HttpMethod requestMethod = getMethodToUse(request, isPreFlight);
HttpMethod requestMethod = getMethodToUse(request, preFlightRequest);
List<HttpMethod> allowMethods = checkMethods(config, requestMethod);
List<String> requestHeaders = getHeadersToUse(request, isPreFlight);
List<String> requestHeaders = getHeadersToUse(request, preFlightRequest);
List<String> allowHeaders = checkHeaders(config, requestHeaders);
if (allowOrigin == null || allowMethods == null || (isPreFlight && allowHeaders == null)) {
handleInvalidCorsRequest(response);
if (allowOrigin == null || allowMethods == null || (preFlightRequest && allowHeaders == null)) {
rejectRequest(response);
return false;
}
@@ -128,11 +134,11 @@ public class DefaultCorsProcessor implements CorsProcessor {
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
if (isPreFlight) {
if (preFlightRequest) {
responseHeaders.setAccessControlAllowMethods(allowMethods);
}
if (isPreFlight && !allowHeaders.isEmpty()) {
if (preFlightRequest && !allowHeaders.isEmpty()) {
responseHeaders.setAccessControlAllowHeaders(allowHeaders);
}
@@ -144,10 +150,11 @@ public class DefaultCorsProcessor implements CorsProcessor {
responseHeaders.setAccessControlAllowCredentials(true);
}
if (isPreFlight && config.getMaxAge() != null) {
if (preFlightRequest && config.getMaxAge() != null) {
responseHeaders.setAccessControlMaxAge(config.getMaxAge());
}
response.flush();
return true;
}
@@ -187,14 +194,4 @@ public class DefaultCorsProcessor implements CorsProcessor {
return (isPreFlight ? headers.getAccessControlRequestHeaders() : new ArrayList<String>(headers.keySet()));
}
/**
* Invoked when one of the CORS checks failed.
* The default implementation sets the response status to 403 and writes
* "Invalid CORS request" to the response.
*/
protected void handleInvalidCorsRequest(ServerHttpResponse response) throws IOException {
response.setStatusCode(HttpStatus.FORBIDDEN);
response.getBody().write("Invalid CORS request".getBytes(UTF8_CHARSET));
}
}