CORS-related refinements
After this change CorsProcessor has a single processRequest method and it also explicitly deals with a null CorsConfiguration, which for pre-flight requests results in a rejection while for simple requests results in no CORS headers added. The AbstractHandlerMapping now uses a LinkedHashMap to preserve the order in which global patterns are provided.
@@ -32,14 +32,19 @@ import static org.junit.Assert.*;
|
||||
* Test {@link DefaultCorsProcessor} with simple or preflight CORS request.
|
||||
*
|
||||
* @author Sebastien Deleuze
|
||||
* @author Rossen Stoyanchev
|
||||
*/
|
||||
public class DefaultCorsProcessorTests {
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
|
||||
private DefaultCorsProcessor processor;
|
||||
|
||||
private CorsConfiguration conf;
|
||||
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
@@ -51,31 +56,34 @@ public class DefaultCorsProcessorTests {
|
||||
this.processor = new DefaultCorsProcessor();
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void actualRequestWithoutOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestwithOriginHeaderAndAllowedOrigin() throws Exception {
|
||||
public void actualRequestWithOriginHeaderAndNullConfig() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.processor.processRequest(null, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -87,10 +95,10 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
@@ -101,10 +109,10 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
@@ -114,8 +122,8 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/TEST.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -126,12 +134,12 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addExposedHeader("header1");
|
||||
this.conf.addExposedHeader("header2");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -141,7 +149,7 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -151,7 +159,7 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -161,24 +169,17 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
assertEquals("GET", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void preflightRequestWithoutOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -187,8 +188,8 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -198,8 +199,8 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -214,12 +215,12 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedMethod("PUT");
|
||||
this.conf.addAllowedHeader("header1");
|
||||
this.conf.addAllowedHeader("header2");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertEquals("GET,PUT", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -234,10 +235,10 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
@@ -253,8 +254,8 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
@@ -269,12 +270,12 @@ public class DefaultCorsProcessorTests {
|
||||
this.conf.addAllowedHeader("Header2");
|
||||
this.conf.addAllowedHeader("Header3");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@@ -286,13 +287,24 @@ public class DefaultCorsProcessorTests {
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedHeader("*");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
|
||||
this.processor.processRequest(this.conf, request, response);
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithNullConfig() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processRequest(null, request, response);
|
||||
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
}
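Review bot: `preflightRequestWithNullConfig` calls `this.conf.addAllowedOrigin("*")` and then passes `null` to `processRequest`, so the configured allowance is never consulted and the line only obscures what the test exercises; drop `this.conf.addAllowedOrigin("*");` or, if the point is that an existing configuration is irrelevant when the handler supplies none, say so in a comment above the call. The same hunk's assertions (no `Access-Control-Allow-Origin`, status 403) match the behaviour the commit description gives for a preflight with no configuration, while the earlier `actualRequestWithOriginHeaderAndNullConfig` test asserts 200 with no CORS headers for a simple request; a one-line comment on each test stating that contrast (`// no config: preflight is rejected, simple request passes through without CORS headers`) would make the pair self-explanatory for the next reader. The new tests also set up the request through the shared `request`/`response` fields inconsistently (`response` vs `this.response`), a purely cosmetic point that could be aligned with the rest of the class.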
|
||||