Add PreFlightRequestHandler for Spring MVC

This is equivalent of the same contract for WebFlux. It is implemented
by HandlerMappingIntrospector, and may be called directly by Spring
Security to handle a pre-flight request without delegate to the rest
of the filter chain.

HandlerMappingIntrospector also has the boolean method
allHandlerMappingsUsePathPatternParser that checks whether all handler
mappings are configured to use parsed PathPattern's.

See gh-31823
This commit is contained in:
rstoyanchev
2024-04-23 18:57:37 +01:00
parent 3991cae875
commit 75a5409c97
6 changed files with 182 additions and 18 deletions

View File

@@ -31,6 +31,7 @@ import org.springframework.web.HttpRequestHandler;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.PreFlightRequestHandler;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.support.WebContentGenerator;
@@ -72,7 +73,7 @@ class CorsAbstractHandlerMappingTests {
assertThat(chain).isNotNull();
assertThat(chain.getHandler()).isNotNull();
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
assertThat(mapping.hasSavedCorsConfig()).isFalse();
}
@@ -103,7 +104,7 @@ class CorsAbstractHandlerMappingTests {
assertThat(chain).isNotNull();
assertThat(chain.getHandler()).isNotNull();
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
assertThat(mapping.getRequiredCorsConfig().getAllowedOrigins()).containsExactly("*");
}
@@ -144,7 +145,7 @@ class CorsAbstractHandlerMappingTests {
assertThat(chain).isNotNull();
assertThat(chain.getHandler()).isNotNull();
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
assertThat(mapping.getRequiredCorsConfig().getAllowedOrigins()).containsExactly("*");
}
@@ -172,7 +173,7 @@ class CorsAbstractHandlerMappingTests {
assertThat(chain).isNotNull();
assertThat(chain.getHandler()).isNotNull();
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
CorsConfiguration config = mapping.getRequiredCorsConfig();
assertThat(config).isNotNull();

View File

@@ -48,6 +48,7 @@ import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.servlet.NoHandlerFoundException;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;
@@ -63,6 +64,7 @@ import org.springframework.web.util.pattern.PatternParseException;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.springframework.web.servlet.HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE;
/**
@@ -113,6 +115,29 @@ class HandlerMappingIntrospectorTests {
assertThat(actual).isEqualTo(expected);
}
@Test
void useParsedPatternsOnly() {
GenericWebApplicationContext context = new GenericWebApplicationContext();
context.registerBean("A", SimpleUrlHandlerMapping.class);
context.registerBean("B", SimpleUrlHandlerMapping.class);
context.registerBean("C", SimpleUrlHandlerMapping.class);
context.refresh();
assertThat(initIntrospector(context).allHandlerMappingsUsePathPatternParser()).isTrue();
context = new GenericWebApplicationContext();
context.registerBean("A", SimpleUrlHandlerMapping.class);
context.registerBean("B", SimpleUrlHandlerMapping.class);
context.registerBean("C", SimpleUrlHandlerMapping.class, () -> {
SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping();
mapping.setPatternParser(null);
return mapping;
});
context.refresh();
assertThat(initIntrospector(context).allHandlerMappingsUsePathPatternParser()).isFalse();
}
@ParameterizedTest
@ValueSource(booleans = {true, false})
void getMatchable(boolean usePathPatterns) throws Exception {
@@ -204,6 +229,41 @@ class HandlerMappingIntrospectorTests {
assertThat(corsConfig.getAllowedMethods()).isEqualTo(Collections.singletonList("POST"));
}
@Test
void handlePreFlight() throws Exception {
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.register(TestConfig.class);
context.refresh();
MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/path");
request.addHeader("Origin", "http://localhost:9000");
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST");
MockHttpServletResponse response = new MockHttpServletResponse();
initIntrospector(context).handlePreFlight(request, response);
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("http://localhost:9000");
assertThat(response.getHeaders(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)).containsExactly("POST");
}
@Test
void handlePreFlightWithNoHandlerFoundException() {
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.register(TestConfig.class);
context.refresh();
MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/unknownPath");
request.addHeader("Origin", "http://localhost:9000");
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST");
MockHttpServletResponse response = new MockHttpServletResponse();
assertThatThrownBy(() -> initIntrospector(context).handlePreFlight(request, response))
.isInstanceOf(NoHandlerFoundException.class);
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)).isNull();
}
@ParameterizedTest
@ValueSource(strings = {"/test", "/resource/1234****"}) // gh-31937
void cacheFilter(String uri) throws Exception {

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.PreFlightRequestHandler;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.handler.PathPatternsParameterizedTest;
@@ -127,7 +128,7 @@ class CrossOriginTests {
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
HandlerExecutionChain chain = mapping.getHandler(request);
assertThat(chain).isNotNull();
assertThat(chain.getHandler().getClass().getName()).endsWith("AbstractHandlerMapping$PreFlightHandler");
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
}
@PathPatternsParameterizedTest // SPR-12931
@@ -389,7 +390,7 @@ class CrossOriginTests {
assertThat(chain).isNotNull();
if (isPreFlightRequest) {
Object handler = chain.getHandler();
assertThat(handler.getClass().getSimpleName()).isEqualTo("PreFlightHandler");
assertThat(handler).isInstanceOf(PreFlightRequestHandler.class);
DirectFieldAccessor accessor = new DirectFieldAccessor(handler);
return (CorsConfiguration)accessor.getPropertyValue("config");
}