Add PreFlightRequestHandler for Spring MVC
This is equivalent of the same contract for WebFlux. It is implemented by HandlerMappingIntrospector, and may be called directly by Spring Security to handle a pre-flight request without delegate to the rest of the filter chain. HandlerMappingIntrospector also has the boolean method allHandlerMappingsUsePathPatternParser that checks whether all handler mappings are configured to use parsed PathPattern's. See gh-31823
This commit is contained in:
@@ -31,6 +31,7 @@ import org.springframework.web.HttpRequestHandler;
|
||||
import org.springframework.web.context.support.StaticWebApplicationContext;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.CorsConfigurationSource;
|
||||
import org.springframework.web.cors.PreFlightRequestHandler;
|
||||
import org.springframework.web.servlet.HandlerExecutionChain;
|
||||
import org.springframework.web.servlet.HandlerInterceptor;
|
||||
import org.springframework.web.servlet.support.WebContentGenerator;
|
||||
@@ -72,7 +73,7 @@ class CorsAbstractHandlerMappingTests {
|
||||
|
||||
assertThat(chain).isNotNull();
|
||||
assertThat(chain.getHandler()).isNotNull();
|
||||
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
|
||||
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
|
||||
assertThat(mapping.hasSavedCorsConfig()).isFalse();
|
||||
}
|
||||
|
||||
@@ -103,7 +104,7 @@ class CorsAbstractHandlerMappingTests {
|
||||
|
||||
assertThat(chain).isNotNull();
|
||||
assertThat(chain.getHandler()).isNotNull();
|
||||
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
|
||||
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
|
||||
assertThat(mapping.getRequiredCorsConfig().getAllowedOrigins()).containsExactly("*");
|
||||
}
|
||||
|
||||
@@ -144,7 +145,7 @@ class CorsAbstractHandlerMappingTests {
|
||||
|
||||
assertThat(chain).isNotNull();
|
||||
assertThat(chain.getHandler()).isNotNull();
|
||||
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
|
||||
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
|
||||
assertThat(mapping.getRequiredCorsConfig().getAllowedOrigins()).containsExactly("*");
|
||||
}
|
||||
|
||||
@@ -172,7 +173,7 @@ class CorsAbstractHandlerMappingTests {
|
||||
|
||||
assertThat(chain).isNotNull();
|
||||
assertThat(chain.getHandler()).isNotNull();
|
||||
assertThat(chain.getHandler().getClass().getSimpleName()).isEqualTo("PreFlightHandler");
|
||||
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
|
||||
|
||||
CorsConfiguration config = mapping.getRequiredCorsConfig();
|
||||
assertThat(config).isNotNull();
|
||||
|
||||
@@ -48,6 +48,7 @@ import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.CorsConfigurationSource;
|
||||
import org.springframework.web.servlet.HandlerExecutionChain;
|
||||
import org.springframework.web.servlet.HandlerMapping;
|
||||
import org.springframework.web.servlet.NoHandlerFoundException;
|
||||
import org.springframework.web.servlet.function.RouterFunction;
|
||||
import org.springframework.web.servlet.function.RouterFunctions;
|
||||
import org.springframework.web.servlet.function.ServerResponse;
|
||||
@@ -63,6 +64,7 @@ import org.springframework.web.util.pattern.PatternParseException;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
import static org.springframework.web.servlet.HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE;
|
||||
|
||||
/**
|
||||
@@ -113,6 +115,29 @@ class HandlerMappingIntrospectorTests {
|
||||
assertThat(actual).isEqualTo(expected);
|
||||
}
|
||||
|
||||
@Test
|
||||
void useParsedPatternsOnly() {
|
||||
GenericWebApplicationContext context = new GenericWebApplicationContext();
|
||||
context.registerBean("A", SimpleUrlHandlerMapping.class);
|
||||
context.registerBean("B", SimpleUrlHandlerMapping.class);
|
||||
context.registerBean("C", SimpleUrlHandlerMapping.class);
|
||||
context.refresh();
|
||||
|
||||
assertThat(initIntrospector(context).allHandlerMappingsUsePathPatternParser()).isTrue();
|
||||
|
||||
context = new GenericWebApplicationContext();
|
||||
context.registerBean("A", SimpleUrlHandlerMapping.class);
|
||||
context.registerBean("B", SimpleUrlHandlerMapping.class);
|
||||
context.registerBean("C", SimpleUrlHandlerMapping.class, () -> {
|
||||
SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping();
|
||||
mapping.setPatternParser(null);
|
||||
return mapping;
|
||||
});
|
||||
context.refresh();
|
||||
|
||||
assertThat(initIntrospector(context).allHandlerMappingsUsePathPatternParser()).isFalse();
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@ValueSource(booleans = {true, false})
|
||||
void getMatchable(boolean usePathPatterns) throws Exception {
|
||||
@@ -204,6 +229,41 @@ class HandlerMappingIntrospectorTests {
|
||||
assertThat(corsConfig.getAllowedMethods()).isEqualTo(Collections.singletonList("POST"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void handlePreFlight() throws Exception {
|
||||
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
|
||||
context.register(TestConfig.class);
|
||||
context.refresh();
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/path");
|
||||
request.addHeader("Origin", "http://localhost:9000");
|
||||
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
initIntrospector(context).handlePreFlight(request, response);
|
||||
|
||||
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("http://localhost:9000");
|
||||
assertThat(response.getHeaders(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)).containsExactly("POST");
|
||||
}
|
||||
|
||||
@Test
|
||||
void handlePreFlightWithNoHandlerFoundException() {
|
||||
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
|
||||
context.register(TestConfig.class);
|
||||
context.refresh();
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/unknownPath");
|
||||
request.addHeader("Origin", "http://localhost:9000");
|
||||
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
assertThatThrownBy(() -> initIntrospector(context).handlePreFlight(request, response))
|
||||
.isInstanceOf(NoHandlerFoundException.class);
|
||||
|
||||
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
|
||||
assertThat(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)).isNull();
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@ValueSource(strings = {"/test", "/resource/1234****"}) // gh-31937
|
||||
void cacheFilter(String uri) throws Exception {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -47,6 +47,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.context.support.StaticWebApplicationContext;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.PreFlightRequestHandler;
|
||||
import org.springframework.web.servlet.HandlerExecutionChain;
|
||||
import org.springframework.web.servlet.HandlerInterceptor;
|
||||
import org.springframework.web.servlet.handler.PathPatternsParameterizedTest;
|
||||
@@ -127,7 +128,7 @@ class CrossOriginTests {
|
||||
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
HandlerExecutionChain chain = mapping.getHandler(request);
|
||||
assertThat(chain).isNotNull();
|
||||
assertThat(chain.getHandler().getClass().getName()).endsWith("AbstractHandlerMapping$PreFlightHandler");
|
||||
assertThat(chain.getHandler()).isInstanceOf(PreFlightRequestHandler.class);
|
||||
}
|
||||
|
||||
@PathPatternsParameterizedTest // SPR-12931
|
||||
@@ -389,7 +390,7 @@ class CrossOriginTests {
|
||||
assertThat(chain).isNotNull();
|
||||
if (isPreFlightRequest) {
|
||||
Object handler = chain.getHandler();
|
||||
assertThat(handler.getClass().getSimpleName()).isEqualTo("PreFlightHandler");
|
||||
assertThat(handler).isInstanceOf(PreFlightRequestHandler.class);
|
||||
DirectFieldAccessor accessor = new DirectFieldAccessor(handler);
|
||||
return (CorsConfiguration)accessor.getPropertyValue("config");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user