Make DefaultCorsProcessor Servlet 2.5 compliant

This commit adds CORS related headers to HttpHeaders
and update DefaultCorsProcessor implementation to
use ServerHttpRequest and ServerHttpResponse instead
of HttpServletRequest and HttpServletResponse. Usage
of ServerHttpResponse allows to avoid using Servlet 3.0
specific methods in order keep CORS support Servlet 2.5
compliant.

Issue: SPR-12885
This commit is contained in:
Sebastien Deleuze
2015-04-19 18:26:46 +02:00
parent 71683c5f8d
commit 83f269b512
13 changed files with 412 additions and 199 deletions

View File

@@ -32,12 +32,16 @@ import java.util.TimeZone;
import org.hamcrest.Matchers;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import org.junit.Before;
import org.junit.Test;
/**
* Unit tests for {@link org.springframework.http.HttpHeaders}.
* @author Arjen Poutsma
* @author Sebastien Deleuze
*/
public class HttpHeadersTests {
@@ -267,4 +271,70 @@ public class HttpHeadersTests {
assertThat(headers.getAllow(), Matchers.emptyCollectionOf(HttpMethod.class));
}
@Test
public void accessControlAllowCredentials() {
assertFalse(headers.getAccessControlAllowCredentials());
headers.setAccessControlAllowCredentials(false);
assertFalse(headers.getAccessControlAllowCredentials());
headers.setAccessControlAllowCredentials(true);
assertTrue(headers.getAccessControlAllowCredentials());
}
@Test
public void accessControlAllowHeaders() {
List<String> allowedHeaders = headers.getAccessControlAllowHeaders();
assertThat(allowedHeaders, Matchers.emptyCollectionOf(String.class));
headers.setAccessControlAllowHeaders(Arrays.asList("header1", "header2"));
allowedHeaders = headers.getAccessControlAllowHeaders();
assertEquals(allowedHeaders, Arrays.asList("header1", "header2"));
}
@Test
public void accessControlAllowMethods() {
List<HttpMethod> allowedMethods = headers.getAccessControlAllowMethods();
assertThat(allowedMethods, Matchers.emptyCollectionOf(HttpMethod.class));
headers.setAccessControlAllowMethods(Arrays.asList(HttpMethod.GET, HttpMethod.POST));
allowedMethods = headers.getAccessControlAllowMethods();
assertEquals(allowedMethods, Arrays.asList(HttpMethod.GET, HttpMethod.POST));
}
@Test
public void accessControlAllowOrigin() {
assertNull(headers.getAccessControlAllowOrigin());
headers.setAccessControlAllowOrigin("*");
assertEquals("*", headers.getAccessControlAllowOrigin());
}
@Test
public void accessControlExposeHeaders() {
List<String> exposedHeaders = headers.getAccessControlExposeHeaders();
assertThat(exposedHeaders, Matchers.emptyCollectionOf(String.class));
headers.setAccessControlExposeHeaders(Arrays.asList("header1", "header2"));
exposedHeaders = headers.getAccessControlExposeHeaders();
assertEquals(exposedHeaders, Arrays.asList("header1", "header2"));
}
@Test
public void accessControlMaxAge() {
assertEquals(-1, headers.getAccessControlMaxAge());
headers.setAccessControlMaxAge(3600);
assertEquals(3600, headers.getAccessControlMaxAge());
}
@Test
public void accessControlRequestHeaders() {
List<String> requestHeaders = headers.getAccessControlRequestHeaders();
assertThat(requestHeaders, Matchers.emptyCollectionOf(String.class));
headers.setAccessControlRequestHeaders(Arrays.asList("header1", "header2"));
requestHeaders = headers.getAccessControlRequestHeaders();
assertEquals(requestHeaders, Arrays.asList("header1", "header2"));
}
@Test
public void accessControlRequestMethod() {
assertNull(headers.getAccessControlRequestMethod());
headers.setAccessControlRequestMethod(HttpMethod.POST);
assertEquals(HttpMethod.POST, headers.getAccessControlRequestMethod());
}
}

View File

@@ -48,7 +48,7 @@ public class CorsUtilsTests {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("OPTIONS");
request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
assertTrue(CorsUtils.isPreFlightRequest(request));
}
@@ -62,7 +62,7 @@ public class CorsUtilsTests {
assertFalse(CorsUtils.isPreFlightRequest(request));
request = new MockHttpServletRequest();
request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
assertFalse(CorsUtils.isPreFlightRequest(request));
}

View File

@@ -62,7 +62,7 @@ public class DefaultCorsProcessorTests {
this.request.setMethod(HttpMethod.GET.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.processor.processActualRequest(this.conf, request, response);
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
}
@@ -72,10 +72,10 @@ public class DefaultCorsProcessorTests {
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.conf.addAllowedOrigin("*");
this.processor.processActualRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -88,10 +88,10 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
this.conf.setAllowCredentials(true);
this.processor.processActualRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -102,10 +102,10 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("*");
this.conf.setAllowCredentials(true);
this.processor.processActualRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -115,7 +115,7 @@ public class DefaultCorsProcessorTests {
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.conf.addAllowedOrigin("http://domain2.com/TEST.html");
this.processor.processActualRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -127,11 +127,11 @@ public class DefaultCorsProcessorTests {
this.conf.addExposedHeader("header2");
this.conf.addAllowedOrigin("http://domain2.com/test.html");
this.processor.processActualRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -139,7 +139,7 @@ public class DefaultCorsProcessorTests {
public void preflightRequestAllOriginsAllowed() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedOrigin("*");
this.processor.processPreFlightRequest(this.conf, request, response);
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
@@ -149,7 +149,7 @@ public class DefaultCorsProcessorTests {
public void preflightRequestWrongAllowedMethod() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
this.conf.addAllowedOrigin("*");
this.processor.processPreFlightRequest(this.conf, request, response);
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
@@ -159,17 +159,17 @@ public class DefaultCorsProcessorTests {
public void preflightRequestMatchedAllowedMethod() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedOrigin("*");
this.processor.processPreFlightRequest(this.conf, request, response);
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
assertEquals("GET", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals("GET", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
}
@Test(expected = IllegalArgumentException.class)
public void preflightRequestWithoutOriginHeader() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.processor.processPreFlightRequest(this.conf, request, response);
}
@@ -178,7 +178,7 @@ public class DefaultCorsProcessorTests {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.processor.processPreFlightRequest(this.conf, request, response);
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
}
@@ -186,9 +186,9 @@ public class DefaultCorsProcessorTests {
public void preflightRequestWithoutRequestMethod() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.processor.processPreFlightRequest(this.conf, request, response);
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
}
@@ -196,10 +196,10 @@ public class DefaultCorsProcessorTests {
public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.processor.processPreFlightRequest(this.conf, request, response);
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
}
@@ -207,19 +207,19 @@ public class DefaultCorsProcessorTests {
public void preflightRequestValidRequestAndConfig() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedOrigin("*");
this.conf.addAllowedMethod("GET");
this.conf.addAllowedMethod("PUT");
this.conf.addAllowedHeader("header1");
this.conf.addAllowedHeader("header2");
this.processor.processPreFlightRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals("GET,PUT", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertEquals("GET,PUT", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -227,18 +227,18 @@ public class DefaultCorsProcessorTests {
public void preflightRequestCrendentials() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedOrigin("http://domain2.com/home.html");
this.conf.addAllowedOrigin("http://domain2.com/test.html");
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);
this.processor.processPreFlightRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -246,16 +246,16 @@ public class DefaultCorsProcessorTests {
public void preflightRequestCrendentialsWithOriginWildcard() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedOrigin("http://domain2.com/home.html");
this.conf.addAllowedOrigin("*");
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);
this.processor.processPreFlightRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -263,18 +263,18 @@ public class DefaultCorsProcessorTests {
public void preflightRequestAllowedHeaders() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedHeader("Header1");
this.conf.addAllowedHeader("Header2");
this.conf.addAllowedHeader("Header3");
this.conf.addAllowedOrigin("http://domain2.com/test.html");
this.processor.processPreFlightRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}
@@ -282,16 +282,16 @@ public class DefaultCorsProcessorTests {
public void preflightRequestAllowsAllHeaders() throws Exception {
this.request.setMethod(HttpMethod.OPTIONS.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.conf.addAllowedHeader("*");
this.conf.addAllowedOrigin("http://domain2.com/test.html");
this.processor.processPreFlightRequest(this.conf, request, response);
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}