CorsConfiguration now supports pattern based origins.
Closes gh-24763
committed by
Rossen Stoyanchev
parent
a1bab14140
commit
8632118e8d
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -50,6 +50,8 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getAllowCredentials()).isNull();
|
||||
config.setMaxAge((Long) null);
|
||||
assertThat(config.getMaxAge()).isNull();
|
||||
config.setAllowedOriginsPatterns(null);
|
||||
assertThat(config.getAllowedOriginsPatterns()).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -68,6 +70,8 @@ public class CorsConfigurationTests {
|
||||
assertThat((boolean) config.getAllowCredentials()).isTrue();
|
||||
config.setMaxAge(123L);
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
|
||||
config.addAllowedOriginPattern(".*\\.example\\.com");
|
||||
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.example\\.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -101,6 +105,7 @@ public class CorsConfigurationTests {
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.setMaxAge(123L);
|
||||
config.setAllowCredentials(true);
|
||||
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.example\\.com"));
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
config = config.combine(other);
|
||||
assertThat(config.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
|
||||
@@ -109,6 +114,7 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name()));
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
|
||||
assertThat((boolean) config.getAllowCredentials()).isTrue();
|
||||
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.example\\.com"));
|
||||
}
|
||||
|
||||
@Test // SPR-15772
|
||||
@@ -142,25 +148,60 @@ public class CorsConfigurationTests {
|
||||
HttpMethod.POST.name()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combinePatternWithDefaultPermitValues() {
|
||||
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOriginPattern(".*\\.com");
|
||||
|
||||
CorsConfiguration combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isNull();
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
|
||||
|
||||
combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isNull();
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combinePatternWithDefaultPermitValuesAndCustomOrigin() {
|
||||
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
|
||||
config.setAllowedOrigins(Arrays.asList("https://domain.com"));
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOriginPattern(".*\\.com");
|
||||
|
||||
CorsConfiguration combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain.com"));
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
|
||||
|
||||
combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain.com"));
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void combineWithAsteriskWildCard() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOrigin("*");
|
||||
config.addAllowedHeader("*");
|
||||
config.addAllowedMethod("*");
|
||||
config.addAllowedOriginPattern(".*");
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain.com");
|
||||
other.addAllowedHeader("header1");
|
||||
other.addExposedHeader("header2");
|
||||
other.addAllowedOriginPattern(".*\\.company\\.com");
|
||||
other.addAllowedMethod(HttpMethod.PUT.name());
|
||||
CorsConfiguration combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*"));
|
||||
combinedConfig = other.combine(config);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList("*"));
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*"));
|
||||
}
|
||||
|
||||
@Test // SPR-14792
|
||||
@@ -174,16 +215,20 @@ public class CorsConfigurationTests {
|
||||
config.addExposedHeader("header4");
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.addAllowedMethod(HttpMethod.PUT.name());
|
||||
config.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
config.addAllowedOriginPattern(".*\\.domain2\\.com");
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain1.com");
|
||||
other.addAllowedHeader("header1");
|
||||
other.addExposedHeader("header3");
|
||||
other.addAllowedMethod(HttpMethod.GET.name());
|
||||
other.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
CorsConfiguration combinedConfig = config.combine(other);
|
||||
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain1.com", "https://domain2.com"));
|
||||
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
|
||||
assertThat(combinedConfig.getExposedHeaders()).isEqualTo(Arrays.asList("header3", "header4"));
|
||||
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()));
|
||||
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.domain1\\.com", ".*\\.domain2\\.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -195,6 +240,7 @@ public class CorsConfigurationTests {
|
||||
config.addAllowedMethod(HttpMethod.GET.name());
|
||||
config.setMaxAge(123L);
|
||||
config.setAllowCredentials(true);
|
||||
config.addAllowedOriginPattern(".*\\.domain1\\.com");
|
||||
CorsConfiguration other = new CorsConfiguration();
|
||||
other.addAllowedOrigin("https://domain2.com");
|
||||
other.addAllowedHeader("header2");
|
||||
@@ -202,6 +248,7 @@ public class CorsConfigurationTests {
|
||||
other.addAllowedMethod(HttpMethod.PUT.name());
|
||||
other.setMaxAge(456L);
|
||||
other.setAllowCredentials(false);
|
||||
other.addAllowedOriginPattern(".*\\.domain2\\.com");
|
||||
config = config.combine(other);
|
||||
assertThat(config.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain1.com", "https://domain2.com"));
|
||||
assertThat(config.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
|
||||
@@ -209,6 +256,7 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()));
|
||||
assertThat(config.getMaxAge()).isEqualTo(new Long(456));
|
||||
assertThat((boolean) config.getAllowCredentials()).isFalse();
|
||||
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.domain1\\.com", ".*\\.domain2\\.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -237,6 +285,32 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkOriginPatternAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.setAllowedOriginsPatterns(Arrays.asList(".*"));
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
|
||||
config.setAllowCredentials(true);
|
||||
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
|
||||
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.domain\\.com"));
|
||||
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
|
||||
config.setAllowCredentials(false);
|
||||
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkOriginPatternNotAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
config.addAllowedOriginPattern(".*");
|
||||
assertThat(config.checkOrigin(null)).isNull();
|
||||
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.domain1\\.com"));
|
||||
assertThat(config.checkOrigin("https://domain2.com")).isNull();
|
||||
config.setAllowedOriginsPatterns(new ArrayList<>());
|
||||
assertThat(config.checkOrigin("https://domain.com")).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkMethodAllowed() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
@@ -291,4 +365,12 @@ public class CorsConfigurationTests {
|
||||
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList("GET", "HEAD", "POST", "PATCH"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void permitDefaultDoesntSetOriginWhenPatternPresent() {
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.addAllowedOriginPattern(".*\\.com");
|
||||
config = config.applyPermitDefaultValues();
|
||||
assertThat(config.getAllowedOrigins()).isNull();
|
||||
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
|
||||
}
|
||||
}
|
||||
|
||||
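Review bot: checkOriginPatternNotAllowed never pins how a pattern is anchored, because its only mismatch case is `https://domain2.com` against `.*\\.domain1\\.com`, which is rejected under both full-match and substring matching. The matching code is not visible on this page, so I would add a case where the allowed suffix sits in the middle of the host, e.g. `assertThat(config.checkOrigin("https://a.domain1.com.other.example")).isNull();`, so that a later change from a full match to `find()` cannot silently widen the allow-list. In checkOriginPatternAllowed, the assertion that `.*` together with `setAllowCredentials(true)` echoes the request origin documents an any-origin-with-credentials configuration. That assertion deserves a comment marking it as deliberate, such as `// ".*" with credentials reflects every origin; pinned here as behaviour, not as a recommended setup`. The patterns under test also leave the scheme unconstrained, so a companion assertion for an `http://` origin would make clear whether that is intended.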