();
+ private CorsProcessor corsProcessor = new DefaultCorsProcessor();
+
/**
* Specify the order value for this HandlerMapping bean.
@@ -184,6 +194,13 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
this.interceptors.addAll(Arrays.asList(interceptors));
}
+ /**
+ * @since 4.2
+ */
+ public void setCorsProcessor(CorsProcessor corsProcessor) {
+ Assert.notNull(corsProcessor, "CorsProcessor must not be null");
+ this.corsProcessor = corsProcessor;
+ }
/**
* Initializes the interceptors.
@@ -308,16 +325,29 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
String handlerName = (String) handler;
handler = getApplicationContext().getBean(handlerName);
}
- return getHandlerExecutionChain(handler, request);
+ HandlerExecutionChain executionChain = getHandlerExecutionChain(handler, request);
+ if (CorsUtils.isCorsRequest(request)) {
+ CorsConfiguration config = getCorsConfiguration(handler, request);
+ executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
+ }
+ return executionChain;
}
/**
* Look up a handler for the given request, returning {@code null} if no
* specific one is found. This method is called by {@link #getHandler};
* a {@code null} return value will lead to the default handler, if one is set.
+ *
+ * On CORS pre-flight requests this method should return a match not for
+ * the pre-flight request but for the expected actual request based on the URL
+ * path, the HTTP methods from the "Access-Control-Request-Method" header, and
+ * the headers from the "Access-Control-Request-Headers" header thus allowing
+ * the CORS configuration to be obtained via {@link #getCorsConfiguration},
+ *
*
Note: This method may also return a pre-built {@link HandlerExecutionChain},
* combining a handler object with dynamically determined interceptors.
* Statically specified interceptors will get merged into such an existing chain.
+ *
* @param request current HTTP request
* @return the corresponding handler instance, or {@code null} if none found
* @throws Exception if there is an internal error
@@ -358,4 +388,72 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
return chain;
}
+ /**
+ * Retrieve the CORS configuration for the given handler.
+ */
+ protected CorsConfiguration getCorsConfiguration(Object handler, HttpServletRequest request) {
+ handler = (handler instanceof HandlerExecutionChain) ? ((HandlerExecutionChain) handler).getHandler() : handler;
+ if (handler != null && handler instanceof CorsConfigurationSource) {
+ return ((CorsConfigurationSource) handler).getCorsConfiguration(request);
+ }
+ return null;
+ }
+
+ /**
+ * Update the HandlerExecutionChain for CORS-related handling.
+ *
+ *
For pre-flight requests, the default implementation replaces the selected
+ * handler with a simple HttpRequestHandler that invokes the configured
+ * {@link #setCorsProcessor}.
+ *
+ *
For actual requests, the default implementation inserts a
+ * HandlerInterceptor that makes CORS-related checks and adds CORS headers.
+ */
+ protected HandlerExecutionChain getCorsHandlerExecutionChain(HttpServletRequest request,
+ HandlerExecutionChain chain, CorsConfiguration config) {
+
+ if (config != null) {
+ if (CorsUtils.isPreFlightRequest(request)) {
+ HandlerInterceptor[] interceptors = chain.getInterceptors();
+ chain = new HandlerExecutionChain(new PreFlightHandler(config), interceptors);
+ }
+ else {
+ chain.addInterceptor(new CorsInterceptor(config));
+ }
+ }
+ return chain;
+ }
+
+
+ private class PreFlightHandler implements HttpRequestHandler {
+
+ private final CorsConfiguration config;
+
+
+ public PreFlightHandler(CorsConfiguration config) {
+ this.config = config;
+ }
+
+ @Override
+ public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ corsProcessor.processPreFlightRequest(this.config, request, response);
+ }
+ }
+
+ private class CorsInterceptor extends HandlerInterceptorAdapter {
+
+ private final CorsConfiguration config;
+
+
+ public CorsInterceptor(CorsConfiguration config) {
+ this.config = config;
+ }
+
+ @Override
+ public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+ return corsProcessor.processActualRequest(this.config, request, response);
+ }
+
+ }
+
}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/handler/AbstractHandlerMethodMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/handler/AbstractHandlerMethodMapping.java
index 7055d3038c..9a36308ce0 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/handler/AbstractHandlerMethodMapping.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/handler/AbstractHandlerMethodMapping.java
@@ -35,6 +35,8 @@ import org.springframework.util.ClassUtils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.ReflectionUtils.MethodFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.method.HandlerMethodSelector;
import org.springframework.web.servlet.HandlerMapping;
@@ -67,6 +69,9 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
*/
private static final String SCOPED_TARGET_NAME_PREFIX = "scopedTarget.";
+ private static final HandlerMethod PREFLIGHT_MULTI_MATCH_HANDLER_METHOD =
+ new HandlerMethod(new EmptyHandler(), ClassUtils.getMethod(EmptyHandler.class, "handle"));
+
private boolean detectHandlerMethodsInAncestorContexts = false;
@@ -78,6 +83,8 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
private final MultiValueMap nameMap = new LinkedMultiValueMap();
+ private final Map corsConfigurations = new LinkedHashMap();
+
/**
* Whether to detect handler methods in beans in ancestor ApplicationContexts.
@@ -106,6 +113,20 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
return Collections.unmodifiableMap(this.handlerMethods);
}
+ protected Map getCorsConfigurations() {
+ return corsConfigurations;
+ }
+
+ @Override
+ protected CorsConfiguration getCorsConfiguration(Object handler, HttpServletRequest request) {
+ CorsConfiguration config = super.getCorsConfiguration(handler, request);
+ if (config == null && handler instanceof HandlerMethod) {
+ HandlerMethod handlerMethod = (HandlerMethod)handler;
+ config = this.getCorsConfigurations().get(handlerMethod.getMethod());
+ }
+ return config;
+ }
+
/**
* Return the handler methods mapped to the mapping with the given name.
* @param mappingName the mapping name
@@ -144,9 +165,19 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
detectHandlerMethods(beanName);
}
}
+ registerMultiMatchCorsConfiguration();
handlerMethodsInitialized(getHandlerMethods());
}
+ private void registerMultiMatchCorsConfiguration() {
+ CorsConfiguration config = new CorsConfiguration();
+ config.addAllowedOrigin("*");
+ config.addAllowedMethod("*");
+ config.addAllowedHeader("*");
+ config.setAllowCredentials(true);
+ this.corsConfigurations.put(PREFLIGHT_MULTI_MATCH_HANDLER_METHOD.getMethod(), config);
+ }
+
/**
* Whether the given type is a handler with handler methods.
* @param beanType the type of the bean being checked
@@ -228,6 +259,15 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
String name = this.namingStrategy.getName(newHandlerMethod, mapping);
updateNameMap(name, newHandlerMethod);
}
+
+ CorsConfiguration config = initCorsConfiguration(handler, method, mapping);
+ if (config != null) {
+ this.corsConfigurations.put(method, config);
+ }
+ }
+
+ protected CorsConfiguration initCorsConfiguration(Object handler, Method method, T mappingInfo) {
+ return null;
}
private void updateNameMap(String name, HandlerMethod newHandlerMethod) {
@@ -333,6 +373,9 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
}
Match bestMatch = matches.get(0);
if (matches.size() > 1) {
+ if (CorsUtils.isPreFlightRequest(request)) {
+ return PREFLIGHT_MULTI_MATCH_HANDLER_METHOD;
+ }
Match secondBestMatch = matches.get(1);
if (comparator.compare(bestMatch, secondBestMatch) == 0) {
Method m1 = bestMatch.handlerMethod.getMethod();
@@ -436,4 +479,13 @@ public abstract class AbstractHandlerMethodMapping extends AbstractHandlerMap
}
}
+
+ private static class EmptyHandler {
+
+ public void handle() {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ }
+
}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfo.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfo.java
index eba39776ed..3839553300 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfo.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfo.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -19,6 +19,8 @@ package org.springframework.web.servlet.mvc.method;
import javax.servlet.http.HttpServletRequest;
import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
import org.springframework.web.servlet.mvc.condition.HeadersRequestCondition;
import org.springframework.web.servlet.mvc.condition.ParamsRequestCondition;
@@ -208,7 +210,15 @@ public final class RequestMappingInfo implements RequestCondition headerExpression : mappingInfo.getHeadersCondition().getExpressions()) {
+ if (!headerExpression.isNegated()) {
+ config.addAllowedHeader(headerExpression.getName());
+ }
+ }
+ }
+ return config;
+ }
+
+ private void applyAnnotation(CorsConfiguration config, CrossOrigin annotation) {
+ if (annotation == null) {
+ return;
+ }
+ for (String origin : annotation.origin()) {
+ config.addAllowedOrigin(origin);
+ }
+ for (RequestMethod method : annotation.method()) {
+ config.addAllowedMethod(method.name());
+ }
+ for (String header : annotation.allowedHeaders()) {
+ config.addAllowedHeader(header);
+ }
+ for (String header : annotation.exposedHeaders()) {
+ config.addExposedHeader(header);
+ }
+ if (annotation.allowCredentials().equalsIgnoreCase("true")) {
+ config.setAllowCredentials(true);
+ }
+ else if (annotation.allowCredentials().equalsIgnoreCase("false")) {
+ config.setAllowCredentials(false);
+ }
+ else if (!annotation.allowCredentials().isEmpty()) {
+ throw new IllegalStateException("AllowCredentials value must be \"true\", \"false\" or \"\" (empty string), current value is " + annotation.allowCredentials());
+ }
+ if (annotation.maxAge() != -1 && config.getMaxAge() == null) {
+ config.setMaxAge(annotation.maxAge());
+ }
+ }
+
}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
index 4de612ee91..8d6783976e 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -38,7 +38,9 @@ import org.springframework.core.io.Resource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRange;
import org.springframework.http.MediaType;
+import org.springframework.web.cors.CorsConfiguration;
import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.CollectionUtils;
@@ -88,7 +90,7 @@ import org.springframework.web.servlet.support.WebContentGenerator;
* @author Arjen Poutsma
* @since 3.0.4
*/
-public class ResourceHttpRequestHandler extends WebContentGenerator implements HttpRequestHandler, InitializingBean {
+public class ResourceHttpRequestHandler extends WebContentGenerator implements HttpRequestHandler, InitializingBean, CorsConfigurationSource {
private static final String CONTENT_ENCODING = "Content-Encoding";
@@ -104,6 +106,8 @@ public class ResourceHttpRequestHandler extends WebContentGenerator implements H
private final List resourceTransformers = new ArrayList(4);
+ private CorsConfiguration corsConfiguration;
+
public ResourceHttpRequestHandler() {
super(METHOD_GET, METHOD_HEAD);
@@ -162,6 +166,9 @@ public class ResourceHttpRequestHandler extends WebContentGenerator implements H
return this.resourceTransformers;
}
+ public void setCorsConfiguration(CorsConfiguration corsConfiguration) {
+ this.corsConfiguration = corsConfiguration;
+ }
@Override
public void afterPropertiesSet() throws Exception {
@@ -172,6 +179,11 @@ public class ResourceHttpRequestHandler extends WebContentGenerator implements H
initAllowedLocations();
}
+ @Override
+ public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+ return corsConfiguration;
+ }
+
/**
* Look for a {@link org.springframework.web.servlet.resource.PathResourceResolver}
* among the {@link #getResourceResolvers() resource resolvers} and configure
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/handler/CorsAbstractHandlerMappingTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/handler/CorsAbstractHandlerMappingTests.java
new file mode 100644
index 0000000000..705909163c
--- /dev/null
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/handler/CorsAbstractHandlerMappingTests.java
@@ -0,0 +1,168 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.servlet.handler;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.junit.Assert.*;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.springframework.beans.DirectFieldAccessor;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.mock.web.test.MockHttpServletRequest;
+import org.springframework.mock.web.test.MockHttpServletResponse;
+import org.springframework.web.HttpRequestHandler;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.context.support.StaticWebApplicationContext;
+import org.springframework.web.cors.CorsUtils;
+import org.springframework.web.servlet.HandlerExecutionChain;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.support.WebContentGenerator;
+
+/**
+ * @author Sebastien Deleuze
+ */
+public class CorsAbstractHandlerMappingTests {
+
+ private MockHttpServletRequest request;
+ private MockHttpServletResponse response;
+ private AbstractHandlerMapping handlerMapping;
+ private StaticWebApplicationContext context;
+
+
+ @Before
+ public void setup() {
+ this.context = new StaticWebApplicationContext();
+ this.handlerMapping = new TestHandlerMapping();
+ this.handlerMapping.setApplicationContext(this.context);
+ this.request = new MockHttpServletRequest();
+ this.request.setRemoteHost("domain1.com");
+ this.response = new MockHttpServletResponse();
+ }
+
+ @Test
+ public void actualRequestWithoutCorsConfigurationProvider() throws Exception {
+ this.request.setMethod(RequestMethod.GET.name());
+ this.request.setRequestURI("/notcors");
+ this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
+ assertTrue(chain.getHandler() instanceof SimpleHandler);
+ }
+
+ @Test
+ public void preflightRequestWithoutCorsConfigurationProvider() throws Exception {
+ this.request.setMethod(RequestMethod.OPTIONS.name());
+ this.request.setRequestURI("/notcors");
+ this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
+ assertTrue(chain.getHandler() instanceof SimpleHandler);
+ }
+
+ @Test
+ public void actualRequestWithCorsConfigurationProvider() throws Exception {
+ this.request.setMethod(RequestMethod.GET.name());
+ this.request.setRequestURI("/cors");
+ this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
+ assertTrue(chain.getHandler() instanceof CorsAwareHandler);
+ CorsConfiguration config = getCorsConfiguration(chain, false);
+ assertNotNull(config);
+ assertArrayEquals(config.getAllowedOrigins().toArray(), new String[]{"*"});
+ }
+
+ @Test
+ public void preflightRequestWithCorsConfigurationProvider() throws Exception {
+ this.request.setMethod(RequestMethod.OPTIONS.name());
+ this.request.setRequestURI("/cors");
+ this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
+ assertNotNull(chain.getHandler());
+ assertTrue(chain.getHandler().getClass().getSimpleName().equals("PreFlightHandler"));
+ CorsConfiguration config = getCorsConfiguration(chain, true);
+ assertNotNull(config);
+ assertArrayEquals(config.getAllowedOrigins().toArray(), new String[]{"*"});
+ }
+
+
+ private CorsConfiguration getCorsConfiguration(HandlerExecutionChain chain, boolean isPreFlightRequest) {
+ if (isPreFlightRequest) {
+ Object handler = chain.getHandler();
+ assertTrue(handler.getClass().getSimpleName().equals("PreFlightHandler"));
+ DirectFieldAccessor accessor = new DirectFieldAccessor(handler);
+ return (CorsConfiguration)accessor.getPropertyValue("config");
+ }
+ else {
+ HandlerInterceptor[] interceptors = chain.getInterceptors();
+ if (interceptors != null) {
+ for (HandlerInterceptor interceptor : interceptors) {
+ if (interceptor.getClass().getSimpleName().equals("CorsInterceptor")) {
+ DirectFieldAccessor accessor = new DirectFieldAccessor(interceptor);
+ return (CorsConfiguration) accessor.getPropertyValue("config");
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ public class TestHandlerMapping extends AbstractHandlerMapping {
+
+ @Override
+ protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
+ if (request.getRequestURI().equals("/cors")) {
+ return new CorsAwareHandler();
+ }
+ return new SimpleHandler();
+ }
+ }
+
+ public class SimpleHandler extends WebContentGenerator implements HttpRequestHandler {
+
+ public SimpleHandler() {
+ super(METHOD_GET);
+ }
+
+ @Override
+ public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ response.setStatus(HttpStatus.OK.value());
+ }
+
+ }
+
+ public class CorsAwareHandler extends SimpleHandler implements CorsConfigurationSource {
+
+ @Override
+ public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+ CorsConfiguration config = new CorsConfiguration();
+ config.addAllowedOrigin("*");
+ return config;
+ }
+
+ }
+
+}
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoTests.java
index 8f179995a3..0b6bc236eb 100644
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,8 +22,10 @@ import java.util.List;
import org.junit.Test;
+import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.test.MockHttpServletRequest;
import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
import org.springframework.web.servlet.mvc.condition.HeadersRequestCondition;
import org.springframework.web.servlet.mvc.condition.ParamsRequestCondition;
@@ -315,4 +317,23 @@ public class RequestMappingInfoTests {
assertNotEquals(info1.hashCode(), info2.hashCode());
}
+ @Test
+ public void preFlightRequest() {
+ MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/foo");
+ request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
+ request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "POST");
+
+ RequestMappingInfo info = new RequestMappingInfo(
+ new PatternsRequestCondition("/foo"), new RequestMethodsRequestCondition(RequestMethod.POST), null,
+ null, null, null, null);
+ RequestMappingInfo match = info.getMatchingCondition(request);
+ assertNotNull(match);
+
+ info = new RequestMappingInfo(
+ new PatternsRequestCondition("/foo"), new RequestMethodsRequestCondition(RequestMethod.OPTIONS), null,
+ null, null, null, null);
+ match = info.getMatchingCondition(request);
+ assertNotNull(match);
+ }
+
}
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
new file mode 100644
index 0000000000..5ff57a9c3d
--- /dev/null
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
@@ -0,0 +1,284 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.servlet.mvc.method.annotation;
+
+import java.lang.reflect.Method;
+
+import static org.junit.Assert.*;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.springframework.beans.DirectFieldAccessor;
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.context.support.StaticWebApplicationContext;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.mock.web.test.MockHttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.cors.CorsUtils;
+import org.springframework.web.servlet.HandlerExecutionChain;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
+import org.springframework.web.servlet.mvc.condition.HeadersRequestCondition;
+import org.springframework.web.servlet.mvc.condition.ParamsRequestCondition;
+import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
+import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
+import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
+import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
+
+/**
+ * Test fixture for {@link CrossOrigin @CrossOrigin} annotated methods.
+ *
+ * @author Sebastien Deleuze
+ */
+@SuppressWarnings("unchecked")
+public class CrossOriginTests {
+
+ private TestRequestMappingInfoHandlerMapping handlerMapping;
+ private MockHttpServletRequest request;
+
+ @Before
+ public void setUp() {
+ this.handlerMapping = new TestRequestMappingInfoHandlerMapping();
+ this.handlerMapping.setRemoveSemicolonContent(false);
+ this.handlerMapping.setApplicationContext(new StaticWebApplicationContext());
+ this.handlerMapping.afterPropertiesSet();
+ this.request = new MockHttpServletRequest();
+ this.request.setMethod("GET");
+ this.request.addHeader(HttpHeaders.ORIGIN, "http://domain.com/");
+ }
+
+ @Test
+ public void noAnnotation() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "/no");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, false);
+ assertNull(config);
+ }
+
+ @Test
+ public void defaultAnnotation() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ this.request.setRequestURI("/default");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, false);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+ assertTrue(config.isAllowCredentials());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+ assertNull(config.getExposedHeaders());
+ assertEquals(new Long(1800), config.getMaxAge());
+ }
+
+ @Test
+ public void customized() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ this.request.setRequestURI("/customized");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, false);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"DELETE"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"http://site1.com", "http://site2.com"}, config.getAllowedOrigins().toArray());
+ assertArrayEquals(new String[]{"header1", "header2"}, config.getAllowedHeaders().toArray());
+ assertArrayEquals(new String[]{"header3", "header4"}, config.getExposedHeaders().toArray());
+ assertEquals(new Long(123), config.getMaxAge());
+ assertEquals(false, config.isAllowCredentials());
+ }
+
+ @Test
+ public void classLevel() throws Exception {
+ this.handlerMapping.registerHandler(new ClassLevelController());
+ this.request.setRequestURI("/foo");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, false);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+ }
+
+ @Test
+ public void preFlightRequest() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ this.request.setMethod("OPTIONS");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ this.request.setRequestURI("/default");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, true);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+ assertTrue(config.isAllowCredentials());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+ assertNull(config.getExposedHeaders());
+ assertEquals(new Long(1800), config.getMaxAge());
+ }
+
+ @Test
+ public void ambiguousHeaderPreFlightRequest() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ this.request.setMethod("OPTIONS");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "header1");
+ this.request.setRequestURI("/ambiguous-header");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, true);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"*"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+ assertTrue(config.isAllowCredentials());
+ assertNull(config.getExposedHeaders());
+ assertNull(config.getMaxAge());
+ }
+
+ @Test
+ public void ambiguousProducesPreFlightRequest() throws Exception {
+ this.handlerMapping.registerHandler(new MethodLevelController());
+ this.request.setMethod("OPTIONS");
+ this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ this.request.setRequestURI("/ambiguous-produces");
+ HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+ CorsConfiguration config = getCorsConfiguration(chain, true);
+ assertNotNull(config);
+ assertArrayEquals(new String[]{"*"}, config.getAllowedMethods().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+ assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+ assertTrue(config.isAllowCredentials());
+ assertNull(config.getExposedHeaders());
+ assertNull(config.getMaxAge());
+ }
+
+ @Test
+ public void preFlightRequestWithoutRequestMethodHeader() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/default");
+ request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
+ assertNull(this.handlerMapping.getHandler(request));
+ }
+
+ private CorsConfiguration getCorsConfiguration(HandlerExecutionChain chain, boolean isPreFlightRequest) {
+ if (isPreFlightRequest) {
+ Object handler = chain.getHandler();
+ assertTrue(handler.getClass().getSimpleName().equals("PreFlightHandler"));
+ DirectFieldAccessor accessor = new DirectFieldAccessor(handler);
+ return (CorsConfiguration)accessor.getPropertyValue("config");
+ }
+ else {
+ HandlerInterceptor[] interceptors = chain.getInterceptors();
+ if (interceptors != null) {
+ for (HandlerInterceptor interceptor : interceptors) {
+ if (interceptor.getClass().getSimpleName().equals("CorsInterceptor")) {
+ DirectFieldAccessor accessor = new DirectFieldAccessor(interceptor);
+ return (CorsConfiguration) accessor.getPropertyValue("config");
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+
+ @Controller
+ private static class MethodLevelController {
+
+ @RequestMapping(value = "/no", method = RequestMethod.GET)
+ public void noAnnotation() {
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/default", method = RequestMethod.GET)
+ public void defaultAnnotation() {
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/default", method = RequestMethod.GET, params = "q")
+ public void defaultAnnotationWithParams() {
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=a")
+ public void ambigousHeader1a() {
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=b")
+ public void ambigousHeader1b() {
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/xml")
+ public String ambigousProducesXml() {
+ return "";
+ }
+
+ @CrossOrigin
+ @RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/json")
+ public String ambigousProducesJson() {
+ return "{}";
+ }
+
+ @CrossOrigin(origin = { "http://site1.com", "http://site2.com" }, allowedHeaders = { "header1", "header2" },
+ exposedHeaders = { "header3", "header4" }, method = RequestMethod.DELETE, maxAge = 123, allowCredentials = "false")
+ @RequestMapping(value = "/customized", method = { RequestMethod.GET, RequestMethod.POST } )
+ public void customized() {
+ }
+
+ }
+
+ @Controller
+ @CrossOrigin
+ private static class ClassLevelController {
+
+ @RequestMapping(value = "/foo", method = RequestMethod.GET)
+ public void foo() {
+ }
+ }
+
+ private static class TestRequestMappingInfoHandlerMapping extends RequestMappingHandlerMapping {
+
+ public void registerHandler(Object handler) {
+ super.detectHandlerMethods(handler);
+ }
+
+ @Override
+ protected boolean isHandler(Class> beanType) {
+ return AnnotationUtils.findAnnotation(beanType, Controller.class) != null;
+ }
+
+ @Override
+ protected RequestMappingInfo getMappingForMethod(Method method, Class> handlerType) {
+ RequestMapping annotation = AnnotationUtils.findAnnotation(method, RequestMapping.class);
+ if (annotation != null) {
+ return new RequestMappingInfo(
+ new PatternsRequestCondition(annotation.value(), getUrlPathHelper(), getPathMatcher(), true, true),
+ new RequestMethodsRequestCondition(annotation.method()),
+ new ParamsRequestCondition(annotation.params()),
+ new HeadersRequestCondition(annotation.headers()),
+ new ConsumesRequestCondition(annotation.consumes(), annotation.headers()),
+ new ProducesRequestCondition(annotation.produces(), annotation.headers()), null);
+ }
+ else {
+ return null;
+ }
+ }
+ }
+
+}
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
index 9ed0cb0b14..2e7532c947 100644
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
@@ -27,10 +27,11 @@ import java.util.List;
import java.util.Random;
import java.util.concurrent.TimeUnit;
+import javax.servlet.http.HttpServletRequest;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.InvalidMediaTypeException;
@@ -43,6 +44,9 @@ import org.springframework.util.CollectionUtils;
import org.springframework.util.DigestUtils;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.sockjs.SockJsException;
import org.springframework.web.socket.sockjs.SockJsService;
@@ -60,7 +64,7 @@ import org.springframework.web.util.WebUtils;
* @author Sebastien Deleuze
* @since 4.0
*/
-public abstract class AbstractSockJsService implements SockJsService {
+public abstract class AbstractSockJsService implements SockJsService, CorsConfigurationSource {
private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
@@ -447,16 +451,8 @@ public abstract class AbstractSockJsService implements SockJsService {
protected abstract void handleTransportRequest(ServerHttpRequest request, ServerHttpResponse response,
WebSocketHandler webSocketHandler, String sessionId, String transport) throws SockJsException;
- /**
- * Check the {@code Origin} header value and eventually call {@link #addCorsHeaders(ServerHttpRequest, ServerHttpResponse, HttpMethod...)}.
- * If the request origin is not allowed, the request is rejected.
- * @return false if the request is rejected, else true
- * @since 4.1.2
- */
- protected boolean checkAndAddCorsHeaders(ServerHttpRequest request, ServerHttpResponse response, HttpMethod... httpMethods) {
- HttpHeaders requestHeaders = request.getHeaders();
- HttpHeaders responseHeaders = response.getHeaders();
- String origin = requestHeaders.getOrigin();
+ protected boolean checkOrigin(ServerHttpRequest request, ServerHttpResponse response, HttpMethod... httpMethods) throws IOException {
+ String origin = request.getHeaders().getOrigin();
if (origin == null) {
return true;
@@ -468,46 +464,26 @@ public abstract class AbstractSockJsService implements SockJsService {
return false;
}
- boolean hasCorsResponseHeaders = false;
- try {
- // Perhaps a CORS Filter has already added this?
- hasCorsResponseHeaders = !CollectionUtils.isEmpty(responseHeaders.get("Access-Control-Allow-Origin"));
- }
- catch (NullPointerException npe) {
- // See SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
- }
-
- if (!this.suppressCors && !hasCorsResponseHeaders) {
- addCorsHeaders(request, response, httpMethods);
- }
return true;
}
- protected void addCorsHeaders(ServerHttpRequest request, ServerHttpResponse response, HttpMethod... httpMethods) {
- HttpHeaders requestHeaders = request.getHeaders();
- HttpHeaders responseHeaders = response.getHeaders();
-
- responseHeaders.add("Access-Control-Allow-Origin", requestHeaders.getFirst("Origin"));
- responseHeaders.add("Access-Control-Allow-Credentials", "true");
-
- List accessControllerHeaders = requestHeaders.get("Access-Control-Request-Headers");
- if (accessControllerHeaders != null) {
- for (String header : accessControllerHeaders) {
- responseHeaders.add("Access-Control-Allow-Headers", header);
- }
+ @Override
+ public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+ if (!this.suppressCors && CorsUtils.isCorsRequest(request)) {
+ CorsConfiguration config = new CorsConfiguration();
+ config.addAllowedOrigin("*");
+ config.addAllowedMethod("*");
+ config.setAllowCredentials(true);
+ config.setMaxAge(ONE_YEAR);
+ config.addAllowedHeader("*");
+ return config;
}
-
- if (!ObjectUtils.isEmpty(httpMethods)) {
- responseHeaders.add("Access-Control-Allow-Methods", StringUtils.arrayToDelimitedString(httpMethods, ", "));
- responseHeaders.add("Access-Control-Max-Age", String.valueOf(ONE_YEAR));
- }
- responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
+ return null;
}
protected void addCacheHeaders(ServerHttpResponse response) {
response.getHeaders().setCacheControl("public, max-age=" + ONE_YEAR);
response.getHeaders().setExpires(new Date().getTime() + ONE_YEAR * 1000);
- response.getHeaders().add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
}
protected void addNoCacheHeaders(ServerHttpResponse response) {
@@ -536,15 +512,15 @@ public abstract class AbstractSockJsService implements SockJsService {
public void handle(ServerHttpRequest request, ServerHttpResponse response) throws IOException {
if (HttpMethod.GET.equals(request.getMethod())) {
addNoCacheHeaders(response);
- if (checkAndAddCorsHeaders(request, response)) {
+ if (checkOrigin(request, response)) {
response.getHeaders().setContentType(new MediaType("application", "json", UTF8_CHARSET));
String content = String.format(INFO_CONTENT, random.nextInt(), isSessionCookieNeeded(), isWebSocketEnabled());
response.getBody().write(content.getBytes());
}
+
}
else if (HttpMethod.OPTIONS.equals(request.getMethod())) {
- if (checkAndAddCorsHeaders(request, response, HttpMethod.OPTIONS,
- HttpMethod.GET)) {
+ if (checkOrigin(request, response)) {
addCacheHeaders(response);
response.setStatusCode(HttpStatus.NO_CONTENT);
}
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/SockJsHttpRequestHandler.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/SockJsHttpRequestHandler.java
index 01ab07449b..454f2ee38a 100644
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/SockJsHttpRequestHandler.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/SockJsHttpRequestHandler.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -27,6 +27,8 @@ import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.util.Assert;
import org.springframework.web.HttpRequestHandler;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.handler.ExceptionWebSocketHandlerDecorator;
@@ -39,9 +41,10 @@ import org.springframework.web.socket.sockjs.SockJsService;
* in a Servlet container.
*
* @author Rossen Stoyanchev
+ * @author Sebastien Deleuze
* @since 4.0
*/
-public class SockJsHttpRequestHandler implements HttpRequestHandler {
+public class SockJsHttpRequestHandler implements HttpRequestHandler, CorsConfigurationSource {
// No logging: HTTP transports too verbose and we don't know enough to log anything of value
@@ -100,4 +103,12 @@ public class SockJsHttpRequestHandler implements HttpRequestHandler {
return ((path.length() > 0) && (path.charAt(0) != '/')) ? "/" + path : path;
}
+ @Override
+ public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+ if (sockJsService instanceof CorsConfigurationSource) {
+ return ((CorsConfigurationSource)sockJsService).getCorsConfiguration(request);
+ }
+ return null;
+ }
+
}
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
index a033d7d611..a260639cf9 100644
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
@@ -56,6 +56,7 @@ import org.springframework.web.socket.sockjs.support.AbstractSockJsService;
*
* @author Rossen Stoyanchev
* @author Juergen Hoeller
+ * @author Sebastien Deleuze
* @since 4.0
*/
public class TransportHandlingSockJsService extends AbstractSockJsService implements SockJsServiceConfig {
@@ -208,27 +209,27 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
return;
}
- HttpMethod supportedMethod = transportType.getHttpMethod();
- if (!supportedMethod.equals(request.getMethod())) {
- if (HttpMethod.OPTIONS.equals(request.getMethod()) && transportType.supportsCors()) {
- if (checkAndAddCorsHeaders(request, response, HttpMethod.OPTIONS, supportedMethod)) {
- response.setStatusCode(HttpStatus.NO_CONTENT);
- addCacheHeaders(response);
- }
- }
- else if (transportType.supportsCors()) {
- sendMethodNotAllowed(response, supportedMethod, HttpMethod.OPTIONS);
- }
- else {
- sendMethodNotAllowed(response, supportedMethod);
- }
- return;
- }
-
- HandshakeInterceptorChain chain = new HandshakeInterceptorChain(this.interceptors, handler);
SockJsException failure = null;
+ HandshakeInterceptorChain chain = new HandshakeInterceptorChain(this.interceptors, handler);
try {
+ HttpMethod supportedMethod = transportType.getHttpMethod();
+ if (!supportedMethod.equals(request.getMethod())) {
+ if (HttpMethod.OPTIONS.equals(request.getMethod()) && transportType.supportsCors()) {
+ if (checkOrigin(request, response, HttpMethod.OPTIONS, supportedMethod)) {
+ response.setStatusCode(HttpStatus.NO_CONTENT);
+ addCacheHeaders(response);
+ }
+ }
+ else if (transportType.supportsCors()) {
+ sendMethodNotAllowed(response, supportedMethod, HttpMethod.OPTIONS);
+ }
+ else {
+ sendMethodNotAllowed(response, supportedMethod);
+ }
+ return;
+ }
+
SockJsSession session = this.sessions.get(sessionId);
if (session == null) {
if (transportHandler instanceof SockJsSessionFactory) {
@@ -264,7 +265,7 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
}
if (transportType.supportsCors()) {
- if (!checkAndAddCorsHeaders(request, response)) {
+ if (!checkOrigin(request, response)) {
return;
}
}
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/AbstractHttpRequestTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/AbstractHttpRequestTests.java
index 62f51b7501..2580b10997 100644
--- a/spring-websocket/src/test/java/org/springframework/web/socket/AbstractHttpRequestTests.java
+++ b/spring-websocket/src/test/java/org/springframework/web/socket/AbstractHttpRequestTests.java
@@ -18,7 +18,6 @@ package org.springframework.web.socket;
import org.junit.Before;
-import org.springframework.http.HttpHeaders;
import org.springframework.http.server.ServerHttpAsyncRequestControl;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
@@ -55,10 +54,6 @@ public abstract class AbstractHttpRequestTests {
this.servletRequest.setRequestURI(requestUri);
}
- protected void setOrigin(String origin) {
- this.request.getHeaders().add(HttpHeaders.ORIGIN, origin);
- }
-
protected void resetRequestAndResponse() {
resetRequest();
resetResponse();
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java
index 866e9569dc..14e132bcf3 100644
--- a/spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java
+++ b/spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java
@@ -26,6 +26,7 @@ import static org.junit.Assert.*;
import org.junit.Test;
import org.mockito.Mockito;
+import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.web.socket.AbstractHttpRequestTests;
import org.springframework.web.socket.WebSocketHandler;
@@ -61,7 +62,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originValueMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain1.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com"));
assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
@@ -71,7 +72,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originValueNoMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain1.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain2.com"));
assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
assertEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
@@ -81,7 +82,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originListMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain2.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
assertNotEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
@@ -91,7 +92,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originListNoMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain4.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain4.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
assertEquals(servletResponse.getStatus(), HttpStatus.FORBIDDEN.value());
@@ -101,7 +102,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originNoMatchWithNullHostileCollection() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain4.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain4.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
Set allowedOrigins = new ConcurrentSkipListSet();
allowedOrigins.add("http://mydomain1.com");
@@ -114,7 +115,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void originMatchAll() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain1.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
interceptor.setAllowedOrigins(Arrays.asList("*"));
assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
@@ -125,7 +126,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void sameOriginMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain2.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.servletRequest.setServerName("mydomain2.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList());
assertTrue(interceptor.beforeHandshake(request, response, wsHandler, attributes));
@@ -136,7 +137,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
public void sameOriginNoMatch() throws Exception {
Map attributes = new HashMap();
WebSocketHandler wsHandler = Mockito.mock(WebSocketHandler.class);
- setOrigin("http://mydomain3.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
this.servletRequest.setServerName("mydomain2.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList());
assertFalse(interceptor.beforeHandshake(request, response, wsHandler, attributes));
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java
index ee830c6aee..b7b29daa39 100644
--- a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java
+++ b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java
@@ -26,12 +26,14 @@ import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.Test;
+import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.socket.AbstractHttpRequestTests;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.sockjs.SockJsException;
@@ -84,10 +86,10 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
- assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader("Cache-Control"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Vary"));
+ assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+ assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
String body = this.servletResponse.getContentAsString();
assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
@@ -104,56 +106,42 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Vary"));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+ assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
}
@Test // SPR-12226 and SPR-12660
public void handleInfoGetWithOrigin() throws Exception {
this.servletRequest.setServerName("mydomain2.com");
- setOrigin("http://mydomain2.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
- assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader("Cache-Control"));
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
-
+ assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL));
String body = this.servletResponse.getContentAsString();
assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
- assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}",
- body.substring(body.indexOf(',')));
+ assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}", body.substring(body.indexOf(',')));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.FORBIDDEN);
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Vary"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
this.service.setAllowedOrigins(Arrays.asList("*"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
}
@Test // SPR-11443
public void handleInfoGetCorsFilter() throws Exception {
// Simulate scenario where Filter would have already set CORS headers
- this.servletResponse.setHeader("Access-Control-Allow-Origin", "foobar:123");
+ this.servletResponse.setHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN, "foobar:123");
handleRequest("GET", "/echo/info", HttpStatus.OK);
- assertEquals("foobar:123", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
+ assertEquals("foobar:123", this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
}
@Test // SPR-11919
@@ -161,7 +149,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
public void handleInfoGetWildflyNPE() throws Exception {
HttpServletResponse mockResponse = mock(HttpServletResponse.class);
ServletOutputStream ous = mock(ServletOutputStream.class);
- given(mockResponse.getHeaders("Access-Control-Allow-Origin")).willThrow(NullPointerException.class);
+ given(mockResponse.getHeaders(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN)).willThrow(NullPointerException.class);
given(mockResponse.getOutputStream()).willReturn(ous);
this.response = new ServletServerHttpResponse(mockResponse);
@@ -172,107 +160,53 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
@Test // SPR-12660
public void handleInfoOptions() throws Exception {
- this.servletRequest.addHeader("Access-Control-Request-Headers", "Last-Modified");
+ this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
-
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNull(this.service.getCorsConfiguration(this.servletRequest));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNull(this.service.getCorsConfiguration(this.servletRequest));
}
@Test // SPR-12226 and SPR-12660
public void handleInfoOptionsWithOrigin() throws Exception {
this.servletRequest.setServerName("mydomain2.com");
- setOrigin("http://mydomain2.com");
- this.request.getHeaders().add("Access-Control-Request-Headers", "Last-Modified");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
+ this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+ this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Last-Modified", this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertEquals("OPTIONS, GET", this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertEquals("31536000", this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNotNull(this.service.getCorsConfiguration(this.servletRequest));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
- this.response.flush();
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertNull(this.servletResponse.getHeader("Vary"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Last-Modified", this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertEquals("OPTIONS, GET", this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertEquals("31536000", this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNotNull(this.service.getCorsConfiguration(this.servletRequest));
this.service.setAllowedOrigins(Arrays.asList("*"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
- assertEquals("http://mydomain2.com", this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertEquals("true", this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertEquals("Last-Modified", this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertEquals("OPTIONS, GET", this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertEquals("31536000", this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNotNull(this.service.getCorsConfiguration(this.servletRequest));
}
@Test // SPR-12283
public void handleInfoOptionsWithOriginAndCorsHeadersDisabled() throws Exception {
- setOrigin("http://mydomain2.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.service.setAllowedOrigins(Arrays.asList("*"));
this.service.setSuppressCors(true);
- this.servletRequest.addHeader("Access-Control-Request-Headers", "Last-Modified");
+ this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNull(this.service.getCorsConfiguration(this.servletRequest));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
- this.response.flush();
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertNull(this.servletResponse.getHeader("Vary"));
+ assertNull(this.service.getCorsConfiguration(this.servletRequest));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
- this.response.flush();
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Headers"));
- assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
- assertNull(this.servletResponse.getHeader("Access-Control-Max-Age"));
- assertEquals("Origin", this.servletResponse.getHeader("Vary"));
+ assertNull(this.service.getCorsConfiguration(this.servletRequest));
}
@Test
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
index dc1dce9609..bf2c43cd35 100644
--- a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
+++ b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
@@ -26,7 +26,9 @@ import org.junit.Test;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
+import org.springframework.http.HttpHeaders;
import org.springframework.scheduling.TaskScheduler;
+import org.springframework.web.cors.CorsUtils;
import org.springframework.web.socket.AbstractHttpRequestTests;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.handler.TestPrincipal;
@@ -163,8 +165,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
verify(taskScheduler).scheduleAtFixedRate(any(Runnable.class), eq(service.getDisconnectDelay()));
assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.response.getHeaders().getCacheControl());
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Origin"));
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+ assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}
@Test // SPR-12226
@@ -172,12 +174,10 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com"));
- setOrigin("http://mydomain1.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(200, this.servletResponse.getStatus());
- assertEquals("http://mydomain1.com", this.response.getHeaders().getFirst("Access-Control-Allow-Origin"));
- assertEquals("true", this.response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
}
@Test // SPR-12226
@@ -185,12 +185,10 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com"));
- setOrigin("http://mydomain3.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(403, this.servletResponse.getStatus());
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Origin"));
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
}
@Test
@@ -200,9 +198,9 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(204, this.servletResponse.getStatus());
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Origin"));
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
- assertNull(this.response.getHeaders().getFirst("Access-Control-Allow-Methods"));
+ assertNull(this.servletResponse.getHeader("Access-Control-Allow-Origin"));
+ assertNull(this.servletResponse.getHeader("Access-Control-Allow-Credentials"));
+ assertNull(this.servletResponse.getHeader("Access-Control-Allow-Methods"));
}
@Test
@@ -294,13 +292,13 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com"));
wsService.setHandshakeInterceptors(Arrays.asList(interceptor));
setRequest("GET", sockJsPrefix + sockJsPath);
- setOrigin("http://mydomain1.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain1.com");
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertNotEquals(403, this.servletResponse.getStatus());
resetRequestAndResponse();
setRequest("GET", sockJsPrefix + sockJsPath);
- setOrigin("http://mydomain2.com");
+ this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertEquals(403, this.servletResponse.getStatus());
}