Add CORS support
This commit introduces support for CORS in Spring Framework. Cross-origin resource sharing (CORS) is a mechanism that allows many resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. It is defined by the CORS W3C recommandation (http://www.w3.org/TR/cors/). A new annotation @CrossOrigin allows to enable CORS support on Controller type or method level. By default all origins ("*") are allowed. @RestController public class SampleController { @CrossOrigin @RequestMapping("/foo") public String foo() { // ... } } Various @CrossOrigin attributes allow to customize the CORS configuration. @RestController public class SampleController { @CrossOrigin(origin = { "http://site1.com", "http://site2.com" }, allowedHeaders = { "header1", "header2" }, exposedHeaders = { "header1", "header2" }, method = RequestMethod.DELETE, maxAge = 123, allowCredentials = "true") @RequestMapping(value = "/foo", method = { RequestMethod.GET, RequestMethod.POST} ) public String foo() { // ... } } A CorsConfigurationSource interface can be implemented by HTTP request handlers that want to support CORS by providing a CorsConfiguration that will be detected at AbstractHandlerMapping level. See for example ResourceHttpRequestHandler that implements this interface. Global CORS configuration should be supported through ControllerAdvice (with type level @CrossOrigin annotated class or class implementing CorsConfigurationSource), or with XML namespace and JavaConfig configuration, but this is not implemented yet. Issue: SPR-9278
This commit is contained in:
@@ -0,0 +1,82 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.web.cors;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.mock.web.test.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.test.MockHttpServletResponse;
|
||||
|
||||
/**
|
||||
* Test case for {@link CorsUtils}.
|
||||
*
|
||||
* @author Sebastien Deleuze
|
||||
*/
|
||||
public class CorsUtilsTests {
|
||||
|
||||
@Test
|
||||
public void isCorsRequest() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
|
||||
assertTrue(CorsUtils.isCorsRequest(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isNotCorsRequest() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
assertFalse(CorsUtils.isCorsRequest(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isPreFlightRequest() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setMethod("OPTIONS");
|
||||
request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
|
||||
request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
assertTrue(CorsUtils.isPreFlightRequest(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isNotPreFlightRequest() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
assertFalse(CorsUtils.isPreFlightRequest(request));
|
||||
|
||||
request = new MockHttpServletRequest();
|
||||
request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
|
||||
assertFalse(CorsUtils.isPreFlightRequest(request));
|
||||
|
||||
request = new MockHttpServletRequest();
|
||||
request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
assertFalse(CorsUtils.isPreFlightRequest(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isCorsResponse() {
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
|
||||
assertTrue(CorsUtils.isCorsResponse(response));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isNotCorsResponse() {
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
assertFalse(CorsUtils.isCorsResponse(response));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,302 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.web.cors;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.test.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.test.MockHttpServletResponse;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
/**
|
||||
* Test {@link DefaultCorsProcessor} with simple or preflight CORS request.
|
||||
*
|
||||
* @author Sebastien Deleuze
|
||||
*/
|
||||
public class DefaultCorsProcessorTests {
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
private MockHttpServletResponse response;
|
||||
private DefaultCorsProcessor processor;
|
||||
private CorsConfiguration conf;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest();
|
||||
this.request.setRequestURI("/test.html");
|
||||
this.request.setRemoteHost("domain1.com");
|
||||
this.conf = new CorsConfiguration();
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.response.setStatus(HttpServletResponse.SC_OK);
|
||||
this.processor = new DefaultCorsProcessor();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithoutOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestWithOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestwithOriginHeaderAndAllowedOrigin() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCrendentials() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/home.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestCaseInsensitiveOriginMatch() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/TEST.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void actualRequestExposedHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.conf.addExposedHeader("header1");
|
||||
this.conf.addExposedHeader("header2");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processActualRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllOriginsAllowed() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWrongAllowedMethod() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestMatchedAllowedMethod() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
assertEquals("GET", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithoutOriginHeader() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithoutRequestMethod() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestValidRequestAndConfig() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.addAllowedMethod("GET");
|
||||
this.conf.addAllowedMethod("PUT");
|
||||
this.conf.addAllowedHeader("header1");
|
||||
this.conf.addAllowedHeader("header2");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertEquals("GET,PUT", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestCrendentials() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/home.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestCrendentialsWithOriginWildcard() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/home.html");
|
||||
this.conf.addAllowedOrigin("*");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/logout.html");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.setAllowCredentials(true);
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllowedHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedHeader("Header1");
|
||||
this.conf.addAllowedHeader("Header2");
|
||||
this.conf.addAllowedHeader("Header3");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preflightRequestAllowsAllHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.OPTIONS.name());
|
||||
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
||||
this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.conf.addAllowedHeader("*");
|
||||
this.conf.addAllowedOrigin("http://domain2.com/test.html");
|
||||
this.processor.processPreFlightRequest(this.conf, request, response);
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
||||
assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
||||
assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
|
||||
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user