|
|
|
|
@@ -16,6 +16,8 @@
|
|
|
|
|
|
|
|
|
|
package org.springframework.web.cors;
|
|
|
|
|
|
|
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
|
|
|
|
import org.junit.Before;
|
|
|
|
|
import org.junit.Test;
|
|
|
|
|
|
|
|
|
|
@@ -24,8 +26,6 @@ import org.springframework.http.HttpMethod;
|
|
|
|
|
import org.springframework.mock.web.test.MockHttpServletRequest;
|
|
|
|
|
import org.springframework.mock.web.test.MockHttpServletResponse;
|
|
|
|
|
|
|
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
|
|
|
|
import static org.junit.Assert.*;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@@ -33,6 +33,7 @@ import static org.junit.Assert.*;
|
|
|
|
|
*
|
|
|
|
|
* @author Sebastien Deleuze
|
|
|
|
|
* @author Rossen Stoyanchev
|
|
|
|
|
* @author Juergen Hoeller
|
|
|
|
|
*/
|
|
|
|
|
public class DefaultCorsProcessorTests {
|
|
|
|
|
|
|
|
|
|
@@ -56,22 +57,25 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.processor = new DefaultCorsProcessor();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void actualRequestWithOriginHeader() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.GET.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void actualRequestWithOriginHeaderAndNullConfig() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.GET.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.processor.processRequest(null, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(null, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -79,12 +83,13 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.setMethod(HttpMethod.GET.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -95,12 +100,13 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain3.com");
|
|
|
|
|
this.conf.setAllowCredentials(true);
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -109,12 +115,13 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.conf.setAllowCredentials(true);
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -122,9 +129,10 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.setMethod(HttpMethod.GET.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.conf.addAllowedOrigin("http://DOMAIN2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -134,13 +142,14 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.conf.addExposedHeader("header1");
|
|
|
|
|
this.conf.addExposedHeader("header2");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -149,8 +158,9 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -159,8 +169,9 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -169,18 +180,20 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals("GET,HEAD", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
assertEquals("GET,HEAD", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -188,112 +201,134 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestValidRequestAndConfig() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.conf.addAllowedMethod("GET");
|
|
|
|
|
this.conf.addAllowedMethod("PUT");
|
|
|
|
|
this.conf.addAllowedHeader("header1");
|
|
|
|
|
this.conf.addAllowedHeader("header2");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
|
|
|
|
assertEquals("GET,PUT", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
|
|
|
|
assertEquals("GET,PUT", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestCredentials() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain1.com");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain3.com");
|
|
|
|
|
this.conf.addAllowedHeader("Header1");
|
|
|
|
|
this.conf.setAllowCredentials(true);
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain1.com");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain3.com");
|
|
|
|
|
this.conf.addAllowedHeader("Header1");
|
|
|
|
|
this.conf.setAllowCredentials(true);
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestAllowedHeaders() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
|
|
|
|
this.conf.addAllowedHeader("Header1");
|
|
|
|
|
this.conf.addAllowedHeader("Header2");
|
|
|
|
|
this.conf.addAllowedHeader("Header3");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
|
|
|
|
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestAllowsAllHeaders() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
|
|
|
|
|
this.conf.addAllowedHeader("*");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
this.processor.processRequest(this.conf, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
|
|
|
|
|
assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
|
|
|
|
|
assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void preflightRequestWithEmptyHeaders() throws Exception {
|
|
|
|
|
this.request.setMethod(HttpMethod.OPTIONS.name());
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "");
|
|
|
|
|
this.conf.addAllowedHeader("*");
|
|
|
|
|
this.conf.addAllowedOrigin("http://domain2.com");
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(this.conf, this.request, this.response);
|
|
|
|
|
assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
@@ -302,9 +337,10 @@ public class DefaultCorsProcessorTests {
|
|
|
|
|
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
|
|
|
|
|
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
|
|
|
|
this.conf.addAllowedOrigin("*");
|
|
|
|
|
this.processor.processRequest(null, request, response);
|
|
|
|
|
|
|
|
|
|
this.processor.processRequest(null, this.request, this.response);
|
|
|
|
|
assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
|
|
|
|
|
assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
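Review bot: The two wildcard-plus-credentials tests pin a security-relevant behaviour without saying so: in the hunk at `@@ -109,12 +115,13 @@`, `addAllowedOrigin("*")` with `setAllowCredentials(true)` is expected to return the request's own `Origin` (`http://domain2.com`) together with `Access-Control-Allow-Credentials: true`, which means any origin is granted credentialed access. A comment on those assertions such as `// "*" with allowCredentials echoes the request Origin: every origin gets credentialed access` would make it clear that this is intended. `preflightRequestCredentialsWithOriginWildcard` checks only the echoed origin and the status; if the preflight path behaves like the actual-request path, it should also pin the credentials header with `assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));`. The first of these test methods starts outside its hunk, so its name is not visible here.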
|
|
|
|
|
|