Fix http URLs
See gh-22839
This commit is contained in:
committed by
Stephane Nicoll
parent
b5fba14ab8
commit
fde92793b5
@@ -226,8 +226,8 @@ public class HandlersBeanDefinitionParserTests {
|
||||
List<HandshakeInterceptor> interceptors = transportService.getHandshakeInterceptors();
|
||||
assertThat(interceptors).extracting("class").containsExactly(OriginHandshakeInterceptor.class);
|
||||
assertThat(transportService.shouldSuppressCors()).isTrue();
|
||||
assertThat(transportService.getAllowedOrigins().contains("https://mydomain1.com")).isTrue();
|
||||
assertThat(transportService.getAllowedOrigins().contains("https://mydomain2.com")).isTrue();
|
||||
assertThat(transportService.getAllowedOrigins().contains("https://mydomain1.example")).isTrue();
|
||||
assertThat(transportService.getAllowedOrigins().contains("https://mydomain2.example")).isTrue();
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -115,7 +115,7 @@ public class WebSocketHandlerRegistrationTests {
|
||||
WebSocketHandler handler = new TextWebSocketHandler();
|
||||
HttpSessionHandshakeInterceptor interceptor = new HttpSessionHandshakeInterceptor();
|
||||
|
||||
this.registration.addHandler(handler, "/foo").addInterceptors(interceptor).setAllowedOrigins("https://mydomain1.com");
|
||||
this.registration.addHandler(handler, "/foo").addInterceptors(interceptor).setAllowedOrigins("https://mydomain1.example");
|
||||
|
||||
List<Mapping> mappings = this.registration.getMappings();
|
||||
assertThat(mappings.size()).isEqualTo(1);
|
||||
@@ -136,7 +136,7 @@ public class WebSocketHandlerRegistrationTests {
|
||||
|
||||
this.registration.addHandler(handler, "/foo")
|
||||
.addInterceptors(interceptor)
|
||||
.setAllowedOrigins("https://mydomain1.com")
|
||||
.setAllowedOrigins("https://mydomain1.example")
|
||||
.withSockJS();
|
||||
|
||||
this.registration.getSockJsServiceRegistration().setTaskScheduler(this.taskScheduler);
|
||||
@@ -148,7 +148,7 @@ public class WebSocketHandlerRegistrationTests {
|
||||
assertThat(mapping.webSocketHandler).isEqualTo(handler);
|
||||
assertThat(mapping.path).isEqualTo("/foo/**");
|
||||
assertThat(mapping.sockJsService).isNotNull();
|
||||
assertThat(mapping.sockJsService.getAllowedOrigins().contains("https://mydomain1.com")).isTrue();
|
||||
assertThat(mapping.sockJsService.getAllowedOrigins().contains("https://mydomain1.example")).isTrue();
|
||||
List<HandshakeInterceptor> interceptors = mapping.sockJsService.getHandshakeInterceptors();
|
||||
assertThat(interceptors.get(0)).isEqualTo(interceptor);
|
||||
assertThat(interceptors.get(1).getClass()).isEqualTo(OriginHandshakeInterceptor.class);
|
||||
|
||||
@@ -53,8 +53,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originValueMatch() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
List<String> allowed = Collections.singletonList("https://mydomain1.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
List<String> allowed = Collections.singletonList("https://mydomain1.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
|
||||
@@ -62,8 +62,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originValueNoMatch() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
List<String> allowed = Collections.singletonList("https://mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
List<String> allowed = Collections.singletonList("https://mydomain2.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
|
||||
@@ -71,8 +71,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originListMatch() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
|
||||
List<String> allowed = Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
|
||||
List<String> allowed = Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
|
||||
@@ -80,8 +80,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originListNoMatch() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.com/");
|
||||
List<String> allowed = Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.example/");
|
||||
List<String> allowed = Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
|
||||
@@ -89,10 +89,10 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originNoMatchWithNullHostileCollection() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.com/");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.example/");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
|
||||
Set<String> allowedOrigins = new ConcurrentSkipListSet<>();
|
||||
allowedOrigins.add("https://mydomain1.com");
|
||||
allowedOrigins.add("https://mydomain1.example");
|
||||
interceptor.setAllowedOrigins(allowedOrigins);
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
|
||||
@@ -100,7 +100,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void originMatchAll() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
|
||||
interceptor.setAllowedOrigins(Collections.singletonList("*"));
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
|
||||
@@ -109,8 +109,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void sameOriginMatchWithEmptyAllowedOrigins() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
|
||||
@@ -118,17 +118,17 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test
|
||||
public void sameOriginMatchWithAllowedOrigins() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.example"));
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sameOriginNoMatch() throws Exception {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.example");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
|
||||
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
|
||||
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
|
||||
|
||||
@@ -105,7 +105,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
body = this.servletResponse.getContentAsString();
|
||||
assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}");
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
|
||||
assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
|
||||
assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isNull();
|
||||
@@ -114,8 +114,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
|
||||
@Test // SPR-12226 and SPR-12660
|
||||
public void handleInfoGetWithOrigin() throws IOException {
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
|
||||
|
||||
assertThat(this.servletResponse.getContentType()).isEqualTo("application/json;charset=UTF-8");
|
||||
@@ -125,17 +125,17 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
assertThat(body.substring(0, body.indexOf(':'))).isEqualTo("{\"entropy\"");
|
||||
assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}");
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
|
||||
|
||||
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
|
||||
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.example", "http://mydomain2.example", "http://mydomain3.example"));
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("*"));
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
|
||||
|
||||
this.servletRequest.setServerName("mydomain3.com");
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.FORBIDDEN);
|
||||
}
|
||||
|
||||
@@ -168,25 +168,25 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
|
||||
}
|
||||
|
||||
@Test // SPR-12226 and SPR-12660
|
||||
public void handleInfoOptionsWithAllowedOrigin() {
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
|
||||
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
|
||||
|
||||
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
|
||||
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.example", "http://mydomain2.example", "http://mydomain3.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
|
||||
|
||||
@@ -198,22 +198,22 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
@Test // SPR-16304
|
||||
public void handleInfoOptionsWithForbiddenOrigin() {
|
||||
this.servletRequest.setServerName("mydomain3.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
|
||||
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
|
||||
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
|
||||
CorsConfiguration corsConfiguration = this.service.getCorsConfiguration(this.servletRequest);
|
||||
assertThat(corsConfiguration.getAllowedOrigins().isEmpty()).isTrue();
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
|
||||
corsConfiguration = this.service.getCorsConfiguration(this.servletRequest);
|
||||
assertThat(corsConfiguration.getAllowedOrigins()).isEqualTo(Collections.singletonList("https://mydomain1.com"));
|
||||
assertThat(corsConfiguration.getAllowedOrigins()).isEqualTo(Collections.singletonList("https://mydomain1.example"));
|
||||
}
|
||||
|
||||
@Test // SPR-12283
|
||||
public void handleInfoOptionsWithOriginAndCorsHeadersDisabled() {
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
|
||||
this.service.setAllowedOrigins(Collections.singletonList("*"));
|
||||
this.service.setSuppressCors(true);
|
||||
|
||||
@@ -221,11 +221,11 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
|
||||
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
|
||||
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com"));
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example"));
|
||||
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
|
||||
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
|
||||
}
|
||||
|
||||
@@ -164,8 +164,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
public void handleTransportRequestXhrAllowedOriginsMatch() throws Exception {
|
||||
String sockJsPath = sessionUrlPrefix + "xhr";
|
||||
setRequest("POST", sockJsPrefix + sockJsPath);
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(200);
|
||||
@@ -175,8 +175,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
public void handleTransportRequestXhrAllowedOriginsNoMatch() throws Exception {
|
||||
String sockJsPath = sessionUrlPrefix + "xhr";
|
||||
setRequest("POST", sockJsPrefix + sockJsPath);
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.example");
|
||||
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(403);
|
||||
@@ -186,9 +186,9 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
public void handleTransportRequestXhrSameOrigin() throws Exception {
|
||||
String sockJsPath = sessionUrlPrefix + "xhr";
|
||||
setRequest("POST", sockJsPrefix + sockJsPath);
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(200);
|
||||
@@ -198,9 +198,9 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
public void handleInvalidTransportType() throws Exception {
|
||||
String sockJsPath = sessionUrlPrefix + "invalid";
|
||||
setRequest("POST", sockJsPrefix + sockJsPath);
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
|
||||
this.servletRequest.setServerName("mydomain2.com");
|
||||
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example"));
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
|
||||
this.servletRequest.setServerName("mydomain2.example");
|
||||
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(404);
|
||||
@@ -289,17 +289,17 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
assertThat(this.servletResponse.getStatus()).isNotEqualTo((long) 403);
|
||||
|
||||
resetRequestAndResponse();
|
||||
List<String> allowed = Collections.singletonList("https://mydomain1.com");
|
||||
List<String> allowed = Collections.singletonList("https://mydomain1.example");
|
||||
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
|
||||
wsService.setHandshakeInterceptors(Collections.singletonList(interceptor));
|
||||
setRequest("GET", sockJsPrefix + sockJsPath);
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
|
||||
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
assertThat(this.servletResponse.getStatus()).isNotEqualTo((long) 403);
|
||||
|
||||
resetRequestAndResponse();
|
||||
setRequest("GET", sockJsPrefix + sockJsPath);
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
|
||||
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
|
||||
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(403);
|
||||
}
|
||||
@@ -314,7 +314,7 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
|
||||
|
||||
resetRequestAndResponse();
|
||||
setRequest("GET", sockJsPrefix + sockJsPath);
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
|
||||
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
|
||||
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
|
||||
assertThat(this.servletResponse.getStatus()).isEqualTo(404);
|
||||
assertThat(this.servletResponse.getHeader("X-Frame-Options")).isNull();
|
||||
|
||||
Reference in New Issue
Block a user