Fix http URLs

See gh-22839
This commit is contained in:
Rob Winch
2019-04-23 16:35:28 -05:00
committed by Stephane Nicoll
parent b5fba14ab8
commit fde92793b5
36 changed files with 215 additions and 207 deletions

View File

@@ -226,8 +226,8 @@ public class HandlersBeanDefinitionParserTests {
List<HandshakeInterceptor> interceptors = transportService.getHandshakeInterceptors();
assertThat(interceptors).extracting("class").containsExactly(OriginHandshakeInterceptor.class);
assertThat(transportService.shouldSuppressCors()).isTrue();
assertThat(transportService.getAllowedOrigins().contains("https://mydomain1.com")).isTrue();
assertThat(transportService.getAllowedOrigins().contains("https://mydomain2.com")).isTrue();
assertThat(transportService.getAllowedOrigins().contains("https://mydomain1.example")).isTrue();
assertThat(transportService.getAllowedOrigins().contains("https://mydomain2.example")).isTrue();
}

View File

@@ -115,7 +115,7 @@ public class WebSocketHandlerRegistrationTests {
WebSocketHandler handler = new TextWebSocketHandler();
HttpSessionHandshakeInterceptor interceptor = new HttpSessionHandshakeInterceptor();
this.registration.addHandler(handler, "/foo").addInterceptors(interceptor).setAllowedOrigins("https://mydomain1.com");
this.registration.addHandler(handler, "/foo").addInterceptors(interceptor).setAllowedOrigins("https://mydomain1.example");
List<Mapping> mappings = this.registration.getMappings();
assertThat(mappings.size()).isEqualTo(1);
@@ -136,7 +136,7 @@ public class WebSocketHandlerRegistrationTests {
this.registration.addHandler(handler, "/foo")
.addInterceptors(interceptor)
.setAllowedOrigins("https://mydomain1.com")
.setAllowedOrigins("https://mydomain1.example")
.withSockJS();
this.registration.getSockJsServiceRegistration().setTaskScheduler(this.taskScheduler);
@@ -148,7 +148,7 @@ public class WebSocketHandlerRegistrationTests {
assertThat(mapping.webSocketHandler).isEqualTo(handler);
assertThat(mapping.path).isEqualTo("/foo/**");
assertThat(mapping.sockJsService).isNotNull();
assertThat(mapping.sockJsService.getAllowedOrigins().contains("https://mydomain1.com")).isTrue();
assertThat(mapping.sockJsService.getAllowedOrigins().contains("https://mydomain1.example")).isTrue();
List<HandshakeInterceptor> interceptors = mapping.sockJsService.getHandshakeInterceptors();
assertThat(interceptors.get(0)).isEqualTo(interceptor);
assertThat(interceptors.get(1).getClass()).isEqualTo(OriginHandshakeInterceptor.class);

View File

@@ -53,8 +53,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originValueMatch() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
List<String> allowed = Collections.singletonList("https://mydomain1.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
List<String> allowed = Collections.singletonList("https://mydomain1.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
@@ -62,8 +62,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originValueNoMatch() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
List<String> allowed = Collections.singletonList("https://mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
List<String> allowed = Collections.singletonList("https://mydomain2.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
@@ -71,8 +71,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originListMatch() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
List<String> allowed = Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
List<String> allowed = Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
@@ -80,8 +80,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originListNoMatch() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.com/");
List<String> allowed = Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.example/");
List<String> allowed = Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
@@ -89,10 +89,10 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originNoMatchWithNullHostileCollection() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.com/");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://www.mydomain4.example/");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
Set<String> allowedOrigins = new ConcurrentSkipListSet<>();
allowedOrigins.add("https://mydomain1.com");
allowedOrigins.add("https://mydomain1.example");
interceptor.setAllowedOrigins(allowedOrigins);
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());
@@ -100,7 +100,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void originMatchAll() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor();
interceptor.setAllowedOrigins(Collections.singletonList("*"));
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
@@ -109,8 +109,8 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void sameOriginMatchWithEmptyAllowedOrigins() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.servletRequest.setServerName("mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
this.servletRequest.setServerName("mydomain2.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
@@ -118,17 +118,17 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
@Test
public void sameOriginMatchWithAllowedOrigins() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.servletRequest.setServerName("mydomain2.com");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.com"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
this.servletRequest.setServerName("mydomain2.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Arrays.asList("http://mydomain1.example"));
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isTrue();
assertThat(HttpStatus.FORBIDDEN.value()).isNotEqualTo((long) servletResponse.getStatus());
}
@Test
public void sameOriginNoMatch() throws Exception {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
this.servletRequest.setServerName("mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.example");
this.servletRequest.setServerName("mydomain2.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(Collections.emptyList());
assertThat(interceptor.beforeHandshake(request, response, wsHandler, attributes)).isFalse();
assertThat(HttpStatus.FORBIDDEN.value()).isEqualTo(servletResponse.getStatus());

View File

@@ -105,7 +105,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
body = this.servletResponse.getContentAsString();
assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}");
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isNull();
@@ -114,8 +114,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
@Test // SPR-12226 and SPR-12660
public void handleInfoGetWithOrigin() throws IOException {
this.servletRequest.setServerName("mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.servletRequest.setServerName("mydomain2.example");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
assertThat(this.servletResponse.getContentType()).isEqualTo("application/json;charset=UTF-8");
@@ -125,17 +125,17 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertThat(body.substring(0, body.indexOf(':'))).isEqualTo("{\"entropy\"");
assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}");
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.example", "http://mydomain2.example", "http://mydomain3.example"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
this.service.setAllowedOrigins(Collections.singletonList("*"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
this.servletRequest.setServerName("mydomain3.com");
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.FORBIDDEN);
}
@@ -168,25 +168,25 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
}
@Test // SPR-12226 and SPR-12660
public void handleInfoOptionsWithAllowedOrigin() {
this.servletRequest.setServerName("mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
this.servletRequest.setServerName("mydomain2.example");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.example");
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com", "http://mydomain2.com", "http://mydomain3.com"));
this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.example", "http://mydomain2.example", "http://mydomain3.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNotNull();
@@ -198,22 +198,22 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
@Test // SPR-16304
public void handleInfoOptionsWithForbiddenOrigin() {
this.servletRequest.setServerName("mydomain3.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
CorsConfiguration corsConfiguration = this.service.getCorsConfiguration(this.servletRequest);
assertThat(corsConfiguration.getAllowedOrigins().isEmpty()).isTrue();
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
corsConfiguration = this.service.getCorsConfiguration(this.servletRequest);
assertThat(corsConfiguration.getAllowedOrigins()).isEqualTo(Collections.singletonList("https://mydomain1.com"));
assertThat(corsConfiguration.getAllowedOrigins()).isEqualTo(Collections.singletonList("https://mydomain1.example"));
}
@Test // SPR-12283
public void handleInfoOptionsWithOriginAndCorsHeadersDisabled() {
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
this.service.setAllowedOrigins(Collections.singletonList("*"));
this.service.setSuppressCors(true);
@@ -221,11 +221,11 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.FORBIDDEN);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com", "http://mydomain3.com"));
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example", "http://mydomain3.example"));
resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
assertThat(this.service.getCorsConfiguration(this.servletRequest)).isNull();
}

View File

@@ -164,8 +164,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
public void handleTransportRequestXhrAllowedOriginsMatch() throws Exception {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(200);
@@ -175,8 +175,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
public void handleTransportRequestXhrAllowedOriginsNoMatch() throws Exception {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com", "https://mydomain2.com"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.com");
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example", "https://mydomain2.example"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain3.example");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(403);
@@ -186,9 +186,9 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
public void handleTransportRequestXhrSameOrigin() throws Exception {
String sockJsPath = sessionUrlPrefix + "xhr";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
this.servletRequest.setServerName("mydomain2.com");
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
this.servletRequest.setServerName("mydomain2.example");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(200);
@@ -198,9 +198,9 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
public void handleInvalidTransportType() throws Exception {
String sockJsPath = sessionUrlPrefix + "invalid";
setRequest("POST", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.com"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
this.servletRequest.setServerName("mydomain2.com");
this.service.setAllowedOrigins(Arrays.asList("https://mydomain1.example"));
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
this.servletRequest.setServerName("mydomain2.example");
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(404);
@@ -289,17 +289,17 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
assertThat(this.servletResponse.getStatus()).isNotEqualTo((long) 403);
resetRequestAndResponse();
List<String> allowed = Collections.singletonList("https://mydomain1.com");
List<String> allowed = Collections.singletonList("https://mydomain1.example");
OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(allowed);
wsService.setHandshakeInterceptors(Collections.singletonList(interceptor));
setRequest("GET", sockJsPrefix + sockJsPath);
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain1.example");
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isNotEqualTo((long) 403);
resetRequestAndResponse();
setRequest("GET", sockJsPrefix + sockJsPath);
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.com");
this.servletRequest.addHeader(HttpHeaders.ORIGIN, "https://mydomain2.example");
wsService.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(403);
}
@@ -314,7 +314,7 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
resetRequestAndResponse();
setRequest("GET", sockJsPrefix + sockJsPath);
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
assertThat(this.servletResponse.getStatus()).isEqualTo(404);
assertThat(this.servletResponse.getHeader("X-Frame-Options")).isNull();