Commit Graph

368 Commits

Author SHA1 Message Date
Sebastien Deleuze
cd9b3903a7 Introduce CorsFilter and CorsConfigurationMapping
This commit introduces the following changes:
 - The new CorsConfigurationMapping class allows to share the mapped
   CorsConfiguration logic between AbstractHandlerMapping and CorsFilter
 - In AbstractHandlerMapping, the Map<String, CorsConfiguration>
   corsConfiguration property has been renamed to corsConfigurations
 - CorsFilter allows to process CORS requests at filter level, using any
   CorsConfigurationSource implementation (for example
   CorsConfigurationMapping)

Issue: SPR-13192
2015-07-09 22:19:46 +02:00
Sebastien Deleuze
8ee0e78980 Add Access-Control-Request-Method check for CORS preflight requests
Issue: SPR-13193
2015-07-07 09:34:39 +02:00
Sebastien Deleuze
aea23e42c7 Polish 2015-07-07 09:26:06 +02:00
Rossen Stoyanchev
0d1b7fd14f Fix RequestPartServletServerHttpRequest encoding issue
When using Appache Commons FileUpload, multi parts with binary data
(i.e. that are not actual files) are saved and then accessed as
String request parameters.

Before this change however the RequestPartServletServerHttpRequest
used a fixed encoding (UTF-8) while the parsing code in
CommonsFileUploadSupport/Resolver used the encoding from the
content-type header, or the request, or the FileUpload component.

This change does a best effort to determine the encoding of the
request parameter using a similar algorithm as the parsing side
that should work the same unless the encoding comes from the
FileUpload component which is not accessible.

Issue: SPR-13096
2015-07-07 00:47:06 -04:00
Sam Brannen
0f7fc12569 Clean up warnings in spring-web 2015-07-06 18:30:20 +02:00
Rossen Stoyanchev
749bee4d58 Polish tests 2015-06-30 12:16:22 -04:00
Juergen Hoeller
0411435bac XML parsing tests pass on non-English locales now, plus a revised exception message and some minor polishing
Issue: SPR-13136
(cherry picked from commit 38b8262e1e)
2015-06-30 17:16:45 +02:00
Rossen Stoyanchev
d79ec68db4 Disable DTD when parsing untrusted XML input
Issue: SPR-13136
2015-06-30 07:50:21 -04:00
Juergen Hoeller
4facb2fc22 ContentCachingResponseWrapper defensively applies content length in case of sendError/sendRedirect
Issue: SPR-13004
2015-06-30 12:45:43 +02:00
Juergen Hoeller
dc1f921f5c Split between basic MethodParameter and SynthesizingMethodParameter
This split avoids a package tangle (between core and core.annotation) and also allows for selective use of raw annotation exposure versus synthesized annotations, with the latter primarily applicable to web and message handler processing at this point.

Issue: SPR-13153
2015-06-30 00:02:02 +02:00
Brian Clozel
39d689da0c Fix conditional requests support for HttpEntity
Prior to this commit, `HttpEntityMethodProcessor` would rely on
`ServletWebRequest` to process conditional requests and with incoming
`"If-Modified-Since"` / `"If-None-Match"` request headers.

This approach is problematic since in that class:

* response is wrapped in a `ServletServerHttpResponse`
* this wrapped response does not write response headers right away
* `ServletWebRequest.checkNotModified` methods can't apply their
logic with incomplete response headers

This solution adds some minimal code duplication and applies
the conditional request logic within the Processor.

A possible alternative would be to improve the
`ServletServerHttpResponse$ServletResponseHttpHeaders` implementation
with write methods - but this solution would only work for Servlet 3.x
applications.

Issue: SPR-13090
2015-06-29 16:47:27 +02:00
Sam Brannen
89e504c2f1 Uses Charset instead of String in MimeType.equals()
Prior to this commit, Spring's MimeType checked for equality between
two MIME types based on the equality of their properties maps; however,
the properties maps contain string representations of the "charset"
values. Thus, "UTF-8" is never equal to "utf-8" which breaks the
contract for character set names which must be compared in a
case-insensitive manner.

This commit addresses this issue by ensuring that "charset" properties
in MimeType instances are compared as Java Charset instances, thereby
ignoring case when checking for equality between charset names.

Issue: SPR-13157
2015-06-23 22:30:25 +02:00
Sam Brannen
75fe61843a Fix broken (Async)RestTemplate integration tests
Issue: SPR-13157
2015-06-23 15:15:09 +02:00
Sebastien Deleuze
31a5434ea4 Make @ResponseBody method return type available for message converters
This commit adds canWrite() and write() methods to the
GenericHttpMessageConverter interface. These are type aware variants
of the methods available in HttpMessageConverter, in order to keep
parametrized type information when serializing objects.

AbstractMessageConverterMethodProcessor now calls those type aware
methods when the message converter implements GenericHttpMessageConverter.

AbstractJackson2HttpMessageConverter and GsonHttpMessageConverter uses
these new methods to make @ResponseBody method return type available
for type resolution instead of just letting the JSON serializer trying
to guess the type to use from the object to serialize.

Issue: SPR-12811
2015-06-22 17:05:45 +02:00
Sam Brannen
de9f27872e Polish CORS support classes
- Simplified "check" algorithms in CorsConfiguration

- Improved robustness of setter methods in CorsConfiguration in order to
  avoid attempts to modify immutable lists

- Improved CORS documentation and fixed typo

- Introduced constants in CorsConfiguration

- Removed auto-boxing in CorsRegistration
2015-06-20 16:12:18 +02:00
Sam Brannen
078d252d1e Delete trailing whitespace in Java source code 2015-06-19 17:09:52 +02:00
Rossen Stoyanchev
210e10c657 Add AsyncHandlerMethodReturnValueHandler
Before this change HandlerMethodReturnValueHandler's were invoked in a
specific order (type-based, annotation-based, custom). However handlers
that deal with asynchronous return value handling need to always be
considered first. This affects custom handlers in particular since they
are normally ordered last.

This change introduces an AsyncHandlerMethodReturnValueHandler
sub-interface with a single method to determine if the return value is
asynchronous and if it is to look for a matching handler only among
those that are of type AsyncHandlerMethodReturnValueHandler.

Issue: SPR-13083
2015-06-16 08:48:56 -04:00
Sebastien Deleuze
8187833502 Change default JSON prefix from "{} && " to ")]}', "
Issue: SPR-13078
2015-06-16 11:30:07 +02:00
Juergen Hoeller
2bed89340b Supply body for POST/PUT/PATCH tests (for OkHttp 2.4 compatibility) 2015-06-16 00:16:33 +02:00
izeye
bd0ca70a2c Add missing super in test
Closes gh-814
2015-06-15 18:16:10 +02:00
Stephane Nicoll
5236eb6b63 Allow default settings of a custom HttpAsyncClient to apply
This is a rework of 71783c5 for SPR-12540 for the async extension that
was not merging the internal RequestConfig as it should.

Issue: SPR-13125
2015-06-15 18:13:07 +02:00
Brian Clozel
0175068cab Improve Last-Modified & ETag support
Prior to this change, the `"Last-Modified"` and "`Etag`" support had
been improved with SPR-11324: HTTP response headers are now
automatically added for conditional requests and more.

This commit fixes the format of the "`Last-Modified`" and "`ETag`"
values, which were using an epoch timestamp rather than an HTTP-date
format defined in RFC 7231 section 7.1.1.1.

Also, Conditional responses are only applied when the given response
applies, i.e. when it has an compatible HTTP status (2xx).

Issue: SPR-13090
2015-06-11 14:46:14 +02:00
Arjen Poutsma
4611d058c8 Support Forwarded-Header in UriComponentsBuilder
This commit introduces support for RFC 7239: Forwarded HTTP Extension in
the UriComponentsBuilder. Unfortunately, RFC 7239 is not a complete
replacement for the X-Forwarded-* headers: specifically, there is not
direct replacement for X-Forwarded-Port. The JIRA contains more
information.

Issue: SPR-11856
2015-06-10 11:48:12 -04:00
Sam Brannen
9ce7485237 Introduce alias for 'value' attribute in @SessionAttributes
Issue: SPR-11393
2015-05-31 17:21:03 +02:00
Sam Brannen
034e0e2cf4 Introduce alias for 'value' attribute in @RequestParam
Issue: SPR-11393
2015-05-31 16:20:38 +02:00
Sam Brannen
25a5d9d759 Introduce alias for 'value' attribute in @RequestHeader
Issue: SPR-11393
2015-05-31 16:20:33 +02:00
Sam Brannen
c4c3ce796a Introduce alias for 'value' attribute in @CookieValue
Issue: SPR-11393
2015-05-31 16:07:27 +02:00
Sam Brannen
7018747cec Remove trailing whitespace in Java source code 2015-05-29 02:03:44 +02:00
Stephane Nicoll
3d86f15a84 Merge BeanWrapperImpl and DirectFieldAccessor
`BeanWrapperImpl` and `DirectFieldAccessor` are two
`ConfigurablePropertyAccessor` implementations with different features
set.

This commit harmonizes the two implementations to use a common base class
that delegates the actual property handling to the sub-classes:

* `BeanWrapperImpl`:  `PropertyDescriptor` and introspection utilities
* `DirectFieldAccessor`: reflection on `java.lang.Field`

Issues: SPR-12206 - SPR-12805
2015-05-21 13:49:55 +02:00
Rossen Stoyanchev
1ba0625cd9 Add baseUrl to DefaultUriTemplateHandler
Issue: SPR-13035
2015-05-20 15:12:32 -04:00
Stephane Nicoll
cf391f5ce1 polish
Remove unused imports
2015-05-19 08:49:01 +02:00
Rossen Stoyanchev
6468aa775c Polish
Issue: SPR-12893
2015-05-18 16:48:05 -04:00
Luciano Leggieri
69fc2a8ab2 Support OkHttp as (Async)ClientHttpRequestFactory
This commit introduces support for OkHttp
(http://square.github.io/okhttp/) as a backing implementation for
ClientHttpRequestFactory and AsyncClientHttpRequestFactory.

Issue: SPR-12893
2015-05-18 16:48:05 -04:00
Rossen Stoyanchev
5e8d838334 CORS-related refinements
After this change CorsProcessor has a single processRequest method and
it also explicitly deals with a null CorsConfiguration, which for
pre-flight requests results in a rejection while for simple requests
results in no CORS headers added.

The AbstractHandlerMapping now uses a LinkedHashMap to preserve the
order in which global patterns are provided.
2015-05-18 12:20:54 -04:00
Sebastien Deleuze
49fff7513d Add global CORS configuration capabilities
This commit adds JavaConfig based global CORS configuration
capabilities to Spring MVC. It is now possible to specify
multiple CORS configurations, each mapped on a path pattern,
by overriding
WebMvcConfigurerAdapter#configureCrossOrigin(CrossOriginConfigurer).

It is also possible to combine global and @CrossOrigin based
CORS configuration.

Issue: SPR-12933
2015-05-16 00:52:51 +02:00
Rossen Stoyanchev
3e59c244f9 Add UriTemplateHandler
This change introduces a strategy for expanding a URI template into a
URI and makes it a property of the RestTemplate and AsyncRestTemplate
so that they can be pre-configured with such a strategy.

The DefaultUriTemplateHandler relies on UriComponentsBuilder internally
and provides functionality equivalent to using the UriTemplate.
A DefaultUriTemplateHandler can also be configured to parse the path
of a URI template into path segments in order to allow expanding URI
variables according to path segment encoding rules.

Issue: SPR-12750
2015-05-14 14:50:00 -04:00
Rossen Stoyanchev
2c408b7069 Revert change to support {/...} var syntax
Issue: SPR-12750
2015-05-14 10:06:33 -04:00
Juergen Hoeller
00147379f9 Polishing
(cherry picked from commit 9e925aa)
2015-05-11 22:22:23 +02:00
Juergen Hoeller
64a01d64c5 Polishing 2015-05-11 14:42:45 +02:00
Sebastien Deleuze
5465506fdd Register automatically Jackson's JDK 8 module when available
Issue: SPR-12983
2015-05-07 14:43:06 +02:00
Sam Brannen
572cbb0821 Consistently supply test name to @Parameters 2015-05-05 14:07:00 +02:00
Rossen Stoyanchev
e306098155 Encapsulate CORS checking within CorsConfiguration
CorsConfiguration now provides methods to check and determine the
allowed origin, method, and headers according to its own configuration.

This simplifies significantly the work that needs to be done from
DefaultCorsProcessor. However an alternative CorsProcessor can still
access the raw CorsConfiguration and perform its own checks.

Issue: SPR-12885
2015-05-05 09:31:41 +02:00
Sebastien Deleuze
83f269b512 Make DefaultCorsProcessor Servlet 2.5 compliant
This commit adds CORS related headers to HttpHeaders
and update DefaultCorsProcessor implementation to
use ServerHttpRequest and ServerHttpResponse instead
of HttpServletRequest and HttpServletResponse. Usage
of ServerHttpResponse allows to avoid using Servlet 3.0
specific methods in order keep CORS support Servlet 2.5
compliant.

Issue: SPR-12885
2015-05-05 09:31:41 +02:00
Rossen Stoyanchev
49e90575e9 Disable ShallowEtagHeaderFilter for HTTP streaming
Issue: SPR-12960
2015-05-04 06:08:25 -04:00
Rossen Stoyanchev
68ecb92d1f Allow "ws" and "wss" for isValidCorsOrigin checks
Issue: SPR-12956
2015-05-04 06:08:25 -04:00
Juergen Hoeller
af272c2124 HttpEntity and its subclasses insist on same target type for equality
Issue: SPR-12910
2015-04-15 14:58:16 +02:00
Rossen Stoyanchev
b18053f93a Fix failing test
The onFailure callback and future.get() occur in different threads so
this change adds a latch to ensure we have both before asserting.

Issue: SPR-12887
2015-04-13 15:31:35 -04:00
Arjen Poutsma
b119a9c82c FutureAdapter should wrap RuntimeExceptions
RuntimeExceptions thrown from FutureAdapter.adapt() should be wrapped in
an ExecutionException, not thrown as is.

Issue: SPR-12887
2015-04-10 12:52:15 +02:00
Rossen Stoyanchev
eb8c253499 Fix failing tests 2015-04-03 12:26:17 -04:00
Sebastien Deleuze
b0e1e66b7f Add CORS support
This commit introduces support for CORS in Spring Framework.

Cross-origin resource sharing (CORS) is a mechanism that allows
many resources (e.g. fonts, JavaScript, etc.) on a web page to
be requested from another domain outside the domain from which
the resource originated. It is defined by the CORS W3C
recommandation (http://www.w3.org/TR/cors/).

A new annotation @CrossOrigin allows to enable CORS support
on Controller type or method level. By default all origins
("*") are allowed.

@RestController
public class SampleController {

	@CrossOrigin
	@RequestMapping("/foo")
	public String foo() {
		// ...
	}
}

Various @CrossOrigin attributes allow to customize the CORS configuration.

@RestController
public class SampleController {

	@CrossOrigin(origin = { "http://site1.com", "http://site2.com" },
				 allowedHeaders = { "header1", "header2" },
				 exposedHeaders = { "header1", "header2" },
				 method = RequestMethod.DELETE,
				 maxAge = 123, allowCredentials = "true")
	@RequestMapping(value = "/foo", method = { RequestMethod.GET, RequestMethod.POST} )
	public String foo() {
		// ...
	}
}

A CorsConfigurationSource interface can be implemented by HTTP request
handlers that want to support CORS by providing a CorsConfiguration
that will be detected at AbstractHandlerMapping level. See for
example ResourceHttpRequestHandler that implements this interface.

Global CORS configuration should be supported through ControllerAdvice
(with type level @CrossOrigin annotated class or class implementing
CorsConfigurationSource), or with XML namespace and JavaConfig
configuration, but this is not implemented yet.

Issue: SPR-9278
2015-04-02 16:12:11 +02:00