Commit Graph

712 Commits

Author SHA1 Message Date
Rossen Stoyanchev
5e8d838334 CORS-related refinements
After this change CorsProcessor has a single processRequest method and
it also explicitly deals with a null CorsConfiguration, which for
pre-flight requests results in a rejection while for simple requests
results in no CORS headers added.

The AbstractHandlerMapping now uses a LinkedHashMap to preserve the
order in which global patterns are provided.
2015-05-18 12:20:54 -04:00
Arjen Poutsma
441ed801d9 Javadoc 2015-05-18 13:48:07 +02:00
Arjen Poutsma
a76bbae51d Javadoc 2015-05-18 10:46:38 +02:00
Sebastien Deleuze
49fff7513d Add global CORS configuration capabilities
This commit adds JavaConfig based global CORS configuration
capabilities to Spring MVC. It is now possible to specify
multiple CORS configurations, each mapped on a path pattern,
by overriding
WebMvcConfigurerAdapter#configureCrossOrigin(CrossOriginConfigurer).

It is also possible to combine global and @CrossOrigin based
CORS configuration.

Issue: SPR-12933
2015-05-16 00:52:51 +02:00
Rossen Stoyanchev
ca410fea53 Add component-neutral encode option in UriUtils
Issue: SPR-12750, SPR-12942
2015-05-14 14:51:13 -04:00
Rossen Stoyanchev
3e59c244f9 Add UriTemplateHandler
This change introduces a strategy for expanding a URI template into a
URI and makes it a property of the RestTemplate and AsyncRestTemplate
so that they can be pre-configured with such a strategy.

The DefaultUriTemplateHandler relies on UriComponentsBuilder internally
and provides functionality equivalent to using the UriTemplate.
A DefaultUriTemplateHandler can also be configured to parse the path
of a URI template into path segments in order to allow expanding URI
variables according to path segment encoding rules.

Issue: SPR-12750
2015-05-14 14:50:00 -04:00
Rossen Stoyanchev
2c408b7069 Revert change to support {/...} var syntax
Issue: SPR-12750
2015-05-14 10:06:33 -04:00
Juergen Hoeller
00147379f9 Polishing
(cherry picked from commit 9e925aa)
2015-05-11 22:22:23 +02:00
Juergen Hoeller
0d2859c99b Javadoc fixes
(cherry picked from commit a8f7539)
2015-05-11 22:01:23 +02:00
Juergen Hoeller
64a01d64c5 Polishing 2015-05-11 14:42:45 +02:00
Juergen Hoeller
cf0a916793 Consistent non-public AsyncRequestInterceptor classes
Issue: SPR-11694
2015-05-09 18:05:31 +02:00
Juergen Hoeller
1cc042d4c7 Polishing 2015-05-07 16:03:15 +02:00
Sebastien Deleuze
5465506fdd Register automatically Jackson's JDK 8 module when available
Issue: SPR-12983
2015-05-07 14:43:06 +02:00
Rossen Stoyanchev
8853107f76 Find CORS config by HandlerMethod
Before this change AbstractHandlerMethodMapping used a map from Method
to CorsConfiguration. That works for regular @RequestMapping methods.
However frameworks like Spring Boot and Spring Integration may
programmatically register the same Method under multiple mappings,
i.e. adapter/gateway type classes.

This change ensures that CorsConfiguraiton is indexed by HandlerMethod
so that we can store CorsConfiguration for different handler instances
even when the method is the same.

In order for to make this work, HandlerMethod now provides an
additional field called resolvedFromHandlerMethod that returns the
original HandlerMethod (with the String bean name). This makes it
possible to  perform reliable lookups.

Issue: SPR-11541
2015-05-05 12:56:07 -04:00
Sam Brannen
572cbb0821 Consistently supply test name to @Parameters 2015-05-05 14:07:00 +02:00
Rossen Stoyanchev
e306098155 Encapsulate CORS checking within CorsConfiguration
CorsConfiguration now provides methods to check and determine the
allowed origin, method, and headers according to its own configuration.

This simplifies significantly the work that needs to be done from
DefaultCorsProcessor. However an alternative CorsProcessor can still
access the raw CorsConfiguration and perform its own checks.

Issue: SPR-12885
2015-05-05 09:31:41 +02:00
Sebastien Deleuze
83f269b512 Make DefaultCorsProcessor Servlet 2.5 compliant
This commit adds CORS related headers to HttpHeaders
and update DefaultCorsProcessor implementation to
use ServerHttpRequest and ServerHttpResponse instead
of HttpServletRequest and HttpServletResponse. Usage
of ServerHttpResponse allows to avoid using Servlet 3.0
specific methods in order keep CORS support Servlet 2.5
compliant.

Issue: SPR-12885
2015-05-05 09:31:41 +02:00
Rossen Stoyanchev
a274ede3ef Polish HierarchicalUriComponents 2015-05-04 11:46:29 -04:00
Rossen Stoyanchev
49e90575e9 Disable ShallowEtagHeaderFilter for HTTP streaming
Issue: SPR-12960
2015-05-04 06:08:25 -04:00
Rossen Stoyanchev
68ecb92d1f Allow "ws" and "wss" for isValidCorsOrigin checks
Issue: SPR-12956
2015-05-04 06:08:25 -04:00
Rossen Stoyanchev
8376e1eca1 Support @RequestMapping as meta-annotation
Issue: SPR-12296
2015-04-24 10:33:44 -04:00
Sebastien Deleuze
5b0a0f4db5 Support CompletableFuture as alternative to DeferredResult in MVC
Issue: SPR-12597
2015-04-20 14:19:31 +02:00
Juergen Hoeller
10a51a4f19 InvocableHandlerMethod logs argument resolution exceptions at debug level
Issue: SPR-12925
2015-04-16 20:26:11 +02:00
Juergen Hoeller
fafb823e8d Polishing 2015-04-15 15:13:42 +02:00
Juergen Hoeller
af272c2124 HttpEntity and its subclasses insist on same target type for equality
Issue: SPR-12910
2015-04-15 14:58:16 +02:00
Rossen Stoyanchev
b18053f93a Fix failing test
The onFailure callback and future.get() occur in different threads so
this change adds a latch to ensure we have both before asserting.

Issue: SPR-12887
2015-04-13 15:31:35 -04:00
Rossen Stoyanchev
8ff7cc73bc Try defaulContentType for application/octet-stream
AbstractHttpMessageConverter now tries to call getDefaultContentType
with the actual value to be converted to see if that will result in
a more concrete mediat type than application/octet-stream.

Issue: SPR-12894
2015-04-13 14:31:25 -04:00
Arjen Poutsma
b119a9c82c FutureAdapter should wrap RuntimeExceptions
RuntimeExceptions thrown from FutureAdapter.adapt() should be wrapped in
an ExecutionException, not thrown as is.

Issue: SPR-12887
2015-04-10 12:52:15 +02:00
Rossen Stoyanchev
b6449baaa6 List all unsatisfied request param groups
Issue: SPR-12854
2015-04-06 23:33:56 -04:00
Rossen Stoyanchev
6f5359e40c Enrich TypeMismatchException for controller method args
Issue: SPR-10153
2015-04-06 22:36:54 -04:00
Rossen Stoyanchev
eb8c253499 Fix failing tests 2015-04-03 12:26:17 -04:00
Rossen Stoyanchev
452c3230cc Polishing 2015-04-03 10:56:51 -04:00
Sebastien Deleuze
b0e1e66b7f Add CORS support
This commit introduces support for CORS in Spring Framework.

Cross-origin resource sharing (CORS) is a mechanism that allows
many resources (e.g. fonts, JavaScript, etc.) on a web page to
be requested from another domain outside the domain from which
the resource originated. It is defined by the CORS W3C
recommandation (http://www.w3.org/TR/cors/).

A new annotation @CrossOrigin allows to enable CORS support
on Controller type or method level. By default all origins
("*") are allowed.

@RestController
public class SampleController {

	@CrossOrigin
	@RequestMapping("/foo")
	public String foo() {
		// ...
	}
}

Various @CrossOrigin attributes allow to customize the CORS configuration.

@RestController
public class SampleController {

	@CrossOrigin(origin = { "http://site1.com", "http://site2.com" },
				 allowedHeaders = { "header1", "header2" },
				 exposedHeaders = { "header1", "header2" },
				 method = RequestMethod.DELETE,
				 maxAge = 123, allowCredentials = "true")
	@RequestMapping(value = "/foo", method = { RequestMethod.GET, RequestMethod.POST} )
	public String foo() {
		// ...
	}
}

A CorsConfigurationSource interface can be implemented by HTTP request
handlers that want to support CORS by providing a CorsConfiguration
that will be detected at AbstractHandlerMapping level. See for
example ResourceHttpRequestHandler that implements this interface.

Global CORS configuration should be supported through ControllerAdvice
(with type level @CrossOrigin annotated class or class implementing
CorsConfigurationSource), or with XML namespace and JavaConfig
configuration, but this is not implemented yet.

Issue: SPR-9278
2015-04-02 16:12:11 +02:00
Sebastien Deleuze
35f40ae654 Add @JsonView deserialization support for request bodies
Jackson 2.5.0 or later is required.

Issue: SPR-12501
2015-04-02 12:05:45 +02:00
Sebastien Deleuze
ca06582f2a Support Jackson @JsonFilter
This commit adds a filters property to MappingJacksonValue
and also manages a special FilterProvider class name model key in
order to be able to specify a customized FilterProvider for each
handler method execution, and thus provides a more dynamic
alternative to our existing JsonView support.

A filters property is also now available in Jackson2ObjectMapperBuilder
and Jackson2ObjectMapperFactoryBean in order to set easily a
global FilterProvider.

More details about @JsonFilter at
http://wiki.fasterxml.com/JacksonFeatureJsonFilter.

Issue: SPR-12586
2015-04-02 11:23:18 +02:00
Juergen Hoeller
514eb4281c Polishing 2015-04-01 17:23:45 +02:00
Arjen Poutsma
caee78aee3 Netty4ClientHttpRequest ignores query params
Before this commit, Netty4ClientHttpRequest ignored query parameters
(?foo=bar). This commit fixes that.

Issue: SPR-12779
2015-04-01 13:08:56 +02:00
Rossen Stoyanchev
3a8a28beec Consolidate partialPaths under FullPathComposite 2015-03-31 21:34:39 -04:00
Arjen Poutsma
7668ea1549 Support {/...} patterns in UriComponents(Builder)
This commit introduces support for "Path Segment URI Variable
expansion", see https://tools.ietf.org/html/rfc6570#section-3.2.6.
In practice, this means that URI template variables prefixed with a '/'
are treated like path segments and - as such - will encode any '/'
found. For example: {/foo} expanded with "bar/baz" with result in
"bar%2F".

Issue: SPR-12750
2015-03-31 21:34:39 -04:00
Juergen Hoeller
39bc8b7992 AbstractContextLoaderInitializer and AbstractDispatcherServletInitializer support ApplicationContextInitializers now
Issue: SPR-12430
2015-03-31 17:21:57 +02:00
Juergen Hoeller
d05fc2ed9c CookieGenerator explicitly sets 'secure' and 'httpOnly' flags in removeCookie as well
Issue: SPR-12865
2015-03-31 09:59:55 +02:00
Juergen Hoeller
beae336627 Polishing 2015-03-25 15:22:41 +01:00
Juergen Hoeller
d23893fd25 Consistent javadoc param declarations for type variables 2015-03-25 00:44:01 +01:00
Juergen Hoeller
c8cc8b7cbd Removed outdated references to Servlet 2.3/2.4
(cherry picked from commit 673dac5)
2015-03-24 21:24:12 +01:00
Rossen Stoyanchev
44e8f7b333 Revert "Support {/var} syntax in UriComponentsBuilder"
This reverts commit a57d42829c after the
realization of a weaknesses with the proposed approach.

For example if a path segment contains both a /-prefixed and a regular
URI variable, there is no way to split that into a sequence of path
and path segments. The solution will have to be on the side of
UriComponents at the time of encoding.
2015-03-23 16:44:03 -04:00
Rossen Stoyanchev
95f6e4cc9b Support StreamingResponseBody return value type
Issue: SPR-12831
2015-03-23 15:38:52 -04:00
Brian Clozel
f9ce11eef8 Provide controller level Cache-Control support
Prior to this commit, Cache-Control HTTP headers could be set using
a WebContentInterceptor and configured cache mappings.

This commit adds support for cache-related HTTP headers at the controller
method level, by returning a ResponseEntity instance:

ResponseEntity.status(HttpStatus.OK)
    .cacheControl(CacheControl.maxAge(1, TimeUnit.HOURS).cachePublic())
    .eTag("deadb33f8badf00d")
    .body(entity);

Also, this change now automatically checks the "ETag" and
"Last-Modified" headers in ResponseEntity, in order to respond HTTP
"304 - Not Modified" if necessary.

Issue: SPR-8550
2015-03-23 18:05:14 +01:00
Brian Clozel
38f32e3816 Improve HTTP caching flexiblity
This commit improves HTTP caching defaults and flexibility in
Spring MVC.

1) Better default caching headers

The `WebContentGenerator` abstract class has been updated with
better HTTP defaults for HTTP caching, in line with current
browsers and proxies implementation (wide support of HTTP1.1, etc);
depending on the `setCacheSeconds` value:

* sends "Cache-Control: max-age=xxx" for caching responses and
do not send a "must-revalidate" value by default.
* sends "Cache-Control: no-store" or "Cache-Control: no-cache"
in order to prevent caching

Other methods used to set specific header such as
`setUseExpiresHeader` or `setAlwaysMustRevalidate` are now deprecated
in favor of `setCacheControl` for better flexibility.
Using one of the deprecated methods re-enables previous HTTP caching
behavior.

This change is applied in many Handlers, since
`WebContentGenerator` is extended by `AbstractController`,
`WebContentInterceptor`, `ResourceHttpRequestHandler` and others.

2) New CacheControl builder class

This new class brings more flexibility and allows developers
to set custom HTTP caching headers.

Several strategies are provided:

* `CacheControl.maxAge(int)` for caching responses with a
"Cache-Control: max-age=xxx" header
* `CacheControl.noStore()` prevents responses from being cached
with a "Cache-Control: no-store" header
* `CacheControl.noCache()` forces caches to revalidate the cached
response before reusing it, with a "Cache-Control: no-store" header.

From that point, it is possible to chain method calls to craft a
custom CacheControl instance:

```
CacheControl cc = CacheControl.maxAge(1, TimeUnit.HOURS)
    .cachePublic().noTransform();
```

3) Configuring HTTP caching in Resource Handlers

On top of the existing ways of configuring caching mechanisms,
it is now possible to use a custom `CacheControl` to serve
resources:

```
@Configuration
public class MyWebConfig extends WebMvcConfigurerAdapter {

  @Override
  public void addResourceHandlers(ResourceHandlerRegistry registry) {
    CacheControl cc = CacheControl.maxAge(1, TimeUnit.HOURS);
    registry.addResourceHandler("/resources/**)
            .addResourceLocations("classpath:/resources/")
            .setCacheControl(cc);
  }
}
```

or

```
<mvc:resources mapping="/resources/**" location="classpath:/resources/">
  <mvc:cachecontrol max-age="3600" cache-public="true"/>
</mvc:resources>
```

Issue: SPR-2779, SPR-6834, SPR-7129, SPR-9543, SPR-10464
2015-03-23 18:01:04 +01:00
Markus Malkusch
953608ec49 Improve ETag & Last-Modifed support in WebRequest
This change improves the following use cases with
`WebRequest.checkNotModified(String etag)` and
`WebRequest.checkNotModified(long lastModifiedTimeStamp)`:

1) Allow weak comparisons for ETags

Per rfc7232 section-2.3, ETags can be strong or weak;
this change allows comparing weak forms `W/"etagvalue"` but does
not make a difference between strong and weak comparisons.

2) Allow multiple ETags in client requests

HTTP clients can send multiple ETags values in a single header such as:
`If-None-Match: "firstvalue", "secondvalue"`
This change makes sure each value is compared to the one provided by
the application side.

3) Extended support for ETag values

This change adds padding `"` to the ETag value provided by
the application, if not already done:
`etagvalue` => `"etagvalue"`

It also supports wildcard values `*` that can be sent by HTTP clients.

4) Sending validation headers for 304 responses

As defined in https://tools.ietf.org/html/rfc7232#section-4.1
`304 Not Modified` reponses must generate `Etag` and `Last-Modified`
HTTP headers, as they would have for a `200 OK` response.

5) Providing a new method to validate both Etag & Last-Modified

Also, this change adds a new method
`WebRequest.checkNotModified(String etag, long lastModifiedTimeStamp)`
in order to support validation of both `If-None-Match` and
`Last-Modified` headers sent by HTTP clients, if both values are
supported by the application code.

Even though this approach is recommended by the HTTP rfc (setting both
Etag and Last-Modified headers in the response), this requires more
application logic and may not apply to all resources produced by the
application.

Issue: SPR-11324
2015-03-23 17:36:06 +01:00
Juergen Hoeller
56273a8ff3 Polishing 2015-03-21 01:19:01 +01:00