fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource

- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
This commit is contained in:
baezzys
2024-07-21 21:53:57 +09:00
committed by Marcus Hert Da Coregio
parent 0190763a02
commit 3d4bcf1b44
3 changed files with 44 additions and 7 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -362,7 +362,7 @@ public class HttpSecurityConfigurationTests {
}
@Test
public void configureWhenCorsConfigurationSourceThenApplyCors() {
public void configureWhenCorsConfigurationSourceThenApplyCors() throws Exception {
this.spring.register(CorsConfigurationSourceConfig.class, DefaultWithFilterChainConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
CorsFilter corsFilter = (CorsFilter) filterChain.getFilters()
@@ -374,6 +374,16 @@ public class HttpSecurityConfigurationTests {
assertThat(configSource).isInstanceOf(UrlBasedCorsConfigurationSource.class);
}
// gh-15378
@Test
public void configureWhenNoUrlBasedCorsConfigThenNoCorsAppliedAndVaryHeaderNotPresent() throws Exception {
this.spring.register(NonUrlBasedCorsConfig.class, DefaultWithFilterChainConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
assertThat(filterChain.getFilters()).noneMatch((filter) -> filter instanceof CorsFilter);
this.mockMvc.perform(get("/")).andExpect(header().doesNotExist("Vary"));
}
@Test
public void configureWhenAddingCustomDslUsingWithThenApplied() throws Exception {
this.spring.register(WithCustomDslConfig.class, UserDetailsConfig.class).autowire();
@@ -673,6 +683,33 @@ public class HttpSecurityConfigurationTests {
}
@Configuration
@EnableWebSecurity
static class NonUrlBasedCorsConfig {
@Bean
CorsConfigurationSource corsConfigurationSource() {
return new CustomCorsConfigurationSource();
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.build();
}
}
static class CustomCorsConfigurationSource implements CorsConfigurationSource {
@Override
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(List.of("http://localhost:8080"));
return configuration;
}
}
static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {
boolean init;