@Test public void testRealRequestAllowCredentials() throws Exception { Set<HttpMethod> allowedMethods = new LinkedHashSet<>(Arrays.asList(HttpMethod.PUT, HttpMethod.DELETE)); router.route().handler(CorsHandler.create("vertx\\.io").allowedMethods(allowedMethods).allowCredentials(true)); router.route().handler(context -> context.response().end()); testRequest(HttpMethod.GET, "/", req -> req.headers().add("origin", "vertx.io"), resp -> checkHeaders(resp, "vertx.io", null, null, null, "true", null), 200, "OK", null); }
@Test public void testChaining() throws Exception { CorsHandler cors = CorsHandler.create("*"); assertNotNull(cors); assertSame(cors, cors.allowedMethod(HttpMethod.POST)); assertSame(cors, cors.allowedMethod(HttpMethod.DELETE)); assertSame(cors, cors.allowedMethods(new HashSet<>())); assertSame(cors, cors.allowedHeader("X-foo")); assertSame(cors, cors.allowedHeader("X-bar")); assertSame(cors, cors.allowedHeaders(new HashSet<>())); assertSame(cors, cors.exposedHeader("X-wibble")); assertSame(cors, cors.exposedHeader("X-blah")); assertSame(cors, cors.exposedHeaders(new HashSet<>())); }
/** * Support CORS */ void mountCorsHandler(Router mainRouter) { if (!TransportConfig.isCorsEnabled()) { return; } CorsHandler corsHandler = getCorsHandler(TransportConfig.getCorsAllowedOrigin()); // Access-Control-Allow-Credentials corsHandler.allowCredentials(TransportConfig.isCorsAllowCredentials()); // Access-Control-Allow-Headers corsHandler.allowedHeaders(TransportConfig.getCorsAllowedHeaders()); // Access-Control-Allow-Methods Set<String> allowedMethods = TransportConfig.getCorsAllowedMethods(); for (String method : allowedMethods) { corsHandler.allowedMethod(HttpMethod.valueOf(method)); } // Access-Control-Expose-Headers corsHandler.exposedHeaders(TransportConfig.getCorsExposedHeaders()); // Access-Control-Max-Age int maxAge = TransportConfig.getCorsMaxAge(); if (maxAge >= 0) { corsHandler.maxAgeSeconds(maxAge); } LOGGER.info("mount CorsHandler"); mainRouter.route().handler(corsHandler); }
allowedMethods.add(HttpMethod.PUT); router.route().handler(CorsHandler.create("*").allowedHeaders(allowedHeaders).allowedMethods(allowedMethods));
@Test public void testUnsecureCorsShouldNotBeAllowed() throws Exception { try { CorsHandler.create("*").allowCredentials(true); fail("Should not be allowed!"); } catch (IllegalStateException e) { // OK } }
String allowedOrigin = config().getString( ConfigConstants.HTTP_CORS_ALLOW_ORIGIN, "$."); // match nothing by default CorsHandler corsHandler = CorsHandler.create(allowedOrigin); corsHandler.allowCredentials(true); corsHandler.allowedHeader((String)allowHeaders); } else if (allowHeaders instanceof JsonArray) { corsHandler.allowedHeaders(Seq.seq((JsonArray)allowHeaders) .cast(String.class).toSet()); } else if (allowHeaders != null) { corsHandler.allowedMethod(HttpMethod.valueOf((String)allowMethods)); } else if (allowMethods instanceof JsonArray) { corsHandler.allowedMethods(Seq.seq((JsonArray)allowMethods) .cast(String.class).map(HttpMethod::valueOf).toSet()); } else if (allowMethods != null) { corsHandler.exposedHeader((String)exposeHeaders); } else if (exposeHeaders instanceof JsonArray) { corsHandler.exposedHeaders(Seq.seq((JsonArray)exposeHeaders) .cast(String.class).toSet()); } else if (exposeHeaders != null) { corsHandler.maxAgeSeconds(maxAge);
private CorsHandler getCorsHandler(String corsAllowedOrigin) { return CorsHandler.create(corsAllowedOrigin); }
/** * Enables CORS * * @param allowedOriginPattern allowed origin * @param allowCredentials allow credentials (true/false) * @param maxAge in seconds * @param allowedHeaders set of allowed headers * @param methods list of methods ... if empty all methods are allowed @return self * @return self */ public RestBuilder enableCors(String allowedOriginPattern, boolean allowCredentials, int maxAge, Set<String> allowedHeaders, HttpMethod... methods) { corsHandler = CorsHandler.create(allowedOriginPattern) .allowCredentials(allowCredentials) .maxAgeSeconds(maxAge); if (methods == null || methods.length == 0) { // if not given than all methods = HttpMethod.values(); } for (HttpMethod method : methods) { corsHandler.allowedMethod(method); } if (allowedHeaders.size() > 0) { corsHandler.allowedHeaders(allowedHeaders); } return this; }
.handler(CorsHandler.create("*") .allowCredentials(false) .allowedHeaders(new HashSet<String>() { .allowedMethods(new HashSet<HttpMethod>() {
logger.debug("Setting up routes"); router.route().handler(CorsHandler.create("*") .allowedMethod(HttpMethod.PUT) .allowedMethod(HttpMethod.DELETE) .allowedMethod(HttpMethod.GET) .allowedMethod(HttpMethod.POST) .allowedHeader(HttpHeaders.CONTENT_TYPE.toString()) .allowedHeader(XOkapiHeaders.TENANT) .allowedHeader(XOkapiHeaders.TOKEN) .allowedHeader(XOkapiHeaders.AUTHORIZATION) .allowedHeader(XOkapiHeaders.REQUEST_ID) //expose response headers .exposedHeader(HttpHeaders.LOCATION.toString()) .exposedHeader(XOkapiHeaders.TRACE) .exposedHeader(XOkapiHeaders.TOKEN) .exposedHeader(XOkapiHeaders.AUTHORIZATION) .exposedHeader(XOkapiHeaders.REQUEST_ID) );
private io.vertx.ext.web.handler.CorsHandler corsHandler() { return io.vertx.ext.web.handler.CorsHandler .create(environment.getProperty("http.cors.allow-origin", String.class, "*")) .allowedHeaders(getStringPropertiesAsList("http.cors.allow-headers", "Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With, If-Match, x-xsrf-token")) .allowedMethods(getHttpMethodPropertiesAsList("http.cors.allow-methods", "GET, POST")) .maxAgeSeconds(environment.getProperty("http.cors.max-age", Integer.class, 86400)); }
private void addTelemetryApiRoutes(final Router router, final Handler<RoutingContext> authHandler) { router.routeWithRegex("\\/telemetry\\/[^\\/]+\\/.*").handler(CorsHandler.create(getConfig().getCorsAllowedOrigin()) .allowedMethod(HttpMethod.PUT) .allowedHeader(Constants.HEADER_QOS_LEVEL) .allowedHeader(Constants.HEADER_TIME_TIL_DISCONNECT) .allowedHeader(HttpHeaders.AUTHORIZATION.toString()) .allowedHeader(HttpHeaders.CONTENT_TYPE.toString())); router.route("/telemetry").handler(CorsHandler.create(getConfig().getCorsAllowedOrigin()) .allowedMethod(HttpMethod.POST) .allowedHeader(Constants.HEADER_QOS_LEVEL) .allowedHeader(Constants.HEADER_TIME_TIL_DISCONNECT) .allowedHeader(HttpHeaders.AUTHORIZATION.toString()) .allowedHeader(HttpHeaders.CONTENT_TYPE.toString()));
@Test public void testPreflightMaxAge() throws Exception { Set<HttpMethod> allowedMethods = new LinkedHashSet<>(Arrays.asList(HttpMethod.PUT, HttpMethod.DELETE)); int maxAge = 131233; router.route().handler(CorsHandler.create("vertx\\.io").allowedMethods(allowedMethods).maxAgeSeconds(maxAge)); router.route().handler(context -> context.response().end()); testRequest(HttpMethod.OPTIONS, "/", req -> { req.headers().add("origin", "vertx.io"); req.headers().add("access-control-request-method", "PUT,DELETE"); }, resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null, null, String.valueOf(maxAge)), 200, "OK", null); }
@Test public void testPreflightNoExposeHeaders() throws Exception { Set<HttpMethod> allowedMethods = new LinkedHashSet<>(Arrays.asList(HttpMethod.PUT, HttpMethod.DELETE)); Set<String> exposeHeaders = new LinkedHashSet<>(Arrays.asList("X-floob", "X-blurp")); router.route().handler(CorsHandler.create("vertx\\.io").allowedMethods(allowedMethods).exposedHeaders(exposeHeaders)); router.route().handler(context -> context.response().end()); testRequest(HttpMethod.OPTIONS, "/", req -> { req.headers().add("origin", "vertx.io"); req.headers().add("access-control-request-method", "PUT,DELETE"); }, resp -> { // Note expose headers header is never provided in response of pre-flight request checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null); }, 200, "OK", null); }
@Test public void testPreflightSimple() throws Exception { Set<HttpMethod> allowedMethods = new LinkedHashSet<>(Arrays.asList(HttpMethod.PUT, HttpMethod.DELETE)); router.route().handler(CorsHandler.create("vertx\\.io").allowedMethods(allowedMethods)); router.route().handler(context -> context.response().end()); testRequest(HttpMethod.OPTIONS, "/", req -> { req.headers().add("origin", "vertx.io"); req.headers().add("access-control-request-method", "PUT,DELETE"); }, resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null), 200, "OK", null); }
/** * Add a set of allowed headers * @param headerNames the allowed header names * @return a reference to this, so the API can be used fluently */ public io.vertx.rxjava.ext.web.handler.CorsHandler allowedHeaders(Set<String> headerNames) { delegate.allowedHeaders(headerNames); return this; }
/** * Add an allowed method * @param method the method to add * @return a reference to this, so the API can be used fluently */ public io.vertx.rxjava.ext.web.handler.CorsHandler allowedMethod(HttpMethod method) { delegate.allowedMethod(method); return this; }
/** * Set whether credentials are allowed. Note that user agents will block * requests that use a wildcard as origin and include credentials. * * From the MDN documentation you can read: * * <blockquote> * Important note: when responding to a credentialed request, * server must specify a domain, and cannot use wild carding. * </blockquote> * @param allow true if allowed * @return a reference to this, so the API can be used fluently */ public io.vertx.rxjava.ext.web.handler.CorsHandler allowCredentials(boolean allow) { delegate.allowCredentials(allow); return this; }
/** * Set how long the browser should cache the information * @param maxAgeSeconds max age in seconds * @return a reference to this, so the API can be used fluently */ public io.vertx.rxjava.ext.web.handler.CorsHandler maxAgeSeconds(int maxAgeSeconds) { delegate.maxAgeSeconds(maxAgeSeconds); return this; }
/** * Add an exposed header * @param headerName the exposed header name * @return a reference to this, so the API can be used fluently */ public io.vertx.rxjava.ext.web.handler.CorsHandler exposedHeader(String headerName) { delegate.exposedHeader(headerName); return this; }