private void doCrossFilter(HttpServletRequest req, HttpServletResponse res) { String originsList = encodeHeader(req.getHeader(ORIGIN)); if (!isCrossOrigin(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origin is null. Returning"); if (!areOriginsAllowed(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origins '" + originsList + "' not allowed. Returning"); if (!isMethodAllowed(accessControlRequestMethod)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control method '" + accessControlRequestMethod + if (!areHeadersAllowed(accessControlRequestHeaders)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control headers '" + accessControlRequestHeaders + res.setHeader(ACCESS_CONTROL_ALLOW_METHODS, getAllowedMethodsHeader()); res.setHeader(ACCESS_CONTROL_ALLOW_HEADERS, getAllowedHeadersHeader()); res.setHeader(ACCESS_CONTROL_MAX_AGE, maxAge);
/**
 * Servlet entry point: lets {@code doCrossFilter} decide whether to stamp the
 * CORS response headers, then always passes the request down the chain.
 * <p>
 * Nothing in this method short-circuits the chain, so a request whose origin,
 * method or headers are not allowed still reaches the downstream servlet; the
 * only protection is the browser honouring the absent
 * {@code Access-Control-Allow-*} headers.  Both casts assume an HTTP servlet
 * container — a non-HTTP request would fail with a {@code ClassCastException}.
 *
 * @param req   incoming request (must be an {@link HttpServletRequest})
 * @param res   outgoing response (must be an {@link HttpServletResponse})
 * @param chain the remaining filter chain, always invoked
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
    throws IOException, ServletException {
  final HttpServletRequest httpRequest = (HttpServletRequest) req;
  final HttpServletResponse httpResponse = (HttpServletResponse) res;
  doCrossFilter(httpRequest, httpResponse);
  chain.doFilter(req, res);
}
/**
 * Reads the filter's allow-lists and cache lifetime from the init-params.
 * <p>
 * Each helper below reads its own init-param from {@code filterConfig} and
 * populates the corresponding field; the order only affects the order of the
 * start-up log lines.  The tests in this corpus call {@code init} again after
 * {@code destroy()} and expect the new configuration to take effect, so the
 * helpers are relied on to add to already-cleared collections.
 *
 * @param filterConfig the servlet filter configuration to read from
 * @throws ServletException declared by the {@code Filter} contract
 */
@Override public void init(FilterConfig filterConfig) throws ServletException { initializeAllowedMethods(filterConfig); initializeAllowedHeaders(filterConfig); initializeAllowedOrigins(filterConfig); initializeMaxAge(filterConfig); }
CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.getAllowedHeadersHeader() .compareTo("X-Requested-With,Accept") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,POST") == 0); Assert.assertTrue(filter.areOriginsAllowed("example.com")); filter.destroy(); conf.clear(); filter.init(filterConfig); filter.getAllowedHeadersHeader() .compareTo("Content-Type,Origin") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,HEAD") == 0); Assert.assertTrue(filter.areOriginsAllowed("newexample.com")); filter.destroy();
CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Boolean.TRUE.toString()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_METHODS, filter.getAllowedMethodsHeader()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_HEADERS, filter.getAllowedHeadersHeader()); Mockito.verify(mockChain).doFilter(mockReq, mockRes);
/**
 * A single {@code "*"} in {@link CrossOriginFilter#ALLOWED_ORIGINS} must accept
 * any origin, here an arbitrary host name.
 * <p>
 * NOTE(review): {@code "*"} accepts every {@code Origin} the client sends.  If
 * the filter also emits {@code Access-Control-Allow-Credentials: true} for an
 * accepted origin (confirm against doCrossFilter), a wildcard origin list lets
 * any site make credentialed cross-origin requests — treat it as a
 * development-only setting.
 */
@Test
public void testAllowAllOrigins() throws ServletException, IOException {
  Map<String, String> wildcardConf = new HashMap<String, String>();
  wildcardConf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*");

  CrossOriginFilter filter = new CrossOriginFilter();
  filter.init(new FilterConfigTest(wildcardConf));

  Assert.assertTrue(filter.areOriginsAllowed("example.com"));
}
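/**
 * Loads the header allow-list from the {@code ALLOWED_HEADERS} init-param,
 * falling back to {@code ALLOWED_HEADERS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedHeaders},
 * where it would be written back to clients via
 * {@link #getAllowedHeadersHeader()}.  Entry case is preserved because the
 * configured spelling is exactly what gets echoed in the response.
 * <p>
 * NOTE(review): browsers send {@code Access-Control-Request-Headers} in lower
 * case and header names are case-insensitive; confirm that whichever check
 * consumes {@code allowedHeaders} compares case-insensitively.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedHeaders(FilterConfig filterConfig) {
  String allowedHeadersConfig = filterConfig.getInitParameter(ALLOWED_HEADERS);
  if (allowedHeadersConfig == null) {
    allowedHeadersConfig = ALLOWED_HEADERS_DEFAULT;
  }
  for (String header : allowedHeadersConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!header.isEmpty()) {
      allowedHeaders.add(header);
    }
  }
  LOG.info("Allowed Headers: " + getAllowedHeadersHeader());
}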
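/**
 * Loads the method allow-list from the {@code ALLOWED_METHODS} init-param,
 * falling back to {@code ALLOWED_METHODS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedMethods},
 * where it would be written back to clients via
 * {@link #getAllowedMethodsHeader()}.  Spelling is kept as configured: HTTP
 * method tokens are case-sensitive, and the tests in this corpus expect the
 * configured text (e.g. {@code "GET,POST"}) to be echoed verbatim.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedMethods(FilterConfig filterConfig) {
  String allowedMethodsConfig = filterConfig.getInitParameter(ALLOWED_METHODS);
  if (allowedMethodsConfig == null) {
    allowedMethodsConfig = ALLOWED_METHODS_DEFAULT;
  }
  for (String method : allowedMethodsConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!method.isEmpty()) {
      allowedMethods.add(method);
    }
  }
  LOG.info("Allowed Methods: " + getAllowedMethodsHeader());
}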
/**
 * {@link CrossOriginFilter#encodeHeader(String)} sits between a client-supplied
 * {@code Origin} value and a response header, so it must (a) pass a
 * well-formed origin through untouched, (b) drop an LF-injected continuation
 * that would otherwise split the response into a second header, and (c) keep
 * a space-separated list of origins intact.
 * <p>
 * NOTE(review): only a bare {@code "\n"} is exercised here; a {@code "\r\n"}
 * (and lone {@code "\r"}) variant would be worth adding once encodeHeader's
 * handling of CR is confirmed.
 */
@Test
public void testEncodeHeaders() {
  final String origin = "http://localhost:12345";

  // (a) a valid origin round-trips unchanged
  Assert.assertEquals("Valid origin encoding should match exactly",
      origin, CrossOriginFilter.encodeHeader(origin));

  // (b) an injected header line after the origin must be discarded
  final String injected = origin + " \nSecondHeader: value";
  Assert.assertEquals("Http response split origin should be protected against",
      origin, CrossOriginFilter.encodeHeader(injected));

  // (c) multiple origins separated by a single space survive intact
  final String originList =
      "http://foo.example.com:12345 http://bar.example.com:12345";
  Assert.assertEquals("Valid origin list encoding should match exactly",
      originList, CrossOriginFilter.encodeHeader(originList));
}
CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.getAllowedHeadersHeader() .compareTo("X-Requested-With,Accept") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,POST") == 0); Assert.assertTrue(filter.areOriginsAllowed("example.com")); filter.destroy(); conf.clear(); filter.init(filterConfig); filter.getAllowedHeadersHeader() .compareTo("Content-Type,Origin") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,HEAD") == 0); Assert.assertTrue(filter.areOriginsAllowed("newexample.com")); filter.destroy();
CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Boolean.TRUE.toString()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_METHODS, filter.getAllowedMethodsHeader()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_HEADERS, filter.getAllowedHeadersHeader()); Mockito.verify(mockChain).doFilter(mockReq, mockRes);
/**
 * A single {@code "*"} in {@link CrossOriginFilter#ALLOWED_ORIGINS} must accept
 * any origin, here an arbitrary host name.
 * <p>
 * NOTE(review): {@code "*"} accepts every {@code Origin} the client sends.  If
 * the filter also emits {@code Access-Control-Allow-Credentials: true} for an
 * accepted origin (confirm against doCrossFilter), a wildcard origin list lets
 * any site make credentialed cross-origin requests — treat it as a
 * development-only setting.
 */
@Test
public void testAllowAllOrigins() throws ServletException, IOException {
  Map<String, String> wildcardConf = new HashMap<String, String>();
  wildcardConf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*");

  CrossOriginFilter filter = new CrossOriginFilter();
  filter.init(new FilterConfigTest(wildcardConf));

  Assert.assertTrue(filter.areOriginsAllowed("example.com"));
}
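/**
 * Loads the header allow-list from the {@code ALLOWED_HEADERS} init-param,
 * falling back to {@code ALLOWED_HEADERS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedHeaders},
 * where it would be written back to clients via
 * {@link #getAllowedHeadersHeader()}.  Entry case is preserved because the
 * configured spelling is exactly what gets echoed in the response.
 * <p>
 * NOTE(review): browsers send {@code Access-Control-Request-Headers} in lower
 * case and header names are case-insensitive; confirm that whichever check
 * consumes {@code allowedHeaders} compares case-insensitively.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedHeaders(FilterConfig filterConfig) {
  String allowedHeadersConfig = filterConfig.getInitParameter(ALLOWED_HEADERS);
  if (allowedHeadersConfig == null) {
    allowedHeadersConfig = ALLOWED_HEADERS_DEFAULT;
  }
  for (String header : allowedHeadersConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!header.isEmpty()) {
      allowedHeaders.add(header);
    }
  }
  LOG.info("Allowed Headers: " + getAllowedHeadersHeader());
}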
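/**
 * Loads the method allow-list from the {@code ALLOWED_METHODS} init-param,
 * falling back to {@code ALLOWED_METHODS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedMethods},
 * where it would be written back to clients via
 * {@link #getAllowedMethodsHeader()}.  Spelling is kept as configured: HTTP
 * method tokens are case-sensitive, and the tests in this corpus expect the
 * configured text (e.g. {@code "GET,POST"}) to be echoed verbatim.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedMethods(FilterConfig filterConfig) {
  String allowedMethodsConfig = filterConfig.getInitParameter(ALLOWED_METHODS);
  if (allowedMethodsConfig == null) {
    allowedMethodsConfig = ALLOWED_METHODS_DEFAULT;
  }
  for (String method : allowedMethodsConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!method.isEmpty()) {
      allowedMethods.add(method);
    }
  }
  LOG.info("Allowed Methods: " + getAllowedMethodsHeader());
}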
/**
 * {@link CrossOriginFilter#encodeHeader(String)} sits between a client-supplied
 * {@code Origin} value and a response header, so it must (a) pass a
 * well-formed origin through untouched, (b) drop an LF-injected continuation
 * that would otherwise split the response into a second header, and (c) keep
 * a space-separated list of origins intact.
 * <p>
 * NOTE(review): only a bare {@code "\n"} is exercised here; a {@code "\r\n"}
 * (and lone {@code "\r"}) variant would be worth adding once encodeHeader's
 * handling of CR is confirmed.
 */
@Test
public void testEncodeHeaders() {
  final String origin = "http://localhost:12345";

  // (a) a valid origin round-trips unchanged
  Assert.assertEquals("Valid origin encoding should match exactly",
      origin, CrossOriginFilter.encodeHeader(origin));

  // (b) an injected header line after the origin must be discarded
  final String injected = origin + " \nSecondHeader: value";
  Assert.assertEquals("Http response split origin should be protected against",
      origin, CrossOriginFilter.encodeHeader(injected));

  // (c) multiple origins separated by a single space survive intact
  final String originList =
      "http://foo.example.com:12345 http://bar.example.com:12345";
  Assert.assertEquals("Valid origin list encoding should match exactly",
      originList, CrossOriginFilter.encodeHeader(originList));
}
private void doCrossFilter(HttpServletRequest req, HttpServletResponse res) { String originsList = encodeHeader(req.getHeader(ORIGIN)); if (!isCrossOrigin(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origin is null. Returning"); if (!areOriginsAllowed(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origins '" + originsList + "' not allowed. Returning"); if (!isMethodAllowed(accessControlRequestMethod)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control method '" + accessControlRequestMethod + if (!areHeadersAllowed(accessControlRequestHeaders)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control headers '" + accessControlRequestHeaders + res.setHeader(ACCESS_CONTROL_ALLOW_METHODS, getAllowedMethodsHeader()); res.setHeader(ACCESS_CONTROL_ALLOW_HEADERS, getAllowedHeadersHeader()); res.setHeader(ACCESS_CONTROL_MAX_AGE, maxAge);
/**
 * Reads the filter's allow-lists and cache lifetime from the init-params.
 * <p>
 * Each helper below reads its own init-param from {@code filterConfig} and
 * populates the corresponding field; the order only affects the order of the
 * start-up log lines.  The tests in this corpus call {@code init} again after
 * {@code destroy()} and expect the new configuration to take effect, so the
 * helpers are relied on to add to already-cleared collections.
 *
 * @param filterConfig the servlet filter configuration to read from
 * @throws ServletException declared by the {@code Filter} contract
 */
@Override public void init(FilterConfig filterConfig) throws ServletException { initializeAllowedMethods(filterConfig); initializeAllowedHeaders(filterConfig); initializeAllowedOrigins(filterConfig); initializeMaxAge(filterConfig); }
/**
 * {@code *.example.com} in the allowed-origins list should match any
 * sub-domain depth of example.com but neither the bare apex nor a value where
 * the dot is replaced by another character (presumably guarding against the
 * {@code .} being interpreted as a regex wildcard).  A space-separated origin
 * list is accepted as soon as one entry matches and rejected when none does.
 * <p>
 * NOTE(review): nothing here pins the wildcard to the end of the origin —
 * e.g. that {@code foo.example.com.attacker.net} is rejected.  Worth adding
 * once the anchoring used by areOriginsAllowed is confirmed.
 */
@Test
public void testPatternMatchingOrigins() throws ServletException, IOException {
  Map<String, String> wildcardConf = new HashMap<String, String>();
  wildcardConf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*.example.com");

  CrossOriginFilter filter = new CrossOriginFilter();
  filter.init(new FilterConfigTest(wildcardConf));

  // apex and a non-dot separator are rejected; any sub-domain depth is accepted
  Assert.assertFalse(filter.areOriginsAllowed("example.com"));
  Assert.assertFalse(filter.areOriginsAllowed("foo:example.com"));
  Assert.assertTrue(filter.areOriginsAllowed("foo.example.com"));
  Assert.assertTrue(filter.areOriginsAllowed("foo.bar.example.com"));

  // a list passes if either entry matches, and fails only if neither does
  Assert.assertTrue(filter.areOriginsAllowed("foo.example.com foo.nomatch.com"));
  Assert.assertTrue(filter.areOriginsAllowed("foo.nomatch.com foo.example.com"));
  Assert.assertFalse(filter.areOriginsAllowed("foo.nomatch1.com foo.nomatch2.com"));
}
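/**
 * Loads the header allow-list from the {@code ALLOWED_HEADERS} init-param,
 * falling back to {@code ALLOWED_HEADERS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedHeaders},
 * where it would be written back to clients via
 * {@link #getAllowedHeadersHeader()}.  Entry case is preserved because the
 * configured spelling is exactly what gets echoed in the response.
 * <p>
 * NOTE(review): browsers send {@code Access-Control-Request-Headers} in lower
 * case and header names are case-insensitive; confirm that whichever check
 * consumes {@code allowedHeaders} compares case-insensitively.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedHeaders(FilterConfig filterConfig) {
  String allowedHeadersConfig = filterConfig.getInitParameter(ALLOWED_HEADERS);
  if (allowedHeadersConfig == null) {
    allowedHeadersConfig = ALLOWED_HEADERS_DEFAULT;
  }
  for (String header : allowedHeadersConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!header.isEmpty()) {
      allowedHeaders.add(header);
    }
  }
  LOG.info("Allowed Headers: " + getAllowedHeadersHeader());
}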
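/**
 * Loads the method allow-list from the {@code ALLOWED_METHODS} init-param,
 * falling back to {@code ALLOWED_METHODS_DEFAULT} when it is absent.
 * <p>
 * The value is a comma-separated list; whitespace around each entry is
 * ignored.  Blank entries (an empty value, a leading or doubled comma) are
 * dropped so that an empty string never lands in {@code allowedMethods},
 * where it would be written back to clients via
 * {@link #getAllowedMethodsHeader()}.  Spelling is kept as configured: HTTP
 * method tokens are case-sensitive, and the tests in this corpus expect the
 * configured text (e.g. {@code "GET,POST"}) to be echoed verbatim.
 *
 * @param filterConfig the servlet filter configuration to read from
 */
private void initializeAllowedMethods(FilterConfig filterConfig) {
  String allowedMethodsConfig = filterConfig.getInitParameter(ALLOWED_METHODS);
  if (allowedMethodsConfig == null) {
    allowedMethodsConfig = ALLOWED_METHODS_DEFAULT;
  }
  for (String method : allowedMethodsConfig.trim().split("\\s*,\\s*")) {
    // split() yields "" for an empty value or a leading/doubled comma
    if (!method.isEmpty()) {
      allowedMethods.add(method);
    }
  }
  LOG.info("Allowed Methods: " + getAllowedMethodsHeader());
}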