@Override public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); return config; } }
@Override public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); return config; }
@Override public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.setAllowCredentials(true); return config; } }
@Override public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.setAllowCredentials(true); return config; } }
@Test // SPR-15772 public void changePermitDefaultValues() { CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues(); config.addAllowedOrigin("http://domain.com"); config.addAllowedHeader("header1"); config.addAllowedMethod("PATCH"); assertEquals(Arrays.asList("*", "http://domain.com"), config.getAllowedOrigins()); assertEquals(Arrays.asList("*", "header1"), config.getAllowedHeaders()); assertEquals(Arrays.asList("GET", "HEAD", "POST", "PATCH"), config.getAllowedMethods()); }
@Test public void actualRequestWithGlobalCorsConfig() throws Exception { CorsConfiguration mappedConfig = new CorsConfiguration(); mappedConfig.addAllowedOrigin("*"); this.handlerMapping.setCorsConfigurations(Collections.singletonMap("/welcome.html", mappedConfig)); String origin = "http://domain2.com"; ServerWebExchange exchange = createExchange(HttpMethod.GET, "/welcome.html", origin); Object actual = this.handlerMapping.getHandler(exchange).block(); assertNotNull(actual); assertSame(this.welcomeController, actual); assertEquals("*", exchange.getResponse().getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); }
@Test public void preFlightRequestWithGlobalCorsConfig() throws Exception { CorsConfiguration mappedConfig = new CorsConfiguration(); mappedConfig.addAllowedOrigin("*"); this.handlerMapping.setCorsConfigurations(Collections.singletonMap("/welcome.html", mappedConfig)); String origin = "http://domain2.com"; ServerWebExchange exchange = createExchange(HttpMethod.OPTIONS, "/welcome.html", origin); Object actual = this.handlerMapping.getHandler(exchange).block(); assertNotNull(actual); assertNotSame(this.welcomeController, actual); assertEquals("*", exchange.getResponse().getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); }
@Test public void preflightRequestWrongAllowedMethod() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE"); this.conf.addAllowedOrigin("*"); this.processor.processRequest(this.conf, this.request, this.response); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus()); }
@Test public void preflightRequestAllOriginsAllowed() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.conf.addAllowedOrigin("*"); this.processor.processRequest(this.conf, this.request, this.response); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void checkOriginNotAllowed() { CorsConfiguration config = new CorsConfiguration(); assertNull(config.checkOrigin(null)); assertNull(config.checkOrigin("http://domain.com")); config.addAllowedOrigin("*"); assertNull(config.checkOrigin(null)); config.setAllowedOrigins(Arrays.asList("http://domain1.com")); assertNull(config.checkOrigin("http://domain2.com")); config.setAllowedOrigins(new ArrayList<>()); assertNull(config.checkOrigin("http://domain.com")); }
@Test public void actualRequestCaseInsensitiveOriginMatch() throws Exception { this.request.setMethod(HttpMethod.GET.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.conf.addAllowedOrigin("http://DOMAIN2.com"); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void preflightRequestAllOriginsAllowed() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from( preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET")); this.conf.addAllowedOrigin("*"); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }
@Test public void preflightRequestWrongAllowedMethod() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from( preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "DELETE")); this.conf.addAllowedOrigin("*"); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode()); }
@Test public void actualRequestCaseInsensitiveOriginMatch() throws Exception { ServerWebExchange exchange = actualRequest(); this.conf.addAllowedOrigin("http://DOMAIN2.com"); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }
@Test public void preflightRequestMatchedAllowedMethod() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.conf.addAllowedOrigin("*"); this.processor.processRequest(this.conf, this.request, this.response); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); assertEquals("GET,HEAD", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); }
@Test public void preflightRequestMatchedAllowedMethod() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from( preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET")); this.conf.addAllowedOrigin("*"); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertNull(response.getStatusCode()); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals("GET,HEAD", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS)); }
@Test public void preflightRequestWithNullConfig() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.conf.addAllowedOrigin("*"); this.processor.processRequest(null, this.request, this.response); assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus()); }
@Test public void preflightRequestWithNullConfig() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from( preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET")); this.conf.addAllowedOrigin("*"); this.processor.process(null, exchange); ServerHttpResponse response = exchange.getResponse(); assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode()); }
@Test public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception { this.request.setMethod(HttpMethod.GET.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.conf.addAllowedOrigin("*"); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE)); assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception { ServerWebExchange exchange = actualRequest(); this.conf.addAllowedOrigin("*"); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("*", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)); assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE)); assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }