/** * Whether the browser should send credentials, such as cookies along with * cross domain requests, to the annotated endpoint. The configured value is * set on the {@code Access-Control-Allow-Credentials} response header of * preflight requests. * <p><strong>NOTE:</strong> Be aware that this option establishes a high * level of trust with the configured domains and also increases the surface * attack of the web application by exposing sensitive user-specific * information such as cookies and CSRF tokens. * <p>By default this is not set in which case the * {@code Access-Control-Allow-Credentials} header is also not set and * credentials are therefore not allowed. */ public CorsRegistration allowCredentials(boolean allowCredentials) { this.config.setAllowCredentials(allowCredentials); return this; }
/** * Whether the browser should send credentials, such as cookies along with * cross domain requests, to the annotated endpoint. The configured value is * set on the {@code Access-Control-Allow-Credentials} response header of * preflight requests. * <p><strong>NOTE:</strong> Be aware that this option establishes a high * level of trust with the configured domains and also increases the surface * attack of the web application by exposing sensitive user-specific * information such as cookies and CSRF tokens. * <p>By default this is not set in which case the * {@code Access-Control-Allow-Credentials} header is also not set and * credentials are therefore not allowed. */ public CorsRegistration allowCredentials(boolean allowCredentials) { this.config.setAllowCredentials(allowCredentials); return this; }
@Override @Nullable public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { if (!this.suppressCors && CorsUtils.isCorsRequest(request)) { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(new ArrayList<>(this.allowedOrigins)); config.addAllowedMethod("*"); config.setAllowCredentials(true); config.setMaxAge(ONE_YEAR); config.addAllowedHeader("*"); return config; } return null; }
@Override public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.setAllowCredentials(true); return config; } }
@Override public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.setAllowCredentials(true); return config; } }
@Before public void setup() throws Exception { config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com")); config.setAllowedMethods(Arrays.asList("GET", "POST")); config.setAllowedHeaders(Arrays.asList("header1", "header2")); config.setExposedHeaders(Arrays.asList("header3", "header4")); config.setMaxAge(123L); config.setAllowCredentials(false); filter = new CorsWebFilter(r -> config); }
@Before public void setup() throws Exception { config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com")); config.setAllowedMethods(Arrays.asList("GET", "POST")); config.setAllowedHeaders(Arrays.asList("header1", "header2")); config.setExposedHeaders(Arrays.asList("header3", "header4")); config.setMaxAge(123L); config.setAllowCredentials(false); filter = new CorsFilter(r -> config); }
@Test public void checkOriginAllowed() { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(Arrays.asList("*")); assertEquals("*", config.checkOrigin("http://domain.com")); config.setAllowCredentials(true); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); config.setAllowedOrigins(Arrays.asList("http://domain.com")); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); config.setAllowCredentials(false); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); }
@Test public void setValues() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); assertEquals(Arrays.asList("*"), config.getAllowedOrigins()); config.addAllowedHeader("*"); assertEquals(Arrays.asList("*"), config.getAllowedHeaders()); config.addAllowedMethod("*"); assertEquals(Arrays.asList("*"), config.getAllowedMethods()); config.addExposedHeader("header1"); config.addExposedHeader("header2"); assertEquals(Arrays.asList("header1", "header2"), config.getExposedHeaders()); config.setAllowCredentials(true); assertTrue(config.getAllowCredentials()); config.setMaxAge(123L); assertEquals(new Long(123), config.getMaxAge()); }
@Test public void combineWithNullProperties() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.addAllowedHeader("header1"); config.addExposedHeader("header3"); config.addAllowedMethod(HttpMethod.GET.name()); config.setMaxAge(123L); config.setAllowCredentials(true); CorsConfiguration other = new CorsConfiguration(); config = config.combine(other); assertEquals(Arrays.asList("*"), config.getAllowedOrigins()); assertEquals(Arrays.asList("header1"), config.getAllowedHeaders()); assertEquals(Arrays.asList("header3"), config.getExposedHeaders()); assertEquals(Arrays.asList(HttpMethod.GET.name()), config.getAllowedMethods()); assertEquals(new Long(123), config.getMaxAge()); assertTrue(config.getAllowCredentials()); }
@Test public void combine() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("http://domain1.com"); config.addAllowedHeader("header1"); config.addExposedHeader("header3"); config.addAllowedMethod(HttpMethod.GET.name()); config.setMaxAge(123L); config.setAllowCredentials(true); CorsConfiguration other = new CorsConfiguration(); other.addAllowedOrigin("http://domain2.com"); other.addAllowedHeader("header2"); other.addExposedHeader("header4"); other.addAllowedMethod(HttpMethod.PUT.name()); other.setMaxAge(456L); other.setAllowCredentials(false); config = config.combine(other); assertEquals(Arrays.asList("http://domain1.com", "http://domain2.com"), config.getAllowedOrigins()); assertEquals(Arrays.asList("header1", "header2"), config.getAllowedHeaders()); assertEquals(Arrays.asList("header3", "header4"), config.getExposedHeaders()); assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()), config.getAllowedMethods()); assertEquals(new Long(456), config.getMaxAge()); assertFalse(config.getAllowCredentials()); }
@Test public void actualRequestCredentialsWithOriginWildcard() throws Exception { this.request.setMethod(HttpMethod.GET.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.conf.addAllowedOrigin("*"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void preflightRequestCredentialsWithOriginWildcard() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1"); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("*"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.addAllowedHeader("Header1"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void actualRequestCredentials() throws Exception { this.request.setMethod(HttpMethod.GET.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("http://domain2.com"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void actualRequestCredentialsWithOriginWildcard() throws Exception { ServerWebExchange exchange = actualRequest(); this.conf.addAllowedOrigin("*"); this.conf.setAllowCredentials(true); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }
@Test public void preflightRequestCredentialsWithOriginWildcard() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest() .header(ACCESS_CONTROL_REQUEST_METHOD, "GET") .header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1")); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("*"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.addAllowedHeader("Header1"); this.conf.setAllowCredentials(true); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }
@Test public void actualRequestCredentials() throws Exception { ServerWebExchange exchange = actualRequest(); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("http://domain2.com"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.setAllowCredentials(true); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }
@Test public void preflightRequestCredentials() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1"); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("http://domain2.com"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.addAllowedHeader("Header1"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void setNullValues() { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(null); assertNull(config.getAllowedOrigins()); config.setAllowedHeaders(null); assertNull(config.getAllowedHeaders()); config.setAllowedMethods(null); assertNull(config.getAllowedMethods()); config.setExposedHeaders(null); assertNull(config.getExposedHeaders()); config.setAllowCredentials(null); assertNull(config.getAllowCredentials()); config.setMaxAge(null); assertNull(config.getMaxAge()); }
@Test public void preflightRequestCredentials() throws Exception { ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest() .header(ACCESS_CONTROL_REQUEST_METHOD, "GET") .header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1")); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("http://domain2.com"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.addAllowedHeader("Header1"); this.conf.setAllowCredentials(true); this.processor.process(this.conf, exchange); ServerHttpResponse response = exchange.getResponse(); assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(response.getHeaders().get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS)); assertNull(response.getStatusCode()); }