root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Introduce test for invalid @CrossOrigin.allowCredentials()

This commit is contained in:
Sam Brannen 2015-05-31 18:16:49 +02:00
parent 891d41c005
commit 72b44af862
2 changed files with 46 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
View File

@ -328,15 +328,17 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
for (String header : annotation.exposedHeaders()) { for (String header : annotation.exposedHeaders()) {
config.addExposedHeader(header); config.addExposedHeader(header);
} }
if (annotation.allowCredentials().equalsIgnoreCase("true")) {
String allowCredentials = annotation.allowCredentials();
if ("true".equalsIgnoreCase(allowCredentials)) {
config.setAllowCredentials(true); config.setAllowCredentials(true);
} }
else if (annotation.allowCredentials().equalsIgnoreCase("false")) { else if ("false".equalsIgnoreCase(allowCredentials)) {
config.setAllowCredentials(false); config.setAllowCredentials(false);
} }
else if (!annotation.allowCredentials().isEmpty()) { else if (!allowCredentials.isEmpty()) {
throw new IllegalStateException("AllowCredentials value must be \"true\", \"false\" " + throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", "
"or \"\" (empty string), current value is " + annotation.allowCredentials()); + "or an empty string (\"\"); current value is [" + allowCredentials + "].");
} }
if (annotation.maxAge() != -1 && config.getMaxAge() == null) { if (annotation.maxAge() != -1 && config.getMaxAge() == null) {
config.setMaxAge(annotation.maxAge()); config.setMaxAge(annotation.maxAge());

54
spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
View File

@ -18,21 +18,22 @@ package org.springframework.web.servlet.mvc.method.annotation;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import static org.junit.Assert.*;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.springframework.beans.DirectFieldAccessor; import org.springframework.beans.DirectFieldAccessor;
import org.springframework.core.annotation.AnnotationUtils; import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.http.HttpHeaders; import org.springframework.http.HttpHeaders;
import org.springframework.util.CollectionUtils;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.mock.web.test.MockHttpServletRequest; import org.springframework.mock.web.test.MockHttpServletRequest;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.util.CollectionUtils;
import org.springframework.web.bind.annotation.CrossOrigin; import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.HandlerExecutionChain; import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition; import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
@ -43,17 +44,24 @@ import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition; import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo; import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;
/** /**
* Test fixture for {@link CrossOrigin @CrossOrigin} annotated methods. * Test fixture for {@link CrossOrigin @CrossOrigin} annotated methods.
* *
* @author Sebastien Deleuze * @author Sebastien Deleuze
* @author Sam Brannen
*/ */
@SuppressWarnings("unchecked")
public class CrossOriginTests { public class CrossOriginTests {
private TestRequestMappingInfoHandlerMapping handlerMapping; private TestRequestMappingInfoHandlerMapping handlerMapping;
private MockHttpServletRequest request; private MockHttpServletRequest request;
@Rule
public ExpectedException exception = ExpectedException.none();
@Before @Before
public void setUp() { public void setUp() {
this.handlerMapping = new TestRequestMappingInfoHandlerMapping(); this.handlerMapping = new TestRequestMappingInfoHandlerMapping();
@ -123,6 +131,14 @@ public class CrossOriginTests {
assertEquals(false, config.getAllowCredentials()); assertEquals(false, config.getAllowCredentials());
} }
@Test
public void bogusAllowCredentialsValue() throws Exception {
exception.expect(IllegalStateException.class);
exception.expectMessage(containsString("@CrossOrigin's allowCredentials"));
exception.expectMessage(containsString("current value is [bogus]"));
this.handlerMapping.registerHandler(new MethodLevelControllerWithBogusAllowCredentialsValue());
}
@Test @Test
public void classLevel() throws Exception { public void classLevel() throws Exception {
this.handlerMapping.registerHandler(new ClassLevelController()); this.handlerMapping.registerHandler(new ClassLevelController());
@ -218,59 +234,67 @@ public class CrossOriginTests {
@Controller @Controller
private static class MethodLevelController { private static class MethodLevelController {
@RequestMapping(value = "/no", method = RequestMethod.GET) @RequestMapping(path = "/no", method = RequestMethod.GET)
public void noAnnotation() { public void noAnnotation() {
} }
@RequestMapping(value = "/no", method = RequestMethod.POST) @RequestMapping(path = "/no", method = RequestMethod.POST)
public void noAnnotationPost() { public void noAnnotationPost() {
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/default", method = RequestMethod.GET) @RequestMapping(path = "/default", method = RequestMethod.GET)
public void defaultAnnotation() { public void defaultAnnotation() {
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/default", method = RequestMethod.GET, params = "q") @RequestMapping(path = "/default", method = RequestMethod.GET, params = "q")
public void defaultAnnotationWithParams() { public void defaultAnnotationWithParams() {
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=a") @RequestMapping(path = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=a")
public void ambigousHeader1a() { public void ambigousHeader1a() {
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=b") @RequestMapping(path = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=b")
public void ambigousHeader1b() { public void ambigousHeader1b() {
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/xml") @RequestMapping(path = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/xml")
public String ambigousProducesXml() { public String ambigousProducesXml() {
return "<a></a>"; return "<a></a>";
} }
@CrossOrigin @CrossOrigin
@RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/json") @RequestMapping(path = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/json")
public String ambigousProducesJson() { public String ambigousProducesJson() {
return "{}"; return "{}";
} }
@CrossOrigin(origin = { "http://site1.com", "http://site2.com" }, allowedHeaders = { "header1", "header2" }, @CrossOrigin(origin = { "http://site1.com", "http://site2.com" }, allowedHeaders = { "header1", "header2" },
exposedHeaders = { "header3", "header4" }, method = RequestMethod.DELETE, maxAge = 123, allowCredentials = "false") exposedHeaders = { "header3", "header4" }, method = RequestMethod.DELETE, maxAge = 123, allowCredentials = "false")
@RequestMapping(value = "/customized", method = { RequestMethod.GET, RequestMethod.POST } ) @RequestMapping(path = "/customized", method = { RequestMethod.GET, RequestMethod.POST })
public void customized() { public void customized() {
} }
}
@Controller
private static class MethodLevelControllerWithBogusAllowCredentialsValue {
@CrossOrigin(allowCredentials = "bogus")
@RequestMapping("/bogus")
public void bogusAllowCredentialsValue() {
}
} }
@Controller @Controller
@CrossOrigin @CrossOrigin
private static class ClassLevelController { private static class ClassLevelController {
@RequestMapping(value = "/foo", method = RequestMethod.GET) @RequestMapping(path = "/foo", method = RequestMethod.GET)
public void foo() { public void foo() {
} }
} }