Polishing contribution

See gh-26108
2020-11-18 20:25:39 +00:00 · 2020-11-18 20:25:39 +00:00 · 9beca06404
parent ae75db2657
commit 9beca06404
5 changed files with 30 additions and 26 deletions
--- a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/SockJsServiceRegistration.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/SockJsServiceRegistration.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/StompWebSocketEndpointRegistration.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/StompWebSocketEndpointRegistration.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -62,9 +62,11 @@ public interface StompWebSocketEndpointRegistration {
 	StompWebSocketEndpointRegistration setAllowedOrigins(String... origins);

 	/**
-	 * Configure allowed {@code Origin} header values.
-	 *
-	 * @see org.springframework.web.cors.CorsConfiguration#setAllowedOriginPatterns(java.util.List)
+	 * A variant of {@link #setAllowedOrigins(String...)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * @since 5.3.2
 	 */
 	StompWebSocketEndpointRegistration setAllowedOriginPatterns(String... originPatterns);

--- a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebMvcStompWebSocketEndpointRegistration.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebMvcStompWebSocketEndpointRegistration.java
@ -132,13 +132,11 @@ public class WebMvcStompWebSocketEndpointRegistration implements StompWebSocketE
 	protected HandshakeInterceptor[] getInterceptors() {
 		List<HandshakeInterceptor> interceptors = new ArrayList<>(this.interceptors.size() + 1);
 		interceptors.addAll(this.interceptors);
-		OriginHandshakeInterceptor originHandshakeInterceptor = new OriginHandshakeInterceptor(this.allowedOrigins);
-		interceptors.add(originHandshakeInterceptor);
-
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(this.allowedOrigins);
+		interceptors.add(interceptor);
 		if (!ObjectUtils.isEmpty(this.allowedOriginPatterns)) {
-			originHandshakeInterceptor.setAllowedOriginPatterns(this.allowedOriginPatterns);
+			interceptor.setAllowedOriginPatterns(this.allowedOriginPatterns);
 		}
-
 		return interceptors.toArray(new HandshakeInterceptor[0]);
 	}

--- a/spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -82,18 +82,19 @@ public class OriginHandshakeInterceptor implements HandshakeInterceptor {
 	/**
 	 * Return the allowed {@code Origin} header values.
 	 * @since 4.1.5
-	 * @see #setAllowedOrigins
 	 */
 	public Collection<String> getAllowedOrigins() {
-		if (this.corsConfiguration.getAllowedOrigins() == null) {
-			return Collections.emptyList();
-		}
-		return Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOrigins()));
+		return (this.corsConfiguration.getAllowedOrigins() != null ?
+				Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOrigins())) :
+				Collections.emptyList());
 	}

 	/**
-	 * Configure allowed {@code Origin} pattern header values.
-	 *
+	 * A variant of {@link #setAllowedOrigins(Collection)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * @since 5.3.2
 	 * @see CorsConfiguration#setAllowedOriginPatterns(List)
 	 */
 	public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns) {
@ -108,10 +109,9 @@ public class OriginHandshakeInterceptor implements HandshakeInterceptor {
 	 * @see CorsConfiguration#getAllowedOriginPatterns()
 	 */
 	public Collection<String> getAllowedOriginPatterns() {
-		if (this.corsConfiguration.getAllowedOriginPatterns() == null) {
-			return Collections.emptyList();
-		}
-		return Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOriginPatterns()));
+		return (this.corsConfiguration.getAllowedOriginPatterns() != null ?
+				Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOriginPatterns())) :
+				Collections.emptyList());
 	}


@ -119,7 +119,8 @@ public class OriginHandshakeInterceptor implements HandshakeInterceptor {
 	public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
 			WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {

-		if (!WebUtils.isSameOrigin(request) && this.corsConfiguration.checkOrigin(request.getHeaders().getOrigin()) == null) {
+		if (!WebUtils.isSameOrigin(request) &&
+				this.corsConfiguration.checkOrigin(request.getHeaders().getOrigin()) == null) {
 			response.setStatusCode(HttpStatus.FORBIDDEN);
 			if (logger.isDebugEnabled()) {
 				logger.debug("Handshake request rejected, Origin header value " +
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
@ -322,9 +322,12 @@ public abstract class AbstractSockJsService implements SockJsService, CorsConfig
 	}

 	/**
-	 * Configure allowed {@code Origin} header values.
-	 *
-	 * @see org.springframework.web.cors.CorsConfiguration#setAllowedOriginPatterns(java.util.List)
+	 * A variant of {@link #setAllowedOrigins(Collection)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * <p>By default this is not set.
+	 * @since 5.2.3
 	 */
 	public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns) {
 		Assert.notNull(allowedOriginPatterns, "Allowed origin patterns Collection must not be null");