DefaultCorsProcessor checks for existing CORS response before attempting to compare origin

Issue: SPR-14080
This commit is contained in:
Juergen Hoeller 2016-03-24 15:08:19 +01:00
parent 55f1c98c39
commit abe7345008
1 changed files with 12 additions and 13 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2015 the original author or authors. * Copyright 2002-2016 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -67,14 +67,14 @@ public class DefaultCorsProcessor implements CorsProcessor {
} }
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response); ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request); if (responseHasCors(serverResponse)) {
logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
if (WebUtils.isSameOrigin(serverRequest)) {
logger.debug("Skip CORS processing, request is a same-origin one");
return true; return true;
} }
if (responseHasCors(serverResponse)) {
logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header"); ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
if (WebUtils.isSameOrigin(serverRequest)) {
logger.debug("Skip CORS processing: request is from same origin");
return true; return true;
} }
@ -93,14 +93,13 @@ public class DefaultCorsProcessor implements CorsProcessor {
} }
private boolean responseHasCors(ServerHttpResponse response) { private boolean responseHasCors(ServerHttpResponse response) {
boolean hasAllowOrigin = false;
try { try {
hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null); return (response.getHeaders().getAccessControlAllowOrigin() != null);
} }
catch (NullPointerException npe) { catch (NullPointerException npe) {
// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474 // SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
return false;
} }
return hasAllowOrigin;
} }
/** /**
@ -164,7 +163,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
/** /**
* Check the origin and determine the origin for the response. The default * Check the origin and determine the origin for the response. The default
* implementation simply delegates to * implementation simply delegates to
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
*/ */
protected String checkOrigin(CorsConfiguration config, String requestOrigin) { protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
return config.checkOrigin(requestOrigin); return config.checkOrigin(requestOrigin);
@ -173,7 +172,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
/** /**
* Check the HTTP method and determine the methods for the response of a * Check the HTTP method and determine the methods for the response of a
* pre-flight request. The default implementation simply delegates to * pre-flight request. The default implementation simply delegates to
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
*/ */
protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) { protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
return config.checkHttpMethod(requestMethod); return config.checkHttpMethod(requestMethod);
@ -186,7 +185,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
/** /**
* Check the headers and determine the headers for the response of a * Check the headers and determine the headers for the response of a
* pre-flight request. The default implementation simply delegates to * pre-flight request. The default implementation simply delegates to
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
*/ */
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) { protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
return config.checkHeaders(requestHeaders); return config.checkHeaders(requestHeaders);