DefaultCorsProcessor checks for existing CORS response before attempting to compare origin

Issue: SPR-14080
2016-03-24 15:08:19 +01:00 · 2016-03-24 15:08:19 +01:00 · abe7345008
parent 55f1c98c39
commit abe7345008
1 changed files with 12 additions and 13 deletions
--- a/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -67,14 +67,14 @@ public class DefaultCorsProcessor implements CorsProcessor {
 		}
 		ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
-		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		if (responseHasCors(serverResponse)) {
-
+			logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
 		if (WebUtils.isSameOrigin(serverRequest)) {
 			logger.debug("Skip CORS processing, request is a same-origin one");
 			return true;
 		}
-		if (responseHasCors(serverResponse)) {
+
-			logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header");
+		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
 		if (WebUtils.isSameOrigin(serverRequest)) {
 			logger.debug("Skip CORS processing: request is from same origin");
 			return true;
 		}
@ -93,14 +93,13 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	}
 	private boolean responseHasCors(ServerHttpResponse response) {
 		boolean hasAllowOrigin = false;
 		try {
-			hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null);
+			return (response.getHeaders().getAccessControlAllowOrigin() != null);
 		}
 		catch (NullPointerException npe) {
 			// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
 			return false;
 		}
 		return hasAllowOrigin;
 	}
 	/**
@ -164,7 +163,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the origin and determine the origin for the response. The default
 	 * implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 		return config.checkOrigin(requestOrigin);
@ -173,7 +172,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the HTTP method and determine the methods for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
 		return config.checkHttpMethod(requestMethod);
@ -186,7 +185,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the headers and determine the headers for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
 		return config.checkHeaders(requestHeaders);