DefaultCorsProcessor checks for existing CORS response before attempting to compare origin
Issue: SPR-14080
This commit is contained in:
parent
55f1c98c39
commit
abe7345008
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2015 the original author or authors.
|
* Copyright 2002-2016 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -67,14 +67,14 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||||
}
|
}
|
||||||
|
|
||||||
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
|
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
|
||||||
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
|
if (responseHasCors(serverResponse)) {
|
||||||
|
logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
|
||||||
if (WebUtils.isSameOrigin(serverRequest)) {
|
|
||||||
logger.debug("Skip CORS processing, request is a same-origin one");
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (responseHasCors(serverResponse)) {
|
|
||||||
logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header");
|
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
|
||||||
|
if (WebUtils.isSameOrigin(serverRequest)) {
|
||||||
|
logger.debug("Skip CORS processing: request is from same origin");
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -93,14 +93,13 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean responseHasCors(ServerHttpResponse response) {
|
private boolean responseHasCors(ServerHttpResponse response) {
|
||||||
boolean hasAllowOrigin = false;
|
|
||||||
try {
|
try {
|
||||||
hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null);
|
return (response.getHeaders().getAccessControlAllowOrigin() != null);
|
||||||
}
|
}
|
||||||
catch (NullPointerException npe) {
|
catch (NullPointerException npe) {
|
||||||
// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
|
// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
return hasAllowOrigin;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -164,7 +163,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||||
/**
|
/**
|
||||||
* Check the origin and determine the origin for the response. The default
|
* Check the origin and determine the origin for the response. The default
|
||||||
* implementation simply delegates to
|
* implementation simply delegates to
|
||||||
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
|
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
|
||||||
*/
|
*/
|
||||||
protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
|
protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
|
||||||
return config.checkOrigin(requestOrigin);
|
return config.checkOrigin(requestOrigin);
|
||||||
|
@ -173,7 +172,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||||
/**
|
/**
|
||||||
* Check the HTTP method and determine the methods for the response of a
|
* Check the HTTP method and determine the methods for the response of a
|
||||||
* pre-flight request. The default implementation simply delegates to
|
* pre-flight request. The default implementation simply delegates to
|
||||||
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
|
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
|
||||||
*/
|
*/
|
||||||
protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
|
protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
|
||||||
return config.checkHttpMethod(requestMethod);
|
return config.checkHttpMethod(requestMethod);
|
||||||
|
@ -186,7 +185,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||||
/**
|
/**
|
||||||
* Check the headers and determine the headers for the response of a
|
* Check the headers and determine the headers for the response of a
|
||||||
* pre-flight request. The default implementation simply delegates to
|
* pre-flight request. The default implementation simply delegates to
|
||||||
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
|
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
|
||||||
*/
|
*/
|
||||||
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
|
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
|
||||||
return config.checkHeaders(requestHeaders);
|
return config.checkHeaders(requestHeaders);
|
||||||
|
|
Loading…
Reference in New Issue