/**
 * Apply CORS processing to the given exchange.
 * <p>Returns {@code true} when the exchange may continue to its handler:
 * the request is not a CORS request, the response already carries an
 * {@code Access-Control-Allow-Origin} header, the request is same-origin,
 * or no configuration applies and the request is not a pre-flight.
 * A pre-flight with no configuration is rejected and yields {@code false};
 * every other case is delegated to {@code handleInternal}.
 * @param config the CORS configuration to apply, or {@code null} if none
 * @param exchange the current exchange
 * @return {@code true} to continue with the request, {@code false} if rejected
 */
@Override
public boolean process(@Nullable CorsConfiguration config, ServerWebExchange exchange) {
	ServerHttpRequest request = exchange.getRequest();
	ServerHttpResponse response = exchange.getResponse();

	// Requests without CORS semantics need no processing at all.
	if (!CorsUtils.isCorsRequest(request)) {
		return true;
	}
	if (responseHasCors(response)) {
		logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
		return true;
	}
	if (CorsUtils.isSameOrigin(request)) {
		logger.trace("Skip: request is from same origin");
		return true;
	}

	boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
	if (config != null) {
		return handleInternal(exchange, config, preFlightRequest);
	}
	// No configuration: an actual request passes through untouched, but a
	// pre-flight cannot be answered and is rejected here.
	if (!preFlightRequest) {
		return true;
	}
	rejectRequest(response);
	return false;
}
/**
 * Check if the request is a same-origin one by comparing the {@code Origin}
 * header against the scheme, host and port of the request URI.
 * <p>A request that carries no {@code Origin} header is treated as
 * same-origin. Scheme and host are compared by exact string equality; the
 * port of each side is resolved through {@code getPort} before comparison.
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 * @param request the current request
 * @return {@code true} if the request is a same-origin one, {@code false} in case
 * of a cross-origin request
 * @throws IllegalArgumentException if the request URI has no scheme or host,
 * or its port cannot be determined (enforced via {@code Assert})
 */
public static boolean isSameOrigin(ServerHttpRequest request) {
	String origin = request.getHeaders().getOrigin();
	if (origin == null) {
		// Nothing to compare against: not a cross-origin request.
		return true;
	}

	URI requestUri = request.getURI();
	String scheme = requestUri.getScheme();
	String host = requestUri.getHost();
	int port = getPort(scheme, requestUri.getPort());
	Assert.notNull(scheme, "Actual request scheme must not be null");
	Assert.notNull(host, "Actual request host must not be null");
	Assert.isTrue(port != -1, "Actual request port must not be undefined");

	UriComponents originComponents = UriComponentsBuilder.fromOriginHeader(origin).build();
	String originScheme = originComponents.getScheme();
	// Short-circuit in the same order: scheme, then host, then resolved port.
	return (scheme.equals(originScheme)
			&& host.equals(originComponents.getHost())
			&& port == getPort(originScheme, originComponents.getPort()));
}
/**
 * Run CORS processing for CORS requests and decide whether the chain continues.
 * <p>Non-CORS requests, and CORS requests for which the configuration source
 * yields no configuration, are passed down the chain unchanged. A request the
 * processor rejects, or a pre-flight request, ends here with an empty result.
 * @param exchange the current exchange
 * @param chain the rest of the filter chain
 * @return completion of the chain, or an empty {@code Mono} if handled here
 */
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
	ServerHttpRequest request = exchange.getRequest();
	if (!CorsUtils.isCorsRequest(request)) {
		return chain.filter(exchange);
	}
	CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(exchange);
	if (corsConfiguration == null) {
		// No configuration for this exchange: behave as if the filter were absent.
		return chain.filter(exchange);
	}
	boolean accepted = this.processor.process(corsConfiguration, exchange);
	if (!accepted) {
		return Mono.empty();
	}
	if (CorsUtils.isPreFlightRequest(request)) {
		// Pre-flight responses are fully produced by the processor.
		return Mono.empty();
	}
	return chain.filter(exchange);
}
/**
 * Returns {@code true} if the request is a valid CORS pre-flight one: an
 * {@code OPTIONS} request that qualifies as a CORS request per
 * {@link #isCorsRequest} and carries an
 * {@code Access-Control-Request-Method} header.
 * @param request the current request
 */
public static boolean isPreFlightRequest(ServerHttpRequest request) {
	if (request.getMethod() != HttpMethod.OPTIONS) {
		return false;
	}
	if (!isCorsRequest(request)) {
		return false;
	}
	return (request.getHeaders().get(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
}
/**
 * Returns "this" instance if every header expression matches the request,
 * the pre-flight match for CORS pre-flight requests, or {@code null} otherwise.
 * @param exchange the current exchange
 */
@Override
@Nullable
public HeadersRequestCondition getMatchingCondition(ServerWebExchange exchange) {
	if (CorsUtils.isPreFlightRequest(exchange.getRequest())) {
		// Pre-flight requests are matched unconditionally so CORS processing can answer them.
		return PRE_FLIGHT_MATCH;
	}
	boolean allMatch = true;
	for (HeaderExpression expression : this.expressions) {
		// Short-circuits: no further expression is evaluated once one has failed.
		allMatch = allMatch && expression.match(exchange);
	}
	return (allMatch ? this : null);
}
/**
 * Build a request for {@code serverName[:port]} carrying the given
 * {@code Forwarded} and {@code Origin} headers, adapt it through the
 * forwarded-header handling, and assert it is considered same-origin.
 * @param port the explicit port, or {@code -1} for none
 */
private void testWithForwardedHeader(String serverName, int port, String forwardedHeader, String originHeader) {
	StringBuilder url = new StringBuilder("http://").append(serverName);
	if (port != -1) {
		url.append(':').append(port);
	}
	MockServerHttpRequest.BaseBuilder<?> builder = get(url.toString());
	builder.header("Forwarded", forwardedHeader);
	builder.header(HttpHeaders.ORIGIN, originHeader);
	ServerHttpRequest request = adaptFromForwardedHeaders(builder);
	assertTrue(CorsUtils.isSameOrigin(request));
}
/**
 * Run CORS processing for CORS requests and decide whether the chain continues.
 * <p>Non-CORS requests, and CORS requests for which the configuration source
 * yields no configuration, are passed down the chain unchanged. A request the
 * processor rejects, or a pre-flight request, ends here with an empty result.
 * @param exchange the current exchange
 * @param chain the rest of the filter chain
 * @return completion of the chain, or an empty {@code Mono} if handled here
 */
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
	ServerHttpRequest request = exchange.getRequest();
	if (!CorsUtils.isCorsRequest(request)) {
		return chain.filter(exchange);
	}
	CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(exchange);
	if (corsConfiguration == null) {
		// No configuration for this exchange: behave as if the filter were absent.
		return chain.filter(exchange);
	}
	boolean accepted = this.processor.process(corsConfiguration, exchange);
	if (!accepted) {
		return Mono.empty();
	}
	if (CorsUtils.isPreFlightRequest(request)) {
		// Pre-flight responses are fully produced by the processor.
		return Mono.empty();
	}
	return chain.filter(exchange);
}
/**
 * Returns {@code true} if the request is a valid CORS pre-flight one: an
 * {@code OPTIONS} request that qualifies as a CORS request per
 * {@link #isCorsRequest} and carries an
 * {@code Access-Control-Request-Method} header.
 * @param request the current request
 */
public static boolean isPreFlightRequest(ServerHttpRequest request) {
	if (request.getMethod() != HttpMethod.OPTIONS) {
		return false;
	}
	if (!isCorsRequest(request)) {
		return false;
	}
	return (request.getHeaders().get(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
}
/**
 * Checks if any of the contained media type expressions match the given
 * request 'Content-Type' header and returns an instance that is guaranteed
 * to contain matching expressions only. The match is performed via
 * {@link MediaType#includes(MediaType)}.
 * <p>CORS pre-flight requests short-circuit to the pre-flight match.
 * @param exchange the current exchange
 * @return the same instance if the condition contains no expressions;
 * or a new condition with matching expressions only;
 * or {@code null} if no expressions match.
 */
@Override
public ConsumesRequestCondition getMatchingCondition(ServerWebExchange exchange) {
	if (CorsUtils.isPreFlightRequest(exchange.getRequest())) {
		return PRE_FLIGHT_MATCH;
	}
	if (isEmpty()) {
		return this;
	}
	// Collect the matching expressions, preserving the original order.
	Set<ConsumeMediaTypeExpression> matching = new LinkedHashSet<>();
	for (ConsumeMediaTypeExpression expression : this.expressions) {
		if (expression.match(exchange)) {
			matching.add(expression);
		}
	}
	return (matching.isEmpty() ? null : new ConsumesRequestCondition(matching));
}
@Test // SPR-16362 public void isSameOriginWithDifferentSchemes() { MockServerHttpRequest request = MockServerHttpRequest .get("http://mydomain1.com") .header(HttpHeaders.ORIGIN, "https://mydomain1.com") .build(); assertFalse(CorsUtils.isSameOrigin(request)); }
/**
 * Apply CORS processing to the given exchange.
 * <p>Returns {@code true} when the exchange may continue to its handler:
 * the request is not a CORS request, the response already carries an
 * {@code Access-Control-Allow-Origin} header, the request is same-origin,
 * or no configuration applies and the request is not a pre-flight.
 * A pre-flight with no configuration is rejected and yields {@code false};
 * every other case is delegated to {@code handleInternal}.
 * @param config the CORS configuration to apply, or {@code null} if none
 * @param exchange the current exchange
 * @return {@code true} to continue with the request, {@code false} if rejected
 */
@Override
public boolean process(@Nullable CorsConfiguration config, ServerWebExchange exchange) {
	ServerHttpRequest request = exchange.getRequest();
	ServerHttpResponse response = exchange.getResponse();

	// Requests without CORS semantics need no processing at all.
	if (!CorsUtils.isCorsRequest(request)) {
		return true;
	}
	if (responseHasCors(response)) {
		logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
		return true;
	}
	if (CorsUtils.isSameOrigin(request)) {
		logger.trace("Skip: request is from same origin");
		return true;
	}

	boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
	if (config != null) {
		return handleInternal(exchange, config, preFlightRequest);
	}
	// No configuration: an actual request passes through untouched, but a
	// pre-flight cannot be answered and is rejected here.
	if (!preFlightRequest) {
		return true;
	}
	rejectRequest(response);
	return false;
}
/**
 * Look up the handler for the exchange and, for CORS requests, run CORS
 * processing on the combined global and handler-level configuration.
 * <p>A request the processor rejects, or a pre-flight request, maps to
 * {@code REQUEST_HANDLED_HANDLER} instead of the resolved handler.
 * @param exchange the current exchange
 * @return the handler to invoke, or empty if none was resolved
 */
@Override
public Mono<Object> getHandler(ServerWebExchange exchange) {
	return getHandlerInternal(exchange).map(handler -> {
		if (logger.isDebugEnabled()) {
			logger.debug(exchange.getLogPrefix() + "Mapped to " + handler);
		}
		if (!CorsUtils.isCorsRequest(exchange.getRequest())) {
			return handler;
		}
		// Global configuration takes precedence and is merged with the handler's own.
		CorsConfiguration globalConfig = this.corsConfigurationSource.getCorsConfiguration(exchange);
		CorsConfiguration handlerConfig = getCorsConfiguration(handler, exchange);
		CorsConfiguration config = (globalConfig == null ? handlerConfig : globalConfig.combine(handlerConfig));
		boolean rejected = !getCorsProcessor().process(config, exchange);
		if (rejected || CorsUtils.isPreFlightRequest(exchange.getRequest())) {
			return REQUEST_HANDLED_HANDLER;
		}
		return handler;
	});
}
// A request without an Origin header is not a CORS request.
@Test
public void isNotCorsRequest() {
	MockServerHttpRequest.BaseBuilder<?> builder = get("/");
	ServerHttpRequest request = builder.build();
	assertFalse(CorsUtils.isCorsRequest(request));
}
logger.trace(exchange.getLogPrefix() + matches.size() + " matching mappings: " + matches); if (CorsUtils.isPreFlightRequest(exchange.getRequest())) { return PREFLIGHT_AMBIGUOUS_MATCH;
/**
 * Build a request for {@code serverName[:port]} with an {@code Origin} header
 * and whichever {@code X-Forwarded-*} headers are supplied, adapt it through
 * the forwarded-header handling, and assert it is considered same-origin.
 * @param port the explicit port, or {@code -1} for none
 * @param forwardedProto value for {@code X-Forwarded-Proto}, or {@code null} to omit
 * @param forwardedHost value for {@code X-Forwarded-Host}, or {@code null} to omit
 * @param forwardedPort value for {@code X-Forwarded-Port}, or {@code -1} to omit
 */
private void testWithXForwardedHeaders(String serverName, int port,
		String forwardedProto, String forwardedHost, int forwardedPort, String originHeader) {

	StringBuilder url = new StringBuilder("http://").append(serverName);
	if (port != -1) {
		url.append(':').append(port);
	}
	MockServerHttpRequest.BaseBuilder<?> builder = get(url.toString());
	builder.header(HttpHeaders.ORIGIN, originHeader);
	boolean hasProto = (forwardedProto != null);
	boolean hasHost = (forwardedHost != null);
	boolean hasPort = (forwardedPort != -1);
	if (hasProto) {
		builder.header("X-Forwarded-Proto", forwardedProto);
	}
	if (hasHost) {
		builder.header("X-Forwarded-Host", forwardedHost);
	}
	if (hasPort) {
		builder.header("X-Forwarded-Port", String.valueOf(forwardedPort));
	}
	ServerHttpRequest request = adaptFromForwardedHeaders(builder);
	assertTrue(CorsUtils.isSameOrigin(request));
}
/**
 * Check if the request is a same-origin one by comparing the {@code Origin}
 * header against the scheme, host and port of the request URI.
 * <p>A request that carries no {@code Origin} header is treated as
 * same-origin. Scheme and host are compared by exact string equality; the
 * port of each side is resolved through {@code getPort} before comparison.
 * <p><strong>Note:</strong> as of 5.1 this method ignores
 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the
 * client-originated address. Consider using the {@code ForwardedHeaderFilter}
 * to extract and use, or to discard such headers.
 * @param request the current request
 * @return {@code true} if the request is a same-origin one, {@code false} in case
 * of a cross-origin request
 * @throws IllegalArgumentException if the request URI has no scheme or host,
 * or its port cannot be determined (enforced via {@code Assert})
 */
public static boolean isSameOrigin(ServerHttpRequest request) {
	String origin = request.getHeaders().getOrigin();
	if (origin == null) {
		// Nothing to compare against: not a cross-origin request.
		return true;
	}

	URI requestUri = request.getURI();
	String scheme = requestUri.getScheme();
	String host = requestUri.getHost();
	int port = getPort(scheme, requestUri.getPort());
	Assert.notNull(scheme, "Actual request scheme must not be null");
	Assert.notNull(host, "Actual request host must not be null");
	Assert.isTrue(port != -1, "Actual request port must not be undefined");

	UriComponents originComponents = UriComponentsBuilder.fromOriginHeader(origin).build();
	String originScheme = originComponents.getScheme();
	// Short-circuit in the same order: scheme, then host, then resolved port.
	return (scheme.equals(originScheme)
			&& host.equals(originComponents.getHost())
			&& port == getPort(originScheme, originComponents.getPort()));
}
/**
 * Apply CORS processing to the given exchange.
 * <p>Returns {@code true} when the exchange may continue to its handler:
 * the request is not a CORS request, the response already carries an
 * {@code Access-Control-Allow-Origin} header, the request is same-origin,
 * or no configuration applies and the request is not a pre-flight.
 * A pre-flight with no configuration is rejected and yields {@code false};
 * every other case is delegated to {@code handleInternal}.
 * @param config the CORS configuration to apply, or {@code null} if none
 * @param exchange the current exchange
 * @return {@code true} to continue with the request, {@code false} if rejected
 */
@Override
public boolean process(@Nullable CorsConfiguration config, ServerWebExchange exchange) {
	ServerHttpRequest request = exchange.getRequest();
	ServerHttpResponse response = exchange.getResponse();

	// Requests without CORS semantics need no processing at all.
	if (!CorsUtils.isCorsRequest(request)) {
		return true;
	}
	if (responseHasCors(response)) {
		logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
		return true;
	}
	if (CorsUtils.isSameOrigin(request)) {
		logger.trace("Skip: request is from same origin");
		return true;
	}

	boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
	if (config != null) {
		return handleInternal(exchange, config, preFlightRequest);
	}
	// No configuration: an actual request passes through untouched, but a
	// pre-flight cannot be answered and is rejected here.
	if (!preFlightRequest) {
		return true;
	}
	rejectRequest(response);
	return false;
}
/**
 * Run CORS processing for CORS requests and decide whether the chain continues.
 * <p>Non-CORS requests, and CORS requests for which the configuration source
 * yields no configuration, are passed down the chain unchanged. A request the
 * processor rejects, or a pre-flight request, ends here with an empty result.
 * @param exchange the current exchange
 * @param chain the rest of the filter chain
 * @return completion of the chain, or an empty {@code Mono} if handled here
 */
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
	ServerHttpRequest request = exchange.getRequest();
	if (!CorsUtils.isCorsRequest(request)) {
		return chain.filter(exchange);
	}
	CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(exchange);
	if (corsConfiguration == null) {
		// No configuration for this exchange: behave as if the filter were absent.
		return chain.filter(exchange);
	}
	boolean accepted = this.processor.process(corsConfiguration, exchange);
	if (!accepted) {
		return Mono.empty();
	}
	if (CorsUtils.isPreFlightRequest(request)) {
		// Pre-flight responses are fully produced by the processor.
		return Mono.empty();
	}
	return chain.filter(exchange);
}
// Any request carrying an Origin header is treated as a CORS request.
@Test
public void isCorsRequest() {
	MockServerHttpRequest.BaseBuilder<?> builder = get("/");
	builder.header(HttpHeaders.ORIGIN, "http://domain.com");
	ServerHttpRequest request = builder.build();
	assertTrue(CorsUtils.isCorsRequest(request));
}
@Nullable public ProducesRequestCondition getMatchingCondition(ServerWebExchange exchange) { if (CorsUtils.isPreFlightRequest(exchange.getRequest())) { return PRE_FLIGHT_MATCH;