/** Credentials combined with the literal {@code "*"} origin must be refused by the handler. */
@Test
public void testUnsecureCorsShouldNotBeAllowed() throws Exception {
  boolean rejected = false;
  try {
    CorsHandler.create("*").allowCredentials(true);
  } catch (IllegalStateException expected) {
    // this is the behaviour under test
    rejected = true;
  }
  if (!rejected) {
    fail("Should not be allowed!");
  }
}
/**
 * Sets whether the {@code Access-Control-Allow-Credentials} response header is granted.
 * <p>
 * User agents reject credentialed responses whose allowed origin is a wildcard, so this
 * is only useful together with a concrete origin pattern. From the MDN documentation:
 *
 * <blockquote>
 * Important note: when responding to a credentialed request,
 * server must specify a domain, and cannot use wild carding.
 * </blockquote>
 *
 * @param allow {@code true} to allow credentials
 * @return this handler, so calls can be chained fluently
 */
public io.vertx.rxjava.ext.web.handler.CorsHandler allowCredentials(boolean allow) {
  this.delegate.allowCredentials(allow);
  return this;
}
/**
 * Sets whether the {@code Access-Control-Allow-Credentials} response header is granted.
 * <p>
 * User agents reject credentialed responses whose allowed origin is a wildcard, so this
 * is only useful together with a concrete origin pattern. From the MDN documentation:
 *
 * <blockquote>
 * Important note: when responding to a credentialed request,
 * server must specify a domain, and cannot use wild carding.
 * </blockquote>
 *
 * @param allow {@code true} to allow credentials
 * @return this handler, so calls can be chained fluently
 */
public io.vertx.rxjava.ext.web.handler.CorsHandler allowCredentials(boolean allow) {
  this.delegate.allowCredentials(allow);
  return this;
}
/** A plain request from an explicitly allowed origin is answered with credentials enabled. */
@Test
public void testRealRequestAllowCredentials() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // the escaped dot makes this an exact-host pattern rather than "any character"
  CorsHandler cors = CorsHandler.create("vertx\\.io")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.GET, "/",
    req -> req.headers().add("origin", "vertx.io"),
    resp -> checkHeaders(resp, "vertx.io", null, null, null, "true", null),
    200, "OK", null);
}
/** A pattern such as {@code "vertx.*"} is not the bare wildcard, so credentials are accepted and the concrete origin is echoed. */
@Test
public void testRealRequestCredentialsNoWildcardOrigin() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  CorsHandler cors = CorsHandler.create("vertx.*")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.GET, "/",
    req -> req.headers().add("origin", "vertx.io"),
    // allow-origin must be the requesting origin, never "*", when credentials are on
    resp -> checkHeaders(resp, "vertx.io", null, null, null, "true", null),
    200, "OK", null);
}
/** A preflight from an origin matched by a non-wildcard pattern gets credentials and the requested methods. */
@Test
public void testPreflightAllowCredentialsNoWildcardOrigin() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // "vertx.*" is a pattern, not the bare "*" wildcard, so credentials are accepted;
  // the response must still echo the concrete origin rather than "*"
  CorsHandler cors = CorsHandler.create("vertx.*")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.OPTIONS, "/",
    req -> {
      req.headers().add("origin", "vertx.io");
      req.headers().add("access-control-request-method", "PUT,DELETE");
    },
    resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null, "true", null),
    200, "OK", null);
}
/** A preflight from an explicitly allowed origin is answered with credentials and the requested methods. */
@Test
public void testPreflightAllowCredentials() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // the escaped dot makes this an exact-host pattern rather than "any character"
  CorsHandler cors = CorsHandler.create("vertx\\.io")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.OPTIONS, "/",
    req -> {
      req.headers().add("origin", "vertx.io");
      req.headers().add("access-control-request-method", "PUT,DELETE");
    },
    resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null, "true", null),
    200, "OK", null);
}
/**
 * Mounts a CORS handler on {@code mainRouter} when CORS is enabled in
 * {@link TransportConfig}; each response header is driven by the corresponding setting.
 *
 * @param mainRouter router that receives the handler as a catch-all route
 */
void mountCorsHandler(Router mainRouter) {
  if (!TransportConfig.isCorsEnabled()) {
    return;
  }
  CorsHandler cors = getCorsHandler(TransportConfig.getCorsAllowedOrigin());
  // Access-Control-Allow-Credentials: only meaningful with a concrete (non-"*") origin
  cors.allowCredentials(TransportConfig.isCorsAllowCredentials());
  // Access-Control-Allow-Headers
  cors.allowedHeaders(TransportConfig.getCorsAllowedHeaders());
  // Access-Control-Allow-Methods: configured as names, resolved through HttpMethod.valueOf
  TransportConfig.getCorsAllowedMethods()
    .forEach(name -> cors.allowedMethod(HttpMethod.valueOf(name)));
  // Access-Control-Expose-Headers
  cors.exposedHeaders(TransportConfig.getCorsExposedHeaders());
  // Access-Control-Max-Age: negative values are not applied
  int maxAgeSeconds = TransportConfig.getCorsMaxAge();
  if (maxAgeSeconds >= 0) {
    cors.maxAgeSeconds(maxAgeSeconds);
  }
  LOGGER.info("mount CorsHandler");
  mainRouter.route().handler(cors);
}
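/**
 * Enables CORS on this builder.
 *
 * @param allowedOriginPattern allowed origin pattern handed to {@code CorsHandler.create}
 * @param allowCredentials     whether credentialed requests are allowed (true/false)
 * @param maxAge               preflight cache lifetime in seconds
 * @param allowedHeaders       set of allowed headers; {@code null} or empty adds none
 * @param methods              allowed methods; if empty or {@code null} all methods are allowed
 * @return self
 * @throws IllegalStateException if {@code allowCredentials} is true and the pattern is
 *                               the literal {@code "*"} wildcard, which the handler refuses
 */
public RestBuilder enableCors(String allowedOriginPattern, boolean allowCredentials, int maxAge, Set<String> allowedHeaders, HttpMethod... methods) {
  corsHandler = CorsHandler.create(allowedOriginPattern)
    .allowCredentials(allowCredentials)
    .maxAgeSeconds(maxAge);
  // an absent method list means every method is allowed
  HttpMethod[] allowed = (methods == null || methods.length == 0) ? HttpMethod.values() : methods;
  for (HttpMethod method : allowed) {
    corsHandler.allowedMethod(method);
  }
  // null-safe: the previous version dereferenced allowedHeaders.size() unconditionally
  if (allowedHeaders != null && !allowedHeaders.isEmpty()) {
    corsHandler.allowedHeaders(allowedHeaders);
  }
  return this;
}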
/** Credentials combined with the literal {@code "*"} origin must be refused by the handler. */
@Test
public void testUnsecureCorsShouldNotBeAllowed() throws Exception {
  boolean rejected = false;
  try {
    CorsHandler.create("*").allowCredentials(true);
  } catch (IllegalStateException expected) {
    // this is the behaviour under test
    rejected = true;
  }
  if (!rejected) {
    fail("Should not be allowed!");
  }
}
/**
 * Wires the relay's HTTP routes and websocket handler and starts listening on the
 * configured port/hostname (defaults {@code 8022} / {@code "localhost"}).
 *
 * @param startFuture completed once the server is listening, failed otherwise
 */
@Override
public void start(final Future<Void> startFuture) {
  final JsonObject config = config().getJsonObject("webservice");
  server = vertx.createHttpServer();
  final Router router = Router.router(vertx);
  // NOTE(review): ".*" is a pattern that matches every origin, and credentials are
  // allowed on top of it. Elsewhere in this corpus the handler refuses credentials only
  // for the literal "*" and accepts patterns such as "vertx.*", so this presumably lets
  // any site make credentialed (cookie-bearing) cross-origin requests to the relay —
  // confirm that is intended, otherwise restrict the pattern to the trusted origins.
  router.route().handler(CorsHandler
    .create(".*")
    .allowCredentials(true)
  );
  router.route().handler(io.vertx.ext.web.handler.CookieHandler.create());
  // the cookie routes receive the google-sso section under the "auth" key
  router.get("/cookie").handler(new CookieHandler(config().getJsonObject("application").copy().put("auth", config().getJsonObject("google-sso"))));
  router.post("/cookie").handler(new CookiePostHandler(vertx, new JsonObject().put("auth", config().getJsonObject("google-sso"))));
  router.get("/proxy").handler(new ProxyHandler(vertx, config()));
  router.get("/write").handler(new WriteHandler(vertx));
  router.get("/read").handler(new ReadHandler(vertx));
  server.requestHandler(router);
  server.websocketHandler(new ConnectHandler(vertx));
  server.listen(config.getInteger("port", 8022), config.getString("hostname", "localhost"),
    result -> {
      if (result.succeeded()) {
        logger.info("nassh-relay listening on port " + result.result().actualPort());
        startFuture.complete();
      } else {
        startFuture.fail(result.cause());
      }
    }
  );
}
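/**
 * Registers a CORS handler on the router at {@code ORDER_CORS_HANDLER}.
 *
 * @param router               router to add the handler to
 * @param allowedOriginPattern origin pattern handed to {@code CorsHandler.create}
 * @param allowCredentials     whether credentialed requests are allowed
 * @param maxAge               preflight cache lifetime in seconds
 * @param allowedHeaders       set of allowed headers, or {@code null} for none
 * @param methods              allowed methods, or empty/{@code null} for all
 * @throws IllegalStateException if {@code allowCredentials} is true and the pattern is
 *                               the literal {@code "*"} wildcard, which the handler refuses
 */
public void enableCors(Router router, String allowedOriginPattern, boolean allowCredentials, int maxAge, Set<String> allowedHeaders, HttpMethod... methods) {
  CorsHandler handler = CorsHandler.create(allowedOriginPattern)
    .allowCredentials(allowCredentials)
    .maxAgeSeconds(maxAge);
  // an absent method list means every method is allowed
  HttpMethod[] allowed = (methods == null || methods.length == 0) ? HttpMethod.values() : methods;
  for (HttpMethod method : allowed) {
    handler.allowedMethod(method);
  }
  // the contract documents null as "no headers"; honour it instead of passing null on
  if (allowedHeaders != null) {
    handler.allowedHeaders(allowedHeaders);
  }
  router.route().handler(handler).order(ORDER_CORS_HANDLER);
}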
/** A plain request from an explicitly allowed origin is answered with credentials enabled. */
@Test
public void testRealRequestAllowCredentials() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // the escaped dot makes this an exact-host pattern rather than "any character"
  CorsHandler cors = CorsHandler.create("vertx\\.io")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.GET, "/",
    req -> req.headers().add("origin", "vertx.io"),
    resp -> checkHeaders(resp, "vertx.io", null, null, null, "true", null),
    200, "OK", null);
}
/** A pattern such as {@code "vertx.*"} is not the bare wildcard, so credentials are accepted and the concrete origin is echoed. */
@Test
public void testRealRequestCredentialsNoWildcardOrigin() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  CorsHandler cors = CorsHandler.create("vertx.*")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.GET, "/",
    req -> req.headers().add("origin", "vertx.io"),
    // allow-origin must be the requesting origin, never "*", when credentials are on
    resp -> checkHeaders(resp, "vertx.io", null, null, null, "true", null),
    200, "OK", null);
}
/** A preflight from an explicitly allowed origin is answered with credentials and the requested methods. */
@Test
public void testPreflightAllowCredentials() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // the escaped dot makes this an exact-host pattern rather than "any character"
  CorsHandler cors = CorsHandler.create("vertx\\.io")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.OPTIONS, "/",
    req -> {
      req.headers().add("origin", "vertx.io");
      req.headers().add("access-control-request-method", "PUT,DELETE");
    },
    resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null, "true", null),
    200, "OK", null);
}
/** A preflight from an origin matched by a non-wildcard pattern gets credentials and the requested methods. */
@Test
public void testPreflightAllowCredentialsNoWildcardOrigin() throws Exception {
  Set<HttpMethod> methods = new LinkedHashSet<>();
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);
  // "vertx.*" is a pattern, not the bare "*" wildcard, so credentials are accepted;
  // the response must still echo the concrete origin rather than "*"
  CorsHandler cors = CorsHandler.create("vertx.*")
    .allowedMethods(methods)
    .allowCredentials(true);
  router.route().handler(cors);
  router.route().handler(ctx -> ctx.response().end());
  testRequest(HttpMethod.OPTIONS, "/",
    req -> {
      req.headers().add("origin", "vertx.io");
      req.headers().add("access-control-request-method", "PUT,DELETE");
    },
    resp -> checkHeaders(resp, "vertx.io", "PUT,DELETE", null, null, "true", null),
    200, "OK", null);
}
/**
 * Mounts a CORS handler on {@code mainRouter} when CORS is enabled in
 * {@link TransportConfig}; each response header is driven by the corresponding setting.
 *
 * @param mainRouter router that receives the handler as a catch-all route
 */
void mountCorsHandler(Router mainRouter) {
  if (!TransportConfig.isCorsEnabled()) {
    return;
  }
  CorsHandler cors = getCorsHandler(TransportConfig.getCorsAllowedOrigin());
  // Access-Control-Allow-Credentials: only meaningful with a concrete (non-"*") origin
  cors.allowCredentials(TransportConfig.isCorsAllowCredentials());
  // Access-Control-Allow-Headers
  cors.allowedHeaders(TransportConfig.getCorsAllowedHeaders());
  // Access-Control-Allow-Methods: configured as names, resolved through HttpMethod.valueOf
  TransportConfig.getCorsAllowedMethods()
    .forEach(name -> cors.allowedMethod(HttpMethod.valueOf(name)));
  // Access-Control-Expose-Headers
  cors.exposedHeaders(TransportConfig.getCorsExposedHeaders());
  // Access-Control-Max-Age: negative values are not applied
  int maxAgeSeconds = TransportConfig.getCorsMaxAge();
  if (maxAgeSeconds >= 0) {
    cors.maxAgeSeconds(maxAgeSeconds);
  }
  LOGGER.info("mount CorsHandler");
  mainRouter.route().handler(cors);
}
// Access-Control-Allow-Credentials: true — only valid together with a concrete origin;
// the handler refuses this when the origin was created with the literal "*" wildcard.
corsHandler.allowCredentials(true);
.order(Orders.CORS) .handler(CorsHandler.create("*") .allowCredentials(false) .allowedHeaders(new HashSet<String>() {
.order(Orders.CORS) .handler(CorsHandler.create("*") .allowCredentials(false) .allowedHeaders(new HashSet<String>() {