/**
 * Checks that the CORS filter, enabled with an empty allowed-origins list, answers both the
 * preflight and the actual GET on {@code server/ha/state} with a wildcard
 * {@code Access-Control-Allow-Origin} value.
 *
 * <p>The wildcard is the behaviour being pinned here: an empty list is treated as "all domains".
 * A wildcard lets any web origin read non-credentialed responses, so this configuration is the
 * permissive end of the range; deployments that need a restricted set should pass explicit
 * origins instead.
 *
 * @throws IOException declared by the test; which call raises it is not visible in this block
 */
@Test
public void test1CorsIsEnabledOnAllDomainsGET() throws IOException {
    final String requestOrigin = "http://foo.bar.com";
    final String resourcePath = "server/ha/state";
    final String allowOriginMessage = "Should allow GET requests made from " + requestOrigin;

    // Empty origin list: the assertions below expect this to yield "*" rather than "deny all".
    setCorsFilterFeature(true, ImmutableList.<String>of());
    HttpClient http = client();

    // Preflight request.
    HttpToolResponse preflight =
            HttpTool.execAndConsume(http, httpOptionsRequest(resourcePath, "GET", requestOrigin));
    List<String> allowOriginValues = preflight.getHeaderLists().get(HEADER_AC_ALLOW_ORIGIN);
    assertEquals(allowOriginValues.size(), 1);
    assertEquals(allowOriginValues.get(0), "*", allowOriginMessage);

    // The preflight must also allow exactly one request header, the CSRF token header.
    // presumably httpOptionsRequest asks for it; that helper is not visible here
    List<String> allowHeadersValues = preflight.getHeaderLists().get(HEADER_AC_ALLOW_HEADERS);
    assertEquals(allowHeadersValues.size(), 1);
    assertEquals(
            allowHeadersValues.get(0),
            "x-csrf-token",
            "Should have asked and allowed x-csrf-token header from " + requestOrigin);
    assertOkayResponse(preflight, "");

    // Actual GET carrying the same Origin: the response must repeat the wildcard and
    // return the HA state body.
    HttpUriRequest actualGet = RequestBuilder.get(getBaseUriRest() + resourcePath)
            .addHeader("Origin", requestOrigin)
            .addHeader(HEADER_AC_REQUEST_METHOD, "GET")
            .build();
    HttpToolResponse actual = HttpTool.execAndConsume(http, actualGet);
    List<String> actualAllowOrigin = actual.getHeaderLists().get(HEADER_AC_ALLOW_ORIGIN);
    assertEquals(actualAllowOrigin.size(), 1);
    assertEquals(actualAllowOrigin.get(0), "*", allowOriginMessage);
    assertOkayResponse(actual, "\"MASTER\"");
}
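/**
 * Checks that with the CORS feature disabled no allow-origin header is returned on preflight
 * requests, for both a GET on {@code server/ha/state} and a POST on {@code script/groovy}.
 *
 * <p>The negative assertion is only meaningful when the preflight carries a well-formed
 * {@code Origin} and request method, so both calls pass their arguments in the same
 * (path, method, origin) order.
 *
 * @throws IOException declared by the test; which call raises it is not visible in this block
 */
@Test
public void test2CorsIsDisabled() throws IOException {
    BrooklynFeatureEnablement.disable(BrooklynFeatureEnablement.FEATURE_CORS_CXF_PROPERTY);
    final String shouldAllowOrigin = "http://foo.bar.com";
    setCorsFilterFeature(false, null);

    HttpClient client = client();
    HttpToolResponse response = HttpTool.execAndConsume(
            client, httpOptionsRequest("server/ha/state", "GET", shouldAllowOrigin));
    assertAcNotAllowOrigin(response);
    assertOkayResponse(response, "");

    // Fixed argument order: the original passed (path, origin, method) here, unlike the call
    // above. That sent the method name as the Origin, so the "not allowed" assertion could
    // pass without ever exercising the filter against the real origin.
    response = HttpTool.execAndConsume(
            client, httpOptionsRequest("script/groovy", "POST", shouldAllowOrigin));
    assertAcNotAllowOrigin(response);
    assertOkayResponse(response, "");
}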
// Excerpt: preflight for POST on script/groovy, sent with shouldAllowOrigin as the origin
// argument (shouldAllowOrigin is declared outside this excerpt).
HttpClient client = client();
HttpToolResponse response = HttpTool.execAndConsume(client, httpOptionsRequest("script/groovy", "POST", shouldAllowOrigin));
// NOTE(review): if getHeaderLists() is a plain Map, get(...) yields null when the header is
// absent and the size() call below fails with an NPE instead of an assertion message - confirm.
List<String> accessControlAllowOrigin = response.getHeaderLists().get(HEADER_AC_ALLOW_ORIGIN);
// Exactly one allow-origin value is expected; the expected value itself is checked outside
// this excerpt, if at all.
assertEquals(accessControlAllowOrigin.size(), 1);
// Excerpt: POST preflight on script/groovy from two origins (shouldAllowOrigin and
// thirdPartyOrigin are declared outside this excerpt).
HttpClient client = client();
// Positive case: the configured origin is allowed for POST.
// assertAcAllowOrigin is not visible here; presumably it checks the allow-origin header
// against the given origin and method - verify against the helper.
HttpToolResponse response = HttpTool.execAndConsume(client, httpOptionsRequest("script/groovy", "POST", shouldAllowOrigin));
assertAcAllowOrigin(response, shouldAllowOrigin, "POST");
assertOkayResponse(response, "");
// Negative case: an origin outside the allowed set must get no allow-origin header.
// This is the assertion that catches an over-permissive filter configuration.
response = HttpTool.execAndConsume(client, httpOptionsRequest("script/groovy", "POST", thirdPartyOrigin));
assertAcNotAllowOrigin(response);
assertOkayResponse(response, "");
// Excerpt: GET preflight on server/ha/state from two origins (client, shouldAllowOrigin and
// thirdPartyOrigin are declared outside this excerpt).
// Positive case: the configured origin is allowed for GET.
HttpToolResponse response = HttpTool.execAndConsume(client, httpOptionsRequest("server/ha/state", "GET", shouldAllowOrigin));
assertAcAllowOrigin(response, shouldAllowOrigin, "GET");
assertOkayResponse(response, "");
// Negative case: a third-party origin must get no allow-origin header.
// NOTE(review): only the preflight is checked in this excerpt. Browsers send a plain GET
// without a preflight, so the actual GET response from thirdPartyOrigin is worth asserting
// too - confirm whether the surrounding test already does.
response = HttpTool.execAndConsume(client, httpOptionsRequest("server/ha/state", "GET", thirdPartyOrigin));
assertAcNotAllowOrigin(response);
assertOkayResponse(response, "");