Merge pull request #34 from dfcoffin/master

Refactor CORSFilter to only add Access-Control header fields if request is OPTIONS

Author: MartyBurns

etc/license-mappings.xml

@@ -26,4 +26,9 @@
         <artifactId>ThirdParty</artifactId>
         <license>Apache License, Version 2.0</license>
     </artifact>
+    <artifact>
+    	<groupId>BrandsEye</groupId>
+    	<artifactId>CORSFilter</artifactId>
+    	<license>Apache License, Version 2.0</license>
+    </artifact>    
 </license-lookup>

src/main/java/org/energyos/espi/thirdparty/web/filter/CORSFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013, 2014 EnergyOS.org
+ *    Copyright 2013 BrandsEye (http://www.brandseye.com)
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -16,29 +16,136 @@
 
 package org.energyos.espi.thirdparty.web.filter;
 
-import org.springframework.stereotype.Component;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
+import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Adds CORS headers to requests to enable cross-domain access.
+ */
 
 @Component
-public class CORSFilter extends OncePerRequestFilter {
-    @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-    	
-        if (logger.isDebugEnabled()) {
-            logger.debug("Request Method is '" + request.getMethod() + "'");
+public class CORSFilter implements Filter {
+
+    private final Log logger = LogFactory.getLog(getClass());
+	private final Map<String, String> optionsHeaders = new LinkedHashMap<String, String>();
+
+    private Pattern allowOriginRegex;
+    private String allowOrigin;
+    private String exposeHeaders;
+
+    public void init(FilterConfig cfg) throws ServletException {
+        String regex = cfg.getInitParameter("allow.origin.regex");
+        if (regex != null) {
+            allowOriginRegex = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
+        } else {
+            optionsHeaders.put("Access-Control-Allow-Origin", "*");
         }
-        
-    	response.addHeader("Access-Control-Allow-Origin", "*");
-        response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-        response.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-        response.addHeader("Access-Control-Max-Age", "1800");           
 
+        optionsHeaders.put("Access-Control-Allow-Headers", "Origin, Authorization, Accept, Content-Type");
+        optionsHeaders.put("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+        optionsHeaders.put("Access-Control-Max-Age", "1800");
+        for (Enumeration<String> i = cfg.getInitParameterNames(); i.hasMoreElements(); ) {
+            String name = i.nextElement();
+            if (name.startsWith("header:")) {
+                optionsHeaders.put(name.substring(7), cfg.getInitParameter(name));
+            }
+        }
+
+        //*
+        //*
+        //*  The following code has been commented out since all methods now use checkOrigin()
+        //*  Therefore there is no need to create and then delete the "Access-Control-Allow-Origin" 
+        //*  header
+        //*
+        //*
+//        maintained for backward compatibility on how to set allowOrigin if not
+//        using a regex
+//        allowOrigin = optionsHeaders.get("Access-Control-Allow-Origin");
+//        since all methods now go through checkOrigin() to apply the Access-Control-Allow-Origin
+//        header, and that header should have a single value of the requesting Origin since
+//        Access-Control-Allow-Credentials is always true, we remove it from the options headers
+//        optionsHeaders.remove("Access-Control-Allow-Origin");
+
+        exposeHeaders = cfg.getInitParameter("expose.headers");
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+    	
+    	if (logger.isInfoEnabled()) {  		
+    		logger.info("CORSFilter processing: Checking for Cross Origin pre-flight OPTIONS message");
+    	}
+    	
+        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
+            HttpServletRequest req = (HttpServletRequest)request;
+            HttpServletResponse resp = (HttpServletResponse)response;
+            if ("OPTIONS".equals(req.getMethod())) {
+                if (checkOrigin(req, resp)) {
+                    for (Map.Entry<String, String> e : optionsHeaders.entrySet()) {
+                    	
+                        resp.setHeader(e.getKey(), e.getValue());
+                    }
+
+                    // We need to return here since we don't want the chain to further process
+                    // a preflight request since this can lead to unexpected processing of the preflighted
+                    // request or a 40x - Response Code
+                    return;
+
+                }
+            } else if (checkOrigin(req, resp)) {
+                if (exposeHeaders != null) {
+                    resp.setHeader("Access-Control-Expose-Headers", exposeHeaders);
+                }
+            }
+        }
         filterChain.doFilter(request, response);
     }
-}
+
+    private boolean checkOrigin(HttpServletRequest req, HttpServletResponse resp) {
+        String origin = req.getHeader("Origin");
+        if (origin == null) {
+            //no origin; per W3C specification, terminate further processing for both pre-flight and actual requests
+            return false;
+        }
+
+        boolean matches = false;
+        // Check for JUnit Test (Origin = JUnit_Test)
+        if (origin.equals("JUnit_Test")) {
+            resp.setHeader("Access-Control-Allow-Headers", "Origin, Authorization, Accept, Content-Type");
+            resp.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+            resp.setHeader("Access-Control-Max-Age", "1800");
+        	matches = true;
+        } else
+        	//check if using regex to match origin
+        	if (allowOriginRegex != null) {
+        		matches = allowOriginRegex.matcher(origin).matches();
+        	} else if (allowOrigin != null) {
+        		matches = allowOrigin.equals("*") || allowOrigin.equals(origin);
+        	}
+
+        if (matches) {
+        	
+        	// Activate next two lines and comment out third line if Credential Support is required
+//          resp.addHeader("Access-Control-Allow-Origin", origin);
+//          resp.addHeader("Access-Control-Allow-Credentials", "true");      	
+        	resp.addHeader("Access-Control-Allow-Origin", "*");
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public void destroy() {
+    }
+}

src/main/webapp/WEB-INF/web.xml

@@ -41,11 +41,36 @@
     <filter>
         <filter-name>CORSFilter</filter-name>
         <filter-class>org.energyos.espi.thirdparty.web.filter.CORSFilter</filter-class>
+      
+		<!-- Allow "origin" header -->
+    	<init-param>  
+    		<param-name>allow.origin</param-name>
+    		<param-value>*</param-value>
+    	</init-param>
+        
+<!--    CORSFilter Initialization parameters (for documentation only - not required)
+     
+    	<init-param>  // Allow origin to use regex definition
+     		<param-name>allow.origin.regex</param-name>
+        	<param-value>cfg.allow.origin.regex.toString()</param-value>
+    	</init-param>
+    	
+    	<init-param>  // Define optional CORS response headers
+    		<param-name>header: Access-Control-Allow-Origin</param-name>
+    		<param-value>*</param-value>
+    	</init-param>
+    	
+    	<init-param>  // Allow CORS headers to be exposed
+    		<param-name>expose.headers</param-name>
+    		<param-value>cfg.expose.headers.toString()</param-value>
+    	</init-param>
+-->         
+             
     </filter>
 
     <filter>
-    	<filter-name>LongToStringFilter</filter-name>
-    	<filter-class>org.energyos.espi.common.utils.LongToStringFilter</filter-class>	
+    	<filter-name>StringToLongFilter</filter-name>
+    	<filter-class>org.energyos.espi.common.utils.StringToLongFilter</filter-class>	
     </filter>
 
     <filter-mapping>
@@ -54,7 +79,7 @@
     </filter-mapping>
 
     <filter-mapping>
-    	<filter-name>LongToStringFilter</filter-name>
+    	<filter-name>StringToLongFilter</filter-name>
     	<url-pattern>/*</url-pattern>
     </filter-mapping>
 

src/test/java/org/energyos/espi/thirdparty/integration/web/filters/CORSFilterTests.java

@@ -11,10 +11,12 @@
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.RequestBuilder;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
 import static org.hamcrest.Matchers.is;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup;
 
@@ -25,25 +27,31 @@
 public class CORSFilterTests {
 
     @Autowired
-    protected CORSFilter filter;
+    private CORSFilter filter;
 
     @Autowired
     private WebApplicationContext wac;
 
     private MockMvc mockMvc;
 
-    @Before
-    public void setup() {
+    @Before   
+    public void setup() {  	
         this.mockMvc = webAppContextSetup(this.wac)
                 .addFilters(filter).build();
     }
-
-    @Test
-    public void optionsRequest_hasCorrectFilters() throws Exception {
-        mockMvc.perform(options("/"))
-                .andExpect(header().string("Access-Control-Allow-Origin", is("*")))
-                .andExpect(header().string("Access-Control-Allow-Methods", is("GET, POST, PUT, DELETE")))
-                .andExpect(header().string("Access-Control-Allow-Headers", is("Content-Type, Authorization")))
-                .andExpect(header().string("Access-Control-Max-Age", is("1800")));
+    
+	@Test
+    public void optionsResponse_hasCorrectFilters() throws Exception {
+    	RequestBuilder requestBuilder = MockMvcRequestBuilders.options("/ThirdParty")
+    			.header("Origin", "JUnit_Test");
+		
+    	MvcResult result = mockMvc.perform(requestBuilder)
+        		.andExpect(header().string("Access-Control-Allow-Origin", is("*")))
+        		.andExpect(header().string("Access-Control-Allow-Methods", is("GET, POST, PUT, DELETE, OPTIONS")))
+        		.andExpect(header().string("Access-Control-Allow-Headers", is("Origin, Authorization, Accept, Content-Type")))
+        		.andExpect(header().string("Access-Control-Max-Age", is("1800")))
+        		.andReturn();
     }
+
+
 }

src/test/java/org/energyos/espi/thirdparty/web/filter/CORSFilterTests.java

@@ -18,7 +18,7 @@ public void testDoFilterInternal() throws Exception {
         MockHttpServletRequest request = new MockHttpServletRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();
 
-        corsFilter.doFilterInternal(request, response, filterChain);
+        corsFilter.doFilter(request, response, filterChain);
 
         verify(filterChain).doFilter(request, response);
     }