1) Enhance CORSFilter to incorporate grails-cors routine

2) Rename LongToStringFilter to StringToLongFilter to better represent
what the filter does

Author: dfcoffin

src/main/java/org/energyos/espi/thirdparty/web/filter/CORSFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013, 2014 EnergyOS.org
+ *    Copyright 2013 BrandsEye.com (http://www.brandseye.com)
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -16,32 +16,109 @@
 
 package org.energyos.espi.thirdparty.web.filter;
 
-import org.springframework.stereotype.Component;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
+import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Adds CORS headers to requests to enable cross-domain access.
+ */
 
 @Component
-public class CORSFilter extends OncePerRequestFilter {
-    @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-    	
-        if (logger.isDebugEnabled()) {
-            logger.debug("Request Method is '" + request.getMethod() + "'");
+public class CORSFilter implements Filter {
+
+    private final Map<String, String> optionsHeaders = new LinkedHashMap<String, String>();
+
+    private Pattern allowOriginRegex;
+    private String allowOrigin;
+    private String exposeHeaders;
+
+    public void init(FilterConfig cfg) throws ServletException {
+        String regex = cfg.getInitParameter("allow.origin.regex");
+        if (regex != null) {
+            allowOriginRegex = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
+        } else {
+            optionsHeaders.put("Access-Control-Allow-Origin", "*");
         }
-        
-        // Only add Access-Control header fields if request is OPTIONS
-        if (request.getMethod().equals("OPTIONS")) {
-        	response.addHeader("Access-Control-Allow-Origin", "*");
-        	response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-        	response.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-        	response.addHeader("Access-Control-Max-Age", "1800");
+
+        optionsHeaders.put("Access-Control-Allow-Headers", "origin, authorization, accept, content-type");
+        optionsHeaders.put("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+        optionsHeaders.put("Access-Control-Max-Age", "1800");
+        for (Enumeration<String> i = cfg.getInitParameterNames(); i.hasMoreElements(); ) {
+            String name = i.nextElement();
+            if (name.startsWith("header:")) {
+                optionsHeaders.put(name.substring(7), cfg.getInitParameter(name));
+            }
         }
 
+        //maintained for backward compatibility on how to set allowOrigin if not
+        //using a regex
+        allowOrigin = optionsHeaders.get("Access-Control-Allow-Origin");
+        //since all methods now go through checkOrigin() to apply the Access-Control-Allow-Origin
+        //header, and that header should have a single value of the requesting Origin since
+        //Access-Control-Allow-Credentials is always true, we remove it from the options headers
+        optionsHeaders.remove("Access-Control-Allow-Origin");
+
+        exposeHeaders = cfg.getInitParameter("expose.headers");
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
+            HttpServletRequest req = (HttpServletRequest)request;
+            HttpServletResponse resp = (HttpServletResponse)response;
+            if ("OPTIONS".equals(req.getMethod())) {
+                if (checkOrigin(req, resp)) {
+                    for (Map.Entry<String, String> e : optionsHeaders.entrySet()) {
+                        resp.addHeader(e.getKey(), e.getValue());
+                    }
+
+                    // We need to return here since we don't want the chain to further process
+                    // a preflight request since this can lead to unexpected processing of the preflighted
+                    // request or a 405 - method not allowed in Grails 2.3
+                    return;
+
+                }
+            } else if (checkOrigin(req, resp)) {
+                if (exposeHeaders != null) {
+                    resp.addHeader("Access-Control-Expose-Headers", exposeHeaders);
+                }
+            }
+        }
         filterChain.doFilter(request, response);
     }
-}
+
+    private boolean checkOrigin(HttpServletRequest req, HttpServletResponse resp) {
+        String origin = req.getHeader("Origin");
+        if (origin == null) {
+            //no origin; per W3C specification, terminate further processing for both pre-flight and actual requests
+            return false;
+        }
+
+        boolean matches = false;
+        //check if using regex to match origin
+        if (allowOriginRegex != null) {
+            matches = allowOriginRegex.matcher(origin).matches();
+        } else if (allowOrigin != null) {
+            matches = allowOrigin.equals("*") || allowOrigin.equals(origin);
+        }
+
+        if (matches) {
+            resp.addHeader("Access-Control-Allow-Origin", origin);
+            resp.addHeader("Access-Control-Allow-Credentials", "true");
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public void destroy() {
+    }
+}

src/main/webapp/WEB-INF/web.xml

@@ -44,8 +44,8 @@
     </filter>
 
     <filter>
-    	<filter-name>LongToStringFilter</filter-name>
-    	<filter-class>org.energyos.espi.common.utils.LongToStringFilter</filter-class>	
+    	<filter-name>StringToLongFilter</filter-name>
+    	<filter-class>org.energyos.espi.common.utils.StringToLongFilter</filter-class>	
     </filter>
 
     <filter-mapping>
@@ -54,7 +54,7 @@
     </filter-mapping>
 
     <filter-mapping>
-    	<filter-name>LongToStringFilter</filter-name>
+    	<filter-name>StringToLongFilter</filter-name>
     	<url-pattern>/*</url-pattern>
     </filter-mapping>
 

src/test/java/org/energyos/espi/thirdparty/integration/web/filters/CORSFilterTests.java

@@ -41,9 +41,9 @@ public void setup() {
     @Test
     public void optionsRequest_hasCorrectFilters() throws Exception {
         mockMvc.perform(options("/"))
-                .andExpect(header().string("Access-Control-Allow-Origin", is("*")))
-                .andExpect(header().string("Access-Control-Allow-Methods", is("GET, POST, PUT, DELETE")))
-                .andExpect(header().string("Access-Control-Allow-Headers", is("Content-Type, Authorization")))
+                .andExpect(header().string("Access-Control-Allow-Methods", is("GET, POST, PUT, DELETE, OPTIONS")))
+                .andExpect(header().string("Access-Control-Allow-Headers", is("origin, authorization, accept, content-type")))
+                .andExpect(header().string("Access-Control-Allow-Credentials", is("true")))
                 .andExpect(header().string("Access-Control-Max-Age", is("1800")));
     }
 }

src/test/java/org/energyos/espi/thirdparty/web/filter/CORSFilterTests.java

@@ -18,7 +18,7 @@ public void testDoFilterInternal() throws Exception {
         MockHttpServletRequest request = new MockHttpServletRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();
 
-        corsFilter.doFilterInternal(request, response, filterChain);
+        corsFilter.doFilter(request, response, filterChain);
 
         verify(filterChain).doFilter(request, response);
     }