Efficient and consistent setAllowedOrigins collection type

Issue: SPR-13761
(cherry picked from commit 3d1ae9c)

Author: jhoeller

spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java

@@ -16,11 +16,11 @@
 
 package org.springframework.web.socket.server.support;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.List;
+import java.util.LinkedHashSet;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -34,8 +34,8 @@
 import org.springframework.web.util.WebUtils;
 
 /**
- * An interceptor to check request {@code Origin} header value against a collection of
- * allowed origins.
+ * An interceptor to check request {@code Origin} header value against a
+ * collection of allowed origins.
  *
  * @author Sebastien Deleuze
  * @since 4.1.2
@@ -44,58 +44,57 @@ public class OriginHandshakeInterceptor implements HandshakeInterceptor {
 
 	protected Log logger = LogFactory.getLog(getClass());
 
-	private final List<String> allowedOrigins;
+	private final Set<String> allowedOrigins = new LinkedHashSet<String>();
 
 
 	/**
 	 * Default constructor with only same origin requests allowed.
 	 */
 	public OriginHandshakeInterceptor() {
-		this.allowedOrigins = new ArrayList<String>();
 	}
 
 	/**
 	 * Constructor using the specified allowed origin values.
-	 *
 	 * @see #setAllowedOrigins(Collection)
 	 */
 	public OriginHandshakeInterceptor(Collection<String> allowedOrigins) {
-		this();
 		setAllowedOrigins(allowedOrigins);
 	}
 
+
 	/**
-	 * Configure allowed {@code Origin} header values. This check is mostly designed for
-	 * browser clients. There is nothing preventing other types of client to modify the
-	 * {@code Origin} header value.
-	 *
-	 * <p>Each provided allowed origin must start by "http://", "https://" or be "*"
-	 * (means that all origins are allowed).
-	 *
+	 * Configure allowed {@code Origin} header values. This check is mostly
+	 * designed for browsers. There is nothing preventing other types of client
+	 * to modify the {@code Origin} header value.
+	 * <p>Each provided allowed origin must have a scheme, and optionally a port
+	 * (e.g. "http://example.org", "http://example.org:9090"). An allowed origin
+	 * string may also be "*" in which case all origins are allowed.
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 	 */
 	public void setAllowedOrigins(Collection<String> allowedOrigins) {
-		Assert.notNull(allowedOrigins, "Allowed origin Collection must not be null");
+		Assert.notNull(allowedOrigins, "Allowed origins Collection must not be null");
 		this.allowedOrigins.clear();
 		this.allowedOrigins.addAll(allowedOrigins);
 	}
 
 	/**
-	 * @see #setAllowedOrigins(Collection)
 	 * @since 4.1.5
+	 * @see #setAllowedOrigins
 	 */
 	public Collection<String> getAllowedOrigins() {
-		return Collections.unmodifiableList(this.allowedOrigins);
+		return Collections.unmodifiableSet(this.allowedOrigins);
 	}
 
+
 	@Override
 	public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
 			WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
+
 		if (!WebUtils.isValidOrigin(request, this.allowedOrigins)) {
 			response.setStatusCode(HttpStatus.FORBIDDEN);
 			if (logger.isDebugEnabled()) {
-				logger.debug("Handshake request rejected, Origin header value "
-						+ request.getHeaders().getOrigin() + " not allowed");
+				logger.debug("Handshake request rejected, Origin header value " +
+						request.getHeaders().getOrigin() + " not allowed");
 			}
 			return false;
 		}

spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java

@@ -18,13 +18,15 @@
 
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Random;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 import org.apache.commons.logging.Log;
@@ -53,7 +55,7 @@
  * path resolution and handling of static SockJS requests (e.g. "/info", "/iframe.html",
  * etc). Sub-classes must handle session URLs (i.e. transport-specific requests).
  *
- * By default, only same origin requests are allowed. Use {@link #setAllowedOrigins(List)}
+ * By default, only same origin requests are allowed. Use {@link #setAllowedOrigins}
  * to specify a list of allowed origins (a list containing "*" will allow all origins).
  *
  * @author Rossen Stoyanchev
@@ -91,10 +93,10 @@ public abstract class AbstractSockJsService implements SockJsService {
 
 	private boolean webSocketEnabled = true;
 
-	private final List<String> allowedOrigins = new ArrayList<String>();
-
 	private boolean suppressCors = false;
 
+	protected final Set<String> allowedOrigins = new LinkedHashSet<String>();
+
 
 	public AbstractSockJsService(TaskScheduler scheduler) {
 		Assert.notNull(scheduler, "TaskScheduler must not be null");
@@ -271,6 +273,24 @@ public boolean isWebSocketEnabled() {
 		return this.webSocketEnabled;
 	}
 
+	/**
+	 * This option can be used to disable automatic addition of CORS headers for
+	 * SockJS requests.
+	 * <p>The default value is "false".
+	 * @since 4.1.2
+	 */
+	public void setSuppressCors(boolean suppressCors) {
+		this.suppressCors = suppressCors;
+	}
+
+	/**
+	 * @since 4.1.2
+	 * @see #setSuppressCors(boolean)
+	 */
+	public boolean shouldSuppressCors() {
+		return this.suppressCors;
+	}
+
 	/**
 	 * Configure allowed {@code Origin} header values. This check is mostly
 	 * designed for browsers. There is nothing preventing other types of client
@@ -286,36 +306,18 @@ public boolean isWebSocketEnabled() {
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
 	 * @see <a href="https://github.com/sockjs/sockjs-client#supported-transports-by-browser-html-served-from-http-or-https">SockJS supported transports by browser</a>
 	 */
-	public void setAllowedOrigins(List<String> allowedOrigins) {
-		Assert.notNull(allowedOrigins, "Allowed origin List must not be null");
+	public void setAllowedOrigins(Collection<String> allowedOrigins) {
+		Assert.notNull(allowedOrigins, "Allowed origins Collection must not be null");
 		this.allowedOrigins.clear();
 		this.allowedOrigins.addAll(allowedOrigins);
 	}
 
 	/**
 	 * @since 4.1.2
-	 * @see #setAllowedOrigins(List)
-	 */
-	public List<String> getAllowedOrigins() {
-		return Collections.unmodifiableList(this.allowedOrigins);
-	}
-
-	/**
-	 * This option can be used to disable automatic addition of CORS headers for
-	 * SockJS requests.
-	 * <p>The default value is "false".
-	 * @since 4.1.2
+	 * @see #setAllowedOrigins
 	 */
-	public void setSuppressCors(boolean suppressCors) {
-		this.suppressCors = suppressCors;
-	}
-
-	/**
-	 * @since 4.1.2
-	 * @see #setSuppressCors(boolean)
-	 */
-	public boolean shouldSuppressCors() {
-		return this.suppressCors;
+	public Collection<String> getAllowedOrigins() {
+		return Collections.unmodifiableSet(this.allowedOrigins);
 	}
 
 

spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java

@@ -292,7 +292,7 @@ protected boolean validateRequest(String serverId, String sessionId, String tran
 			return false;
 		}
 
-		if (!getAllowedOrigins().contains("*")) {
+		if (!this.allowedOrigins.contains("*")) {
 			TransportType transportType = TransportType.fromValue(transport);
 			if (transportType == null || !transportType.supportsOrigin()) {
 				if (logger.isWarnEnabled()) {

spring-websocket/src/test/java/org/springframework/web/socket/config/HandlersBeanDefinitionParserTests.java

@@ -18,14 +18,11 @@
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ScheduledFuture;
 
-import static org.junit.Assert.assertEquals;
-import org.junit.Before;
 import org.junit.Test;
 
 import org.springframework.beans.factory.xml.XmlBeanDefinitionReader;
@@ -77,13 +74,7 @@
  */
 public class HandlersBeanDefinitionParserTests {
 
-	private GenericWebApplicationContext appContext;
-
-
-	@Before
-	public void setup() {
-		this.appContext = new GenericWebApplicationContext();
-	}
+	private final GenericWebApplicationContext appContext = new GenericWebApplicationContext();
 
 
 	@Test
@@ -235,10 +226,12 @@ public void sockJsAttributes() {
 
 		List<HandshakeInterceptor> interceptors = transportService.getHandshakeInterceptors();
 		assertThat(interceptors, contains(instanceOf(OriginHandshakeInterceptor.class)));
-		assertEquals(Arrays.asList("http://mydomain1.com", "http://mydomain2.com"), transportService.getAllowedOrigins());
 		assertTrue(transportService.shouldSuppressCors());
+		assertTrue(transportService.getAllowedOrigins().contains("http://mydomain1.com"));
+		assertTrue(transportService.getAllowedOrigins().contains("http://mydomain2.com"));
 	}
 
+
 	private void loadBeanDefinitions(String fileName) {
 		XmlBeanDefinitionReader reader = new XmlBeanDefinitionReader(this.appContext);
 		ClassPathResource resource = new ClassPathResource(fileName, HandlersBeanDefinitionParserTests.class);
@@ -279,9 +272,11 @@ public boolean supportsPartialMessages() {
 	}
 }
 
+
 class FooWebSocketHandler extends TestWebSocketHandler {
 }
 
+
 class TestHandshakeHandler implements HandshakeHandler {
 
 	@Override
@@ -292,9 +287,11 @@ public boolean doHandshake(ServerHttpRequest request, ServerHttpResponse respons
 	}
 }
 
+
 class TestChannelInterceptor extends ChannelInterceptorAdapter {
 }
 
+
 class FooTestInterceptor implements HandshakeInterceptor {
 
 	@Override
@@ -310,9 +307,11 @@ public void afterHandshake(ServerHttpRequest request, ServerHttpResponse respons
 	}
 }
 
+
 class BarTestInterceptor extends FooTestInterceptor {
 }
 
+
 @SuppressWarnings({ "unchecked", "rawtypes" })
 class TestTaskScheduler implements TaskScheduler {
 
@@ -345,9 +344,9 @@ public ScheduledFuture scheduleWithFixedDelay(Runnable task, Date startTime, lon
 	public ScheduledFuture scheduleWithFixedDelay(Runnable task, long delay) {
 		return null;
 	}
-
 }
 
+
 class TestMessageCodec implements SockJsMessageCodec {
 
 	@Override
@@ -364,4 +363,4 @@ public String[] decode(String content) throws IOException {
 	public String[] decodeInputStream(InputStream content) throws IOException {
 		return new String[0];
 	}
-}
+}