Introduce CorsFilter and CorsConfigurationMapping

This commit introduces the following changes:
 - The new CorsConfigurationMapping class allows to share the mapped
   CorsConfiguration logic between AbstractHandlerMapping and CorsFilter
 - In AbstractHandlerMapping, the Map<String, CorsConfiguration>
   corsConfiguration property has been renamed to corsConfigurations
 - CorsFilter allows to process CORS requests at filter level, using any
   CorsConfigurationSource implementation (for example
   CorsConfigurationMapping)

Issue: SPR-13192

Author: sdeleuze

spring-web/src/main/java/org/springframework/web/cors/CorsConfigurationMapping.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.cors;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.PathMatcher;
+import org.springframework.web.util.UrlPathHelper;
+
+/**
+ * Provide a per request {@link CorsConfiguration} instance based on a collection of
+ * {@link CorsConfiguration} mapped on path patterns.
+ *
+ * <p>Exact path mapping URIs (such as {@code "/admin"}) are supported as
+ * well as Ant-style path patterns (such as {@code "/admin/**"}).
+ *
+ * @author Sebastien Deleuze
+ * @since 4.2
+ */
+public class CorsConfigurationMapping implements CorsConfigurationSource {
+
+	private final Map<String, CorsConfiguration> corsConfigurations =
+			new LinkedHashMap<String, CorsConfiguration>();
+
+	private PathMatcher pathMatcher = new AntPathMatcher();
+
+	private UrlPathHelper urlPathHelper = new UrlPathHelper();
+
+
+	/**
+	 * Set the PathMatcher implementation to use for matching URL paths
+	 * against registered URL patterns. Default is AntPathMatcher.
+	 * @see org.springframework.util.AntPathMatcher
+	 */
+	public void setPathMatcher(PathMatcher pathMatcher) {
+		Assert.notNull(pathMatcher, "PathMatcher must not be null");
+		this.pathMatcher = pathMatcher;
+	}
+
+	/**
+	 * Set if URL lookup should always use the full path within the current servlet
+	 * context. Else, the path within the current servlet mapping is used if applicable
+	 * (that is, in the case of a ".../*" servlet mapping in web.xml).
+	 * <p>Default is "false".
+	 * @see org.springframework.web.util.UrlPathHelper#setAlwaysUseFullPath
+	 */
+	public void setAlwaysUseFullPath(boolean alwaysUseFullPath) {
+		this.urlPathHelper.setAlwaysUseFullPath(alwaysUseFullPath);
+	}
+
+	/**
+	 * Set if context path and request URI should be URL-decoded. Both are returned
+	 * <i>undecoded</i> by the Servlet API, in contrast to the servlet path.
+	 * <p>Uses either the request encoding or the default encoding according
+	 * to the Servlet spec (ISO-8859-1).
+	 * @see org.springframework.web.util.UrlPathHelper#setUrlDecode
+	 */
+	public void setUrlDecode(boolean urlDecode) {
+		this.urlPathHelper.setUrlDecode(urlDecode);
+	}
+
+	/**
+	 * Set if ";" (semicolon) content should be stripped from the request URI.
+	 * <p>The default value is {@code true}.
+	 * @see org.springframework.web.util.UrlPathHelper#setRemoveSemicolonContent(boolean)
+	 */
+	public void setRemoveSemicolonContent(boolean removeSemicolonContent) {
+		this.urlPathHelper.setRemoveSemicolonContent(removeSemicolonContent);
+	}
+
+	/**
+	 * Set the UrlPathHelper to use for resolution of lookup paths.
+	 * <p>Use this to override the default UrlPathHelper with a custom subclass.
+	 */
+	public void setUrlPathHelper(UrlPathHelper urlPathHelper) {
+		Assert.notNull(urlPathHelper, "UrlPathHelper must not be null");
+		this.urlPathHelper = urlPathHelper;
+	}
+
+	/**
+	 * Set CORS configuration based on URL patterns.
+	 */
+	public void setCorsConfigurations(Map<String, CorsConfiguration> corsConfigurations) {
+		this.corsConfigurations.clear();
+		if (corsConfigurations != null) {
+			this.corsConfigurations.putAll(corsConfigurations);
+		}
+	}
+
+	/**
+	 * Get the CORS configuration.
+	 */
+	public Map<String, CorsConfiguration> getCorsConfigurations() {
+		return Collections.unmodifiableMap(this.corsConfigurations);
+	}
+
+	/**
+	 * Register a {@link CorsConfiguration} for the specified path pattern.
+	 */
+	public void registerCorsConfiguration(String path, CorsConfiguration config) {
+		this.corsConfigurations.put(path, config);
+	}
+
+	@Override
+	public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+		String lookupPath = this.urlPathHelper.getLookupPathForRequest(request);
+		for(Map.Entry<String, CorsConfiguration> entry : this.corsConfigurations.entrySet()) {
+			if (this.pathMatcher.match(entry.getKey(), lookupPath)) {
+				return entry.getValue();
+			}
+		}
+		return null;
+	}
+
+}

spring-web/src/main/java/org/springframework/web/filter/CorsFilter.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.filter;
+
+import java.io.IOException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.util.Assert;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationMapping;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.CorsProcessor;
+import org.springframework.web.cors.CorsUtils;
+import org.springframework.web.cors.DefaultCorsProcessor;
+
+/**
+ * {@link javax.servlet.Filter} that handles CORS preflight requests and intercepts CORS
+ * simple and actual requests thanks to a {@link CorsProcessor} implementation
+ * ({@link DefaultCorsProcessor} by default) in order to add the relevant CORS response
+ * headers (like {@code Access-Control-Allow-Origin}) using the provided
+ * {@link CorsConfigurationSource} (for example a {@link CorsConfigurationMapping} instance.
+ *
+ * <p>This filter could be used in conjunction with {@link DelegatingFilterProxy} in order
+ * to help with its initialization.
+ *
+ * @author Sebastien Deleuze
+ * @since 4.2
+ * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommendation</a>
+ */
+public class CorsFilter extends OncePerRequestFilter {
+
+	private CorsProcessor processor = new DefaultCorsProcessor();
+
+	private final CorsConfigurationSource source;
+
+
+	/**
+	 * Constructor accepting a {@link CorsConfigurationSource}, this source will be used
+	 * by the filter to find the {@link CorsConfiguration} to use for each incoming request.
+	 * @see CorsConfigurationMapping
+	 */
+	public CorsFilter(CorsConfigurationSource source) {
+		this.source = source;
+	}
+
+	/**
+	 * Configure a custom {@link CorsProcessor} to use to apply the matched
+	 * {@link CorsConfiguration} for a request.
+	 * <p>By default {@link DefaultCorsProcessor} is used.
+	 */
+	public void setCorsProcessor(CorsProcessor processor) {
+		Assert.notNull(processor, "CorsProcessor must not be null");
+		this.processor = processor;
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+			FilterChain filterChain) throws ServletException, IOException {
+
+		if (CorsUtils.isCorsRequest(request)) {
+			CorsConfiguration corsConfiguration = this.source.getCorsConfiguration(request);
+			if (corsConfiguration != null) {
+				boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
+				if (!isValid || CorsUtils.isPreFlightRequest(request)) {
+					return;
+				}
+			}
+		}
+		filterChain.doFilter(request, response);
+	}
+
+}

spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationMappingTests.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.cors;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.web.test.MockHttpServletRequest;
+
+/**
+ * Unit tests for {@link CorsConfigurationMapping}.
+ * @author Sebastien Deleuze
+ */
+public class CorsConfigurationMappingTests {
+
+	private final CorsConfigurationMapping mapping = new CorsConfigurationMapping();
+
+	@Test
+	public void empty() {
+		assertNull(this.mapping.getCorsConfiguration(new MockHttpServletRequest(HttpMethod.GET.name(), "/bar/test.html")));
+	}
+
+	@Test
+	public void registerAndMatch() {
+		CorsConfiguration config = new CorsConfiguration();
+		this.mapping.registerCorsConfiguration("/bar/**", config);
+		assertNull(this.mapping.getCorsConfiguration(new MockHttpServletRequest(HttpMethod.GET.name(), "/foo/test.html")));
+		assertEquals(config, this.mapping.getCorsConfiguration(new MockHttpServletRequest(HttpMethod.GET.name(), "/bar/test.html")));
+	}
+
+	@Test(expected = UnsupportedOperationException.class)
+	public void unmodifiableConfigurationsMap() {
+		this.mapping.getCorsConfigurations().put("/**", new CorsConfiguration());
+	}
+
+}

spring-web/src/test/java/org/springframework/web/filter/CorsFilterTests.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.filter;
+
+import java.io.IOException;
+import java.util.Arrays;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+
+import static org.junit.Assert.*;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.web.test.MockHttpServletRequest;
+import org.springframework.mock.web.test.MockHttpServletResponse;
+import org.springframework.web.cors.CorsConfiguration;
+
+/**
+ * Unit tests for {@link CorsFilter}.
+ * @author Sebastien Deleuze
+ */
+public class CorsFilterTests {
+
+	private CorsFilter filter;
+
+	private final CorsConfiguration config = new CorsConfiguration();
+
+	@Before
+	public void setup() throws Exception {
+		config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com"));
+		config.setAllowedMethods(Arrays.asList("GET", "POST"));
+		config.setAllowedHeaders(Arrays.asList("header1", "header2"));
+		config.setExposedHeaders(Arrays.asList("header3", "header4"));
+		config.setMaxAge(123L);
+		config.setAllowCredentials(false);
+		filter = new CorsFilter(r -> config);
+	}
+
+	@Test
+	public void validActualRequest() throws ServletException, IOException {
+
+		MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.GET.name(), "/test.html");
+		request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
+		request.addHeader("header2", "foo");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain filterChain = (filterRequest, filterResponse) -> {
+			assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+			assertEquals("header3, header4", response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
+		};
+		filter.doFilter(request, response, filterChain);
+	}
+
+	@Test
+	public void invalidActualRequest() throws ServletException, IOException {
+
+		MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.DELETE.name(), "/test.html");
+		request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
+		request.addHeader("header2", "foo");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain filterChain = (filterRequest, filterResponse) -> {
+			fail("Invalid requests must not be forwarded to the filter chain");
+		};
+		filter.doFilter(request, response, filterChain);
+		assertNull(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+	}
+
+	@Test
+	public void validPreFlightRequest() throws ServletException, IOException {
+
+		MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.OPTIONS.name(), "/test.html");
+		request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpMethod.GET.name());
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "header1, header2");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain filterChain = (filterRequest, filterResponse) ->
+				fail("Preflight requests must not be forwarded to the filter chain");
+		filter.doFilter(request, response, filterChain);
+
+		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("header1, header2", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
+		assertEquals("header3, header4", response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
+		assertEquals(123L, Long.parseLong(response.getHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE)));
+	}
+
+	@Test
+	public void invalidPreFlightRequest() throws ServletException, IOException {
+
+		MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.OPTIONS.name(), "/test.html");
+		request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpMethod.DELETE.name());
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "header1, header2");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain filterChain = (filterRequest, filterResponse) ->
+				fail("Preflight requests must not be forwarded to the filter chain");
+		filter.doFilter(request, response, filterChain);
+
+		assertNull(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+	}
+
+}