CorsConfiguration ignores trailing "/" in pattern

Recent commit dddcc5e ensured a
trailing "/" in the Origin header has no effect. This commit does the
same for a trailing "/" in configured patterns.

See gh-26892

Author: rstoyanchev

spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

@@ -138,7 +138,12 @@ public CorsConfiguration(CorsConfiguration other) {
 	 * {@code @CrossOrigin}, via {@link #applyPermitDefaultValues()}.
 	 */
 	public void setAllowedOrigins(@Nullable List<String> allowedOrigins) {
-		this.allowedOrigins = (allowedOrigins != null ? new ArrayList<>(allowedOrigins) : null);
+		this.allowedOrigins = (allowedOrigins != null ?
+				allowedOrigins.stream().map(this::trimTrailingSlash).collect(Collectors.toList()) : null);
+	}
+
+	private String trimTrailingSlash(String origin) {
+		return origin.endsWith("/") ? origin.substring(0, origin.length() - 1) : origin;
 	}
 
 	/**
@@ -159,6 +164,7 @@ public void addAllowedOrigin(String origin) {
 		else if (this.allowedOrigins == DEFAULT_PERMIT_ALL && CollectionUtils.isEmpty(this.allowedOriginPatterns)) {
 			setAllowedOrigins(DEFAULT_PERMIT_ALL);
 		}
+		origin = trimTrailingSlash(origin);
 		this.allowedOrigins.add(origin);
 	}
 
@@ -209,6 +215,7 @@ public void addAllowedOriginPattern(String originPattern) {
 		if (this.allowedOriginPatterns == null) {
 			this.allowedOriginPatterns = new ArrayList<>(4);
 		}
+		originPattern = trimTrailingSlash(originPattern);
 		this.allowedOriginPatterns.add(new OriginPattern(originPattern));
 		if (this.allowedOrigins == DEFAULT_PERMIT_ALL) {
 			this.allowedOrigins = null;
@@ -551,9 +558,7 @@ public String checkOrigin(@Nullable String requestOrigin) {
 		if (!StringUtils.hasText(requestOrigin)) {
 			return null;
 		}
-		if (requestOrigin.endsWith("/")) {
-			requestOrigin = requestOrigin.substring(0, requestOrigin.length() - 1);
-		}
+		requestOrigin = trimTrailingSlash(requestOrigin);
 		if (!ObjectUtils.isEmpty(this.allowedOrigins)) {
 			if (this.allowedOrigins.contains(ALL)) {
 				validateAllowCredentials();

spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java

@@ -282,17 +282,25 @@ public void combine() {
 
 	@Test
 	public void checkOriginAllowed() {
+		// "*" matches
 		CorsConfiguration config = new CorsConfiguration();
 		config.addAllowedOrigin("*");
 		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
 
+		// "*" does not match together with allowCredentials
 		config.setAllowCredentials(true);
 		assertThatIllegalArgumentException().isThrownBy(() -> config.checkOrigin("https://domain.com"));
 
+		// specific origin matches Origin header with or without trailing "/"
 		config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
 		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
 		assertThat(config.checkOrigin("https://domain.com/")).isEqualTo("https://domain.com");
 
+		// specific origin with trailing "/" matches Origin header with or without trailing "/"
+		config.setAllowedOrigins(Collections.singletonList("https://domain.com/"));
+		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
+		assertThat(config.checkOrigin("https://domain.com/")).isEqualTo("https://domain.com");
+
 		config.setAllowCredentials(false);
 		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
 	}