Polishing

spring-web/src/main/java/org/springframework/http/HttpHeaders.java

@@ -548,8 +548,8 @@ public class HttpHeaders implements MultiValueMap<String, String>, Serializable
 	/**
 	 * Set the (new) value of the {@code Access-Control-Request-Method} request header.
 	 */
-	public void setAccessControlRequestMethod(HttpMethod requestedMethod) {
-		set(ACCESS_CONTROL_REQUEST_METHOD, requestedMethod.name());
+	public void setAccessControlRequestMethod(HttpMethod requestMethod) {
+		set(ACCESS_CONTROL_REQUEST_METHOD, requestMethod.name());
 	}
 
 	/**

spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

@@ -1,11 +1,11 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,6 +21,7 @@ import java.util.Collections;
 import java.util.List;
 
 import org.springframework.http.HttpMethod;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 
@@ -86,10 +87,10 @@ public class CorsConfiguration {
 			return this;
 		}
 		CorsConfiguration config = new CorsConfiguration(this);
-		config.setAllowedOrigins(combine(this.getAllowedOrigins(), other.getAllowedOrigins()));
-		config.setAllowedMethods(combine(this.getAllowedMethods(), other.getAllowedMethods()));
-		config.setAllowedHeaders(combine(this.getAllowedHeaders(), other.getAllowedHeaders()));
-		config.setExposedHeaders(combine(this.getExposedHeaders(), other.getExposedHeaders()));
+		config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins()));
+		config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods()));
+		config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders()));
+		config.setExposedHeaders(combine(getExposedHeaders(), other.getExposedHeaders()));
 		Boolean allowCredentials = other.getAllowCredentials();
 		if (allowCredentials != null) {
 			config.setAllowCredentials(allowCredentials);
@@ -137,7 +138,7 @@ public class CorsConfiguration {
 	 */
 	public void addAllowedOrigin(String origin) {
 		if (this.allowedOrigins == null) {
-			this.allowedOrigins = new ArrayList<String>();
+			this.allowedOrigins = new ArrayList<String>(4);
 		}
 		this.allowedOrigins.add(origin);
 	}
@@ -179,7 +180,7 @@ public class CorsConfiguration {
 	public void addAllowedMethod(String method) {
 		if (StringUtils.hasText(method)) {
 			if (this.allowedMethods == null) {
-				this.allowedMethods = new ArrayList<String>();
+				this.allowedMethods = new ArrayList<String>(4);
 			}
 			this.allowedMethods.add(method);
 		}
@@ -213,7 +214,7 @@ public class CorsConfiguration {
 	 */
 	public void addAllowedHeader(String allowedHeader) {
 		if (this.allowedHeaders == null) {
-			this.allowedHeaders = new ArrayList<String>();
+			this.allowedHeaders = new ArrayList<String>(4);
 		}
 		this.allowedHeaders.add(allowedHeader);
 	}
@@ -230,7 +231,7 @@ public class CorsConfiguration {
 		if (exposedHeaders != null && exposedHeaders.contains(ALL)) {
 			throw new IllegalArgumentException("'*' is not a valid exposed header value");
 		}
-		this.exposedHeaders = (exposedHeaders == null ? null : new ArrayList<String>(exposedHeaders));
+		this.exposedHeaders = (exposedHeaders != null ? new ArrayList<String>(exposedHeaders) : null);
 	}
 
 	/**
@@ -251,7 +252,7 @@ public class CorsConfiguration {
 			throw new IllegalArgumentException("'*' is not a valid exposed header value");
 		}
 		if (this.exposedHeaders == null) {
-			this.exposedHeaders = new ArrayList<String>();
+			this.exposedHeaders = new ArrayList<String>(4);
 		}
 		this.exposedHeaders.add(exposedHeader);
 	}
@@ -333,14 +334,18 @@ public class CorsConfiguration {
 		if (requestMethod == null) {
 			return null;
 		}
-		List<String> allowedMethods =
-				(this.allowedMethods != null ? this.allowedMethods : new ArrayList<String>());
-		if (allowedMethods.contains(ALL)) {
-			return Collections.singletonList(requestMethod);
+
+		List<String> allowedMethods = this.allowedMethods;
+		if (!CollectionUtils.isEmpty(allowedMethods)) {
+			if (allowedMethods.contains(ALL)) {
+				return Collections.singletonList(requestMethod);
+			}
 		}
-		if (allowedMethods.isEmpty()) {
+		else {
+			allowedMethods = new ArrayList<String>(1);
 			allowedMethods.add(HttpMethod.GET.name());
 		}
+
 		List<HttpMethod> result = new ArrayList<HttpMethod>(allowedMethods.size());
 		boolean allowed = false;
 		for (String method : allowedMethods) {

spring-web/src/test/java/org/springframework/web/cors/DefaultCorsProcessorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.web.cors;
 
+import javax.servlet.http.HttpServletResponse;
+
 import org.junit.Before;
 import org.junit.Test;
 
@@ -24,8 +26,6 @@ import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.test.MockHttpServletRequest;
 import org.springframework.mock.web.test.MockHttpServletResponse;
 
-import javax.servlet.http.HttpServletResponse;
-
 import static org.junit.Assert.*;
 
 /**
@@ -33,6 +33,7 @@ import static org.junit.Assert.*;
  *
  * @author Sebastien Deleuze
  * @author Rossen Stoyanchev
+ * @author Juergen Hoeller
  */
 public class DefaultCorsProcessorTests {
 
@@ -56,22 +57,25 @@ public class DefaultCorsProcessorTests {
 		this.processor = new DefaultCorsProcessor();
 	}
 
+
 	@Test
 	public void actualRequestWithOriginHeader() throws Exception {
 		this.request.setMethod(HttpMethod.GET.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
 	@Test
 	public void actualRequestWithOriginHeaderAndNullConfig() throws Exception {
 		this.request.setMethod(HttpMethod.GET.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.processor.processRequest(null, request, response);
+
+		this.processor.processRequest(null, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -79,12 +83,13 @@ public class DefaultCorsProcessorTests {
 		this.request.setMethod(HttpMethod.GET.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.conf.addAllowedOrigin("*");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -95,12 +100,13 @@ public class DefaultCorsProcessorTests {
 		this.conf.addAllowedOrigin("http://domain2.com");
 		this.conf.addAllowedOrigin("http://domain3.com");
 		this.conf.setAllowCredentials(true);
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -109,12 +115,13 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.conf.addAllowedOrigin("*");
 		this.conf.setAllowCredentials(true);
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -122,9 +129,10 @@ public class DefaultCorsProcessorTests {
 		this.request.setMethod(HttpMethod.GET.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.conf.addAllowedOrigin("http://DOMAIN2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -134,13 +142,14 @@ public class DefaultCorsProcessorTests {
 		this.conf.addExposedHeader("header1");
 		this.conf.addExposedHeader("header2");
 		this.conf.addAllowedOrigin("http://domain2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -149,8 +158,9 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
-		this.processor.processRequest(this.conf, request, response);
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+
+		this.processor.processRequest(this.conf, this.request, this.response);
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -159,8 +169,9 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
 		this.conf.addAllowedOrigin("*");
-		this.processor.processRequest(this.conf, request, response);
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+
+		this.processor.processRequest(this.conf, this.request, this.response);
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
 	@Test
@@ -169,18 +180,20 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
-		this.processor.processRequest(this.conf, request, response);
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
-		assertEquals("GET", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
+
+		this.processor.processRequest(this.conf, this.request, this.response);
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
+		assertEquals("GET", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 	}
 
 	@Test
 	public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
 	@Test
@@ -188,112 +201,119 @@ public class DefaultCorsProcessorTests {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
-		this.processor.processRequest(this.conf, request, response);
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestValidRequestAndConfig() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.conf.addAllowedOrigin("*");
 		this.conf.addAllowedMethod("GET");
 		this.conf.addAllowedMethod("PUT");
 		this.conf.addAllowedHeader("header1");
 		this.conf.addAllowedHeader("header2");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
-		assertEquals("GET,PUT", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
+		assertEquals("GET,PUT", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestCredentials() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.conf.addAllowedOrigin("http://domain1.com");
 		this.conf.addAllowedOrigin("http://domain2.com");
 		this.conf.addAllowedOrigin("http://domain3.com");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.conf.addAllowedOrigin("http://domain1.com");
 		this.conf.addAllowedOrigin("*");
 		this.conf.addAllowedOrigin("http://domain3.com");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestAllowedHeaders() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.addAllowedHeader("Header2");
 		this.conf.addAllowedHeader("Header3");
 		this.conf.addAllowedOrigin("http://domain2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 		assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
 	public void preflightRequestAllowsAllHeaders() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
-		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
 		this.conf.addAllowedHeader("*");
 		this.conf.addAllowedOrigin("http://domain2.com");
-		this.processor.processRequest(this.conf, request, response);
+
+		this.processor.processRequest(this.conf, this.request, this.response);
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 		assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 		assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
-		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+		assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 	}
 
 	@Test
@@ -302,9 +322,10 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
 		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
-		this.processor.processRequest(null, request, response);
+
+		this.processor.processRequest(null, this.request, this.response);
 		assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+		assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 	}
 
-}
+}

spring-webmvc/src/main/java/org/springframework/web/servlet/handler/AbstractHandlerMapping.java

@@ -64,8 +64,7 @@ import org.springframework.web.util.UrlPathHelper;
  * @see #setInterceptors
  * @see org.springframework.web.servlet.HandlerInterceptor
  */
-public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
-		implements HandlerMapping, Ordered {
+public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport implements HandlerMapping, Ordered {
 
 	private int order = Integer.MAX_VALUE;  // default: same as non-Ordered
 
@@ -236,6 +235,7 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
 		return this.corsConfigSource.getCorsConfigurations();
 	}
 
+
 	/**
 	 * Initializes the interceptors.
 	 * @see #extendInterceptors(java.util.List)
@@ -339,6 +339,7 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
 		return (count > 0 ? mappedInterceptors.toArray(new MappedInterceptor[count]) : null);
 	}
 
+
 	/**
 	 * Look up a handler for the given request, falling back to the default
 	 * handler if no specific one is found.
@@ -480,9 +481,7 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
 		}
 
 		@Override
-		public void handleRequest(HttpServletRequest request, HttpServletResponse response)
-				throws IOException {
-
+		public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
 			corsProcessor.processRequest(this.config, request, response);
 		}
 	}
@@ -497,8 +496,8 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
 		}
 
 		@Override
-		public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
-				Object handler) throws Exception {
+		public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+				throws Exception {
 
 			return corsProcessor.processRequest(this.config, request, response);
 		}