Align default values with 5.0.x

Closes gh-25414
6 years ago · 70773468c2
7 changed files with 42 additions and 30 deletions
--- a/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
+++ b/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -28,7 +28,7 @@ import org.springframework.web.cors.CorsConfiguration;
				@@ -28,7 +28,7 @@ import org.springframework.web.cors.CorsConfiguration;
 /**
 * Marks the annotated method or type as permitting cross origin requests.
 *
- * <p>By default all origins and headers are permitted, credentials are allowed,
+ * <p>By default all origins and headers are permitted, credentials are not allowed,
 * and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP
 * methods is set to the methods on the {@code @RequestMapping} if not
 * explicitly set on {@code @CrossOrigin}.
@ -67,7 +67,7 @@ public @interface CrossOrigin {
				@@ -67,7 +67,7 @@ public @interface CrossOrigin {
 	 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
 	 */
 	@Deprecated
-	boolean DEFAULT_ALLOW_CREDENTIALS = true;
+	boolean DEFAULT_ALLOW_CREDENTIALS = false;

 	/**
 	 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
@ -133,7 +133,8 @@ public @interface CrossOrigin {
				@@ -133,7 +133,8 @@ public @interface CrossOrigin {
 	 * An empty string ({@code ""}) means <em>undefined</em>.
 	 * {@code "true"} means that the pre-flight response will include the header
 	 * {@code Access-Control-Allow-Credentials=true}.
-	 * <p>If undefined, credentials are allowed.
+	 * <p>If undefined, this is set to {@code "false"} in which case credentials
+	 * are not allowed.
 	 */
 	String allowCredentials() default "";

--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -328,9 +328,6 @@ public class CorsConfiguration {
				@@ -328,9 +328,6 @@ public class CorsConfiguration {
 		if (this.allowedHeaders == null) {
 			this.addAllowedHeader(ALL);
 		}
-		if (this.allowCredentials == null) {
-			this.setAllowCredentials(true);
-		}
 		if (this.maxAge == null) {
 			this.setMaxAge(1800L);
 		}
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -122,9 +122,10 @@ public class CorsRegistration {
				@@ -122,9 +122,10 @@ public class CorsRegistration {
 	}

 	/**
-	 * Whether user credentials are supported.
-	 * <p>By default this is set to {@code true} in which case user credentials
-	 * are supported.
+	 * Whether user credentials are supported in which case the browser should
+	 * include any cookies associated with the domain of the request being
+	 * annotated.
+	 * <p>By default this is {@code false} and user credentials are not allowed.
 	 */
 	public CorsRegistration allowCredentials(boolean allowCredentials) {
 		this.config.setAllowCredentials(allowCredentials);
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/config/MvcNamespaceTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/config/MvcNamespaceTests.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -920,13 +920,13 @@ public class MvcNamespaceTests {
				@@ -920,13 +920,13 @@ public class MvcNamespaceTests {
 			assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
 			assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
 			assertNull(config.getExposedHeaders());
-			assertTrue(config.getAllowCredentials());
+			assertNull(config.getAllowCredentials());
 			assertEquals(new Long(1800), config.getMaxAge());
 		}
 	}

 	@Test
-	public void testCors() throws Exception {
+	public void testCors() {
 		loadBeanDefinitions("mvc-config-cors.xml");

 		String[] beanNames = appContext.getBeanNamesForType(AbstractHandlerMapping.class);
@ -943,14 +943,14 @@ public class MvcNamespaceTests {
				@@ -943,14 +943,14 @@ public class MvcNamespaceTests {
 			assertArrayEquals(new String[]{"GET", "PUT"}, config.getAllowedMethods().toArray());
 			assertArrayEquals(new String[]{"header1", "header2", "header3"}, config.getAllowedHeaders().toArray());
 			assertArrayEquals(new String[]{"header1", "header2"}, config.getExposedHeaders().toArray());
-			assertFalse(config.getAllowCredentials());
+			assertTrue(config.getAllowCredentials());
 			assertEquals(Long.valueOf(123), config.getMaxAge());
 			config = configs.get("/resources/**");
 			assertArrayEquals(new String[]{"https://domain1.com"}, config.getAllowedOrigins().toArray());
 			assertArrayEquals(new String[]{"GET", "HEAD", "POST"}, config.getAllowedMethods().toArray());
 			assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
 			assertNull(config.getExposedHeaders());
-			assertTrue(config.getAllowCredentials());
+			assertNull(config.getAllowCredentials());
 			assertEquals(Long.valueOf(1800), config.getMaxAge());
 		}
 	}
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,7 +21,7 @@ import java.lang.annotation.Retention;
				@@ -21,7 +21,7 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.lang.reflect.Method;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.Properties;

 import org.junit.Before;
@ -53,8 +53,13 @@ import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
				@@ -53,8 +53,13 @@ import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
 import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
 import org.springframework.web.servlet.mvc.method.RequestMappingInfo;

-import static org.hamcrest.CoreMatchers.*;
-import static org.junit.Assert.*;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;

 /**
 * Test fixture for {@link CrossOrigin @CrossOrigin} annotated methods.
@ -123,7 +128,7 @@ public class CrossOriginTests {
				@@ -123,7 +128,7 @@ public class CrossOriginTests {
 		assertNotNull(config);
 		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
 		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
-		assertTrue(config.getAllowCredentials());
+		assertNull(config.getAllowCredentials());
 		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertEquals(new Long(1800), config.getMaxAge());
@ -151,8 +156,8 @@ public class CrossOriginTests {
				@@ -151,8 +156,8 @@ public class CrossOriginTests {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertEquals(Arrays.asList("https://example.com"), config.getAllowedOrigins());
-		assertTrue(config.getAllowCredentials());
+		assertEquals(Collections.singletonList("https://example.com"), config.getAllowedOrigins());
+		assertNull(config.getAllowCredentials());
 	}

 	@Test
@ -162,8 +167,8 @@ public class CrossOriginTests {
				@@ -162,8 +167,8 @@ public class CrossOriginTests {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertEquals(Arrays.asList("https://example.com"), config.getAllowedOrigins());
-		assertTrue(config.getAllowCredentials());
+		assertEquals(Collections.singletonList("https://example.com"), config.getAllowedOrigins());
+		assertNull(config.getAllowCredentials());
 	}

 	@Test
@ -240,7 +245,7 @@ public class CrossOriginTests {
				@@ -240,7 +245,7 @@ public class CrossOriginTests {
 		assertNotNull(config);
 		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
 		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
-		assertTrue(config.getAllowCredentials());
+		assertNull(config.getAllowCredentials());
 		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertEquals(new Long(1800), config.getMaxAge());
--- a/spring-webmvc/src/test/resources/org/springframework/web/servlet/config/mvc-config-cors.xml
+++ b/spring-webmvc/src/test/resources/org/springframework/web/servlet/config/mvc-config-cors.xml
@ -11,7 +11,7 @@
				@@ -11,7 +11,7 @@

 		<mvc:mapping path="/api/**" allowed-origins="https://domain1.com, https://domain2.com"
 					 allowed-methods="GET, PUT" allowed-headers="header1, header2, header3"
-					 exposed-headers="header1, header2" allow-credentials="false" max-age="123" />
+					 exposed-headers="header1, header2" allow-credentials="true" max-age="123" />

 		<mvc:mapping path="/resources/**" allowed-origins="https://domain1.com" />

--- a/src/asciidoc/web-cors.adoc
+++ b/src/asciidoc/web-cors.adoc
@ -24,6 +24,13 @@ implementation (https://github.com/spring-projects/spring-framework/blob/master/
				@@ -24,6 +24,13 @@ implementation (https://github.com/spring-projects/spring-framework/blob/master/
 by default) in order to add the relevant CORS response headers (like `Access-Control-Allow-Origin`)
 based on the CORS configuration you have provided.

+[NOTE]
+====
+Be aware that cookies are not allowed by default to avoid increasing the surface attack of
+the web application (for example via exposing sensitive user-specific information like
+CSRF tokens). Set `allowedCredentials` property to `true` in order to allow them.
+====
+
 [NOTE]
 ====
 Since CORS requests are automatically dispatched, you *do not need* to change the
@ -151,7 +158,8 @@ public class WebConfig extends WebMvcConfigurerAdapter {
				@@ -151,7 +158,8 @@ public class WebConfig extends WebMvcConfigurerAdapter {
 			.allowedMethods("PUT", "DELETE")
 			.allowedHeaders("header1", "header2", "header3")
 			.exposedHeaders("header1", "header2")
-			.allowCredentials(false).maxAge(3600);
+			.allowCredentials(true)
+			.maxAge(3600);
 	}
 }
 ----
@ -180,7 +188,7 @@ It is also possible to declare several CORS mappings with customized properties:
				@@ -180,7 +188,7 @@ It is also possible to declare several CORS mappings with customized properties:
 		allowed-origins="https://domain1.com, https://domain2.com"
 		allowed-methods="GET, PUT"
 		allowed-headers="header1, header2, header3"
-		exposed-headers="header1, header2" allow-credentials="false"
+		exposed-headers="header1, header2"
 		max-age="123" />

 	<mvc:mapping path="/resources/**"