GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Allow "*" for Access-Control-Expose-Headers 

Closes gh-26113
pull/26122/head
Rossen Stoyanchev 5 years ago
parent
684e695b08
commit
8c3a05bbcf
6 changed files with 23 additions and 25 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
  2. 12
      spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
  3. 27
      spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
  4. 3
      spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java
  5. 3
      spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
  6. 1
      spring-webmvc/src/main/resources/org/springframework/web/servlet/config/spring-mvc.xsd

2
spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
Unescape View File

@ -114,6 +114,8 @@ public @interface CrossOrigin { @@ -114,6 +114,8 @@ public @interface CrossOrigin {
* {@code Expires}, {@code Last-Modified}, or {@code Pragma},
* <p>Exposed headers are listed in the {@code Access-Control-Expose-Headers}
* response header of actual CORS requests.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
* <p>By default no headers are listed as exposed.
*/
String[] exposedHeaders() default {};

12
spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
Unescape View File

@ -329,13 +329,11 @@ public class CorsConfiguration { @@ -329,13 +329,11 @@ public class CorsConfiguration {
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}) that an
* actual response might have and can be exposed.
* <p>Note that {@code "*"} is not a valid exposed header value.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
* <p>By default this is not set.
*/
public void setExposedHeaders(@Nullable List<String> exposedHeaders) {
if (exposedHeaders != null && exposedHeaders.contains(ALL)) {
throw new IllegalArgumentException("'*' is not a valid exposed header value");
}
this.exposedHeaders = (exposedHeaders != null ? new ArrayList<>(exposedHeaders) : null);
}
@ -351,12 +349,10 @@ public class CorsConfiguration { @@ -351,12 +349,10 @@ public class CorsConfiguration {
/**
* Add a response header to expose.
* <p>Note that {@code "*"} is not a valid exposed header value.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
*/
public void addExposedHeader(String exposedHeader) {
if (ALL.equals(exposedHeader)) {
throw new IllegalArgumentException("'*' is not a valid exposed header value");
}
if (this.exposedHeaders == null) {
this.exposedHeaders = new ArrayList<>(4);
}

27
spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
Unescape View File

@ -61,8 +61,7 @@ public class CorsConfigurationTests { @@ -61,8 +61,7 @@ public class CorsConfigurationTests {
config.addAllowedOriginPattern("http://*.example.com");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
config.addExposedHeader("header1");
config.addExposedHeader("header2");
config.addExposedHeader("*");
config.setAllowCredentials(true);
config.setMaxAge(123L);
@ -70,23 +69,11 @@ public class CorsConfigurationTests { @@ -70,23 +69,11 @@ public class CorsConfigurationTests {
assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.example.com");
assertThat(config.getAllowedHeaders()).containsExactly("*");
assertThat(config.getAllowedMethods()).containsExactly("*");
assertThat(config.getExposedHeaders()).containsExactly("header1", "header2");
assertThat(config.getExposedHeaders()).containsExactly("*");
assertThat(config.getAllowCredentials()).isTrue();
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
}
@Test
public void asteriskWildCardOnAddExposedHeader() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new CorsConfiguration().addExposedHeader("*"));
}
@Test
public void asteriskWildCardOnSetExposedHeaders() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new CorsConfiguration().setExposedHeaders(Collections.singletonList("*")));
}
@Test
public void combineWithNull() {
CorsConfiguration config = new CorsConfiguration();
@ -133,12 +120,14 @@ public class CorsConfigurationTests { @@ -133,12 +120,14 @@ public class CorsConfigurationTests {
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("header1");
assertThat(combinedConfig.getAllowedMethods()).containsExactly(HttpMethod.PUT.name());
assertThat(combinedConfig.getExposedHeaders()).isEmpty();
combinedConfig = other.combine(config);
assertThat(combinedConfig).isNotNull();
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("header1");
assertThat(combinedConfig.getAllowedMethods()).containsExactly(HttpMethod.PUT.name());
assertThat(combinedConfig.getExposedHeaders()).isEmpty();
combinedConfig = config.combine(new CorsConfiguration());
assertThat(config.getAllowedOrigins()).containsExactly("*");
@ -146,6 +135,7 @@ public class CorsConfigurationTests { @@ -146,6 +135,7 @@ public class CorsConfigurationTests {
assertThat(combinedConfig).isNotNull();
assertThat(combinedConfig.getAllowedMethods())
.containsExactly(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name());
assertThat(combinedConfig.getExposedHeaders()).isEmpty();
combinedConfig = new CorsConfiguration().combine(config);
assertThat(config.getAllowedOrigins()).containsExactly("*");
@ -153,6 +143,7 @@ public class CorsConfigurationTests { @@ -153,6 +143,7 @@ public class CorsConfigurationTests {
assertThat(combinedConfig).isNotNull();
assertThat(combinedConfig.getAllowedMethods())
.containsExactly(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name());
assertThat(combinedConfig.getExposedHeaders()).isEmpty();
}
@Test
@ -196,6 +187,7 @@ public class CorsConfigurationTests { @@ -196,6 +187,7 @@ public class CorsConfigurationTests {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addExposedHeader("*");
config.addAllowedMethod("*");
config.addAllowedOriginPattern("*");
@ -204,6 +196,8 @@ public class CorsConfigurationTests { @@ -204,6 +196,8 @@ public class CorsConfigurationTests {
other.addAllowedOriginPattern("http://*.company.com");
other.addAllowedHeader("header1");
other.addExposedHeader("header2");
other.addAllowedHeader("anotherHeader1");
other.addExposedHeader("anotherHeader2");
other.addAllowedMethod(HttpMethod.PUT.name());
CorsConfiguration combinedConfig = config.combine(other);
@ -211,6 +205,7 @@ public class CorsConfigurationTests { @@ -211,6 +205,7 @@ public class CorsConfigurationTests {
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
assertThat(combinedConfig.getExposedHeaders()).containsExactly("*");
assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
combinedConfig = other.combine(config);
@ -218,7 +213,9 @@ public class CorsConfigurationTests { @@ -218,7 +213,9 @@ public class CorsConfigurationTests {
assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
assertThat(combinedConfig.getExposedHeaders()).containsExactly("*");
assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
}
@Test // SPR-14792

3
spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java
Unescape View File

@ -98,7 +98,8 @@ public class CorsRegistration { @@ -98,7 +98,8 @@ public class CorsRegistration {
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
* actual response might have and can be exposed.
* <p>Note that {@code "*"} is not supported on this property.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
* <p>By default this is not set.
*/
public CorsRegistration exposedHeaders(String... headers) {

3
spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
Unescape View File

@ -99,7 +99,8 @@ public class CorsRegistration { @@ -99,7 +99,8 @@ public class CorsRegistration {
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
* actual response might have and can be exposed.
* <p>Note that {@code "*"} is not supported on this property.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
* <p>By default this is not set.
*/
public CorsRegistration exposedHeaders(String... headers) {

1
spring-webmvc/src/main/resources/org/springframework/web/servlet/config/spring-mvc.xsd
Unescape View File

@ -1400,6 +1400,7 @@ @@ -1400,6 +1400,7 @@
Comma-separated list of response headers other than simple headers (i.e.
Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) that an
actual response might have and can be exposed.
The special value "*" allows all headers to be exposed for non-credentialed requests.
Empty by default.
]]></xsd:documentation>
</xsd:annotation>

Write Preview
Loading…
Cancel
Save