diff --git a/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java b/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java index 72445bb11cf..3a564f80826 100644 --- a/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java +++ b/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -58,6 +58,7 @@ public class DefaultCorsProcessor implements CorsProcessor { @Override + @SuppressWarnings("resource") public boolean processRequest(CorsConfiguration config, HttpServletRequest request, HttpServletResponse response) throws IOException { @@ -66,14 +67,14 @@ public class DefaultCorsProcessor implements CorsProcessor { } ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response); - ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request); - - if (WebUtils.isSameOrigin(serverRequest)) { - logger.debug("Skip CORS processing, request is a same-origin one"); + if (responseHasCors(serverResponse)) { + logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header"); return true; } - if (responseHasCors(serverResponse)) { - logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header"); + + ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request); + if (WebUtils.isSameOrigin(serverRequest)) { + logger.debug("Skip CORS processing: request is from same origin"); return true; } @@ -92,14 +93,13 @@ public class DefaultCorsProcessor implements CorsProcessor { } private boolean responseHasCors(ServerHttpResponse response) { - boolean hasAllowOrigin = false; try { - hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null); + return (response.getHeaders().getAccessControlAllowOrigin() != null); } catch (NullPointerException npe) { // SPR-11919 and https://issues.jboss.org/browse/WFLY-3474 + return false; } - return hasAllowOrigin; } /** @@ -163,7 +163,7 @@ public class DefaultCorsProcessor implements CorsProcessor { /** * Check the origin and determine the origin for the response. The default * implementation simply delegates to - * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} + * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}. */ protected String checkOrigin(CorsConfiguration config, String requestOrigin) { return config.checkOrigin(requestOrigin); @@ -172,7 +172,7 @@ public class DefaultCorsProcessor implements CorsProcessor { /** * Check the HTTP method and determine the methods for the response of a * pre-flight request. The default implementation simply delegates to - * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} + * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}. */ protected List checkMethods(CorsConfiguration config, HttpMethod requestMethod) { return config.checkHttpMethod(requestMethod); @@ -185,7 +185,7 @@ public class DefaultCorsProcessor implements CorsProcessor { /** * Check the headers and determine the headers for the response of a * pre-flight request. The default implementation simply delegates to - * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)} + * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}. */ protected List checkHeaders(CorsConfiguration config, List requestHeaders) { return config.checkHeaders(requestHeaders);