DefaultCorsProcessor checks for existing CORS response before attempting to compare origin

Issue: SPR-14080

spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -67,14 +67,14 @@ public class DefaultCorsProcessor implements CorsProcessor {
 		}
 
 		ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
-		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		if (responseHasCors(serverResponse)) {
-
+			logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
-		if (WebUtils.isSameOrigin(serverRequest)) {
-			logger.debug("Skip CORS processing, request is a same-origin one");
 			return true;
 		}
-		if (responseHasCors(serverResponse)) {
+
-			logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header");
+		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		if (WebUtils.isSameOrigin(serverRequest)) {
+			logger.debug("Skip CORS processing: request is from same origin");
 			return true;
 		}
 
@@ -93,14 +93,13 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	}
 
 	private boolean responseHasCors(ServerHttpResponse response) {
-		boolean hasAllowOrigin = false;
 		try {
-			hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null);
+			return (response.getHeaders().getAccessControlAllowOrigin() != null);
 		}
 		catch (NullPointerException npe) {
 			// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
+			return false;
 		}
-		return hasAllowOrigin;
 	}
 
 	/**
@@ -164,7 +163,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the origin and determine the origin for the response. The default
 	 * implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 		return config.checkOrigin(requestOrigin);
@@ -173,7 +172,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the HTTP method and determine the methods for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
 		return config.checkHttpMethod(requestMethod);
@@ -186,7 +185,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	/**
 	 * Check the headers and determine the headers for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
 		return config.checkHeaders(requestHeaders);