GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch '6.0.x'

pull/31206/head
Sébastien Deleuze 3 years ago
parent
3099710087 c892ce5537
commit
dfd631e662
8 changed files with 137 additions and 66 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 29
      framework-docs/modules/ROOT/pages/web/webflux-cors.adoc
  2. 29
      framework-docs/modules/ROOT/pages/web/webmvc-cors.adoc
  3. 27
      spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
  4. 58
      spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
  5. 2
      spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
  6. 2
      spring-web/src/main/java/org/springframework/web/cors/reactive/DefaultCorsProcessor.java
  7. 28
      spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java
  8. 28
      spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java

29
framework-docs/modules/ROOT/pages/web/webflux-cors.adoc
Unescape View File

@ -75,6 +75,35 @@ To learn more from the source or to make advanced customizations, see:
[[webflux-cors-credentialed-requests]]
== Credentialed Requests
[.small]#xref:web/webmvc-cors.adoc#mvc-cors-credentialed-requests[See equivalent in the Servlet stack]#
Using CORS with credentialed requests requires enabling `allowedCredentials`. Be aware that
this option establishes a high level of trust with the configured domains and also increases
the surface of attack of the web application by exposing sensitive user-specific information
such as cookies and CSRF tokens.
Enabling credentials also impacts how the configured `"*"` CORS wildcards are processed:
* Wildcards are not authorized in `allowOrigins`, but alternatively
the `allowOriginPatterns` property may be used to match to a dynamic set of origins.
* When set on `allowedHeaders` or `allowedMethods`, the `Access-Control-Allow-Headers`
and `Access-Control-Allow-Methods` response headers are handled by copying the related
headers and method specified in the CORS preflight request.
* When set on `exposedHeaders`, `Access-Control-Expose-Headers` response header is set
either to the configured list of headers or to the wildcard character. While the CORS spec
does not allow the wildcard character when `Access-Control-Allow-Credentials` is set to
`true`, most browsers support it and the response headers are not all available during the
CORS processing, so as a consequence the wildcard character is the header value used when
specified regardless of the value of the `allowCredentials` property.
WARNING: While such wildcard configuration can be handy, it is recommended when possible to configure
a finite set of values instead to provide a higher level of security.
[[webflux-cors-controller]] [[webflux-cors-controller]]
== `@CrossOrigin` == `@CrossOrigin`
[.small]#xref:web/webmvc-cors.adoc#mvc-cors-controller[See equivalent in the Servlet stack]# [.small]#xref:web/webmvc-cors.adoc#mvc-cors-controller[See equivalent in the Servlet stack]#

29
framework-docs/modules/ROOT/pages/web/webmvc-cors.adoc
Unescape View File

@ -25,6 +25,35 @@ powerful workarounds based on IFRAME or JSONP.
[[mvc-cors-credentialed-requests]]
== Credentialed Requests
[.small]#xref:web/webflux-cors.adoc#webflux-cors-credentialed-requests[See equivalent in the Reactive stack]#
Using CORS with credentialed requests requires enabling `allowedCredentials`. Be aware that
this option establishes a high level of trust with the configured domains and also increases
the surface of attack of the web application by exposing sensitive user-specific information
such as cookies and CSRF tokens.
Enabling credentials also impacts how the configured `"*"` CORS wildcards are processed:
* Wildcards are not authorized in `allowOrigins`, but alternatively
the `allowOriginPatterns` property may be used to match to a dynamic set of origins.
* When set on `allowedHeaders` or `allowedMethods`, the `Access-Control-Allow-Headers`
and `Access-Control-Allow-Methods` response headers are handled by copying the related
headers and method specified in the CORS preflight request.
* When set on `exposedHeaders`, `Access-Control-Expose-Headers` response header is set
either to the configured list of headers or to the wildcard character. While the CORS spec
does not allow the wildcard character when `Access-Control-Allow-Credentials` is set to
`true`, most browsers support it and the response headers are not all available during the
CORS processing, so as a consequence the wildcard character is the header value used when
specified regardless of the value of the `allowCredentials` property.
WARNING: While such wildcard configuration can be handy, it is recommended when possible to configure
a finite set of values instead to provide a higher level of security.
[[mvc-cors-processing]] [[mvc-cors-processing]]
== Processing == Processing
[.small]#xref:web/webflux-cors.adoc#webflux-cors-processing[See equivalent in the Reactive stack]# [.small]#xref:web/webflux-cors.adoc#webflux-cors-processing[See equivalent in the Reactive stack]#

27
spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -80,31 +80,23 @@ public @interface CrossOrigin {
/** /**
* The list of request headers that are permitted in actual requests, * The list of request headers that are permitted in actual requests,
* possibly {@code "*"} to allow all headers. * possibly {@code "*"} to allow all headers. Please, see
* <p>Allowed headers are listed in the {@code Access-Control-Allow-Headers} * {@link CorsConfiguration#setAllowedHeaders(List)} for details.
* response header of preflight requests.
* <p>A header name is not required to be listed if it is one of:
* {@code Cache-Control}, {@code Content-Language}, {@code Expires},
* {@code Last-Modified}, or {@code Pragma} as per the CORS spec.
* <p>By default all requested headers are allowed. * <p>By default all requested headers are allowed.
*/ */
String[] allowedHeaders() default {}; String[] allowedHeaders() default {};
/** /**
* The List of response headers that the user-agent will allow the client * The List of response headers that the user-agent will allow the client
* to access on an actual response, other than "simple" headers, i.e. * to access on an actual response, possibly {@code "*"} to expose all headers.
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * Please, see {@link CorsConfiguration#setExposedHeaders(List)} for details.
* {@code Expires}, {@code Last-Modified}, or {@code Pragma},
* <p>Exposed headers are listed in the {@code Access-Control-Expose-Headers}
* response header of actual CORS requests.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
* <p>By default no headers are listed as exposed. * <p>By default no headers are listed as exposed.
*/ */
String[] exposedHeaders() default {}; String[] exposedHeaders() default {};
/** /**
* The list of supported HTTP request methods. * The list of supported HTTP request methods. Please, see
* {@link CorsConfiguration#setAllowedMethods(List)} for details.
* <p>By default the supported methods are the same as the ones to which a * <p>By default the supported methods are the same as the ones to which a
* controller method is mapped. * controller method is mapped.
*/ */
@ -112,9 +104,8 @@ public @interface CrossOrigin {
/** /**
* Whether the browser should send credentials, such as cookies along with * Whether the browser should send credentials, such as cookies along with
* cross domain requests, to the annotated endpoint. The configured value is * cross domain requests, to the annotated endpoint. Please, see
* set on the {@code Access-Control-Allow-Credentials} response header of * {@link CorsConfiguration#setAllowCredentials(Boolean)} for details.
* preflight requests.
* <p><strong>NOTE:</strong> Be aware that this option establishes a high * <p><strong>NOTE:</strong> Be aware that this option establishes a high
* level of trust with the configured domains and also increases the surface * level of trust with the configured domains and also increases the surface
* attack of the web application by exposing sensitive user-specific * attack of the web application by exposing sensitive user-specific

58
spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
Unescape View File

@ -280,8 +280,12 @@ public class CorsConfiguration {
/** /**
* Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"},
* {@code "PUT"}, etc. * {@code "PUT"}, etc. The special value {@code "*"} allows all methods.
* <p>The special value {@code "*"} allows all methods. * <p>{@code Access-Control-Allow-Methods} response header is set either
* to the configured method or to {@code "*"}. Keep in mind however that the
* CORS spec does not allow {@code "*"} when {@link #setAllowCredentials
* allowCredentials} is set to {@code true}, that combination is handled
* by copying the method specified in the CORS preflight request.
* <p>If not set, only {@code "GET"} and {@code "HEAD"} are allowed. * <p>If not set, only {@code "GET"} and {@code "HEAD"} are allowed.
* <p>By default this is not set. * <p>By default this is not set.
* <p><strong>Note:</strong> CORS checks use values from "Forwarded" * <p><strong>Note:</strong> CORS checks use values from "Forwarded"
@ -312,9 +316,9 @@ public class CorsConfiguration {
/** /**
* Return the allowed HTTP methods, or {@code null} in which case * Return the allowed HTTP methods, or {@code null} in which case
* only {@code "GET"} and {@code "HEAD"} allowed. * only {@code "GET"} and {@code "HEAD"} allowed.
* @see #setAllowedMethods(List)
* @see #addAllowedMethod(HttpMethod) * @see #addAllowedMethod(HttpMethod)
* @see #addAllowedMethod(String) * @see #addAllowedMethod(String)
* @see #setAllowedMethods(List)
*/ */
@Nullable @Nullable
public List<String> getAllowedMethods() { public List<String> getAllowedMethods() {
@ -322,14 +326,14 @@ public class CorsConfiguration {
} }
/** /**
* Add an HTTP method to allow. * Variant of {@link #setAllowedMethods} for adding one allowed method at a time.
*/ */
public void addAllowedMethod(HttpMethod method) { public void addAllowedMethod(HttpMethod method) {
addAllowedMethod(method.name()); addAllowedMethod(method.name());
} }
/** /**
* Add an HTTP method to allow. * Variant of {@link #setAllowedMethods} for adding one allowed method at a time.
*/ */
public void addAllowedMethod(String method) { public void addAllowedMethod(String method) {
if (StringUtils.hasText(method)) { if (StringUtils.hasText(method)) {
@ -352,9 +356,13 @@ public class CorsConfiguration {
/** /**
* Set the list of headers that a pre-flight request can list as allowed * Set the list of headers that a pre-flight request can list as allowed
* for use during an actual request. * for use during an actual request. The special value {@code "*"} allows
* <p>The special value {@code "*"} allows actual requests to send any * actual requests to send any header.
* header. * <p>{@code Access-Control-Allow-Headers} response header is set either
* to the configured list of headers or to {@code "*"}. Keep in mind however
* that the CORS spec does not allow {@code "*"} when {@link #setAllowCredentials
* allowCredentials} is set to {@code true}, that combination is handled by
* copying the headers specified in the CORS preflight request.
* <p>A header name is not required to be listed if it is one of: * <p>A header name is not required to be listed if it is one of:
* {@code Cache-Control}, {@code Content-Language}, {@code Expires}, * {@code Cache-Control}, {@code Content-Language}, {@code Expires},
* {@code Last-Modified}, or {@code Pragma}. * {@code Last-Modified}, or {@code Pragma}.
@ -375,7 +383,7 @@ public class CorsConfiguration {
} }
/** /**
* Add an actual request header to allow. * Variant of {@link #setAllowedHeaders(List)} for adding one allowed header at a time.
*/ */
public void addAllowedHeader(String allowedHeader) { public void addAllowedHeader(String allowedHeader) {
if (this.allowedHeaders == null) { if (this.allowedHeaders == null) {
@ -388,12 +396,19 @@ public class CorsConfiguration {
} }
/** /**
* Set the list of response headers other than simple headers (i.e. * Set the list of response headers that an actual response might have
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * and can be exposed to the client. The special value {@code "*"}
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}) that an * allows all headers to be exposed.
* actual response might have and can be exposed. * <p>{@code Access-Control-Expose-Headers} response header is set either
* <p>The special value {@code "*"} allows all headers to be exposed for * to the configured list of headers or to {@code "*"}. While the CORS
* non-credentialed requests. * spec does not allow {@code "*"} when {@code Access-Control-Allow-Credentials}
* is set to {@code true}, most browsers support it and
* the response headers are not all available during the CORS processing,
* so as a consequence {@code "*"} is the header value used when specified
* regardless of the value of the `allowCredentials` property.
* <p>A header name is not required to be listed if it is one of:
* {@code Cache-Control}, {@code Content-Language}, {@code Expires},
* {@code Last-Modified}, or {@code Pragma}.
* <p>By default this is not set. * <p>By default this is not set.
*/ */
public void setExposedHeaders(@Nullable List<String> exposedHeaders) { public void setExposedHeaders(@Nullable List<String> exposedHeaders) {
@ -411,9 +426,7 @@ public class CorsConfiguration {
} }
/** /**
* Add a response header to expose. * Variant of {@link #setExposedHeaders} for adding one exposed header at a time.
* <p>The special value {@code "*"} allows all headers to be exposed for
* non-credentialed requests.
*/ */
public void addExposedHeader(String exposedHeader) { public void addExposedHeader(String exposedHeader) {
if (this.exposedHeaders == null) { if (this.exposedHeaders == null) {
@ -424,6 +437,15 @@ public class CorsConfiguration {
/** /**
* Whether user credentials are supported. * Whether user credentials are supported.
* <p>Setting this property has an impact on how {@link #setAllowedOrigins(List)
* origins}, {@link #setAllowedOriginPatterns(List) originPatterns},
* {@link #setAllowedMethods(List) allowedMethods} and
* {@link #setAllowedHeaders(List) allowedHeaders} are processed, see related
* API documentation for more details.
* <p><strong>NOTE:</strong> Be aware that this option establishes a high
* level of trust with the configured domains and also increases the surface
* attack of the web application by exposing sensitive user-specific
* information such as cookies and CSRF tokens.
* <p>By default this is not set (i.e. user credentials are not supported). * <p>By default this is not set (i.e. user credentials are not supported).
*/ */
public void setAllowCredentials(@Nullable Boolean allowCredentials) { public void setAllowCredentials(@Nullable Boolean allowCredentials) {

2
spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
Unescape View File

@ -191,7 +191,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
/** /**
* Check the headers and determine the headers for the response of a * Check the headers and determine the headers for the response of a
* pre-flight request. The default implementation simply delegates to * pre-flight request. The default implementation simply delegates to
* {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}. * {@link org.springframework.web.cors.CorsConfiguration#checkHeaders(List)}.
*/ */
@Nullable @Nullable
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) { protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {

2
spring-web/src/main/java/org/springframework/web/cors/reactive/DefaultCorsProcessor.java
Unescape View File

@ -188,7 +188,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
/** /**
* Check the headers and determine the headers for the response of a * Check the headers and determine the headers for the response of a
* pre-flight request. The default implementation simply delegates to * pre-flight request. The default implementation simply delegates to
* {@link CorsConfiguration#checkOrigin(String)}. * {@link CorsConfiguration#checkHeaders(List)}.
*/ */
@Nullable @Nullable
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) { protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {

28
spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -76,9 +76,11 @@ public class CorsRegistration {
/** /**
* Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc. * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc.
* <p>The special value {@code "*"} allows all methods. * The special value {@code "*"} allows all methods. By default,
* <p>By default "simple" methods {@code GET}, {@code HEAD}, and {@code POST} * "simple" methods {@code GET}, {@code HEAD}, and {@code POST}
* are allowed. * are allowed.
* <p>Please, see {@link CorsConfiguration#setAllowedMethods(List)} for
* details.
*/ */
public CorsRegistration allowedMethods(String... methods) { public CorsRegistration allowedMethods(String... methods) {
this.config.setAllowedMethods(Arrays.asList(methods)); this.config.setAllowedMethods(Arrays.asList(methods));
@ -87,11 +89,10 @@ public class CorsRegistration {
/** /**
* Set the list of headers that a pre-flight request can list as allowed * Set the list of headers that a pre-flight request can list as allowed
* for use during an actual request. * for use during an actual request. The special value {@code "*"}
* <p>The special value {@code "*"} may be used to allow all headers. * may be used to allow all headers.
* <p>A header name is not required to be listed if it is one of: * <p>Please, see {@link CorsConfiguration#setAllowedHeaders(List)} for
* {@code Cache-Control}, {@code Content-Language}, {@code Expires}, * details.
* {@code Last-Modified}, or {@code Pragma} as per the CORS spec.
* <p>By default all headers are allowed. * <p>By default all headers are allowed.
*/ */
public CorsRegistration allowedHeaders(String... headers) { public CorsRegistration allowedHeaders(String... headers) {
@ -100,12 +101,11 @@ public class CorsRegistration {
} }
/** /**
* Set the list of response headers other than "simple" headers, i.e. * Set the list of response headers that an actual response might have and
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * can be exposed. The special value {@code "*"} allows all headers to be
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an * exposed.
* actual response might have and can be exposed. * <p>Please, see {@link CorsConfiguration#setExposedHeaders(List)} for
* <p>The special value {@code "*"} allows all headers to be exposed for * details.
* non-credentialed requests.
* <p>By default this is not set. * <p>By default this is not set.
*/ */
public CorsRegistration exposedHeaders(String... headers) { public CorsRegistration exposedHeaders(String... headers) {

28
spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -77,9 +77,11 @@ public class CorsRegistration {
/** /**
* Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc. * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc.
* <p>The special value {@code "*"} allows all methods. * The special value {@code "*"} allows all methods. By default,
* <p>By default "simple" methods {@code GET}, {@code HEAD}, and {@code POST} * "simple" methods {@code GET}, {@code HEAD}, and {@code POST}
* are allowed. * are allowed.
* <p>Please, see {@link CorsConfiguration#setAllowedMethods(List)} for
* details.
*/ */
public CorsRegistration allowedMethods(String... methods) { public CorsRegistration allowedMethods(String... methods) {
this.config.setAllowedMethods(Arrays.asList(methods)); this.config.setAllowedMethods(Arrays.asList(methods));
@ -88,11 +90,10 @@ public class CorsRegistration {
/** /**
* Set the list of headers that a pre-flight request can list as allowed * Set the list of headers that a pre-flight request can list as allowed
* for use during an actual request. * for use during an actual request. The special value {@code "*"}
* <p>The special value {@code "*"} may be used to allow all headers. * may be used to allow all headers.
* <p>A header name is not required to be listed if it is one of: * <p>Please, see {@link CorsConfiguration#setAllowedHeaders(List)} for
* {@code Cache-Control}, {@code Content-Language}, {@code Expires}, * details.
* {@code Last-Modified}, or {@code Pragma} as per the CORS spec.
* <p>By default all headers are allowed. * <p>By default all headers are allowed.
*/ */
public CorsRegistration allowedHeaders(String... headers) { public CorsRegistration allowedHeaders(String... headers) {
@ -101,12 +102,11 @@ public class CorsRegistration {
} }
/** /**
* Set the list of response headers other than "simple" headers, i.e. * Set the list of response headers that an actual response might have and
* {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * can be exposed. The special value {@code "*"} allows all headers to be
* {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an * exposed.
* actual response might have and can be exposed. * <p>Please, see {@link CorsConfiguration#setExposedHeaders(List)} for
* <p>The special value {@code "*"} allows all headers to be exposed for * details.
* non-credentialed requests.
* <p>By default this is not set. * <p>By default this is not set.
*/ */
public CorsRegistration exposedHeaders(String... headers) { public CorsRegistration exposedHeaders(String... headers) {

Write Preview
Loading…
Cancel
Save