
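--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -800,6 +800,7 @@ public final class CorsFilter implements Filter {
      * Checks if a given origin is valid or not. Criteria:
      * <ul>
      * <li>If an encoded character is present in origin, it's not valid.</li>
+     * <li>If origin is "null", it's valid.</li>
      * <li>Origin should be a valid {@link URI}</li>
      * </ul>
      *
@@ -812,6 +812,12 @@ public final class CorsFilter implements Filter {
             return false;
         }
 
+        // "null" is a valid origin
+        if ("null".equals(origin)) {
+            return true;
+        }
+
         URI originURI;
 
         try {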
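Review bot: The javadoc item added in the first hunk, `<li>If origin is "null", it's valid.</li>`, reads as if a "null" origin is accepted outright, whereas the early return in the second hunk only decides syntactic validity; the allowed-origin decision appears to be made elsewhere (testCheckNullOriginNotAllowed in this patch expects 403 for "null" under a specific-origin configuration). Suggest `<li>If origin is "null", it's syntactically valid; whether it is allowed is decided by the allowed-origins check.</li>`. It is also worth recording next to the early return that "null" is what browsers send for sandboxed iframes, file-scheme documents and some redirected requests, so listing "null" in allowed origins does not identify a particular site — e.g. `// "null" is sent for sandboxed/opaque origins; it names no specific site, so allowing it together with credentials grants any such document access`. The enclosing method's signature and the rest of its body lie outside both hunks.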
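--- a/test/org/apache/catalina/filters/TestCorsFilter.java
+++ b/test/org/apache/catalina/filters/TestCorsFilter.java
@@ -497,10 +497,10 @@ public class TestCorsFilter {
     }
 
     /*
-     * Negative test, when a CORS request arrives, with a null origin.
+     * Negative test, when a CORS request arrives, with no origin header.
      */
     @Test
-    public void testDoFilterNullOrigin() throws IOException, ServletException {
+    public void testDoFilterNoOrigin() throws IOException, ServletException {
         TesterHttpServletRequest request = new TesterHttpServletRequest();
 
         request.setMethod("POST");
@@ -536,6 +536,58 @@ public class TestCorsFilter {
                 response.getStatus());
     }
 
+    /*
+     * A CORS request arrives with a "null" origin which is allowed by default.
+     */
+    @Test
+    public void testDoFilterNullOriginAllowedByDefault() throws IOException, 
+            ServletException {
+        TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+        request.setMethod("POST");
+        request.setContentType("text/plain");
+        request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+        TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+        CorsFilter corsFilter = new CorsFilter();
+        corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
+        CorsFilter.CORSRequestType requestType =
+                corsFilter.checkRequestType(request);
+        Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+        corsFilter.doFilter(request, response, filterChain);
+
+        Assert.assertTrue(((Boolean) request.getAttribute(
+                CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+    }
+
+    /*
+     * A CORS request arrives with a "null" origin which is explicitly allowed 
+     * by configuration.
+     */
+    @Test
+    public void testDoFilterNullOriginAllowedByConfiguration() throws 
+            IOException, ServletException {
+        TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+        request.setMethod("POST");
+        request.setContentType("text/plain");
+        request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+        TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+        CorsFilter corsFilter = new CorsFilter();
+        corsFilter.init(
+                TesterFilterConfigs.getFilterConfigSpecificOriginNullAllowed());
+        CorsFilter.CORSRequestType requestType =
+                corsFilter.checkRequestType(request);
+        Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+        corsFilter.doFilter(request, response, filterChain);
+
+        Assert.assertTrue(((Boolean) request.getAttribute(
+                CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+    }
+
     @Test(expected = ServletException.class)
     public void testDoFilterNullRequestNullResponse() throws IOException,
             ServletException {
@@ -1035,6 +1087,24 @@ public class TestCorsFilter {
         Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
                 response.getStatus());
     }
+    
+    /*
+     * Tests for failure, when the 'null' origin is used, and it's not in the
+     * list of allowed origins.
+     */
+    @Test
+    public void testCheckNullOriginNotAllowed() throws ServletException, 
+            IOException {
+        TesterHttpServletRequest request = new TesterHttpServletRequest();
+        TesterHttpServletResponse response = new TesterHttpServletResponse();
+        request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+        request.setMethod("GET");
+        CorsFilter corsFilter = new CorsFilter();
+        corsFilter.init(TesterFilterConfigs.getSpecificOriginFilterConfig());
+        corsFilter.doFilter(request, response, filterChain);
+        Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
+                response.getStatus());
+    }
 
     /*
      * Tests for failure, when a different sub-domain is used, that's not in the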
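Review bot: The two tests added in the second hunk, testDoFilterNullOriginAllowedByDefault and testDoFilterNullOriginAllowedByConfiguration, only assert that the request was flagged as a CORS request and never inspect the response, so the security-relevant effect of accepting a "null" origin — which Access-Control-Allow-Origin value is emitted and whether Access-Control-Allow-Credentials accompanies it — is left unpinned and could regress silently. After the doFilter call, add assertions on the response headers, e.g. `Assert.assertEquals(<expected ACAO value>, response.getHeader(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN));`, with the expected value taken from the filter's documented behaviour for the "*"-allowed and the explicitly-listed case separately, since the two configurations may legitimately differ. Minor style points in this hunk and the third: several added lines carry trailing whitespace (the wrapped signature lines and the whitespace-only line at new line 1090), and testCheckNullOriginNotAllowed exercises doFilter rather than a check method, so a name like testDoFilterNullOriginNotAllowed would match its siblings.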
(-)a/test/org/apache/catalina/filters/TesterFilterConfigs.java (-1 / +18 lines)
Lines 106-111 public class TesterFilterConfigs { Link Here
106
                preflightMaxAge, decorateRequest);
106
                preflightMaxAge, decorateRequest);
107
    }
107
    }
108
108
109
    public static FilterConfig getFilterConfigSpecificOriginNullAllowed() {
110
        final String allowedHttpHeaders =
111
                CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
112
        final String allowedHttpMethods =
113
                CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
114
        final String allowedOrigins = HTTP_TOMCAT_APACHE_ORG + ",null";
115
        final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
116
        final String supportCredentials = 
117
                CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
118
        final String preflightMaxAge =
119
                CorsFilter.DEFAULT_PREFLIGHT_MAXAGE;
120
        final String decorateRequest = CorsFilter.DEFAULT_DECORATE_REQUEST;
121
122
        return generateFilterConfig(allowedHttpHeaders, allowedHttpMethods,
123
                allowedOrigins, exposedHeaders, supportCredentials,
124
                preflightMaxAge, decorateRequest);
125
    }
126
109
    public static FilterConfig getFilterConfigWithExposedHeaders() {
127
    public static FilterConfig getFilterConfigWithExposedHeaders() {
110
        final String allowedHttpHeaders =
128
        final String allowedHttpHeaders =
111
                CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
129
                CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
112
- 
