Line 0
|
|
|
1 |
package org.apache.catalina.filters; |
2 |
|
3 |
import java.io.IOException; |
4 |
import java.util.LinkedHashSet; |
5 |
import java.util.Set; |
6 |
|
7 |
import javax.servlet.FilterChain; |
8 |
import javax.servlet.ServletException; |
9 |
import javax.servlet.http.HttpServletRequest; |
10 |
import javax.servlet.http.HttpServletResponse; |
11 |
|
12 |
import org.junit.Assert; |
13 |
import org.junit.Test; |
14 |
|
15 |
public class TestCORSFilter { |
16 |
private FilterChain filterChain = new MockFilterChain(); |
17 |
|
18 |
/** |
19 |
* Tests if a GET request is treated as simple request. |
20 |
* |
21 |
* @See http://www.w3.org/TR/cors/#simple-method |
22 |
* @throws IOException |
23 |
* @throws ServletException |
24 |
*/ |
25 |
@Test |
26 |
public void testDoFilterSimpleGET() throws IOException, ServletException { |
27 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
28 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
29 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
30 |
request.setMethod("GET"); |
31 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
32 |
|
33 |
CORSFilter corsFilter = new CORSFilter(); |
34 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
35 |
corsFilter.doFilter(request, response, filterChain); |
36 |
|
37 |
Assert.assertTrue(response.getHeader( |
38 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
39 |
"https://www.apache.org")); |
40 |
Assert.assertTrue((Boolean) request |
41 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
42 |
Assert.assertTrue(request.getAttribute( |
43 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
44 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
45 |
Assert.assertTrue(request.getAttribute( |
46 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
47 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
48 |
} |
49 |
|
50 |
/** |
51 |
* Tests if a POST request is treated as simple request. |
52 |
* |
53 |
* @See http://www.w3.org/TR/cors/#simple-method |
54 |
* @throws IOException |
55 |
* @throws ServletException |
56 |
*/ |
57 |
@Test |
58 |
public void testDoFilterSimplePOST() throws IOException, ServletException { |
59 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
60 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
61 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
62 |
request.setContentType("text/plain"); |
63 |
request.setMethod("POST"); |
64 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
65 |
|
66 |
CORSFilter corsFilter = new CORSFilter(); |
67 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
68 |
corsFilter.doFilter(request, response, filterChain); |
69 |
|
70 |
Assert.assertTrue(response.getHeader( |
71 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
72 |
"https://www.apache.org")); |
73 |
Assert.assertTrue((Boolean) request |
74 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
75 |
Assert.assertTrue(request.getAttribute( |
76 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
77 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
78 |
Assert.assertTrue(request.getAttribute( |
79 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
80 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
81 |
} |
82 |
|
83 |
/** |
84 |
* Tests if a HEAD request is treated as simple request. |
85 |
* |
86 |
* @See http://www.w3.org/TR/cors/#simple-method |
87 |
* @throws IOException |
88 |
* @throws ServletException |
89 |
*/ |
90 |
@Test |
91 |
public void testDoFilterSimpleHEAD() throws IOException, ServletException { |
92 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
93 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
94 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
95 |
request.setMethod("HEAD"); |
96 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
97 |
|
98 |
CORSFilter corsFilter = new CORSFilter(); |
99 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
100 |
corsFilter.doFilter(request, response, filterChain); |
101 |
|
102 |
Assert.assertTrue(response.getHeader( |
103 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
104 |
"https://www.apache.org")); |
105 |
Assert.assertTrue((Boolean) request |
106 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
107 |
Assert.assertTrue(request.getAttribute( |
108 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
109 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
110 |
Assert.assertTrue(request.getAttribute( |
111 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
112 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
113 |
} |
114 |
|
115 |
/** |
116 |
* Test the presence of specific origin in response, when '*' is not used. |
117 |
* |
118 |
* @throws IOException |
119 |
* @throws ServletException |
120 |
*/ |
121 |
@Test |
122 |
public void testDoFilterSimpleSpecificHeader() throws IOException, |
123 |
ServletException { |
124 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
125 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
126 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
127 |
request.setMethod("POST"); |
128 |
request.setContentType("text/plain"); |
129 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
130 |
|
131 |
CORSFilter corsFilter = new CORSFilter(); |
132 |
corsFilter.init(MockFilterConfigs.getSpecificOriginFilterConfig()); |
133 |
corsFilter.doFilter(request, response, filterChain); |
134 |
|
135 |
Assert.assertTrue(response.getHeader( |
136 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
137 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
138 |
Assert.assertTrue((Boolean) request |
139 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
140 |
Assert.assertTrue(request.getAttribute( |
141 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
142 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
143 |
Assert.assertTrue(request.getAttribute( |
144 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
145 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
146 |
} |
147 |
|
148 |
/** |
149 |
* Tests the prsence of the origin (and not '*') in the response, when |
150 |
* supports credentials is enabled alongwith any origin, '*'. |
151 |
* |
152 |
* @throws IOException |
153 |
* @throws ServletException |
154 |
*/ |
155 |
@Test |
156 |
public void testDoFilterSimpleAnyOriginAndSupportsCredentials() |
157 |
throws IOException, ServletException { |
158 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
159 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
160 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
161 |
request.setMethod("GET"); |
162 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
163 |
|
164 |
CORSFilter corsFilter = new CORSFilter(); |
165 |
corsFilter.init(MockFilterConfigs |
166 |
.getFilterConfigAnyOriginAndSupportsCredentials()); |
167 |
corsFilter.doFilter(request, response, filterChain); |
168 |
|
169 |
Assert.assertTrue(response.getHeader( |
170 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
171 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
172 |
Assert.assertTrue(response.getHeader( |
173 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS) |
174 |
.equals( |
175 |
"true")); |
176 |
Assert.assertTrue((Boolean) request |
177 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
178 |
Assert.assertTrue(request.getAttribute( |
179 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
180 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
181 |
Assert.assertTrue(request.getAttribute( |
182 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
183 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
184 |
} |
185 |
|
186 |
/** |
187 |
* Tests the presence of the origin (and not '*') in the response, when |
188 |
* supports credentials is enabled alongwith any origin, '*'. |
189 |
* |
190 |
* @throws IOException |
191 |
* @throws ServletException |
192 |
*/ |
193 |
@Test |
194 |
public void testDoFilterSimpleAnyOriginAndSupportsCredentialsDisabled() |
195 |
throws IOException, ServletException { |
196 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
197 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
198 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
199 |
request.setMethod("GET"); |
200 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
201 |
|
202 |
CORSFilter corsFilter = new CORSFilter(); |
203 |
corsFilter.init(MockFilterConfigs |
204 |
.getFilterConfigAnyOriginAndSupportsCredentialsDisabled()); |
205 |
corsFilter.doFilter(request, response, filterChain); |
206 |
|
207 |
Assert.assertTrue(response.getHeader( |
208 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
209 |
MockFilterConfigs.ANY_ORIGIN)); |
210 |
Assert.assertNull(response.getHeader( |
211 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)); |
212 |
Assert.assertTrue((Boolean) request |
213 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
214 |
Assert.assertTrue(request.getAttribute( |
215 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
216 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
217 |
Assert.assertTrue(request.getAttribute( |
218 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
219 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
220 |
} |
221 |
|
222 |
/** |
223 |
* Tests the presence of exposed headers in response, if configured. |
224 |
* |
225 |
* @throws IOException |
226 |
* @throws ServletException |
227 |
*/ |
228 |
@Test |
229 |
public void testDoFilterSimpleWithExposedHeaders() throws IOException, |
230 |
ServletException { |
231 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
232 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
233 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
234 |
request.setMethod("POST"); |
235 |
request.setContentType("text/plain"); |
236 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
237 |
|
238 |
CORSFilter corsFilter = new CORSFilter(); |
239 |
corsFilter.init(MockFilterConfigs |
240 |
.getFilterConfigWithExposedHeaders()); |
241 |
corsFilter.doFilter(request, response, filterChain); |
242 |
|
243 |
Assert.assertTrue(response.getHeader( |
244 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
245 |
"https://www.apache.org")); |
246 |
Assert.assertTrue(response.getHeader( |
247 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS) |
248 |
.equals(MockFilterConfigs.EXPOSED_HEADERS)); |
249 |
Assert.assertTrue((Boolean) request |
250 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
251 |
Assert.assertTrue(request.getAttribute( |
252 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
253 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
254 |
Assert.assertTrue(request.getAttribute( |
255 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
256 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
257 |
} |
258 |
|
259 |
/** |
260 |
* Checks if an OPTIONS request is processed as pre-flight. |
261 |
* |
262 |
* @throws IOException |
263 |
* @throws ServletException |
264 |
*/ |
265 |
@Test |
266 |
public void testDoFilterPreflight() throws IOException, ServletException { |
267 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
268 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
269 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
270 |
request.setHeader( |
271 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
272 |
request.setHeader( |
273 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
274 |
"Content-Type"); |
275 |
request.setMethod("OPTIONS"); |
276 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
277 |
|
278 |
CORSFilter corsFilter = new CORSFilter(); |
279 |
corsFilter.init(MockFilterConfigs |
280 |
.getSpecificOriginFilterConfig()); |
281 |
corsFilter.doFilter(request, response, filterChain); |
282 |
|
283 |
Assert.assertTrue(response.getHeader( |
284 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
285 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
286 |
Assert.assertTrue((Boolean) request |
287 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
288 |
Assert.assertTrue(request.getAttribute( |
289 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
290 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
291 |
Assert.assertTrue(request.getAttribute( |
292 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
293 |
CORSFilter.CORSRequestType.PRE_FLIGHT.name().toLowerCase())); |
294 |
Assert.assertTrue(request.getAttribute( |
295 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS).equals( |
296 |
"Content-Type")); |
297 |
} |
298 |
|
299 |
/** |
300 |
* Checks if an OPTIONS request is processed as pre-flight where any origin |
301 |
* is enabled. |
302 |
* |
303 |
* @throws IOException |
304 |
* @throws ServletException |
305 |
*/ |
306 |
@Test |
307 |
public void testDoFilterPreflightAnyOrigin() throws IOException, |
308 |
ServletException { |
309 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
310 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
311 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
312 |
request.setHeader( |
313 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
314 |
request.setHeader( |
315 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
316 |
"Content-Type"); |
317 |
request.setMethod("OPTIONS"); |
318 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
319 |
|
320 |
CORSFilter corsFilter = new CORSFilter(); |
321 |
corsFilter.init(MockFilterConfigs |
322 |
.getSpecificOriginFilterConfig()); |
323 |
corsFilter.doFilter(request, response, filterChain); |
324 |
|
325 |
Assert.assertTrue(response.getHeader( |
326 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
327 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
328 |
Assert.assertTrue((Boolean) request |
329 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
330 |
Assert.assertTrue(request.getAttribute( |
331 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
332 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
333 |
Assert.assertTrue(request.getAttribute( |
334 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
335 |
CORSFilter.CORSRequestType.PRE_FLIGHT.name().toLowerCase())); |
336 |
Assert.assertTrue(request.getAttribute( |
337 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS).equals( |
338 |
"Content-Type")); |
339 |
} |
340 |
|
341 |
/** |
342 |
* Checks if an OPTIONS request is processed as pre-flight. |
343 |
* |
344 |
* @throws IOException |
345 |
* @throws ServletException |
346 |
*/ |
347 |
@Test |
348 |
public void testDoFilterPreflightInvalidOrigin() throws IOException, |
349 |
ServletException { |
350 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
351 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
352 |
"http://www.example.com"); |
353 |
request.setHeader( |
354 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
355 |
request.setHeader( |
356 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
357 |
"Content-Type"); |
358 |
request.setMethod("OPTIONS"); |
359 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
360 |
|
361 |
CORSFilter corsFilter = new CORSFilter(); |
362 |
corsFilter.init(MockFilterConfigs |
363 |
.getSpecificOriginFilterConfig()); |
364 |
corsFilter.doFilter(request, response, filterChain); |
365 |
|
366 |
Assert.assertEquals(response.getStatus(), |
367 |
HttpServletResponse.SC_FORBIDDEN); |
368 |
} |
369 |
|
370 |
@Test |
371 |
public void testDoFilterPreflightNegativeMaxAge() throws IOException, |
372 |
ServletException { |
373 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
374 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
375 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
376 |
request.setHeader( |
377 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
378 |
request.setHeader( |
379 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
380 |
"Content-Type"); |
381 |
request.setMethod("OPTIONS"); |
382 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
383 |
|
384 |
CORSFilter corsFilter = new CORSFilter(); |
385 |
corsFilter.init(MockFilterConfigs |
386 |
.getSpecificOriginFilterConfigNegativeMaxAge()); |
387 |
corsFilter.doFilter(request, response, filterChain); |
388 |
|
389 |
Assert.assertTrue(response.getHeader( |
390 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
391 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
392 |
Assert.assertNull(response.getHeader( |
393 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE)); |
394 |
Assert.assertTrue((Boolean) request |
395 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
396 |
Assert.assertTrue(request.getAttribute( |
397 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
398 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
399 |
Assert.assertTrue(request.getAttribute( |
400 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
401 |
CORSFilter.CORSRequestType.PRE_FLIGHT.name().toLowerCase())); |
402 |
Assert.assertTrue(request.getAttribute( |
403 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS).equals( |
404 |
"Content-Type")); |
405 |
} |
406 |
|
407 |
@Test |
408 |
public void testDoFilterPreflightWithCredentials() throws IOException, |
409 |
ServletException { |
410 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
411 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
412 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
413 |
request.setHeader( |
414 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
415 |
request.setHeader( |
416 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
417 |
"Content-Type"); |
418 |
request.setMethod("OPTIONS"); |
419 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
420 |
|
421 |
CORSFilter corsFilter = new CORSFilter(); |
422 |
corsFilter.init(MockFilterConfigs |
423 |
.getSecureFilterConfig()); |
424 |
corsFilter.doFilter(request, response, filterChain); |
425 |
|
426 |
Assert.assertTrue(response.getHeader( |
427 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
428 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
429 |
Assert.assertTrue(response.getHeader( |
430 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS) |
431 |
.equals("true")); |
432 |
Assert.assertTrue((Boolean) request |
433 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
434 |
Assert.assertTrue(request.getAttribute( |
435 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
436 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
437 |
Assert.assertTrue(request.getAttribute( |
438 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
439 |
CORSFilter.CORSRequestType.PRE_FLIGHT.name().toLowerCase())); |
440 |
Assert.assertTrue(request.getAttribute( |
441 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS).equals( |
442 |
"Content-Type")); |
443 |
} |
444 |
|
445 |
@Test |
446 |
public void testDoFilterPreflightWithoutCredentialsAndSpecificOrigin() |
447 |
throws IOException, |
448 |
ServletException { |
449 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
450 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
451 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
452 |
request.setHeader( |
453 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
454 |
request.setHeader( |
455 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
456 |
"Content-Type"); |
457 |
request.setMethod("OPTIONS"); |
458 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
459 |
|
460 |
CORSFilter corsFilter = new CORSFilter(); |
461 |
corsFilter.init(MockFilterConfigs |
462 |
.getFilterConfigSpecificOriginAndSupportsCredentialsDisabled()); |
463 |
corsFilter.doFilter(request, response, filterChain); |
464 |
|
465 |
Assert.assertTrue(response.getHeader( |
466 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
467 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
468 |
Assert.assertNull(response.getHeader( |
469 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)); |
470 |
Assert.assertTrue((Boolean) request |
471 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
472 |
Assert.assertTrue(request.getAttribute( |
473 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
474 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
475 |
Assert.assertTrue(request.getAttribute( |
476 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
477 |
CORSFilter.CORSRequestType.PRE_FLIGHT.name().toLowerCase())); |
478 |
Assert.assertTrue(request.getAttribute( |
479 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS).equals( |
480 |
"Content-Type")); |
481 |
} |
482 |
|
483 |
/** |
484 |
* Negative test, when a CORS request arrives, with a null origin. |
485 |
*/ |
486 |
@Test |
487 |
public void testDoFilterNullOrigin() throws IOException, ServletException { |
488 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
489 |
|
490 |
request.setMethod("POST"); |
491 |
request.setContentType("text/plain"); |
492 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
493 |
|
494 |
CORSFilter corsFilter = new CORSFilter(); |
495 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
496 |
CORSFilter.CORSRequestType requestType = |
497 |
corsFilter.checkRequestType(request); |
498 |
Assert.assertEquals(CORSFilter.CORSRequestType.NOT_CORS, requestType); |
499 |
|
500 |
corsFilter.doFilter(request, response, filterChain); |
501 |
|
502 |
Assert.assertFalse((Boolean) request |
503 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
504 |
} |
505 |
|
506 |
@Test |
507 |
public void testDoFilterInvalidCORSOriginNotAllowed() throws IOException, |
508 |
ServletException { |
509 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
510 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
511 |
"www.google.com"); |
512 |
request.setMethod("POST"); |
513 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
514 |
|
515 |
CORSFilter corsFilter = new CORSFilter(); |
516 |
corsFilter.init(MockFilterConfigs.getSpecificOriginFilterConfig()); |
517 |
corsFilter.doFilter(request, response, filterChain); |
518 |
|
519 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
520 |
response.getStatus()); |
521 |
} |
522 |
|
523 |
@Test(expected = ServletException.class) |
524 |
public void testDoFilterNullRequestNullResponse() throws IOException, |
525 |
ServletException { |
526 |
CORSFilter corsFilter = new CORSFilter(); |
527 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
528 |
corsFilter.doFilter(null, null, filterChain); |
529 |
} |
530 |
|
531 |
@Test(expected = ServletException.class) |
532 |
public void testDoFilterNullRequestResponse() throws IOException, |
533 |
ServletException { |
534 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
535 |
CORSFilter corsFilter = new CORSFilter(); |
536 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
537 |
corsFilter.doFilter(null, response, filterChain); |
538 |
} |
539 |
|
540 |
@Test(expected = ServletException.class) |
541 |
public void testDoFilterRequestNullResponse() throws IOException, |
542 |
ServletException { |
543 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
544 |
CORSFilter corsFilter = new CORSFilter(); |
545 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
546 |
corsFilter.doFilter(request, null, filterChain); |
547 |
} |
548 |
|
549 |
@Test |
550 |
public void testInitDefaultFilterConfig() throws IOException, |
551 |
ServletException { |
552 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
553 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
554 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
555 |
request.setMethod("GET"); |
556 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
557 |
|
558 |
CORSFilter corsFilter = new CORSFilter(); |
559 |
corsFilter.init(null); |
560 |
corsFilter.doFilter(request, response, filterChain); |
561 |
|
562 |
Assert.assertTrue(response.getHeader( |
563 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
564 |
"https://www.apache.org")); |
565 |
Assert.assertTrue((Boolean) request |
566 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
567 |
Assert.assertTrue(request.getAttribute( |
568 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals( |
569 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG)); |
570 |
Assert.assertTrue(request.getAttribute( |
571 |
CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals( |
572 |
CORSFilter.CORSRequestType.SIMPLE.name().toLowerCase())); |
573 |
} |
574 |
|
575 |
@Test(expected = ServletException.class) |
576 |
public void testInitInvalidFilterConfig() throws IOException, |
577 |
ServletException { |
578 |
CORSFilter corsFilter = new CORSFilter(); |
579 |
corsFilter.init(MockFilterConfigs.getFilterConfigInvalidMaxPreflightAge()); |
580 |
// If we don't get an exception at this point, then all mocked objects |
581 |
// worked as expected. |
582 |
} |
583 |
|
584 |
/** |
585 |
* Tests if a non-simple request is given to simple request handler. |
586 |
* |
587 |
* @throws IOException |
588 |
* @throws ServletException |
589 |
*/ |
590 |
@Test(expected = IllegalArgumentException.class) |
591 |
public void testNotSimple() throws IOException, ServletException { |
592 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
593 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
594 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
595 |
request.setHeader( |
596 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, "PUT"); |
597 |
request.setHeader( |
598 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
599 |
"Content-Type"); |
600 |
request.setMethod("OPTIONS"); |
601 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
602 |
|
603 |
CORSFilter corsFilter = new CORSFilter(); |
604 |
corsFilter.init(MockFilterConfigs |
605 |
.getDefaultFilterConfig()); |
606 |
corsFilter.handleSimpleCORS(request, response, filterChain); |
607 |
} |
608 |
|
609 |
/** |
610 |
* When a non-preflight request is given to a pre-flight requets handler. |
611 |
* |
612 |
* @throws IOException |
613 |
* @throws ServletException |
614 |
*/ |
615 |
@Test(expected = IllegalArgumentException.class) |
616 |
public void testNotPreflight() throws IOException, ServletException { |
617 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
618 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
619 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
620 |
request.setMethod("GET"); |
621 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
622 |
|
623 |
CORSFilter corsFilter = new CORSFilter(); |
624 |
corsFilter.init(MockFilterConfigs.getDefaultFilterConfig()); |
625 |
corsFilter.handlePreflightCORS(request, response, filterChain); |
626 |
} |
627 |
|
628 |
@Test(expected = IllegalArgumentException.class) |
629 |
public void testDecorateCORSPropertiesNullRequestNullCORSRequestType() { |
630 |
CORSFilter.decorateCORSProperties(null, null); |
631 |
} |
632 |
|
633 |
@Test(expected = IllegalArgumentException.class) |
634 |
public void testDecorateCORSPropertiesNullRequestValidCORSRequestType() { |
635 |
CORSFilter.decorateCORSProperties(null, |
636 |
CORSFilter.CORSRequestType.SIMPLE); |
637 |
} |
638 |
|
639 |
@Test(expected = IllegalArgumentException.class) |
640 |
public void testDecorateCORSPropertiesValidRequestNullRequestType() { |
641 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
642 |
CORSFilter.decorateCORSProperties(request, null); |
643 |
} |
644 |
|
645 |
@Test |
646 |
public void testDecorateCORSPropertiesCORSRequestTypeNotCORS() { |
647 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
648 |
CORSFilter.decorateCORSProperties(request, |
649 |
CORSFilter.CORSRequestType.NOT_CORS); |
650 |
Assert.assertFalse((Boolean) request |
651 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
652 |
} |
653 |
|
654 |
@Test |
655 |
public void testDecorateCORSPropertiesCORSRequestTypeInvalidCORS() { |
656 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
657 |
CORSFilter |
658 |
.decorateCORSProperties(request, |
659 |
CORSFilter.CORSRequestType.INVALID_CORS); |
660 |
Assert.assertNull(request |
661 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
662 |
} |
663 |
|
664 |
@Test |
665 |
public void testCheckSimpleRequestTypeAnyOrigin() throws ServletException { |
666 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
667 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
668 |
"http://www.w3.org"); |
669 |
request.setMethod("GET"); |
670 |
CORSFilter corsFilter = new CORSFilter(); |
671 |
corsFilter.init(MockFilterConfigs |
672 |
.getDefaultFilterConfig()); |
673 |
CORSFilter.CORSRequestType requestType = |
674 |
corsFilter.checkRequestType(request); |
675 |
Assert.assertEquals(CORSFilter.CORSRequestType.SIMPLE, requestType); |
676 |
} |
677 |
|
678 |
/** |
679 |
* Happy path test, when a valid CORS Simple request arrives. |
680 |
* |
681 |
* @throws ServletException |
682 |
*/ |
683 |
@Test |
684 |
public void testCheckSimpleRequestType() throws ServletException { |
685 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
686 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
687 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
688 |
request.setMethod("GET"); |
689 |
CORSFilter corsFilter = new CORSFilter(); |
690 |
corsFilter.init(MockFilterConfigs |
691 |
.getDefaultFilterConfig()); |
692 |
CORSFilter.CORSRequestType requestType = |
693 |
corsFilter.checkRequestType(request); |
694 |
Assert.assertEquals(CORSFilter.CORSRequestType.SIMPLE, requestType); |
695 |
} |
696 |
|
697 |
/** |
698 |
* Happy path test, when a valid CORS Simple request arrives. |
699 |
* |
700 |
* @throws ServletException |
701 |
*/ |
702 |
@Test |
703 |
public void testCheckActualRequestType() throws ServletException { |
704 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
705 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
706 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
707 |
request.setMethod("PUT"); |
708 |
CORSFilter corsFilter = new CORSFilter(); |
709 |
corsFilter.init(MockFilterConfigs |
710 |
.getDefaultFilterConfig()); |
711 |
CORSFilter.CORSRequestType requestType = |
712 |
corsFilter.checkRequestType(request); |
713 |
Assert.assertEquals(CORSFilter.CORSRequestType.ACTUAL, requestType); |
714 |
} |
715 |
|
716 |
/** |
717 |
* Happy path test, when a valid CORS Simple request arrives. |
718 |
* |
719 |
* @throws ServletException |
720 |
*/ |
721 |
@Test |
722 |
public void testCheckActualRequestTypeMethodPOSTNotSimpleHeaders() |
723 |
throws ServletException { |
724 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
725 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
726 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
727 |
request.setMethod("POST"); |
728 |
request.setContentType("application/json"); |
729 |
CORSFilter corsFilter = new CORSFilter(); |
730 |
corsFilter.init(MockFilterConfigs |
731 |
.getDefaultFilterConfig()); |
732 |
CORSFilter.CORSRequestType requestType = |
733 |
corsFilter.checkRequestType(request); |
734 |
Assert.assertEquals(CORSFilter.CORSRequestType.ACTUAL, requestType); |
735 |
} |
736 |
|
737 |
/** |
738 |
* Happy path test, when a valid CORS Pre-flight request arrives. |
739 |
* |
740 |
* @throws ServletException |
741 |
*/ |
742 |
@Test |
743 |
public void testCheckPreFlightRequestType() throws ServletException { |
744 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
745 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
746 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
747 |
request.setHeader( |
748 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
749 |
"PUT"); |
750 |
request.setHeader( |
751 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
752 |
"Content-Type"); |
753 |
request.setMethod("OPTIONS"); |
754 |
CORSFilter corsFilter = new CORSFilter(); |
755 |
corsFilter.init(MockFilterConfigs |
756 |
.getDefaultFilterConfig()); |
757 |
CORSFilter.CORSRequestType requestType = |
758 |
corsFilter.checkRequestType(request); |
759 |
Assert.assertEquals(CORSFilter.CORSRequestType.PRE_FLIGHT, requestType); |
760 |
} |
761 |
|
762 |
/** |
763 |
* when a valid CORS Pre-flight request arrives, with no |
764 |
* Access-Control-Request-Method |
765 |
* |
766 |
* @throws ServletException |
767 |
* @throws IOException |
768 |
*/ |
769 |
@Test |
770 |
public void testCheckPreFlightRequestTypeNoACRM() throws ServletException, |
771 |
IOException { |
772 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
773 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
774 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
775 |
|
776 |
request.setMethod("OPTIONS"); |
777 |
CORSFilter corsFilter = new CORSFilter(); |
778 |
corsFilter.init(MockFilterConfigs |
779 |
.getDefaultFilterConfig()); |
780 |
CORSFilter.CORSRequestType requestType = |
781 |
corsFilter.checkRequestType(request); |
782 |
Assert.assertEquals(CORSFilter.CORSRequestType.ACTUAL, requestType); |
783 |
} |
784 |
|
785 |
/** |
786 |
* when a valid CORS Pre-flight request arrives, with empty |
787 |
* Access-Control-Request-Method |
788 |
* |
789 |
* @throws ServletException |
790 |
* @throws IOException |
791 |
*/ |
792 |
@Test |
793 |
public void testCheckPreFlightRequestTypeEmptyACRM() |
794 |
throws ServletException, IOException { |
795 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
796 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
797 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
798 |
request.setHeader( |
799 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
800 |
""); |
801 |
request.setMethod("OPTIONS"); |
802 |
CORSFilter corsFilter = new CORSFilter(); |
803 |
corsFilter.init(MockFilterConfigs |
804 |
.getDefaultFilterConfig()); |
805 |
CORSFilter.CORSRequestType requestType = |
806 |
corsFilter.checkRequestType(request); |
807 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
808 |
requestType); |
809 |
} |
810 |
|
811 |
/** |
812 |
* Happy path test, when a valid CORS Pre-flight request arrives. |
813 |
* |
814 |
* @throws ServletException |
815 |
*/ |
816 |
@Test |
817 |
public void testCheckPreFlightRequestTypeNoHeaders() |
818 |
throws ServletException { |
819 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
820 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
821 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
822 |
request.setHeader( |
823 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
824 |
"PUT"); |
825 |
request.setMethod("OPTIONS"); |
826 |
CORSFilter corsFilter = new CORSFilter(); |
827 |
corsFilter.init(MockFilterConfigs |
828 |
.getDefaultFilterConfig()); |
829 |
CORSFilter.CORSRequestType requestType = |
830 |
corsFilter.checkRequestType(request); |
831 |
Assert.assertEquals(CORSFilter.CORSRequestType.PRE_FLIGHT, requestType); |
832 |
} |
833 |
|
834 |
/** |
835 |
* Section 6.2.3 |
836 |
* |
837 |
* @throws ServletException |
838 |
* @throws IOException |
839 |
*/ |
840 |
@Test |
841 |
public void testCheckPreFlightRequestTypeInvalidRequestMethod() |
842 |
throws ServletException, IOException { |
843 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
844 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
845 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
846 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
847 |
request.setHeader( |
848 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
849 |
"POLITE"); |
850 |
request.setMethod("OPTIONS"); |
851 |
CORSFilter corsFilter = new CORSFilter(); |
852 |
corsFilter.init(MockFilterConfigs |
853 |
.getDefaultFilterConfig()); |
854 |
corsFilter.doFilter(request, response, filterChain); |
855 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
856 |
response.getStatus()); |
857 |
} |
858 |
|
859 |
/** |
860 |
* Section Section 6.2.5 |
861 |
* |
862 |
* @throws ServletException |
863 |
* @throws IOException |
864 |
*/ |
865 |
@Test |
866 |
public void testCheckPreFlightRequestTypeUnsupportedRequestMethod() |
867 |
throws ServletException, IOException { |
868 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
869 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
870 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
871 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
872 |
request.setHeader( |
873 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
874 |
"TRACE"); |
875 |
request.setMethod("OPTIONS"); |
876 |
CORSFilter corsFilter = new CORSFilter(); |
877 |
corsFilter.init(MockFilterConfigs |
878 |
.getDefaultFilterConfig()); |
879 |
corsFilter.doFilter(request, response, filterChain); |
880 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
881 |
response.getStatus()); |
882 |
} |
883 |
|
884 |
/** |
885 |
* Section Section 6.2.6 |
886 |
* |
887 |
* @throws ServletException |
888 |
* @throws IOException |
889 |
*/ |
890 |
@Test |
891 |
public void testCheckPreFlightRequestTypeUnsupportedRequestHeaders() |
892 |
throws ServletException, IOException { |
893 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
894 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
895 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
896 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
897 |
request.setHeader( |
898 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
899 |
"PUT"); |
900 |
request.setHeader( |
901 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
902 |
"X-ANSWER"); |
903 |
request.setMethod("OPTIONS"); |
904 |
CORSFilter corsFilter = new CORSFilter(); |
905 |
corsFilter.init(MockFilterConfigs |
906 |
.getSecureFilterConfig()); |
907 |
corsFilter.doFilter(request, response, filterChain); |
908 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
909 |
response.getStatus()); |
910 |
} |
911 |
|
912 |
/** |
913 |
* Section Section 6.2.7 |
914 |
* |
915 |
* @throws ServletException |
916 |
* @throws IOException |
917 |
*/ |
918 |
@Test |
919 |
public void testCheckPreFlightRequestTypeAnyOriginNoWithCredentials() |
920 |
throws ServletException, IOException { |
921 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
922 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
923 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
924 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
925 |
request.setHeader( |
926 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
927 |
"PUT"); |
928 |
request.setHeader( |
929 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
930 |
"Origin"); |
931 |
request.setMethod("OPTIONS"); |
932 |
CORSFilter corsFilter = new CORSFilter(); |
933 |
corsFilter.init(MockFilterConfigs |
934 |
.getFilterConfigAnyOriginAndSupportsCredentialsDisabled()); |
935 |
corsFilter.doFilter(request, response, filterChain); |
936 |
Assert.assertTrue(response.getHeader( |
937 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
938 |
"*")); |
939 |
Assert.assertNull(response |
940 |
.getHeader(CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)); |
941 |
} |
942 |
|
943 |
@Test |
944 |
public void testCheckPreFlightRequestTypeOriginNotAllowed() |
945 |
throws ServletException, IOException { |
946 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
947 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
948 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
949 |
"www.ebay.com"); |
950 |
request.setHeader( |
951 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
952 |
"PUT"); |
953 |
request.setMethod("OPTIONS"); |
954 |
CORSFilter corsFilter = new CORSFilter(); |
955 |
corsFilter.init(MockFilterConfigs |
956 |
.getSecureFilterConfig()); |
957 |
corsFilter.doFilter(request, response, filterChain); |
958 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
959 |
response.getStatus()); |
960 |
} |
961 |
|
962 |
/** |
963 |
* Happy path test, when a valid CORS Pre-flight request arrives. |
964 |
* |
965 |
* @throws ServletException |
966 |
*/ |
967 |
@Test |
968 |
public void testCheckPreFlightRequestTypeEmptyHeaders() |
969 |
throws ServletException { |
970 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
971 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
972 |
MockFilterConfigs.HTTP_TOMCAT_APACHE_ORG); |
973 |
request.setHeader( |
974 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD, |
975 |
"PUT"); |
976 |
request.setHeader( |
977 |
CORSFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS, |
978 |
""); |
979 |
request.setMethod("OPTIONS"); |
980 |
CORSFilter corsFilter = new CORSFilter(); |
981 |
corsFilter.init(MockFilterConfigs |
982 |
.getDefaultFilterConfig()); |
983 |
CORSFilter.CORSRequestType requestType = |
984 |
corsFilter.checkRequestType(request); |
985 |
Assert.assertEquals(CORSFilter.CORSRequestType.PRE_FLIGHT, requestType); |
986 |
} |
987 |
|
988 |
/** |
989 |
* Negative test, when a CORS request arrives, with an empty origin. |
990 |
* |
991 |
* @throws ServletException |
992 |
*/ |
993 |
@Test |
994 |
public void testCheckNotCORSRequestTypeEmptyOrigin() |
995 |
throws ServletException { |
996 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
997 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
998 |
""); |
999 |
request.setMethod("GET"); |
1000 |
CORSFilter corsFilter = new CORSFilter(); |
1001 |
corsFilter.init(MockFilterConfigs |
1002 |
.getDefaultFilterConfig()); |
1003 |
CORSFilter.CORSRequestType requestType = |
1004 |
corsFilter.checkRequestType(request); |
1005 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1006 |
requestType); |
1007 |
} |
1008 |
|
1009 |
/** |
1010 |
* Tests for failure, when a different domain is used, that's not in the |
1011 |
* allowed list of origins. |
1012 |
* |
1013 |
* @throws ServletException |
1014 |
* @throws IOException |
1015 |
*/ |
1016 |
@Test |
1017 |
public void testCheckInvalidOrigin() throws ServletException, IOException { |
1018 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1019 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
1020 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1021 |
"www.example.com"); |
1022 |
request.setMethod("GET"); |
1023 |
CORSFilter corsFilter = new CORSFilter(); |
1024 |
corsFilter.init(MockFilterConfigs |
1025 |
.getSpecificOriginFilterConfig()); |
1026 |
corsFilter.doFilter(request, response, filterChain); |
1027 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
1028 |
response.getStatus()); |
1029 |
} |
1030 |
|
1031 |
/** |
1032 |
* Tests for failure, when a different sub-domain is used, that's not in the |
1033 |
* allowed list of origins. |
1034 |
* |
1035 |
* @throws ServletException |
1036 |
* @throws IOException |
1037 |
*/ |
1038 |
@Test |
1039 |
public void testCheckInvalidOriginNotAllowedSubdomain() |
1040 |
throws ServletException, IOException { |
1041 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1042 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
1043 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1044 |
"http://commons.apache.org"); |
1045 |
request.setMethod("GET"); |
1046 |
CORSFilter corsFilter = new CORSFilter(); |
1047 |
corsFilter.init(MockFilterConfigs |
1048 |
.getSpecificOriginFilterConfig()); |
1049 |
corsFilter.doFilter(request, response, filterChain); |
1050 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
1051 |
response.getStatus()); |
1052 |
} |
1053 |
|
1054 |
/** |
1055 |
* PUT is not an allowed request method. |
1056 |
* |
1057 |
* @throws ServletException |
1058 |
* @throws IOException |
1059 |
*/ |
1060 |
@Test |
1061 |
public void testCheckInvalidRequestMethod() throws ServletException, |
1062 |
IOException { |
1063 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1064 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
1065 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1066 |
"http://tomcat.apache.org"); |
1067 |
request.setMethod("PUT"); |
1068 |
CORSFilter corsFilter = new CORSFilter(); |
1069 |
corsFilter.init(MockFilterConfigs |
1070 |
.getDefaultFilterConfig()); |
1071 |
corsFilter.doFilter(request, response, filterChain); |
1072 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
1073 |
response.getStatus()); |
1074 |
} |
1075 |
|
1076 |
/** |
1077 |
* When requestMethod is null |
1078 |
* |
1079 |
* @throws ServletException |
1080 |
*/ |
1081 |
@Test |
1082 |
public void testCheckNullRequestMethod() throws ServletException { |
1083 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1084 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1085 |
"http://tomcat.apache.org"); |
1086 |
request.setMethod(null); |
1087 |
CORSFilter corsFilter = new CORSFilter(); |
1088 |
corsFilter.init(MockFilterConfigs |
1089 |
.getSpecificOriginFilterConfig()); |
1090 |
CORSFilter.CORSRequestType requestType = |
1091 |
corsFilter.checkRequestType(request); |
1092 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1093 |
requestType); |
1094 |
} |
1095 |
|
1096 |
/** |
1097 |
* "http://tomcat.apache.org" is an allowed origin and |
1098 |
* "https://tomcat.apache.org" is not, because scheme doesn't match |
1099 |
* |
1100 |
* @throws ServletException |
1101 |
*/ |
1102 |
@Test |
1103 |
public void testCheckForSchemeVariance() throws ServletException { |
1104 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1105 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1106 |
"https://tomcat.apache.org"); |
1107 |
request.setMethod("POST"); |
1108 |
CORSFilter corsFilter = new CORSFilter(); |
1109 |
corsFilter.init(MockFilterConfigs |
1110 |
.getSpecificOriginFilterConfig()); |
1111 |
CORSFilter.CORSRequestType requestType = |
1112 |
corsFilter.checkRequestType(request); |
1113 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1114 |
requestType); |
1115 |
} |
1116 |
|
1117 |
/** |
1118 |
* "http://tomcat.apache.org" is an allowed origin and |
1119 |
* "http://tomcat.apache.org:8080" is not, because ports doesn't match |
1120 |
* |
1121 |
* @throws ServletException |
1122 |
* @throws IOException |
1123 |
*/ |
1124 |
@Test |
1125 |
public void testCheckForPortVariance() throws ServletException, IOException { |
1126 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1127 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
1128 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1129 |
"http://tomcat.apache.org:8080"); |
1130 |
request.setMethod("GET"); |
1131 |
CORSFilter corsFilter = new CORSFilter(); |
1132 |
corsFilter.init(MockFilterConfigs |
1133 |
.getSpecificOriginFilterConfig()); |
1134 |
corsFilter.doFilter(request, response, filterChain); |
1135 |
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, |
1136 |
response.getStatus()); |
1137 |
} |
1138 |
|
1139 |
/** |
1140 |
* Tests for failure, when an invalid {@link HttpServletRequest} is |
1141 |
* encountered. |
1142 |
* |
1143 |
* @throws ServletException |
1144 |
*/ |
1145 |
@Test(expected = IllegalArgumentException.class) |
1146 |
public void testCheckRequestTypeNull() throws ServletException { |
1147 |
HttpServletRequest request = null; |
1148 |
CORSFilter corsFilter = new CORSFilter(); |
1149 |
corsFilter.checkRequestType(request); |
1150 |
} |
1151 |
|
1152 |
@Test |
1153 |
public void testJoin() { |
1154 |
Set<String> elements = new LinkedHashSet<String>(); |
1155 |
String separator = ","; |
1156 |
elements.add("world"); |
1157 |
elements.add("peace"); |
1158 |
String join = CORSFilter.join(elements, separator); |
1159 |
Assert.assertTrue("world,peace".equals(join)); |
1160 |
} |
1161 |
|
1162 |
@Test |
1163 |
public void testJoinSingleElement() { |
1164 |
Set<String> elements = new LinkedHashSet<String>(); |
1165 |
String separator = ","; |
1166 |
elements.add("world"); |
1167 |
String join = CORSFilter.join(elements, separator); |
1168 |
Assert.assertTrue("world".equals(join)); |
1169 |
} |
1170 |
|
1171 |
@Test |
1172 |
public void testJoinSepNull() { |
1173 |
Set<String> elements = new LinkedHashSet<String>(); |
1174 |
String separator = null; |
1175 |
elements.add("world"); |
1176 |
elements.add("peace"); |
1177 |
String join = CORSFilter.join(elements, separator); |
1178 |
Assert.assertTrue("world,peace".equals(join)); |
1179 |
} |
1180 |
|
1181 |
@Test |
1182 |
public void testJoinElementsNull() { |
1183 |
Set<String> elements = null; |
1184 |
String separator = ","; |
1185 |
String join = CORSFilter.join(elements, separator); |
1186 |
|
1187 |
Assert.assertNull(join); |
1188 |
} |
1189 |
|
1190 |
@Test |
1191 |
public void testJoinOneNullElement() { |
1192 |
Set<String> elements = new LinkedHashSet<String>(); |
1193 |
String separator = ","; |
1194 |
elements.add(null); |
1195 |
elements.add("peace"); |
1196 |
String join = CORSFilter.join(elements, separator); |
1197 |
Assert.assertTrue(",peace".equals(join)); |
1198 |
} |
1199 |
|
1200 |
@Test |
1201 |
public void testJoinAllNullElements() { |
1202 |
Set<String> elements = new LinkedHashSet<String>(); |
1203 |
String separator = ","; |
1204 |
elements.add(null); |
1205 |
elements.add(null); |
1206 |
String join = CORSFilter.join(elements, separator); |
1207 |
Assert.assertTrue("".equals(join)); |
1208 |
} |
1209 |
|
1210 |
@Test |
1211 |
public void testJoinAllEmptyElements() { |
1212 |
Set<String> elements = new LinkedHashSet<String>(); |
1213 |
String separator = ","; |
1214 |
elements.add(""); |
1215 |
elements.add(""); |
1216 |
String join = CORSFilter.join(elements, separator); |
1217 |
Assert.assertTrue("".equals(join)); |
1218 |
} |
1219 |
|
1220 |
@Test |
1221 |
public void testJoinPipeSeparator() { |
1222 |
Set<String> elements = new LinkedHashSet<String>(); |
1223 |
String separator = "|"; |
1224 |
elements.add("world"); |
1225 |
elements.add("peace"); |
1226 |
String join = CORSFilter.join(elements, separator); |
1227 |
Assert.assertTrue("world|peace".equals(join)); |
1228 |
} |
1229 |
|
1230 |
@Test |
1231 |
public void testWithFilterConfig() throws ServletException { |
1232 |
CORSFilter corsFilter = new CORSFilter(); |
1233 |
corsFilter.init(MockFilterConfigs |
1234 |
.getDefaultFilterConfig()); |
1235 |
Assert.assertTrue(corsFilter.getAllowedHttpHeaders().size() == 6); |
1236 |
Assert.assertTrue(corsFilter.getAllowedHttpMethods().size() == 4); |
1237 |
Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0); |
1238 |
Assert.assertTrue(corsFilter.isAnyOriginAllowed()); |
1239 |
Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0); |
1240 |
Assert.assertTrue(corsFilter.isSupportsCredentials()); |
1241 |
Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800); |
1242 |
Assert.assertTrue(!corsFilter.isLoggingEnabled()); |
1243 |
} |
1244 |
|
1245 |
@Test(expected = ServletException.class) |
1246 |
public void testWithFilterConfigInvalidPreflightAge() |
1247 |
throws ServletException { |
1248 |
CORSFilter corsFilter = new CORSFilter(); |
1249 |
corsFilter.init(MockFilterConfigs |
1250 |
.getFilterConfigInvalidMaxPreflightAge()); |
1251 |
} |
1252 |
|
1253 |
@Test |
1254 |
public void testWithStringParserEmpty() throws ServletException { |
1255 |
CORSFilter corsFilter = new CORSFilter(); |
1256 |
corsFilter.init(MockFilterConfigs.getEmptyFilterConfig()); |
1257 |
Assert.assertTrue(corsFilter.getAllowedHttpHeaders().size() == 0); |
1258 |
Assert.assertTrue(corsFilter.getAllowedHttpMethods().size() == 0); |
1259 |
Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0); |
1260 |
Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0); |
1261 |
Assert.assertFalse(corsFilter.isSupportsCredentials()); |
1262 |
Assert.assertTrue(corsFilter.getPreflightMaxAge() == 0); |
1263 |
Assert.assertTrue(!corsFilter.isLoggingEnabled()); |
1264 |
} |
1265 |
|
1266 |
/** |
1267 |
* If an init param is null, it's default value will be used. |
1268 |
* |
1269 |
* @throws ServletException |
1270 |
*/ |
1271 |
@Test |
1272 |
public void testWithStringParserNull() throws ServletException { |
1273 |
CORSFilter corsFilter = new CORSFilter(); |
1274 |
corsFilter.init(MockFilterConfigs.getNullFilterConfig()); |
1275 |
Assert.assertTrue(corsFilter.getAllowedHttpHeaders().size() == 6); |
1276 |
Assert.assertTrue(corsFilter.getAllowedHttpMethods().size() == 4); |
1277 |
Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0); |
1278 |
Assert.assertTrue(corsFilter.isAnyOriginAllowed()); |
1279 |
Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0); |
1280 |
Assert.assertTrue(corsFilter.isSupportsCredentials()); |
1281 |
Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800); |
1282 |
Assert.assertTrue(!corsFilter.isLoggingEnabled()); |
1283 |
} |
1284 |
|
1285 |
@Test |
1286 |
public void testValidOrigin() { |
1287 |
Assert.assertTrue(CORSFilter.isValidOrigin("http://www.w3.org")); |
1288 |
} |
1289 |
|
1290 |
@Test |
1291 |
public void testInValidOriginCRLF() { |
1292 |
Assert.assertFalse(CORSFilter.isValidOrigin("http://www.w3.org\r\n")); |
1293 |
} |
1294 |
|
1295 |
@Test |
1296 |
public void testInValidOriginEncodedCRLF1() { |
1297 |
Assert.assertFalse(CORSFilter.isValidOrigin("http://www.w3.org%0d%0a")); |
1298 |
} |
1299 |
|
1300 |
@Test |
1301 |
public void testInValidOriginEncodedCRLF2() { |
1302 |
Assert.assertFalse(CORSFilter.isValidOrigin("http://www.w3.org%0D%0A")); |
1303 |
} |
1304 |
|
1305 |
@Test |
1306 |
public void testInValidOriginEncodedCRLF3() { |
1307 |
Assert.assertFalse(CORSFilter |
1308 |
.isValidOrigin("http://www.w3.org%0%0d%0ad%0%0d%0aa")); |
1309 |
} |
1310 |
|
1311 |
@Test |
1312 |
public void testCheckInvalidCRLF1() throws ServletException { |
1313 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1314 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1315 |
"http://www.w3.org\r\n"); |
1316 |
request.setMethod("GET"); |
1317 |
CORSFilter corsFilter = new CORSFilter(); |
1318 |
corsFilter.init(MockFilterConfigs |
1319 |
.getDefaultFilterConfig()); |
1320 |
CORSFilter.CORSRequestType requestType = |
1321 |
corsFilter.checkRequestType(request); |
1322 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1323 |
requestType); |
1324 |
} |
1325 |
|
1326 |
@Test |
1327 |
public void testCheckInvalidCRLF2() throws ServletException { |
1328 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1329 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1330 |
"http://www.w3.org\r\n"); |
1331 |
request.setMethod("GET"); |
1332 |
CORSFilter corsFilter = new CORSFilter(); |
1333 |
corsFilter.init(MockFilterConfigs |
1334 |
.getDefaultFilterConfig()); |
1335 |
CORSFilter.CORSRequestType requestType = |
1336 |
corsFilter.checkRequestType(request); |
1337 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1338 |
requestType); |
1339 |
} |
1340 |
|
1341 |
@Test |
1342 |
public void testCheckInvalidCRLF3() throws ServletException { |
1343 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1344 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1345 |
"http://www.w3.org%0d%0a"); |
1346 |
request.setMethod("GET"); |
1347 |
CORSFilter corsFilter = new CORSFilter(); |
1348 |
corsFilter.init(MockFilterConfigs |
1349 |
.getDefaultFilterConfig()); |
1350 |
CORSFilter.CORSRequestType requestType = |
1351 |
corsFilter.checkRequestType(request); |
1352 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1353 |
requestType); |
1354 |
} |
1355 |
|
1356 |
@Test |
1357 |
public void testCheckInvalidCRLF4() throws ServletException { |
1358 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1359 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1360 |
"http://www.w3.org%0D%0A"); |
1361 |
request.setMethod("GET"); |
1362 |
CORSFilter corsFilter = new CORSFilter(); |
1363 |
corsFilter.init(MockFilterConfigs |
1364 |
.getDefaultFilterConfig()); |
1365 |
CORSFilter.CORSRequestType requestType = |
1366 |
corsFilter.checkRequestType(request); |
1367 |
Assert.assertEquals(CORSFilter.CORSRequestType.INVALID_CORS, |
1368 |
requestType); |
1369 |
} |
1370 |
|
1371 |
@Test |
1372 |
public void testDecorateRequestDisabled() throws IOException, |
1373 |
ServletException { |
1374 |
MockHttpServletRequest request = new MockHttpServletRequest(); |
1375 |
request.setHeader(CORSFilter.REQUEST_HEADER_ORIGIN, |
1376 |
MockFilterConfigs.HTTPS_WWW_APACHE_ORG); |
1377 |
request.setMethod("GET"); |
1378 |
MockHttpServletResponse response = new MockHttpServletResponse(); |
1379 |
|
1380 |
CORSFilter corsFilter = new CORSFilter(); |
1381 |
corsFilter.init(MockFilterConfigs.getFilterConfigDecorateRequestDisabled()); |
1382 |
corsFilter.doFilter(request, response, filterChain); |
1383 |
|
1384 |
Assert.assertTrue(response.getHeader( |
1385 |
CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals( |
1386 |
"https://www.apache.org")); |
1387 |
Assert.assertNull(request |
1388 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)); |
1389 |
Assert.assertNull(request |
1390 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN)); |
1391 |
Assert.assertNull(request |
1392 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS)); |
1393 |
Assert.assertNull(request |
1394 |
.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE)); |
1395 |
} |
1396 |
|
1397 |
@Test |
1398 |
public void testDestroy() { |
1399 |
// Nothing to test. |
1400 |
// NO-OP |
1401 |
} |
1402 |
} |
0 |
+ native |
1403 |
+ native |