@@ -, +, @@
---
java/org/apache/catalina/filters/CorsFilter.java | 6 ++
.../apache/catalina/filters/TestCorsFilter.java | 74 +++++++++++++++++++++-
.../catalina/filters/TesterFilterConfigs.java | 18 ++++++
3 files changed, 96 insertions(+), 2 deletions(-)
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ a/java/org/apache/catalina/filters/CorsFilter.java
@@ -800,6 +800,7 @@ public final class CorsFilter implements Filter {
* Checks if a given origin is valid or not. Criteria:
*
* - If an encoded character is present in origin, it's not valid.
+ * - If origin is "null", it's valid.
* - Origin should be a valid {@link URI}
*
*
@@ -812,6 +813,11 @@ public final class CorsFilter implements Filter {
return false;
}
+ // "null" is a valid origin
+ if ("null".equals(origin)) {
+ return true;
+ }
+
URI originURI;
try {
--- a/test/org/apache/catalina/filters/TestCorsFilter.java
+++ a/test/org/apache/catalina/filters/TestCorsFilter.java
@@ -497,10 +497,10 @@ public class TestCorsFilter {
}
/*
- * Negative test, when a CORS request arrives, with a null origin.
+ * Negative test, when a CORS request arrives, with no origin header.
*/
@Test
- public void testDoFilterNullOrigin() throws IOException, ServletException {
+ public void testDoFilterNoOrigin() throws IOException, ServletException {
TesterHttpServletRequest request = new TesterHttpServletRequest();
request.setMethod("POST");
@@ -536,6 +536,58 @@ public class TestCorsFilter {
response.getStatus());
}
+ /*
+ * A CORS request arrives with a "null" origin which is allowed by default.
+ */
+ @Test
+ public void testDoFilterNullOriginAllowedByDefault() throws IOException,
+ ServletException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+ request.setMethod("POST");
+ request.setContentType("text/plain");
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
+ CorsFilter.CORSRequestType requestType =
+ corsFilter.checkRequestType(request);
+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+ corsFilter.doFilter(request, response, filterChain);
+
+ Assert.assertTrue(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ }
+
+ /*
+ * A CORS request arrives with a "null" origin which is explicitly allowed
+ * by configuration.
+ */
+ @Test
+ public void testDoFilterNullOriginAllowedByConfiguration() throws
+ IOException, ServletException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+ request.setMethod("POST");
+ request.setContentType("text/plain");
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(
+ TesterFilterConfigs.getFilterConfigSpecificOriginNullAllowed());
+ CorsFilter.CORSRequestType requestType =
+ corsFilter.checkRequestType(request);
+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+ corsFilter.doFilter(request, response, filterChain);
+
+ Assert.assertTrue(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ }
+
@Test(expected = ServletException.class)
public void testDoFilterNullRequestNullResponse() throws IOException,
ServletException {
@@ -1035,6 +1087,24 @@ public class TestCorsFilter {
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
response.getStatus());
}
+
+ /*
+ * Tests for failure, when the 'null' origin is used, and it's not in the
+ * list of allowed origins.
+ */
+ @Test
+ public void testCheckNullOriginNotAllowed() throws ServletException,
+ IOException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ request.setMethod("GET");
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getSpecificOriginFilterConfig());
+ corsFilter.doFilter(request, response, filterChain);
+ Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
+ response.getStatus());
+ }
/*
* Tests for failure, when a different sub-domain is used, that's not in the
--- a/test/org/apache/catalina/filters/TesterFilterConfigs.java
+++ a/test/org/apache/catalina/filters/TesterFilterConfigs.java
@@ -106,6 +106,24 @@ public class TesterFilterConfigs {
preflightMaxAge, decorateRequest);
}
+ public static FilterConfig getFilterConfigSpecificOriginNullAllowed() {
+ final String allowedHttpHeaders =
+ CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+ final String allowedHttpMethods =
+ CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
+ final String allowedOrigins = HTTP_TOMCAT_APACHE_ORG + ",null";
+ final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+ final String supportCredentials =
+ CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
+ final String preflightMaxAge =
+ CorsFilter.DEFAULT_PREFLIGHT_MAXAGE;
+ final String decorateRequest = CorsFilter.DEFAULT_DECORATE_REQUEST;
+
+ return generateFilterConfig(allowedHttpHeaders, allowedHttpMethods,
+ allowedOrigins, exposedHeaders, supportCredentials,
+ preflightMaxAge, decorateRequest);
+ }
+
public static FilterConfig getFilterConfigWithExposedHeaders() {
final String allowedHttpHeaders =
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
--