Commit fb7c84ff authored by Matija Obreza's avatar Matija Obreza

Using same-origin CorsProcessor implementation

parent 4aa85cab
......@@ -22,7 +22,6 @@ import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.RandomUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
......
package org.genesys2.spring.config;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.DefaultCorsProcessor;
/**
* Cloudfront forwards request to our servers, but {@link DefaultCorsProcessor}
* does not handle CORS request because it's considered to be "same-origin" (see
* their Javadoc).
*
* Copied from superclass, commented out the offending section.
*/
public class SameOriginCorsProcessor extends DefaultCorsProcessor {
public static final Logger LOG = LoggerFactory.getLogger(ApplicationConfig.class);
@Override
@SuppressWarnings("resource")
public boolean processRequest(CorsConfiguration config, HttpServletRequest request, HttpServletResponse response) throws IOException {
if (!CorsUtils.isCorsRequest(request)) {
return true;
}
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
if (responseHasCors(serverResponse)) {
LOG.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
return true;
}
ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
/**
* This is the bit that messes things up for us when trying to use Cloudfront
*/
// if (WebUtils.isSameOrigin(serverRequest)) {
// LOG.debug("Skip CORS processing: request is from same origin");
// return true;
// }
boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
if (config == null) {
if (preFlightRequest) {
rejectRequest(serverResponse);
return false;
} else {
return true;
}
}
return handleInternal(serverRequest, serverResponse, config, preFlightRequest);
}
private boolean responseHasCors(ServerHttpResponse response) {
try {
return (response.getHeaders().getAccessControlAllowOrigin() != null);
} catch (NullPointerException npe) {
// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
return false;
}
}
}
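Review bot: With the `WebUtils.isSameOrigin` shortcut commented out in `processRequest`, every request that carries an `Origin` header, including the site's own same-origin requests, now falls through to `handleInternal`, which in the superclass rejects it unless origin and method match the mapping's `CorsConfiguration`. The configured allowed origins and methods therefore become the only gate, and the class Javadoc should say so, e.g. `Same-origin requests are no longer exempt: any request with an Origin header must match the mapping's CorsConfiguration.` Separately, the logger is public and bound to the wrong class; `private static final Logger LOG = LoggerFactory.getLogger(SameOriginCorsProcessor.class);` would attribute these debug lines correctly. Because the body is a copy of the superclass method, the Javadoc should also record the Spring version it was copied from, so later upstream changes to `DefaultCorsProcessor` can be re-merged instead of silently missed.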
......@@ -32,8 +32,10 @@ import org.genesys2.spring.AddStuffInterceptor;
import org.genesys2.spring.RequestAttributeLocaleResolver;
import org.genesys2.spring.RequestTrackingInterceptor;
import org.genesys2.spring.validation.oval.spring.SpringOvalValidator;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
......@@ -45,6 +47,7 @@ import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.validation.Validator;
import org.springframework.web.cors.CorsProcessor;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
......@@ -54,6 +57,7 @@ import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.ViewResolverRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import org.springframework.web.servlet.theme.CookieThemeResolver;
import org.springframework.web.servlet.theme.ThemeChangeInterceptor;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
......@@ -176,6 +180,32 @@ public class WebConfiguration extends WebMvcConfigurerAdapter {
registry.addMapping("/html/**").allowCredentials(false).allowedMethods("GET", "OPTIONS", "HEAD").allowedOrigins(baseUrl).maxAge(3600);
}
@Bean
public CorsProcessor corsProcessor() {
return new SameOriginCorsProcessor();
}
/**
* This bean post-processor sets our {@link #corsProcessor()} on all AbstractHandlerMapping beans
*/
@Bean
public BeanPostProcessor useCustomCorsProcessor() {
return new BeanPostProcessor() {
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof AbstractHandlerMapping) {
((AbstractHandlerMapping)bean).setCorsProcessor(corsProcessor());
}
return bean;
}
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
return bean;
}
};
}
public MappingJackson2HttpMessageConverter jacksonMessageConverter() {
final MappingJackson2HttpMessageConverter messageConverter = new MappingJackson2HttpMessageConverter();
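Review bot: `useCustomCorsProcessor()` is an instance `@Bean` method returning a `BeanPostProcessor`, so Spring has to instantiate `WebConfiguration` early, while post-processors are still being registered, and the configuration class may then miss part of the normal post-processing. `WebConfiguration` starts and ends outside this hunk, so its injected fields are not visible here and the impact should be confirmed. Declaring the method static and letting it hold its own processor avoids the early instantiation: `public static BeanPostProcessor useCustomCorsProcessor()` with `final CorsProcessor processor = new SameOriginCorsProcessor();` passed to `setCorsProcessor(processor)`. The Javadoc should also state that the swap applies to every `AbstractHandlerMapping` in the context, so the removed same-origin exemption is application-wide and not limited to the `/html/**` mapping registered just above.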
......