Support for placeholders in @crossorigin attributes

jhoeller · jhoeller · commit 8852a5e1784b · 2016-03-11T15:04:16.000+01:00
Issue: SPR-14010
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -109,7 +109,7 @@ public void setContentNegotiationManager(ContentNegotiationManager contentNegoti
 
 	@Override
 	public void setEmbeddedValueResolver(StringValueResolver resolver) {
-		this.embeddedValueResolver  = resolver;
+		this.embeddedValueResolver = resolver;
 	}
 
 	@Override
@@ -314,33 +314,37 @@ private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation)
 			return;
 		}
 		for (String origin : annotation.origins()) {
-			config.addAllowedOrigin(origin);
+			config.addAllowedOrigin(resolveCorsAnnotationValue(origin));
 		}
 		for (RequestMethod method : annotation.methods()) {
 			config.addAllowedMethod(method.name());
 		}
 		for (String header : annotation.allowedHeaders()) {
-			config.addAllowedHeader(header);
+			config.addAllowedHeader(resolveCorsAnnotationValue(header));
 		}
 		for (String header : annotation.exposedHeaders()) {
-			config.addExposedHeader(header);
+			config.addExposedHeader(resolveCorsAnnotationValue(header));
 		}
 
-		String allowCredentials = annotation.allowCredentials();
+		String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials());
 		if ("true".equalsIgnoreCase(allowCredentials)) {
 			config.setAllowCredentials(true);
 		}
 		else if ("false".equalsIgnoreCase(allowCredentials)) {
 			config.setAllowCredentials(false);
 		}
 		else if (!allowCredentials.isEmpty()) {
-			throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", "
-					+ "or an empty string (\"\"); current value is [" + allowCredentials + "].");
+			throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", " +
+					"or an empty string (\"\"): current value is [" + allowCredentials + "]");
 		}
 
 		if (annotation.maxAge() >= 0 && config.getMaxAge() == null) {
 			config.setMaxAge(annotation.maxAge());
 		}
 	}
 
+	private String resolveCorsAnnotationValue(String value) {
+		return (this.embeddedValueResolver != null ? this.embeddedValueResolver.resolveStringValue(value) : value);
+	}
+
 }
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,15 +22,18 @@
 import java.lang.annotation.Target;
 import java.lang.reflect.Method;
 import java.util.Arrays;
+import java.util.Properties;
 
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
 import org.springframework.beans.DirectFieldAccessor;
+import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
 import org.springframework.core.annotation.AnnotatedElementUtils;
 import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.core.env.PropertiesPropertySource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.mock.web.test.MockHttpServletRequest;
 import org.springframework.stereotype.Controller;
@@ -72,9 +75,15 @@ public class CrossOriginTests {
 
 	@Before
 	public void setUp() {
+		StaticWebApplicationContext wac = new StaticWebApplicationContext();
+		Properties props = new Properties();
+		props.setProperty("myOrigin", "http://example.com");
+		wac.getEnvironment().getPropertySources().addFirst(new PropertiesPropertySource("ps", props));
+		wac.registerSingleton("ppc", PropertySourcesPlaceholderConfigurer.class);
+		wac.refresh();
+
 		this.handlerMapping.setRemoveSemicolonContent(false);
-		this.handlerMapping.setApplicationContext(new StaticWebApplicationContext());
-		this.handlerMapping.afterPropertiesSet();
+		wac.getAutowireCapableBeanFactory().initializeBean(this.handlerMapping, "hm");
 
 		this.request.setMethod("GET");
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain.com/");
@@ -112,10 +121,10 @@ public void defaultAnnotation() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
 		assertTrue(config.getAllowCredentials());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertEquals(new Long(1800), config.getMaxAge());
 	}
@@ -127,10 +136,10 @@ public void customized() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"DELETE"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"http://site1.com", "http://site2.com"}, config.getAllowedOrigins().toArray());
-		assertArrayEquals(new String[]{"header1", "header2"}, config.getAllowedHeaders().toArray());
-		assertArrayEquals(new String[]{"header3", "header4"}, config.getExposedHeaders().toArray());
+		assertArrayEquals(new String[] {"DELETE"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"http://site1.com", "http://site2.com"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"header1", "header2"}, config.getAllowedHeaders().toArray());
+		assertArrayEquals(new String[] {"header3", "header4"}, config.getExposedHeaders().toArray());
 		assertEquals(new Long(123), config.getMaxAge());
 		assertFalse(config.getAllowCredentials());
 	}
@@ -146,6 +155,17 @@ public void customOriginDefinedViaValueAttribute() throws Exception {
 		assertTrue(config.getAllowCredentials());
 	}
 
+	@Test
+	public void customOriginDefinedViaPlaceholder() throws Exception {
+		this.handlerMapping.registerHandler(new MethodLevelController());
+		this.request.setRequestURI("/someOrigin");
+		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+		CorsConfiguration config = getCorsConfiguration(chain, false);
+		assertNotNull(config);
+		assertEquals(Arrays.asList("http://example.com"), config.getAllowedOrigins());
+		assertTrue(config.getAllowCredentials());
+	}
+
 	@Test
 	public void bogusAllowCredentialsValue() throws Exception {
 		exception.expect(IllegalStateException.class);
@@ -162,24 +182,24 @@ public void classLevel() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
 		assertFalse(config.getAllowCredentials());
 
 		this.request.setRequestURI("/bar");
 		chain = this.handlerMapping.getHandler(request);
 		config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
 		assertFalse(config.getAllowCredentials());
 
 		this.request.setRequestURI("/baz");
 		chain = this.handlerMapping.getHandler(request);
 		config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
 		assertTrue(config.getAllowCredentials());
 	}
 
@@ -191,8 +211,8 @@ public void classLevelComposedAnnotation() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"http://foo.com"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"http://foo.com"}, config.getAllowedOrigins().toArray());
 		assertTrue(config.getAllowCredentials());
 	}
 
@@ -204,8 +224,8 @@ public void methodLevelComposedAnnotation() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"http://foo.com"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"http://foo.com"}, config.getAllowedOrigins().toArray());
 		assertTrue(config.getAllowCredentials());
 	}
 
@@ -218,10 +238,10 @@ public void preFlightRequest() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"GET"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"GET"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
 		assertTrue(config.getAllowCredentials());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertEquals(new Long(1800), config.getMaxAge());
 	}
@@ -236,9 +256,9 @@ public void ambiguousHeaderPreFlightRequest() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"*"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(config.getAllowCredentials());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertNull(config.getMaxAge());
@@ -253,9 +273,9 @@ public void ambiguousProducesPreFlightRequest() throws Exception {
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);
 		assertNotNull(config);
-		assertArrayEquals(new String[]{"*"}, config.getAllowedMethods().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedOrigins().toArray());
-		assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedMethods().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedOrigins().toArray());
+		assertArrayEquals(new String[] {"*"}, config.getAllowedHeaders().toArray());
 		assertTrue(config.getAllowCredentials());
 		assertTrue(CollectionUtils.isEmpty(config.getExposedHeaders()));
 		assertNull(config.getMaxAge());
@@ -343,8 +363,14 @@ public void customized() {
 		@RequestMapping("/customOrigin")
 		public void customOriginDefinedViaValueAttribute() {
 		}
+
+		@CrossOrigin("${myOrigin}")
+		@RequestMapping("/someOrigin")
+		public void customOriginDefinedViaPlaceholder() {
+		}
 	}
 
+
 	@Controller
 	private static class MethodLevelControllerWithBogusAllowCredentialsValue {
 
@@ -354,6 +380,7 @@ public void bogusAllowCredentialsValue() {
 		}
 	}
 
+
 	@Controller
 	@CrossOrigin(allowCredentials = "false")
 	private static class ClassLevelController {
@@ -374,14 +401,18 @@ public void baz() {
 
 	}
 
+
 	@Target({ElementType.METHOD, ElementType.TYPE})
 	@Retention(RetentionPolicy.RUNTIME)
 	@CrossOrigin
 	private @interface ComposedCrossOrigin {
+
 		String[] origins() default {};
+
 		String allowCredentials() default "";
 	}
 
+
 	@Controller
 	@ComposedCrossOrigin(origins = "http://foo.com", allowCredentials = "true")
 	private static class ClassLevelMappingWithComposedAnnotation {
@@ -401,6 +432,7 @@ public void foo() {
 		}
 	}
 
+
 	private static class TestRequestMappingInfoHandlerMapping extends RequestMappingHandlerMapping {
 
 		public void registerHandler(Object handler) {

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2015 the original author or authors.`
	`2`	`+ * Copyright 2002-2016 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -109,7 +109,7 @@ public void setContentNegotiationManager(ContentNegotiationManager contentNegoti`
`109`	`109`
`110`	`110`	`@Override`
`111`	`111`	`public void setEmbeddedValueResolver(StringValueResolver resolver) {`
`112`		`- this.embeddedValueResolver = resolver;`
	`112`	`+ this.embeddedValueResolver = resolver;`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`@Override`
`@@ -314,33 +314,37 @@ private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation)`
`314`	`314`	`return;`
`315`	`315`	`}`
`316`	`316`	`for (String origin : annotation.origins()) {`
`317`		`- config.addAllowedOrigin(origin);`
	`317`	`+ config.addAllowedOrigin(resolveCorsAnnotationValue(origin));`
`318`	`318`	`}`
`319`	`319`	`for (RequestMethod method : annotation.methods()) {`
`320`	`320`	`config.addAllowedMethod(method.name());`
`321`	`321`	`}`
`322`	`322`	`for (String header : annotation.allowedHeaders()) {`
`323`		`- config.addAllowedHeader(header);`
	`323`	`+ config.addAllowedHeader(resolveCorsAnnotationValue(header));`
`324`	`324`	`}`
`325`	`325`	`for (String header : annotation.exposedHeaders()) {`
`326`		`- config.addExposedHeader(header);`
	`326`	`+ config.addExposedHeader(resolveCorsAnnotationValue(header));`
`327`	`327`	`}`
`328`	`328`
`329`		`- String allowCredentials = annotation.allowCredentials();`
	`329`	`+ String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials());`
`330`	`330`	`if ("true".equalsIgnoreCase(allowCredentials)) {`
`331`	`331`	`config.setAllowCredentials(true);`
`332`	`332`	`}`
`333`	`333`	`else if ("false".equalsIgnoreCase(allowCredentials)) {`
`334`	`334`	`config.setAllowCredentials(false);`
`335`	`335`	`}`
`336`	`336`	`else if (!allowCredentials.isEmpty()) {`
`337`		`- throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", "`
`338`		`- + "or an empty string (\"\"); current value is [" + allowCredentials + "].");`
	`337`	`+ throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", " +`
	`338`	`+ "or an empty string (\"\"): current value is [" + allowCredentials + "]");`
`339`	`339`	`}`
`340`	`340`
`341`	`341`	`if (annotation.maxAge() >= 0 && config.getMaxAge() == null) {`
`342`	`342`	`config.setMaxAge(annotation.maxAge());`
`343`	`343`	`}`
`344`	`344`	`}`
`345`	`345`
	`346`	`+ private String resolveCorsAnnotationValue(String value) {`
	`347`	`+ return (this.embeddedValueResolver != null ? this.embeddedValueResolver.resolveStringValue(value) : value);`
	`348`	`+ }`
	`349`	`+`
`346`	`350`	`}`