DefaultCorsProcessor checks for existing CORS response before attempting to compare origin

jhoeller · jhoeller · commit a19be754c8f1 · 2016-03-24T17:17:04.000+01:00
Issue: SPR-14080 (cherry picked from commit abe7345)
diff --git a/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java b/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -58,6 +58,7 @@ public class DefaultCorsProcessor implements CorsProcessor {
 
 
 	@Override
+	@SuppressWarnings("resource")
 	public boolean processRequest(CorsConfiguration config, HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
 
@@ -66,14 +67,14 @@ public boolean processRequest(CorsConfiguration config, HttpServletRequest reque
 		}
 
 		ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
-		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
-
-		if (WebUtils.isSameOrigin(serverRequest)) {
-			logger.debug("Skip CORS processing, request is a same-origin one");
+		if (responseHasCors(serverResponse)) {
+			logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
 			return true;
 		}
-		if (responseHasCors(serverResponse)) {
-			logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header");
+
+		ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		if (WebUtils.isSameOrigin(serverRequest)) {
+			logger.debug("Skip CORS processing: request is from same origin");
 			return true;
 		}
 
@@ -92,14 +93,13 @@ public boolean processRequest(CorsConfiguration config, HttpServletRequest reque
 	}
 
 	private boolean responseHasCors(ServerHttpResponse response) {
-		boolean hasAllowOrigin = false;
 		try {
-			hasAllowOrigin = (response.getHeaders().getAccessControlAllowOrigin() != null);
+			return (response.getHeaders().getAccessControlAllowOrigin() != null);
 		}
 		catch (NullPointerException npe) {
 			// SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
+			return false;
 		}
-		return hasAllowOrigin;
 	}
 
 	/**
@@ -163,7 +163,7 @@ protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse r
 	/**
 	 * Check the origin and determine the origin for the response. The default
 	 * implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 		return config.checkOrigin(requestOrigin);
@@ -172,7 +172,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 	/**
 	 * Check the HTTP method and determine the methods for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<HttpMethod> checkMethods(CorsConfiguration config, HttpMethod requestMethod) {
 		return config.checkHttpMethod(requestMethod);
@@ -185,7 +185,7 @@ private HttpMethod getMethodToUse(ServerHttpRequest request, boolean isPreFlight
 	/**
 	 * Check the headers and determine the headers for the response of a
 	 * pre-flight request. The default implementation simply delegates to
-	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}
+	 * {@link org.springframework.web.cors.CorsConfiguration#checkOrigin(String)}.
 	 */
 	protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
 		return config.checkHeaders(requestHeaders);
