DATAREST-573 - Add support for new CORS configuration mechanisms introduced in Spring 4.2.

We now support CORS configuration mechanisms introduced in Spring 4.2. CORS can be configured on multiple levels: Repository interface, Repository REST controller and global level. Spring Data REST CORS configuration is isolated so Spring Web MVC'S CORS configuration does not apply to Spring Data REST resources.

 Multiple configuration sources are merged so different aspects of CORS can be configured in separate locations.

@crossorigin
interface PersonRepository extends CrudRepository<Person, Long> {}

@RepositoryRestController
@RequestMapping("/person")
public class PersonController {

	@crossorigin(maxAge = 3600)
	@RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE)
	public Person retrieve(@PathVariable Long id) {
		// ...
	}
}

@component
public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter {

  @OverRide
  public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {

    config.addCorsMapping("/person/**")
        .allowedOrigins("http://domain2.com")
        .allowedMethods("PUT", "DELETE")
        .allowedHeaders("header1", "header2", "header3")
        .exposedHeaders("header1", "header2")
        .allowCredentials(false).maxAge(3600);
  }
}

Author: mp911de

spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.data.rest.core.config;
+
+import java.util.Map;
+
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+
+/**
+ * Spring Data REST specific {@code CorsRegistry} implementation exposing {@link #getCorsConfigurations()}. Assists with
+ * the registration of {@link CorsConfiguration} mapped to a path pattern.
+ *
+ * @author Mark Paluch
+ * @since 2.6
+ */
+public class RepositoryCorsRegistry extends CorsRegistry {
+
+	/* (non-Javadoc)
+	 * @see org.springframework.web.servlet.config.annotation.CorsRegistry#getCorsConfigurations()
+	 */
+	@Override
+	public Map<String, CorsConfiguration> getCorsConfigurations() {
+		return super.getCorsConfigurations();
+	}
+}

spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2015 the original author or authors.
+ * Copyright 2012-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,8 @@
 import org.springframework.http.MediaType;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.servlet.config.annotation.CorsRegistration;
 
 /**
  * Spring Data REST configuration options.
@@ -36,6 +38,7 @@
  * @author Oliver Gierke
  * @author Jeremy Rickard
  * @author Greg Turnquist
+ * @author Mark Paluch
  */
 @SuppressWarnings("deprecation")
 public class RepositoryRestConfiguration {
@@ -58,6 +61,7 @@ public class RepositoryRestConfiguration {
 	private ResourceMappingConfiguration repoMappings = new ResourceMappingConfiguration();
 	private RepositoryDetectionStrategy repositoryDetectionStrategy = RepositoryDetectionStrategies.DEFAULT;
 
+	private final RepositoryCorsRegistry corsRegistry = new RepositoryCorsRegistry();
 	private final ProjectionDefinitionConfiguration projectionConfiguration;
 	private final MetadataConfiguration metadataConfiguration;
 	private final EntityLookupConfiguration entityLookupConfiguration;
@@ -549,6 +553,34 @@ public void setRepositoryDetectionStrategy(RepositoryDetectionStrategy repositor
 				: repositoryDetectionStrategy;
 	}
 
+	/**
+	 * Returns the {@link RepositoryCorsRegistry} to configure Cross-origin resource sharing.
+	 *
+	 * @return the {@link RepositoryCorsRegistry}.
+	 * @since 2.6
+	 * @see RepositoryCorsRegistry
+	 * @see CorsRegistration
+	 */
+	public RepositoryCorsRegistry getCorsRegistry() {
+		return corsRegistry;
+	}
+
+	/**
+	 * Configures Cross-origin resource sharing given a {@code path}.
+	 *
+	 * @param path path or path pattern, must not be {@literal null} or empty.
+	 * @return the {@link CorsRegistration} to build a CORS configuration.
+	 * @since 2.6
+	 * @see CorsConfiguration
+	 */
+	public CorsRegistration addCorsMapping(String path) {
+
+		Assert.notNull(path, "Path must not be null!");
+		Assert.hasText(path, "Path must not be empty!");
+
+		return corsRegistry.addMapping(path);
+	}
+
 	/**
 	 * Returns the {@link EntityLookupRegistrar} to create custom {@link EntityLookup} instances registered in the
 	 * configuration.

spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java

@@ -15,10 +15,12 @@
  */
 package org.springframework.data.rest.core;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
+import java.util.Map;
+
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.data.rest.core.config.EnumTranslationConfiguration;
@@ -28,11 +30,13 @@
 import org.springframework.data.rest.core.domain.Profile;
 import org.springframework.data.rest.core.domain.ProfileRepository;
 import org.springframework.http.MediaType;
+import org.springframework.web.cors.CorsConfiguration;
 
 /**
  * Unit tests for {@link RepositoryRestConfiguration}.
  * 
  * @author Oliver Gierke
+ * @author Mark Paluch
  * @soundtrack Adam F - Circles (Colors)
  */
 public class RepositoryRestConfigurationUnitTests {
@@ -132,10 +136,25 @@ public void returnsBodyForCreateIfExplicitlyActivated() {
 	 * @see DATAREST-776
 	 */
 	@Test
-	public void consideresDomainTypeOfValueRepositoryLookupTypes() {
+	public void considersDomainTypeOfValueRepositoryLookupTypes() {
 
 		configuration.withEntityLookup().forLookupRepository(ProfileRepository.class);
 
 		assertThat(configuration.isLookupType(Profile.class), is(true));
 	}
+
+	/**
+	 * @see DATAREST-573
+	 */
+	@Test
+	public void configuresCorsProcessing() {
+
+		configuration.addCorsMapping("/hello").maxAge(1234);
+
+		Map<String, CorsConfiguration> corsConfigurations = configuration.getCorsRegistry().getCorsConfigurations();
+		assertThat(corsConfigurations, hasKey("/hello"));
+
+		CorsConfiguration corsConfiguration = corsConfigurations.get("/hello");
+		assertThat(corsConfiguration.getMaxAge(), is(1234L));
+	}
 }

spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java

@@ -16,10 +16,13 @@
 package org.springframework.data.rest.webmvc.jpa;
 
 import org.springframework.data.repository.CrudRepository;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
  * @author Oliver Gierke
+ * @author Mark Paluch
  */
-public interface AuthorRepository extends CrudRepository<Author, Long> {
-
-}
+@CrossOrigin(origins = "http://not.so.far.away", allowCredentials = "true",
+		methods = { RequestMethod.GET, RequestMethod.PATCH }, maxAge = 1234)
+public interface AuthorRepository extends CrudRepository<Author, Long> {}

spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java

@@ -16,10 +16,13 @@
 package org.springframework.data.rest.webmvc.jpa;
 
 import org.springframework.data.repository.CrudRepository;
+import org.springframework.web.bind.annotation.CrossOrigin;
 
 /**
  * @author Greg Turnquist
  * @author Oliver Gierke
+ * @author Mark Paluch
  * @see DATAREST-463
  */
+@CrossOrigin
 public interface ItemRepository extends CrudRepository<Item, Long> {}

spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java

@@ -0,0 +1,204 @@
+/*
+ * Copyright 2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.data.rest.webmvc.jpa;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.Test;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
+import org.springframework.data.rest.tests.AbstractWebIntegrationTests;
+import org.springframework.data.rest.webmvc.BasePathAwareController;
+import org.springframework.data.rest.webmvc.RepositoryRestController;
+import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
+import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter;
+import org.springframework.hateoas.Link;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+/**
+ * Web integration tests specific to Cross-origin resource sharing.
+ * 
+ * @author Mark Paluch
+ * @soundtrack 2 Unlimited - No Limit
+ */
+@ContextConfiguration
+public class CorsIntegrationTests extends AbstractWebIntegrationTests {
+
+	static class CorsConfig extends JpaRepositoryConfig {
+
+		@Bean
+		RepositoryRestConfigurer repositoryRestConfigurer() {
+
+			return new RepositoryRestConfigurerAdapter() {
+
+				@Override
+				public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
+
+					config.addCorsMapping("/books/**") //
+							.allowedMethods("GET", "PUT", "POST") //
+							.allowedOrigins("http://far.far.away");
+				}
+			};
+		}
+	}
+
+	/**
+	 * @see DATAREST-573
+	 */
+	@Test
+	public void appliesSelectiveDefaultCorsConfiguration() throws Exception {
+
+		Link findItems = client.discoverUnique("items");
+
+		// Preflight request
+		mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS,TRACE"));
+	}
+
+	/**
+	 * @see DATAREST-573
+	 */
+	@Test
+	public void appliesGlobalCorsConfiguration() throws Exception {
+
+		Link findBooks = client.discoverUnique("books");
+
+		// Preflight request
+		mvc.perform(options(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PUT,POST"));
+
+		// CORS request
+		mvc.perform(get(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away"));
+	}
+
+	/**
+	 * @see DATAREST-573
+	 * @see BooksXmlController
+	 */
+	@Test
+	public void appliesCorsConfigurationOnCustomControllers() throws Exception {
+
+		// Preflight request
+		mvc.perform(options("/books/xml/1234") //
+				.header(HttpHeaders.ORIGIN, "http://far.far.away") //
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 77123)) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
+				// See https://jira.spring.io/browse/SPR-14792
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST")));
+
+		// CORS request
+		mvc.perform(get("/books/xml/1234") //
+				.header(HttpHeaders.ORIGIN, "http://far.far.away") //
+				.accept(MediaType.APPLICATION_XML)) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away"));
+	}
+
+	/**
+	 * @see DATAREST-573
+	 * @see BooksPdfController
+	 */
+	@Test
+	public void appliesCorsConfigurationOnCustomControllerMethod() throws Exception {
+
+		// Preflight request
+		mvc.perform(options("/books/pdf/1234").header(HttpHeaders.ORIGIN, "http://far.far.away")
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 4711)) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) //
+				// See https://jira.spring.io/browse/SPR-14792
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST")));
+	}
+
+	/**
+	 * @see DATAREST-573
+	 */
+	@Test
+	public void appliesCorsConfigurationOnRepository() throws Exception {
+
+		Link authorsLink = client.discoverUnique("authors");
+
+		// Preflight request
+		mvc.perform(options(authorsLink.expand().getHref()).header(HttpHeaders.ORIGIN, "http://not.so.far.away")
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH"));
+	}
+
+	/**
+	 * @see DATAREST-573
+	 */
+	@Test
+	public void appliesCorsConfigurationOnRepositoryToCustomControllers() throws Exception {
+
+		// Preflight request
+		mvc.perform(options("/authors/pdf/1234").header(HttpHeaders.ORIGIN, "http://not.so.far.away")
+				.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) //
+				.andExpect(status().isOk()) //
+				.andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) //
+				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH"));
+	}
+
+	@RepositoryRestController
+	static class AuthorsPdfController {
+
+		@RequestMapping(method = RequestMethod.GET, path = "/authors/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE)
+		void authorToPdf() {}
+	}
+
+	@RepositoryRestController
+	static class BooksPdfController {
+
+		@RequestMapping(method = RequestMethod.GET, path = "/books/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE)
+		@CrossOrigin(maxAge = 4711)
+		void bookToPdf() {}
+	}
+
+	@BasePathAwareController
+	static class BooksXmlController {
+
+		@GetMapping(value = "/books/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE)
+		@CrossOrigin(maxAge = 77123)
+		void bookToXml(@PathVariable String id) {}
+	}
+}