DATAREST-573 Add support for Spring Web MVC CORS configuration mechanisms. #233
Conversation
…oduced in Spring 4.2. Prepare issue branch.
| String repositoryLookupPath = new BaseUri(configuration.getBaseUri()).getRepositoryLookupPath(lookupPath); | ||
|
|
||
| // Repository root resource | ||
| if (StringUtils.hasText(repositoryLookupPath) && repositories != null) { |
There was a problem hiding this comment.
Can we invert the conditions to be able to use early returns and thus avoid the nesting?
| */ | ||
| CorsConfigurationAccessor(ResourceMappings mappings, Repositories repositories, | ||
| StringValueResolver embeddedValueResolver) { | ||
| this.mappings = mappings; |
| CorsConfiguration findCorsConfiguration(String lookupPath) { | ||
|
|
||
| ResourceMetadata resource = getResourceMetadata(getRepositoryBasePath(lookupPath)); | ||
| if (resource != null) { |
| } | ||
|
|
||
| String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials()); | ||
| if ("true".equalsIgnoreCase(allowCredentials)) { |
| * The {@link HandlerMapping} to delegate requests to Spring Data REST controllers. Sets up a | ||
| * {@link DelegatingHandlerMapping} to make sure manually implemented {@link BasePathAwareController} instances that | ||
| * register custom handlers for certain media types don't cause the {@link RepositoryRestHandlerMapping} to be | ||
| * omitted. | ||
| * |
| @RunWith(MockitoJUnitRunner.class) | ||
| public class CorsConfigurationAccessorUnitTests { | ||
|
|
||
| private CorsConfigurationAccessor accessor; |
There was a problem hiding this comment.
Fields don't need to be private in tests.
| } | ||
| } | ||
|
|
||
| @RepositoryRestController |
There was a problem hiding this comment.
Let's move those classes under the test methods so that we stay consistent to other tests. Configuration can stay here.
| /** | ||
| * Creates a new {@link RepositoryCorsRegistry}. | ||
| */ | ||
| public RepositoryCorsRegistry() {} |
There was a problem hiding this comment.
I don't think we need the default constructor, do we?
| * @author Mark Paluch | ||
| * @since 2.6 | ||
| */ | ||
| public class RepositoryCorsRegistry extends CorsRegistry { |
There was a problem hiding this comment.
What's the reason we need this dedicated class? It seems we could just get away with using CorsRegistry, right?
There was a problem hiding this comment.
CorsRegistry's getCorsConfigurations method is protected so we need to make it usable for us. Didn't want to rely on reflection.
| * | ||
| * @param mappings must not be {@literal null}. | ||
| * @param config must not be {@literal null}. | ||
| * @param repositories must not be {@literal null}. |
There was a problem hiding this comment.
Looks like repositories can in fact be null.
|
|
||
| == Repository interface CORS configuration | ||
|
|
||
| You can add a `@CrossOrigin` annotation to your repository interfaces to enable CORS for the whole repository. By default `@CrossOrigin` allows origins and `HEAD` and `GET` HTTP methods: |
There was a problem hiding this comment.
As mentioned here, the current behaviour with Spring Data REST + @CrossOrigin is to allow GET and HEAD HTTP methods (default for the low level CorsConfiguration class).
In Spring MVC, the default behaviour for @CrossOrigin annotations without any method specified is to use methods of the related @RequestMapping annotation. I am wondering if by default in Spring Data REST, we could not just allow HTTP methods of the related REST endpoint, in order to avoid surprising the user when for example his repository methods exposed with a POST HTTP method will not work by default. Any thoughts?
There was a problem hiding this comment.
GET and HEAD are in sync with Spring MVC (initially it's the same behavior) and to not allow any methods that change data by default.
We check the allowed methods on collection/item level inside the particular controllers – we could derive the allowed methods from there but the CORS configuration would be required to mirror the logic that is already present inside the controllers.
There was a problem hiding this comment.
After discussing with @sdeleuze, @CrossOrigin on a repository will enable all HTTP methods by default. This default can be overridden. We can evaluate in a later step how we can provide the enabled repository methods to expose only the allowed CORS methods on a resource.
…oduced in Spring 4.2. We now support CORS configuration mechanisms introduced in Spring 4.2. CORS can be configured on multiple levels: Repository interface, Repository REST controller and global level. Spring Data REST CORS configuration is isolated so Spring Web MVC'S CORS configuration does not apply to Spring Data REST resources. Multiple configuration sources are merged so different aspects of CORS can be configured in separate locations. @crossorigin interface PersonRepository extends CrudRepository<Person, Long> {} @RepositoryRestController @RequestMapping("/person") public class PersonController { @crossorigin(maxAge = 3600) @RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE) public Person retrieve(@PathVariable Long id) { // ... } } @component public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter { @OverRide public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) { config.addCorsMapping("/person/**") .allowedOrigins("http://domain2.com") .allowedMethods("PUT", "DELETE") .allowedHeaders("header1", "header2", "header3") .exposedHeaders("header1", "header2") .allowCredentials(false).maxAge(3600); } }
mp911de
force-pushed
the
issue/DATAREST-573
branch
from
b223a2e to
273dac7
Compare
Removed RepositoryRestConfiguration.addCorsMapping(…) as we currently don't have any other shortcut methods for configuration like this. Tweaked the setup of (now Repository)CorsConfigurationAccessor to be created earlier so that we avoid recreation for every lookup. Introduced a NoOpStringValueResolver to be used by default so that we don't need to deal with the case of the resolver being null at the end of the call chain. Replaced constructor of RepositoryCorsConfigurationAccessor with corresponding Lombok annotation. Updated reference documentation accordingly. Original pull request: #233.
|
That's been merged a while ago. |
|
So, which version has actually this new feature and how can I use it? |
|
The referenced ticket has all the information. |
We now support CORS configuration mechanisms introduced in Spring 4.2. CORS can be configured on multiple levels: Repository interface, Repository REST controller and global level. Spring Data REST CORS configuration is isolated so Spring Web MVC'S CORS configuration does not apply to Spring Data REST resources.
Multiple configuration sources are merged so different aspects of CORS can be configured in separate locations.