Polish reactive CORS support

Author: rstoyanchev

spring-web-reactive/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java

@@ -24,20 +24,16 @@
 import org.springframework.web.cors.CorsConfiguration;
 
 /**
- * {@code CorsRegistration} assists with the creation of a
- * {@link CorsConfiguration} instance mapped to a path pattern.
+ * Assists with the creation of a {@link CorsConfiguration} instance mapped to
+ * a path pattern.
  *
- * <p>If no path pattern is specified, cross-origin request handling is
- * mapped to {@code "/**"}.
- *
- * <p>By default, all origins, all headers, credentials and {@code GET},
- * {@code HEAD}, and {@code POST} methods are allowed, and the max age is
- * set to 30 minutes.
+ * <p>If no path pattern is specified, by default cross-origin request handling
+ * is mapped to {@code "/**"}. Also by default, all origins, headers,
+ * credentials and {@code GET}, {@code HEAD}, and {@code POST} methods are
+ * allowed, while the max age is set to 30 minutes.
  *
  * @author Sebastien Deleuze
- * @author Sam Brannen
  * @since 5.0
- * @see CorsConfiguration
  * @see CorsRegistry
  */
 public class CorsRegistration {

spring-web-reactive/src/main/java/org/springframework/web/reactive/config/CorsRegistry.java

@@ -58,4 +58,5 @@ protected Map<String, CorsConfiguration> getCorsConfigurations() {
 		}
 		return configs;
 	}
+
 }

spring-web-reactive/src/main/java/org/springframework/web/reactive/config/WebReactiveConfiguration.java

@@ -45,6 +45,8 @@
 import org.springframework.http.codec.EncoderHttpMessageWriter;
 import org.springframework.http.codec.HttpMessageReader;
 import org.springframework.http.codec.HttpMessageWriter;
+import org.springframework.http.codec.Jackson2ServerHttpMessageReader;
+import org.springframework.http.codec.Jackson2ServerHttpMessageWriter;
 import org.springframework.http.codec.ResourceHttpMessageWriter;
 import org.springframework.http.codec.ServerSentEventHttpMessageWriter;
 import org.springframework.http.codec.json.Jackson2JsonDecoder;
@@ -61,8 +63,6 @@
 import org.springframework.web.reactive.handler.AbstractHandlerMapping;
 import org.springframework.web.reactive.result.SimpleHandlerAdapter;
 import org.springframework.web.reactive.result.method.HandlerMethodArgumentResolver;
-import org.springframework.http.codec.Jackson2ServerHttpMessageReader;
-import org.springframework.http.codec.Jackson2ServerHttpMessageWriter;
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerAdapter;
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerMapping;
 import org.springframework.web.reactive.result.method.annotation.ResponseBodyResultHandler;
@@ -90,14 +90,14 @@ public class WebReactiveConfiguration implements ApplicationContextAware {
 			ClassUtils.isPresent("javax.xml.bind.Binder", WebReactiveConfiguration.class.getClassLoader());
 
 
+	private Map<String, CorsConfiguration> corsConfigurations;
+
 	private PathMatchConfigurer pathMatchConfigurer;
 
 	private List<HttpMessageReader<?>> messageReaders;
 
 	private List<HttpMessageWriter<?>> messageWriters;
 
-	private Map<String, CorsConfiguration> corsConfigurations;
-
 	private ApplicationContext applicationContext;
 
 
@@ -171,6 +171,26 @@ protected Map<String, MediaType> getDefaultMediaTypeMappings() {
 	protected void configureRequestedContentTypeResolver(RequestedContentTypeResolverBuilder builder) {
 	}
 
+	/**
+	 * Callback for building the global CORS configuration. This method is final.
+	 * Use {@link #addCorsMappings(CorsRegistry)} to customize the CORS conifg.
+	 */
+	protected final Map<String, CorsConfiguration> getCorsConfigurations() {
+		if (this.corsConfigurations == null) {
+			CorsRegistry registry = new CorsRegistry();
+			addCorsMappings(registry);
+			this.corsConfigurations = registry.getCorsConfigurations();
+		}
+		return this.corsConfigurations;
+	}
+
+	/**
+	 * Override this method to configure cross origin requests processing.
+	 * @see CorsRegistry
+	 */
+	protected void addCorsMappings(CorsRegistry registry) {
+	}
+
 	/**
 	 * Callback for building the {@link PathMatchConfigurer}. This method is
 	 * final, use {@link #configurePathMatching} to customize path matching.
@@ -209,6 +229,7 @@ public HandlerMapping resourceHandlerMapping() {
 			if (pathMatchConfigurer.getPathHelper() != null) {
 				handlerMapping.setPathHelper(pathMatchConfigurer.getPathHelper());
 			}
+
 		}
 		else {
 			handlerMapping = new EmptyHandlerMapping();
@@ -444,22 +465,6 @@ public ViewResolutionResultHandler viewResolutionResultHandler() {
 	protected void configureViewResolvers(ViewResolverRegistry registry) {
 	}
 
-	protected final Map<String, CorsConfiguration> getCorsConfigurations() {
-		if (this.corsConfigurations == null) {
-			CorsRegistry registry = new CorsRegistry();
-			addCorsMappings(registry);
-			this.corsConfigurations = registry.getCorsConfigurations();
-		}
-		return this.corsConfigurations;
-	}
-
-	/**
-	 * Override this method to configure cross origin requests processing.
-	 * @see CorsRegistry
-	 */
-	protected void addCorsMappings(CorsRegistry registry) {
-	}
-
 
 	private static final class EmptyHandlerMapping extends AbstractHandlerMapping {
 

spring-web-reactive/src/main/java/org/springframework/web/reactive/handler/AbstractHandlerMapping.java

@@ -51,9 +51,10 @@ public abstract class AbstractHandlerMapping extends ApplicationObjectSupport
 
 	private PathMatcher pathMatcher = new AntPathMatcher();
 
-	protected CorsProcessor corsProcessor = new DefaultCorsProcessor();
+	private final UrlBasedCorsConfigurationSource globalCorsConfigSource = new UrlBasedCorsConfigurationSource();
+
+	private CorsProcessor corsProcessor = new DefaultCorsProcessor();
 
-	protected final UrlBasedCorsConfigurationSource corsConfigSource = new UrlBasedCorsConfigurationSource();
 
 	/**
 	 * Specify the order value for this HandlerMapping bean.
@@ -104,7 +105,7 @@ public HttpRequestPathHelper getPathHelper() {
 	public void setPathMatcher(PathMatcher pathMatcher) {
 		Assert.notNull(pathMatcher, "PathMatcher must not be null");
 		this.pathMatcher = pathMatcher;
-		this.corsConfigSource.setPathMatcher(pathMatcher);
+		this.globalCorsConfigSource.setPathMatcher(pathMatcher);
 	}
 
 	/**
@@ -115,9 +116,26 @@ public PathMatcher getPathMatcher() {
 		return this.pathMatcher;
 	}
 
+	/**
+	 * Set "global" CORS configuration based on URL patterns. By default the
+	 * first matching URL pattern is combined with handler-level CORS
+	 * configuration if any.
+	 */
+	public void setCorsConfigurations(Map<String, CorsConfiguration> corsConfigurations) {
+		this.globalCorsConfigSource.setCorsConfigurations(corsConfigurations);
+	}
+
+	/**
+	 * Return the "global" CORS configuration.
+	 */
+	public Map<String, CorsConfiguration> getCorsConfigurations() {
+		return this.globalCorsConfigSource.getCorsConfigurations();
+	}
+
 	/**
 	 * Configure a custom {@link CorsProcessor} to use to apply the matched
-	 * {@link CorsConfiguration} for a request. By default {@link DefaultCorsProcessor} is used.
+	 * {@link CorsConfiguration} for a request.
+	 * <p>By default an instance of {@link DefaultCorsProcessor} is used.
 	 */
 	public void setCorsProcessor(CorsProcessor corsProcessor) {
 		Assert.notNull(corsProcessor, "CorsProcessor must not be null");
@@ -131,46 +149,35 @@ public CorsProcessor getCorsProcessor() {
 		return this.corsProcessor;
 	}
 
-	/**
-	 * Set "global" CORS configuration based on URL patterns. By default the first
-	 * matching URL pattern is combined with the CORS configuration for the
-	 * handler, if any.
-	 */
-	public void setCorsConfigurations(Map<String, CorsConfiguration> corsConfigurations) {
-		this.corsConfigSource.setCorsConfigurations(corsConfigurations);
+
+	protected Object processCorsRequest(ServerWebExchange exchange, Object handler) {
+		if (CorsUtils.isCorsRequest(exchange.getRequest())) {
+			CorsConfiguration configA = this.globalCorsConfigSource.getCorsConfiguration(exchange);
+			CorsConfiguration configB = getCorsConfiguration(handler, exchange);
+			CorsConfiguration config = (configA != null ? configA.combine(configB) : configB);
+
+			if (!getCorsProcessor().processRequest(config, exchange) ||
+					CorsUtils.isPreFlightRequest(exchange.getRequest())) {
+				return REQUEST_HANDLED_HANDLER;
+			}
+		}
+		return handler;
 	}
 
 	/**
-	 * Get the CORS configuration.
+	 * Retrieve the CORS configuration for the given handler.
+	 * @param handler the handler to check (never {@code null}).
+	 * @param exchange the current exchange
+	 * @return the CORS configuration for the handler or {@code null}.
 	 */
-	public Map<String, CorsConfiguration> getCorsConfigurations() {
-		return this.corsConfigSource.getCorsConfigurations();
-	}
-
 	protected CorsConfiguration getCorsConfiguration(Object handler, ServerWebExchange exchange) {
 		if (handler != null && handler instanceof CorsConfigurationSource) {
 			return ((CorsConfigurationSource) handler).getCorsConfiguration(exchange);
 		}
 		return null;
 	}
 
-	protected Object processCorsRequest(ServerWebExchange exchange, Object handler) {
-		if (CorsUtils.isCorsRequest(exchange.getRequest())) {
-			CorsConfiguration globalConfig = this.corsConfigSource.getCorsConfiguration(exchange);
-			CorsConfiguration handlerConfig = getCorsConfiguration(handler, exchange);
-			CorsConfiguration config = (globalConfig != null ? globalConfig.combine(handlerConfig) : handlerConfig);
-			if (!corsProcessor.processRequest(config, exchange) || CorsUtils.isPreFlightRequest(exchange.getRequest())) {
-				return new NoOpHandler();
-			}
-		}
-		return handler;
-	}
 
-	private class NoOpHandler implements WebHandler {
-		@Override
-		public Mono<Void> handle(ServerWebExchange exchange) {
-			return Mono.empty();
-		}
-	}
+	private static final WebHandler REQUEST_HANDLED_HANDLER = exchange -> Mono.empty();
 
-}
+}

spring-web-reactive/src/main/java/org/springframework/web/reactive/handler/AbstractUrlHandlerMapping.java

@@ -98,7 +98,7 @@ public final Map<String, Object> getHandlerMap() {
 	@Override
 	public Mono<Object> getHandler(ServerWebExchange exchange) {
 		String lookupPath = getPathHelper().getLookupPathForRequest(exchange);
-		Object handler = null;
+		Object handler;
 		try {
 			handler = lookupHandler(lookupPath, exchange);
 			handler = processCorsRequest(exchange, handler);

spring-web-reactive/src/main/java/org/springframework/web/reactive/result/method/AbstractHandlerMethodMapping.java

@@ -29,14 +29,11 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
-import javax.servlet.http.HttpServletRequest;
-
 import reactor.core.publisher.Mono;
 
 import org.springframework.aop.support.AopUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.core.MethodIntrospector;
-import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.LinkedMultiValueMap;
@@ -75,8 +72,13 @@ public abstract class AbstractHandlerMethodMapping<T> extends AbstractHandlerMap
 	 */
 	private static final String SCOPED_TARGET_NAME_PREFIX = "scopedTarget.";
 
+	/**
+	 * HandlerMethod to return on a pre-flight request match when the request
+	 * mappings are more nuanced than the access control headers.
+	 */
 	private static final HandlerMethod PREFLIGHT_AMBIGUOUS_MATCH =
-			new HandlerMethod(new EmptyHandler(), ClassUtils.getMethod(EmptyHandler.class, "handle"));
+			new HandlerMethod(new PreFlightAmbiguousMatchHandler(),
+					ClassUtils.getMethod(PreFlightAmbiguousMatchHandler.class, "handle"));
 
 	private static final CorsConfiguration ALLOW_CORS_CONFIG = new CorsConfiguration();
 
@@ -372,12 +374,10 @@ protected CorsConfiguration getCorsConfiguration(Object handler, ServerWebExchan
 		if (handler instanceof HandlerMethod) {
 			HandlerMethod handlerMethod = (HandlerMethod) handler;
 			if (handlerMethod.equals(PREFLIGHT_AMBIGUOUS_MATCH)) {
-				return AbstractHandlerMethodMapping.ALLOW_CORS_CONFIG;
-			}
-			else {
-				CorsConfiguration corsConfigFromMethod = this.mappingRegistry.getCorsConfiguration(handlerMethod);
-				corsConfig = (corsConfig != null ? corsConfig.combine(corsConfigFromMethod) : corsConfigFromMethod);
+				return ALLOW_CORS_CONFIG;
 			}
+			CorsConfiguration methodConfig = this.mappingRegistry.getCorsConfiguration(handlerMethod);
+			corsConfig = (corsConfig != null ? corsConfig.combine(methodConfig) : methodConfig);
 		}
 		return corsConfig;
 	}
@@ -625,7 +625,7 @@ public int compare(Match match1, Match match2) {
 		}
 	}
 
-	private static class EmptyHandler {
+	private static class PreFlightAmbiguousMatchHandler {
 
 		public void handle() {
 			throw new UnsupportedOperationException("not implemented");

spring-web-reactive/src/main/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMapping.java

@@ -282,7 +282,8 @@ protected String[] resolveEmbeddedValuesInPatterns(String[] patterns) {
 	@Override
 	protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
 		HandlerMethod handlerMethod = createHandlerMethod(handler, method);
-		CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(handlerMethod.getBeanType(), CrossOrigin.class);
+		Class<?> beanType = handlerMethod.getBeanType();
+		CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(beanType, CrossOrigin.class);
 		CrossOrigin methodAnnotation = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class);
 
 		if (typeAnnotation == null && methodAnnotation == null) {
@@ -310,6 +311,7 @@ protected CorsConfiguration initCorsConfiguration(Object handler, Method method,
 		if (config.getMaxAge() == null) {
 			config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
 		}
+
 		return config;
 	}