Skip to content

Commit f5ecdda

Browse files
sdeleuzesdeleuze
committed
Remove duplicated elements in CorsConfiguration#combine()
Issue: SPR-14792
1 parent c2031aa commit f5ecdda

File tree

2 files changed

+27
-3
lines changed

2 files changed

+27
-3
lines changed

spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

+4-3
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,9 @@
1818

1919
import java.util.ArrayList;
2020
import java.util.Collections;
21+
import java.util.LinkedHashSet;
2122
import java.util.List;
23+
import java.util.Set;
2224

2325
import org.springframework.http.HttpMethod;
2426
import org.springframework.util.CollectionUtils;
@@ -123,12 +125,11 @@ private List<String> combine(List<String> source, List<String> other) {
123125
if (source == null || source.contains(ALL)) {
124126
return other;
125127
}
126-
List<String> combined = new ArrayList<String>(source);
128+
Set<String> combined = new LinkedHashSet<String>(source);
127129
combined.addAll(other);
128-
return combined;
130+
return new ArrayList<String>(combined);
129131
}
130132

131-
132133
/**
133134
* Set the origins to allow, e.g. {@code "http://domain1.com"}.
134135
* <p>The special value {@code "*"} allows all domains.

spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java

+23
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,29 @@ public void combineWithAsteriskWildCard() {
131131
assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
132132
}
133133

134+
@Test // SPR-14792
135+
public void combineWithDuplicatedElements() {
136+
CorsConfiguration config = new CorsConfiguration();
137+
config.addAllowedOrigin("http://domain1.com");
138+
config.addAllowedOrigin("http://domain2.com");
139+
config.addAllowedHeader("header1");
140+
config.addAllowedHeader("header2");
141+
config.addExposedHeader("header3");
142+
config.addExposedHeader("header4");
143+
config.addAllowedMethod(HttpMethod.GET.name());
144+
config.addAllowedMethod(HttpMethod.PUT.name());
145+
CorsConfiguration other = new CorsConfiguration();
146+
other.addAllowedOrigin("http://domain1.com");
147+
other.addAllowedHeader("header1");
148+
other.addExposedHeader("header3");
149+
other.addAllowedMethod(HttpMethod.GET.name());
150+
CorsConfiguration combinedConfig = config.combine(other);
151+
assertEquals(Arrays.asList("http://domain1.com", "http://domain2.com"), combinedConfig.getAllowedOrigins());
152+
assertEquals(Arrays.asList("header1", "header2"), combinedConfig.getAllowedHeaders());
153+
assertEquals(Arrays.asList("header3", "header4"), combinedConfig.getExposedHeaders());
154+
assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
155+
}
156+
134157
@Test
135158
public void combine() {
136159
CorsConfiguration config = new CorsConfiguration();

0 commit comments

Comments
 (0)