Add global CORS configuration capabilities

This commit adds JavaConfig based global CORS configuration
capabilities to Spring MVC. It is now possible to specify
multiple CORS configurations, each mapped on a path pattern,
by overriding
WebMvcConfigurerAdapter#configureCrossOrigin(CrossOriginConfigurer).

It is also possible to combine global and @crossorigin based
CORS configuration.

Issue: SPR-12933

Author: sdeleuze

spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

@@ -53,6 +53,55 @@ public class CorsConfiguration {
 	public CorsConfiguration() {
 	}
 
+	/**
+	 * Copy constructor.
+	 */
+	public CorsConfiguration(CorsConfiguration other) {
+		this.allowedOrigins = other.allowedOrigins;
+		this.allowedMethods = other.allowedMethods;
+		this.allowedHeaders = other.allowedHeaders;
+		this.exposedHeaders = other.exposedHeaders;
+		this.allowCredentials = other.allowCredentials;
+		this.maxAge = other.maxAge;
+	}
+
+	/**
+	 * Combine the specified {@link CorsConfiguration} with this one.
+	 * Properties of this configuration are overridden only by non-null properties
+	 * of the provided one.
+	 * @return the combined {@link CorsConfiguration}
+	 */
+	public CorsConfiguration combine(CorsConfiguration other) {
+		if (other == null) {
+			return this;
+		}
+		CorsConfiguration config = new CorsConfiguration(this);
+		config.setAllowedOrigins(combine(this.getAllowedOrigins(), other.getAllowedOrigins()));
+		config.setAllowedMethods(combine(this.getAllowedMethods(), other.getAllowedMethods()));
+		config.setAllowedHeaders(combine(this.getAllowedHeaders(), other.getAllowedHeaders()));
+		config.setExposedHeaders(combine(this.getExposedHeaders(), other.getExposedHeaders()));
+		Boolean allowCredentials = other.getAllowCredentials();
+		if (allowCredentials != null) {
+			config.setAllowCredentials(allowCredentials);
+		}
+		Long maxAge = other.getMaxAge();
+		if (maxAge != null) {
+			config.setMaxAge(maxAge);
+		}
+		return config;
+	}
+
+	private List<String> combine(List<String> source, List<String> other) {
+		if (other == null) {
+			return source;
+		}
+		if (source == null || source.contains("*")) {
+			return other;
+		}
+		List<String> combined = new ArrayList<String>(source);
+		combined.addAll(other);
+		return combined;
+	} 
 
 	/**
 	 * Configure origins to allow, e.g. "http://domain1.com". The special value
@@ -142,13 +191,19 @@ public List<String> getAllowedHeaders() {
 	 * <p>By default this is not set.
 	 */
 	public void setExposedHeaders(List<String> exposedHeaders) {
+		if (exposedHeaders != null && exposedHeaders.contains("*")) {
+			throw new IllegalArgumentException("'*' is not a valid exposed header value");
+		}
 		this.exposedHeaders = exposedHeaders;
 	}
 
 	/**
 	 * Add a single response header to expose.
 	 */
 	public void addExposedHeader(String exposedHeader) {
+		if ("*".equals(exposedHeader)) {
+			throw new IllegalArgumentException("'*' is not a valid exposed header value");
+		}
 		if (this.exposedHeaders == null) {
 			this.exposedHeaders = new ArrayList<String>();
 		}

spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java

@@ -20,8 +20,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
+import static org.junit.Assert.*;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -40,6 +39,115 @@ public class CorsConfigurationTests {
 	public void setup() {
 		config = new CorsConfiguration();
 	}
+	
+	@Test
+	public void setNullValues() {
+		config.setAllowedOrigins(null);
+		assertNull(config.getAllowedOrigins());
+		config.setAllowedHeaders(null);
+		assertNull(config.getAllowedHeaders());
+		config.setAllowedMethods(null);
+		assertNull(config.getAllowedMethods());
+		config.setExposedHeaders(null);
+		assertNull(config.getExposedHeaders());
+		config.setAllowCredentials(null);
+		assertNull(config.getAllowCredentials());
+		config.setMaxAge(null);
+		assertNull(config.getMaxAge());
+	}
+	
+	@Test
+	public void setValues() {
+		config.addAllowedOrigin("*");
+		assertEquals(Arrays.asList("*"), config.getAllowedOrigins());
+		config.addAllowedHeader("*");
+		assertEquals(Arrays.asList("*"), config.getAllowedHeaders());
+		config.addAllowedMethod("*");
+		assertEquals(Arrays.asList("*"), config.getAllowedMethods());
+		config.addExposedHeader("header1");
+		config.addExposedHeader("header2");
+		assertEquals(Arrays.asList("header1", "header2"), config.getExposedHeaders());
+		config.setAllowCredentials(true);
+		assertTrue(config.getAllowCredentials());
+		config.setMaxAge(123L);
+		assertEquals(new Long(123), config.getMaxAge());
+	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void asteriskWildCardOnAddExposedHeader() {
+		config.addExposedHeader("*");
+	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void asteriskWildCardOnSetExposedHeaders() {
+		config.setExposedHeaders(Arrays.asList("*"));
+	}
+	
+	@Test
+	public void combineWithNull() {
+		config.setAllowedOrigins(Arrays.asList("*"));
+		config.combine(null);
+		assertEquals(Arrays.asList("*"), config.getAllowedOrigins());
+	}
+	
+	@Test
+	public void combineWithNullProperties() {
+		config.addAllowedOrigin("*");
+		config.addAllowedHeader("header1");
+		config.addExposedHeader("header3");
+		config.addAllowedMethod(HttpMethod.GET.name());
+		config.setMaxAge(123L);
+		config.setAllowCredentials(true);
+		CorsConfiguration other = new CorsConfiguration();
+		config = config.combine(other);
+		assertEquals(Arrays.asList("*"), config.getAllowedOrigins());
+		assertEquals(Arrays.asList("header1"), config.getAllowedHeaders());
+		assertEquals(Arrays.asList("header3"), config.getExposedHeaders());
+		assertEquals(Arrays.asList(HttpMethod.GET.name()), config.getAllowedMethods());
+		assertEquals(new Long(123), config.getMaxAge());
+		assertTrue(config.getAllowCredentials());
+	}
+	
+	@Test
+	public void combineWithAsteriskWildCard() {
+		config.addAllowedOrigin("*");
+		config.addAllowedHeader("*");
+		config.addAllowedMethod("*");
+		CorsConfiguration other = new CorsConfiguration();
+		other.addAllowedOrigin("http://domain.com");
+		other.addAllowedHeader("header1");
+		other.addExposedHeader("header2");
+		other.addAllowedMethod(HttpMethod.PUT.name());
+		config = config.combine(other);
+		assertEquals(Arrays.asList("http://domain.com"), config.getAllowedOrigins());
+		assertEquals(Arrays.asList("header1"), config.getAllowedHeaders());
+		assertEquals(Arrays.asList("header2"), config.getExposedHeaders());
+		assertEquals(Arrays.asList(HttpMethod.PUT.name()), config.getAllowedMethods());
+	}
+	
+	@Test
+	public void combine() {
+		config.addAllowedOrigin("http://domain1.com");
+		config.addAllowedHeader("header1");
+		config.addExposedHeader("header3");
+		config.addAllowedMethod(HttpMethod.GET.name());
+		config.setMaxAge(123L);
+		config.setAllowCredentials(true);
+		CorsConfiguration other = new CorsConfiguration();
+		other.addAllowedOrigin("http://domain2.com");
+		other.addAllowedHeader("header2");
+		other.addExposedHeader("header4");
+		other.addAllowedMethod(HttpMethod.PUT.name());
+		other.setMaxAge(456L);
+		other.setAllowCredentials(false);
+		config = config.combine(other);
+		assertEquals(Arrays.asList("http://domain1.com", "http://domain2.com"), config.getAllowedOrigins());
+		assertEquals(Arrays.asList("header1", "header2"), config.getAllowedHeaders());
+		assertEquals(Arrays.asList("header3", "header4"), config.getExposedHeaders());
+		assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()), config.getAllowedMethods());
+		assertEquals(new Long(456), config.getMaxAge());
+		assertFalse(config.getAllowCredentials());
+	}
 
 	@Test
 	public void checkOriginAllowed() {

spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CrossOriginConfigurer.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.servlet.config.annotation;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.web.cors.CorsConfiguration;
+
+/**
+ * Assist with the registration of {@link CorsConfiguration} mapped to one or more path patterns.
+ * @author Sebastien Deleuze
+ * 
+ * @since 4.2
+ * @see CrossOriginRegistration
+ */
+public class CrossOriginConfigurer {
+	
+	private final List<CrossOriginRegistration> registrations = new ArrayList<CrossOriginRegistration>();
+
+	/**
+	 * Enable cross origin requests on the specified path patterns. If no path pattern is specified,
+	 * cross-origin request handling is mapped on "/**" .
+	 * 
+	 * <p>By default, all origins, all headers and credentials are allowed. Max age is set to 30 minutes.</p>
+	 */
+	public CrossOriginRegistration enableCrossOrigin(String... pathPatterns) {
+		CrossOriginRegistration registration = new CrossOriginRegistration(pathPatterns);
+		this.registrations.add(registration);
+		return registration;
+	}
+	
+	protected Map<String, CorsConfiguration> getCorsConfigurations() {
+		Map<String, CorsConfiguration> configs = new HashMap<String, CorsConfiguration>();
+		for (CrossOriginRegistration registration : this.registrations) {
+			for (String pathPattern : registration.getPathPatterns()) {
+				configs.put(pathPattern, registration.getCorsConfiguration());
+			}
+		}
+		return configs;
+	}
+
+}

spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CrossOriginRegistration.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.servlet.config.annotation;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.web.cors.CorsConfiguration;
+
+/**
+ * Assists with the creation of a {@link CorsConfiguration} mapped to one or more path patterns.
+ * If no path pattern is specified, cross-origin request handling is mapped on "/**" .
+ * 
+ * <p>By default, all origins, all headers, credentials and GET, HEAD, POST methods are allowed.
+ * Max age is set to 30 minutes.</p>
+ * 
+ * @author Sebastien Deleuze
+ * @since 4.2
+ */
+public class CrossOriginRegistration {
+	
+	private final String[] pathPatterns;
+	
+	private final CorsConfiguration config;
+	
+	public CrossOriginRegistration(String... pathPatterns) {
+		this.pathPatterns = (pathPatterns.length == 0 ? new String[]{ "/**" } : pathPatterns);
+		// Same default values than @CrossOrigin annotation + allows simple methods
+		this.config = new CorsConfiguration();
+		this.config.addAllowedOrigin("*");
+		this.config.addAllowedMethod(HttpMethod.GET.name());
+		this.config.addAllowedMethod(HttpMethod.HEAD.name());
+		this.config.addAllowedMethod(HttpMethod.POST.name());
+		this.config.addAllowedHeader("*");
+		this.config.setAllowCredentials(true);
+		this.config.setMaxAge(1800L);
+	}
+	
+	public CrossOriginRegistration allowedOrigins(String... origins) {
+		this.config.setAllowedOrigins(new ArrayList<String>(Arrays.asList(origins)));
+		return this;
+	}
+	
+	public CrossOriginRegistration allowedMethods(String... methods) {
+		this.config.setAllowedMethods(new ArrayList<String>(Arrays.asList(methods)));
+		return this;
+	}
+	
+	public CrossOriginRegistration allowedHeaders(String... headers) {
+		this.config.setAllowedHeaders(new ArrayList<String>(Arrays.asList(headers)));
+		return this;
+	}
+	
+	public CrossOriginRegistration exposedHeaders(String... headers) {
+		this.config.setExposedHeaders(new ArrayList<String>(Arrays.asList(headers)));
+		return this;
+	}
+	
+	public CrossOriginRegistration maxAge(long maxAge) {
+		this.config.setMaxAge(maxAge);
+		return this;
+	}
+	
+	public CrossOriginRegistration allowCredentials(boolean allowCredentials) {
+		this.config.setAllowCredentials(allowCredentials);
+		return this;
+	}
+	
+	protected String[] getPathPatterns() {
+		return this.pathPatterns;
+	}
+	
+	protected CorsConfiguration getCorsConfiguration() {
+		return this.config;
+	}
+	
+}

spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/DelegatingWebMvcConfiguration.java

@@ -132,4 +132,9 @@ protected void configureHandlerExceptionResolvers(List<HandlerExceptionResolver>
 		this.configurers.configureHandlerExceptionResolvers(exceptionResolvers);
 	}
 
+	@Override
+	protected void configureCrossOrigin(CrossOriginConfigurer configurer) {
+		this.configurers.configureCrossOrigin(configurer);
+	}
+	
 }