Avoid registering CorsConfiguration for methods without @crossorigin

sdeleuze · sdeleuze · commit 9a65eec36fdb · 2015-04-20T09:04:38.000+02:00
Issue: SPR-12931
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
@@ -271,13 +271,15 @@ protected String[] resolveEmbeddedValuesInPatterns(String[] patterns) {
 	@Override
 	protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
 		HandlerMethod handlerMethod = createHandlerMethod(handler, method);
+		CrossOrigin typeAnnotation = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), CrossOrigin.class);
+		CrossOrigin methodAnnotation = AnnotationUtils.findAnnotation(method, CrossOrigin.class);
 
-		CorsConfiguration config = new CorsConfiguration();
+		if (typeAnnotation == null && methodAnnotation == null) {
+			return null;
+		}
 
-		CrossOrigin typeAnnotation = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), CrossOrigin.class);
+		CorsConfiguration config = new CorsConfiguration();
 		applyAnnotation(config, typeAnnotation);
-
-		CrossOrigin methodAnnotation = AnnotationUtils.findAnnotation(method, CrossOrigin.class);
 		applyAnnotation(config, methodAnnotation);
 
 		if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
@@ -66,14 +66,33 @@ public void setUp() {
 	}
 
 	@Test
-	public void noAnnotation() throws Exception {
+	public void noAnnotationWithoutOrigin() throws Exception {
 		this.handlerMapping.registerHandler(new MethodLevelController());
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/no");
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertNull(config);
 	}
 
+	@Test  // SPR-12931
+	public void noAnnotationWithOrigin() throws Exception {
+		this.handlerMapping.registerHandler(new MethodLevelController());
+		this.request.setRequestURI("/no");
+		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+		CorsConfiguration config = getCorsConfiguration(chain, false);
+		assertNull(config);
+	}
+
+	@Test  // SPR-12931
+	public void noAnnotationPostWithOrigin() throws Exception {
+		this.handlerMapping.registerHandler(new MethodLevelController());
+		this.request.setMethod("POST");
+		this.request.setRequestURI("/no");
+		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
+		CorsConfiguration config = getCorsConfiguration(chain, false);
+		assertNull(config);
+	}
+
 	@Test
 	public void defaultAnnotation() throws Exception {
 		this.handlerMapping.registerHandler(new MethodLevelController());
@@ -203,6 +222,10 @@ private static class MethodLevelController {
 		public void noAnnotation() {
 		}
 
+		@RequestMapping(value = "/no", method = RequestMethod.POST)
+		public void noAnnotationPost() {
+		}
+
 		@CrossOrigin
 		@RequestMapping(value = "/default", method = RequestMethod.GET)
 		public void defaultAnnotation() {
