diff --git a/pom.xml b/pom.xml index b4d9c03e7..707a74e77 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT pom Spring Data REST diff --git a/spring-data-rest-core/pom.xml b/spring-data-rest-core/pom.xml index e88b8b583..dbde42aab 100644 --- a/spring-data-rest-core/pom.xml +++ b/spring-data-rest-core/pom.xml @@ -11,7 +11,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml diff --git a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java new file mode 100644 index 000000000..fb08dd1e9 --- /dev/null +++ b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryCorsRegistry.java @@ -0,0 +1,39 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.core.config; + +import java.util.Map; + +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.servlet.config.annotation.CorsRegistry; + +/** + * Spring Data REST specific {@code CorsRegistry} implementation exposing {@link #getCorsConfigurations()}. Assists with + * the registration of {@link CorsConfiguration} mapped to a path pattern. + * + * @author Mark Paluch + * @since 2.6 + */ +public class RepositoryCorsRegistry extends CorsRegistry { + + /* (non-Javadoc) + * @see org.springframework.web.servlet.config.annotation.CorsRegistry#getCorsConfigurations() + */ + @Override + public Map getCorsConfigurations() { + return super.getCorsConfigurations(); + } +} diff --git a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java index 406a834fb..d4db3704d 100644 --- a/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java +++ b/spring-data-rest-core/src/main/java/org/springframework/data/rest/core/config/RepositoryRestConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2015 the original author or authors. + * Copyright 2012-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,6 +28,8 @@ import org.springframework.http.MediaType; import org.springframework.util.Assert; import org.springframework.util.StringUtils; +import org.springframework.web.cors.CorsConfiguration; +import org.springframework.web.servlet.config.annotation.CorsRegistration; /** * Spring Data REST configuration options. @@ -36,6 +38,7 @@ * @author Oliver Gierke * @author Jeremy Rickard * @author Greg Turnquist + * @author Mark Paluch */ @SuppressWarnings("deprecation") public class RepositoryRestConfiguration { @@ -58,6 +61,7 @@ public class RepositoryRestConfiguration { private ResourceMappingConfiguration repoMappings = new ResourceMappingConfiguration(); private RepositoryDetectionStrategy repositoryDetectionStrategy = RepositoryDetectionStrategies.DEFAULT; + private final RepositoryCorsRegistry corsRegistry = new RepositoryCorsRegistry(); private final ProjectionDefinitionConfiguration projectionConfiguration; private final MetadataConfiguration metadataConfiguration; private final EntityLookupConfiguration entityLookupConfiguration; @@ -549,6 +553,34 @@ public void setRepositoryDetectionStrategy(RepositoryDetectionStrategy repositor : repositoryDetectionStrategy; } + /** + * Returns the {@link RepositoryCorsRegistry} to configure Cross-origin resource sharing. + * + * @return the {@link RepositoryCorsRegistry}. + * @since 2.6 + * @see RepositoryCorsRegistry + * @see CorsRegistration + */ + public RepositoryCorsRegistry getCorsRegistry() { + return corsRegistry; + } + + /** + * Configures Cross-origin resource sharing given a {@code path}. + * + * @param path path or path pattern, must not be {@literal null} or empty. + * @return the {@link CorsRegistration} to build a CORS configuration. + * @since 2.6 + * @see CorsConfiguration + */ + public CorsRegistration addCorsMapping(String path) { + + Assert.notNull(path, "Path must not be null!"); + Assert.hasText(path, "Path must not be empty!"); + + return corsRegistry.addMapping(path); + } + /** * Returns the {@link EntityLookupRegistrar} to create custom {@link EntityLookup} instances registered in the * configuration. diff --git a/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java b/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java index b0e0b6219..009424997 100644 --- a/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java +++ b/spring-data-rest-core/src/test/java/org/springframework/data/rest/core/RepositoryRestConfigurationUnitTests.java @@ -15,10 +15,12 @@ */ package org.springframework.data.rest.core; -import static org.hamcrest.CoreMatchers.*; +import static org.hamcrest.Matchers.*; import static org.junit.Assert.*; import static org.mockito.Mockito.*; +import java.util.Map; + import org.junit.Before; import org.junit.Test; import org.springframework.data.rest.core.config.EnumTranslationConfiguration; @@ -28,11 +30,13 @@ import org.springframework.data.rest.core.domain.Profile; import org.springframework.data.rest.core.domain.ProfileRepository; import org.springframework.http.MediaType; +import org.springframework.web.cors.CorsConfiguration; /** * Unit tests for {@link RepositoryRestConfiguration}. * * @author Oliver Gierke + * @author Mark Paluch * @soundtrack Adam F - Circles (Colors) */ public class RepositoryRestConfigurationUnitTests { @@ -132,10 +136,25 @@ public void returnsBodyForCreateIfExplicitlyActivated() { * @see DATAREST-776 */ @Test - public void consideresDomainTypeOfValueRepositoryLookupTypes() { + public void considersDomainTypeOfValueRepositoryLookupTypes() { configuration.withEntityLookup().forLookupRepository(ProfileRepository.class); assertThat(configuration.isLookupType(Profile.class), is(true)); } + + /** + * @see DATAREST-573 + */ + @Test + public void configuresCorsProcessing() { + + configuration.addCorsMapping("/hello").maxAge(1234); + + Map corsConfigurations = configuration.getCorsRegistry().getCorsConfigurations(); + assertThat(corsConfigurations, hasKey("/hello")); + + CorsConfiguration corsConfiguration = corsConfigurations.get("/hello"); + assertThat(corsConfiguration.getMaxAge(), is(1234L)); + } } diff --git a/spring-data-rest-distribution/pom.xml b/spring-data-rest-distribution/pom.xml index 848042713..ee882a7a6 100644 --- a/spring-data-rest-distribution/pom.xml +++ b/spring-data-rest-distribution/pom.xml @@ -13,7 +13,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml diff --git a/spring-data-rest-hal-browser/pom.xml b/spring-data-rest-hal-browser/pom.xml index 4e769cfe2..786af06d0 100644 --- a/spring-data-rest-hal-browser/pom.xml +++ b/spring-data-rest-hal-browser/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT spring-data-rest-hal-browser diff --git a/spring-data-rest-tests/pom.xml b/spring-data-rest-tests/pom.xml index ef7461361..14d34e74c 100644 --- a/spring-data-rest-tests/pom.xml +++ b/spring-data-rest-tests/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml diff --git a/spring-data-rest-tests/spring-data-rest-tests-core/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-core/pom.xml index 3d2b89bac..e89062f46 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-core/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-core/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml @@ -17,7 +17,7 @@ org.springframework.data spring-data-rest-webmvc - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT diff --git a/spring-data-rest-tests/spring-data-rest-tests-gemfire/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-gemfire/pom.xml index 5b3afdfb5..ec454955b 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-gemfire/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-gemfire/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml @@ -17,7 +17,7 @@ org.springframework.data spring-data-rest-tests-core - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT test-jar diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-jpa/pom.xml index 9f3ca1b29..0d272f9e4 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-jpa/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml @@ -21,7 +21,7 @@ org.springframework.data spring-data-rest-tests-core - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT test-jar diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java index 3be066136..d2c57c4c2 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/AuthorRepository.java @@ -16,10 +16,13 @@ package org.springframework.data.rest.webmvc.jpa; import org.springframework.data.repository.CrudRepository; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; /** * @author Oliver Gierke + * @author Mark Paluch */ -public interface AuthorRepository extends CrudRepository { - -} +@CrossOrigin(origins = "http://not.so.far.away", allowCredentials = "true", + methods = { RequestMethod.GET, RequestMethod.PATCH }, maxAge = 1234) +public interface AuthorRepository extends CrudRepository {} diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java index 15dbc9676..59eb9dc90 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/main/java/org/springframework/data/rest/webmvc/jpa/ItemRepository.java @@ -16,10 +16,13 @@ package org.springframework.data.rest.webmvc.jpa; import org.springframework.data.repository.CrudRepository; +import org.springframework.web.bind.annotation.CrossOrigin; /** * @author Greg Turnquist * @author Oliver Gierke + * @author Mark Paluch * @see DATAREST-463 */ +@CrossOrigin public interface ItemRepository extends CrudRepository {} diff --git a/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java new file mode 100644 index 000000000..a8f5788ec --- /dev/null +++ b/spring-data-rest-tests/spring-data-rest-tests-jpa/src/test/java/org/springframework/data/rest/webmvc/jpa/CorsIntegrationTests.java @@ -0,0 +1,204 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.webmvc.jpa; + +import static org.hamcrest.Matchers.containsString; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import org.junit.Test; +import org.springframework.context.annotation.Bean; +import org.springframework.data.rest.core.config.RepositoryRestConfiguration; +import org.springframework.data.rest.tests.AbstractWebIntegrationTests; +import org.springframework.data.rest.webmvc.BasePathAwareController; +import org.springframework.data.rest.webmvc.RepositoryRestController; +import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer; +import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter; +import org.springframework.hateoas.Link; +import org.springframework.http.HttpHeaders; +import org.springframework.http.MediaType; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +/** + * Web integration tests specific to Cross-origin resource sharing. + * + * @author Mark Paluch + * @soundtrack 2 Unlimited - No Limit + */ +@ContextConfiguration +public class CorsIntegrationTests extends AbstractWebIntegrationTests { + + static class CorsConfig extends JpaRepositoryConfig { + + @Bean + RepositoryRestConfigurer repositoryRestConfigurer() { + + return new RepositoryRestConfigurerAdapter() { + + @Override + public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) { + + config.addCorsMapping("/books/**") // + .allowedMethods("GET", "PUT", "POST") // + .allowedOrigins("http://far.far.away"); + } + }; + } + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesSelectiveDefaultCorsConfiguration() throws Exception { + + Link findItems = client.discoverUnique("items"); + + // Preflight request + mvc.perform(options(findItems.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS,TRACE")); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesGlobalCorsConfiguration() throws Exception { + + Link findBooks = client.discoverUnique("books"); + + // Preflight request + mvc.perform(options(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PUT,POST")); + + // CORS request + mvc.perform(get(findBooks.expand().getHref()).header(HttpHeaders.ORIGIN, "http://far.far.away")) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")); + } + + /** + * @see DATAREST-573 + * @see BooksXmlController + */ + @Test + public void appliesCorsConfigurationOnCustomControllers() throws Exception { + + // Preflight request + mvc.perform(options("/books/xml/1234") // + .header(HttpHeaders.ORIGIN, "http://far.far.away") // + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 77123)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + // See https://jira.spring.io/browse/SPR-14792 + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST"))); + + // CORS request + mvc.perform(get("/books/xml/1234") // + .header(HttpHeaders.ORIGIN, "http://far.far.away") // + .accept(MediaType.APPLICATION_XML)) // + .andExpect(status().isOk()) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")); + } + + /** + * @see DATAREST-573 + * @see BooksPdfController + */ + @Test + public void appliesCorsConfigurationOnCustomControllerMethod() throws Exception { + + // Preflight request + mvc.perform(options("/books/pdf/1234").header(HttpHeaders.ORIGIN, "http://far.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 4711)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://far.far.away")) // + // See https://jira.spring.io/browse/SPR-14792 + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET,PUT,POST"))); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesCorsConfigurationOnRepository() throws Exception { + + Link authorsLink = client.discoverUnique("authors"); + + // Preflight request + mvc.perform(options(authorsLink.expand().getHref()).header(HttpHeaders.ORIGIN, "http://not.so.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH")); + } + + /** + * @see DATAREST-573 + */ + @Test + public void appliesCorsConfigurationOnRepositoryToCustomControllers() throws Exception { + + // Preflight request + mvc.perform(options("/authors/pdf/1234").header(HttpHeaders.ORIGIN, "http://not.so.far.away") + .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")) // + .andExpect(status().isOk()) // + .andExpect(header().longValue(HttpHeaders.ACCESS_CONTROL_MAX_AGE, 1234)) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://not.so.far.away")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")) // + .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,PATCH")); + } + + @RepositoryRestController + static class AuthorsPdfController { + + @RequestMapping(method = RequestMethod.GET, path = "/authors/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE) + void authorToPdf() {} + } + + @RepositoryRestController + static class BooksPdfController { + + @RequestMapping(method = RequestMethod.GET, path = "/books/pdf/1234", produces = MediaType.APPLICATION_PDF_VALUE) + @CrossOrigin(maxAge = 4711) + void bookToPdf() {} + } + + @BasePathAwareController + static class BooksXmlController { + + @GetMapping(value = "/books/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE) + @CrossOrigin(maxAge = 77123) + void bookToXml(@PathVariable String id) {} + } +} diff --git a/spring-data-rest-tests/spring-data-rest-tests-mongodb/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-mongodb/pom.xml index 389381ff5..6bcca3b6a 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-mongodb/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-mongodb/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml @@ -17,7 +17,7 @@ org.springframework.data spring-data-rest-tests-core - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT test-jar diff --git a/spring-data-rest-tests/spring-data-rest-tests-security/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-security/pom.xml index a56b53786..a9436b38e 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-security/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-security/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml @@ -21,7 +21,7 @@ org.springframework.data spring-data-rest-tests-core - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT test-jar diff --git a/spring-data-rest-tests/spring-data-rest-tests-shop/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-shop/pom.xml index 703dece1c..19574346d 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-shop/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-shop/pom.xml @@ -5,7 +5,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT Spring Data REST Tests - Shop diff --git a/spring-data-rest-tests/spring-data-rest-tests-solr/pom.xml b/spring-data-rest-tests/spring-data-rest-tests-solr/pom.xml index 48779968d..484cbd5cf 100644 --- a/spring-data-rest-tests/spring-data-rest-tests-solr/pom.xml +++ b/spring-data-rest-tests/spring-data-rest-tests-solr/pom.xml @@ -4,7 +4,7 @@ org.springframework.data spring-data-rest-tests - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT Spring Data REST Tests - Solr @@ -15,7 +15,7 @@ org.springframework.data spring-data-rest-tests-core - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT test-jar diff --git a/spring-data-rest-webmvc/pom.xml b/spring-data-rest-webmvc/pom.xml index 452876350..1f70ae1fc 100644 --- a/spring-data-rest-webmvc/pom.xml +++ b/spring-data-rest-webmvc/pom.xml @@ -12,7 +12,7 @@ org.springframework.data spring-data-rest-parent - 2.6.0.BUILD-SNAPSHOT + 2.6.0.DATAREST-573-SNAPSHOT ../pom.xml diff --git a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java index 7e669eaa6..f9fa7f3c4 100644 --- a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java +++ b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/RepositoryRestHandlerMapping.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2015 the original author or authors. + * Copyright 2012-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +15,7 @@ */ package org.springframework.data.rest.webmvc; +import java.util.Arrays; import java.util.HashSet; import java.util.LinkedHashSet; import java.util.List; @@ -23,15 +24,24 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; +import org.springframework.core.annotation.AnnotatedElementUtils; import org.springframework.core.annotation.AnnotationUtils; +import org.springframework.data.repository.support.Repositories; import org.springframework.data.rest.core.config.RepositoryRestConfiguration; import org.springframework.data.rest.core.mapping.ResourceMappings; +import org.springframework.data.rest.core.mapping.ResourceMetadata; import org.springframework.data.rest.webmvc.support.JpaHelper; +import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; import org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter; import org.springframework.orm.jpa.support.OpenEntityManagerInViewInterceptor; import org.springframework.util.Assert; +import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils; +import org.springframework.util.StringValueResolver; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition; import org.springframework.web.servlet.mvc.method.RequestMappingInfo; @@ -45,6 +55,7 @@ * * @author Jon Brisbin * @author Oliver Gierke + * @author Mark Paluch */ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { @@ -53,7 +64,9 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { private final ResourceMappings mappings; private final RepositoryRestConfiguration configuration; + private final Repositories repositories; + private StringValueResolver embeddedValueResolver; private JpaHelper jpaHelper; /** @@ -64,6 +77,19 @@ public class RepositoryRestHandlerMapping extends BasePathAwareHandlerMapping { * @param config must not be {@literal null}. */ public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config) { + this(mappings, config, null); + } + + /** + * Creates a new {@link RepositoryRestHandlerMapping} for the given {@link ResourceMappings} + * {@link RepositoryRestConfiguration} and {@link Repositories}. + * + * @param mappings must not be {@literal null}. + * @param config must not be {@literal null}. + * @param repositories can be {@literal null} if {@link CrossOrigin} resolution is not required. + */ + public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestConfiguration config, + Repositories repositories) { super(config); @@ -72,6 +98,7 @@ public RepositoryRestHandlerMapping(ResourceMappings mappings, RepositoryRestCon this.mappings = mappings; this.configuration = config; + this.repositories = repositories; } /** @@ -81,7 +108,17 @@ public void setJpaHelper(JpaHelper jpaHelper) { this.jpaHelper = jpaHelper; } - /* + /* (non-Javadoc) + * @see org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#setEmbeddedValueResolver(org.springframework.util.StringValueResolver) + */ + @Override + public void setEmbeddedValueResolver(StringValueResolver resolver) { + + embeddedValueResolver = resolver; + super.setEmbeddedValueResolver(resolver); + } + + /* * (non-Javadoc) * @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod(java.lang.String, javax.servlet.http.HttpServletRequest) */ @@ -155,6 +192,32 @@ protected ProducesRequestCondition customize(ProducesRequestCondition condition) return new ProducesRequestCondition(mediaTypes.toArray(new String[mediaTypes.size()])); } + /* (non-Javadoc) + * @see org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#getCorsConfiguration(java.lang.Object, javax.servlet.http.HttpServletRequest) + */ + @Override + protected CorsConfiguration getCorsConfiguration(Object handler, HttpServletRequest request) { + + CorsConfiguration corsConfiguration = super.getCorsConfiguration(handler, request); + String lookupPath = getUrlPathHelper().getLookupPathForRequest(request); + + String repositoryLookupPath = new BaseUri(configuration.getBaseUri()).getRepositoryLookupPath(lookupPath); + + if (!StringUtils.hasText(repositoryLookupPath) || repositories == null) { + return corsConfiguration; + } + + // Repository root resource + CorsConfiguration repositoryConfiguration = new CorsConfigurationAccessor(mappings, repositories, + embeddedValueResolver).findCorsConfiguration(lookupPath); + + if (repositoryConfiguration != null) { + return corsConfiguration != null ? corsConfiguration.combine(repositoryConfiguration) : repositoryConfiguration; + } + + return corsConfiguration; + } + /** * Returns the first segment of the given repository lookup path. * @@ -166,4 +229,140 @@ private static String getRepositoryBasePath(String repositoryLookupPath) { int secondSlashIndex = repositoryLookupPath.indexOf('/', repositoryLookupPath.startsWith("/") ? 1 : 0); return secondSlashIndex == -1 ? repositoryLookupPath : repositoryLookupPath.substring(0, secondSlashIndex); } + + /** + * Accessor to obtain {@link CorsConfiguration} for exposed repositories. + *

+ * Exported Repository classes can be annotated with {@link CrossOrigin} to configure CORS for a specific repository. + * + * @author Mark Paluch + * @since 2.6 + */ + static class CorsConfigurationAccessor { + + private final ResourceMappings mappings; + private final Repositories repositories; + private final StringValueResolver embeddedValueResolver; + + /** + * Creates a new {@link CorsConfigurationAccessor} given {@link ResourceMappings}, {@link Repositories} and + * {@link StringValueResolver}. + * + * @param mappings must not be {@literal null}. + * @param repositories must not be {@literal null}. + * @param embeddedValueResolver may be {@literal null} if not present. + */ + CorsConfigurationAccessor(ResourceMappings mappings, Repositories repositories, + StringValueResolver embeddedValueResolver) { + + Assert.notNull(mappings, "ResourceMappings must not be null!"); + Assert.notNull(repositories, "Repositories must not be null!"); + + this.mappings = mappings; + this.repositories = repositories; + this.embeddedValueResolver = embeddedValueResolver; + } + + CorsConfiguration findCorsConfiguration(String lookupPath) { + + ResourceMetadata resource = getResourceMetadata(getRepositoryBasePath(lookupPath)); + + return resource != null ? createConfiguration( + repositories.getRepositoryInformationFor(resource.getDomainType()).getRepositoryInterface()) : null; + } + + private ResourceMetadata getResourceMetadata(String basePath) { + + if (mappings.exportsTopLevelResourceFor(basePath)) { + + for (ResourceMetadata metadata : mappings) { + if (metadata.getPath().matches(basePath) && metadata.isExported()) { + return metadata; + } + } + } + + return null; + } + + /** + * Creates {@link CorsConfiguration} from a repository interface. + * + * @param repositoryInterface the repository interface + * @return {@link CorsConfiguration} or {@literal null}. + */ + protected CorsConfiguration createConfiguration(Class repositoryInterface) { + + CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(repositoryInterface, CrossOrigin.class); + + if (typeAnnotation == null) { + return null; + } + + CorsConfiguration config = new CorsConfiguration(); + updateCorsConfig(config, typeAnnotation); + + if (CollectionUtils.isEmpty(config.getAllowedOrigins())) { + config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS)); + } + + if (CollectionUtils.isEmpty(config.getAllowedMethods())) { + for (HttpMethod httpMethod : HttpMethod.values()) { + config.addAllowedMethod(httpMethod); + } + } + + if (CollectionUtils.isEmpty(config.getAllowedHeaders())) { + config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS)); + } + + if (config.getAllowCredentials() == null) { + config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS); + } + + if (config.getMaxAge() == null) { + config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE); + } + + return config; + } + + private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation) { + + for (String origin : annotation.origins()) { + config.addAllowedOrigin(resolveCorsAnnotationValue(origin)); + } + + for (RequestMethod method : annotation.methods()) { + config.addAllowedMethod(method.name()); + } + + for (String header : annotation.allowedHeaders()) { + config.addAllowedHeader(resolveCorsAnnotationValue(header)); + } + + for (String header : annotation.exposedHeaders()) { + config.addExposedHeader(resolveCorsAnnotationValue(header)); + } + + String allowCredentials = resolveCorsAnnotationValue(annotation.allowCredentials()); + + if ("true".equalsIgnoreCase(allowCredentials)) { + config.setAllowCredentials(true); + } else if ("false".equalsIgnoreCase(allowCredentials)) { + config.setAllowCredentials(false); + } else if (!allowCredentials.isEmpty()) { + throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", " + + "or an empty string (\"\"): current value is [" + allowCredentials + "]"); + } + + if (annotation.maxAge() >= 0 && config.getMaxAge() == null) { + config.setMaxAge(annotation.maxAge()); + } + } + + private String resolveCorsAnnotationValue(String value) { + return (this.embeddedValueResolver != null ? this.embeddedValueResolver.resolveStringValue(value) : value); + } + } } diff --git a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java index d861ddbdc..28a8955ca 100644 --- a/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java +++ b/spring-data-rest-webmvc/src/main/java/org/springframework/data/rest/webmvc/config/RepositoryRestMvcConfiguration.java @@ -21,6 +21,7 @@ import java.util.Collections; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; import org.springframework.beans.factory.BeanCreationException; @@ -139,9 +140,11 @@ import org.springframework.plugin.core.PluginRegistry; import org.springframework.util.ClassUtils; import org.springframework.web.bind.support.ConfigurableWebBindingInitializer; +import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.method.support.HandlerMethodArgumentResolver; import org.springframework.web.servlet.HandlerMapping; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; +import org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter; import org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter; import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice; @@ -570,6 +573,16 @@ public RequestMappingHandlerAdapter repositoryExporterHandlerAdapter() { return handlerAdapter; } + /** + * {@link HttpRequestHandlerAdapter} to handle CORS preflight requests. + * + * @return + */ + @Bean + public HttpRequestHandlerAdapter httpRequestHandlerAdapter() { + return new HttpRequestHandlerAdapter(); + } + /** * The {@link HandlerMapping} to delegate requests to Spring Data REST controllers. Sets up a * {@link DelegatingHandlerMapping} to make sure manually implemented {@link BasePathAwareController} instances that @@ -582,13 +595,18 @@ public RequestMappingHandlerAdapter repositoryExporterHandlerAdapter() { @Bean public DelegatingHandlerMapping restHandlerMapping() { - RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config()); + Map corsConfigurations = config().getCorsRegistry().getCorsConfigurations(); + + RepositoryRestHandlerMapping repositoryMapping = new RepositoryRestHandlerMapping(resourceMappings(), config(), + repositories()); repositoryMapping.setJpaHelper(jpaHelper()); repositoryMapping.setApplicationContext(applicationContext); + repositoryMapping.setCorsConfigurations(corsConfigurations); repositoryMapping.afterPropertiesSet(); BasePathAwareHandlerMapping basePathMapping = new BasePathAwareHandlerMapping(config()); basePathMapping.setApplicationContext(applicationContext); + basePathMapping.setCorsConfigurations(corsConfigurations); basePathMapping.afterPropertiesSet(); List mappings = new ArrayList(); @@ -980,4 +998,5 @@ protected void configureHttpMessageConverters(List> mess */ @Deprecated protected void configureJacksonObjectMapper(ObjectMapper objectMapper) {} + } diff --git a/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java b/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java new file mode 100644 index 000000000..c41f2a34a --- /dev/null +++ b/spring-data-rest-webmvc/src/test/java/org/springframework/data/rest/webmvc/CorsConfigurationAccessorUnitTests.java @@ -0,0 +1,96 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.data.rest.webmvc; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.*; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.runners.MockitoJUnitRunner; +import org.springframework.data.repository.support.Repositories; +import org.springframework.data.rest.core.mapping.ResourceMappings; +import org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping.CorsConfigurationAccessor; +import org.springframework.web.bind.annotation.CrossOrigin; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.cors.CorsConfiguration; + +/** + * Unit tests for {@link CorsConfigurationAccessor}. + * + * @author Mark Paluch + * @soundtrack Aso Mamiko - Drive Me Crazy (Club Mix) + */ +@RunWith(MockitoJUnitRunner.class) +public class CorsConfigurationAccessorUnitTests { + + CorsConfigurationAccessor accessor; + + @Mock ResourceMappings mappings; + @Mock Repositories repositories; + + @Before + public void before() throws Exception { + accessor = new CorsConfigurationAccessor(mappings, repositories, null); + } + + /** + * @see DATAREST-573 + */ + @Test + public void createConfigurationShouldConstructCorsConfiguration() { + + CorsConfiguration configuration = accessor.createConfiguration(AnnotatedRepository.class); + + assertThat(configuration, is(notNullValue())); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getAllowedHeaders(), hasItem("*")); + assertThat(configuration.getAllowedOrigins(), hasItem("*")); + assertThat(configuration.getAllowedMethods(), + hasItems("OPTIONS", "HEAD", "GET", "PATCH", "POST", "PUT", "DELETE", "TRACE")); + assertThat(configuration.getMaxAge(), is(1800L)); + } + + /** + * @see DATAREST-573 + */ + @Test + public void createConfigurationShouldConstructFullCorsConfiguration() { + + CorsConfiguration configuration = accessor.createConfiguration(FullyConfiguredCorsRepository.class); + + assertThat(configuration, is(notNullValue())); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getAllowedHeaders(), hasItem("Content-type")); + assertThat(configuration.getExposedHeaders(), hasItem("Accept")); + assertThat(configuration.getAllowedOrigins(), hasItem("http://far.far.away")); + assertThat(configuration.getAllowedMethods(), hasItem("PATCH")); + assertThat(configuration.getAllowedMethods(), not(hasItem("DELETE"))); + assertThat(configuration.getAllowCredentials(), is(true)); + assertThat(configuration.getMaxAge(), is(1234L)); + } + + interface PlainRepository {} + + @CrossOrigin + interface AnnotatedRepository {} + + @CrossOrigin(origins = "http://far.far.away", allowedHeaders = "Content-type", maxAge = 1234, + exposedHeaders = "Accept", methods = RequestMethod.PATCH, allowCredentials = "true") + interface FullyConfiguredCorsRepository {} +} diff --git a/src/main/asciidoc/configuring-cors.adoc b/src/main/asciidoc/configuring-cors.adoc new file mode 100644 index 000000000..9b18096b4 --- /dev/null +++ b/src/main/asciidoc/configuring-cors.adoc @@ -0,0 +1,73 @@ +[[customizing-sdr.configuring-cors]] += Configuring CORS + +For security reasons, browsers prohibit AJAX calls to resources residing outside the current origin. When working with client-side HTTP requests issued by a browser you want to enable specific HTTP resources to be accessible. + +Spring Data REST supports as of 2.6 http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing] (CORS) through http://docs.spring.io/spring/docs/{version}/spring-framework-reference/html/cors.html[Spring's CORS] support. + + +== Repository interface CORS configuration + +You can add a `@CrossOrigin` annotation to your repository interfaces to enable CORS for the whole repository. By default `@CrossOrigin` allows all origins and HTTP methods: + +[source, java] +---- +@CrossOrigin +interface PersonRepository extends CrudRepository {} +---- + +In the above example CORS support is enabled for the whole `PersonRepository`. `@CrossOrigin` provides attributes to configure CORS support. + +[source, java] +---- +@CrossOrigin(origins = "http://domain2.com", + methods = { RequestMethod.GET, RequestMethod.POST, RequestMethod.DELETE }, maxAge = 3600) +interface PersonRepository extends CrudRepository {} +---- + +This example enables CORS support for the whole `PersonRepository` providing one origin, restricted to `GET`, `POST` and `DELETE` methods with a max age of 3600 seconds. + +== Repository REST Controller method CORS configuration + +Spring Data REST fully supports http://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html#_controller_method_cors_configuration[Spring Web MVC's Controller method configuration] on custom REST Controllers sharing repository base paths. + +[source, java] +---- +@RepositoryRestController +@RequestMapping("/person") +public class PersonController { + + @CrossOrigin(maxAge = 3600) + @RequestMapping(method = RequestMethod.GET, "/xml/{id}", produces = MediaType.APPLICATION_XML_VALUE) + public Person retrieve(@PathVariable Long id) { + // ... + } +} +---- + +NOTE: Controllers annotated with `@RepositoryRestController` inherit `@CrossOrigin` configuration from their associated repositories. + +== Global CORS configuration + +In addition to fine-grained, annotation-based configuration you’ll probably want to define some global CORS configuration as well. This is similar to Spring Web MVC'S CORS configuration but can be declared within Spring Data REST and combined with fine-grained `@CrossOrigin` configuration. By default all origins and `GET`, `HEAD`, and `POST` methods are allowed. + +NOTE: Existing Spring Web MVC CORS configuration is not applied to Spring Data REST. + +[source, java] +---- +@Component +public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter { + + @Override + public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) { + + config.addCorsMapping("/person/**") + .allowedOrigins("http://domain2.com") + .allowedMethods("PUT", "DELETE") + .allowedHeaders("header1", "header2", "header3") + .exposedHeaders("header1", "header2") + .allowCredentials(false).maxAge(3600); + } +} +---- + diff --git a/src/main/asciidoc/customizing-sdr.adoc b/src/main/asciidoc/customizing-sdr.adoc index f376c7569..61b4ff29b 100644 --- a/src/main/asciidoc/customizing-sdr.adoc +++ b/src/main/asciidoc/customizing-sdr.adoc @@ -64,4 +64,5 @@ include::configuring-the-rest-url-path.adoc[leveloffset=+1] include::adding-sdr-to-spring-mvc-app.adoc[leveloffset=+1] include::overriding-sdr-response-handlers.adoc[leveloffset=+1] include::customizing-json-output.adoc[leveloffset=+1] -include::custom-jackson-deserialization.adoc[leveloffset=+1] \ No newline at end of file +include::custom-jackson-deserialization.adoc[leveloffset=+1] +include::configuring-cors.adoc[leveloffset=+1]