/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.util;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.junit.Test;

import org.springframework.http.HttpHeaders;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.mock.web.test.MockHttpServletRequest;
import org.springframework.util.MultiValueMap;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

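/**
 * Unit tests for {@link WebUtils}: parameter lookup, matrix-variable parsing and
 * the {@code Origin} header checks ({@code isValidOrigin} / {@code isSameOrigin}),
 * including the handling of {@code Forwarded} and {@code X-Forwarded-*} headers.
 *
 * @author Juergen Hoeller
 * @author Arjen Poutsma
 * @author Rossen Stoyanchev
 * @author Sebastien Deleuze
 */
public class WebUtilsTests {

	@Test
	public void findParameterValue() {
		Map<String, Object> params = new HashMap<>();
		params.put("myKey1", "myValue1");
		params.put("myKey2_myValue2", "xxx");
		params.put("myKey3_myValue3.x", "xxx");
		params.put("myKey4_myValue4.y", new String[] {"yyy"});

		// unknown name -> null
		assertNull(WebUtils.findParameterValue(params, "myKey0"));
		// plain name -> the map value itself
		assertEquals("myValue1", WebUtils.findParameterValue(params, "myKey1"));
		// "name_value" keys carry the value in the key; the map value is ignored
		assertEquals("myValue2", WebUtils.findParameterValue(params, "myKey2"));
		// trailing ".x" / ".y" suffixes on such keys are dropped from the value
		assertEquals("myValue3", WebUtils.findParameterValue(params, "myKey3"));
		assertEquals("myValue4", WebUtils.findParameterValue(params, "myKey4"));
	}

	@Test
	public void parseMatrixVariablesString() {
		MultiValueMap<String, String> variables;

		// null input yields an empty (non-null) map
		variables = WebUtils.parseMatrixVariables(null);
		assertEquals(0, variables.size());

		// a name without "=value" maps to the empty string
		variables = WebUtils.parseMatrixVariables("year");
		assertEquals(1, variables.size());
		assertEquals("", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("year=2012");
		assertEquals(1, variables.size());
		assertEquals("2012", variables.getFirst("year"));

		// comma-separated values are split into a list
		variables = WebUtils.parseMatrixVariables("year=2012;colors=red,blue,green");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		// leading and trailing ';' do not produce empty entries
		variables = WebUtils.parseMatrixVariables(";year=2012;colors=red,blue,green;");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		// a repeated name accumulates its values in order
		variables = WebUtils.parseMatrixVariables("colors=red;colors=blue;colors=green");
		assertEquals(1, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
	}

	@Test
	public void isValidOrigin() {
		// with no allowed origins configured, only a same-origin request passes
		List<String> allowed = Collections.emptyList();
		assertTrue(checkValidOrigin("mydomain1.com", -1, "http://mydomain1.com", allowed));
		assertFalse(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));

		// "*" allows any origin
		allowed = Collections.singletonList("*");
		assertTrue(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));

		// an explicit list allows exactly the listed origins (plus same-origin)
		allowed = Collections.singletonList("http://mydomain1.com");
		assertTrue(checkValidOrigin("mydomain2.com", -1, "http://mydomain1.com", allowed));
		assertFalse(checkValidOrigin("mydomain2.com", -1, "http://mydomain3.com", allowed));
	}

	@Test
	public void isSameOrigin() {
		// default ports are equivalent to an absent port for the matching scheme
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com:443"));
		assertTrue(checkSameOrigin("mydomain1.com", 123, "http://mydomain1.com:123"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "ws://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "wss://mydomain1.com"));

		// different host, scheme/port mismatch, or an unparseable origin are rejected
		assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
		assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
		assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));

		// Handling of invalid origins as described in SPR-13478
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));

		// Handling of IPv6 hosts as described in SPR-13525
		assertTrue(checkSameOrigin("[::1]", -1, "http://[::1]"));
		assertTrue(checkSameOrigin("[::1]", 8080, "http://[::1]:8080"));
		assertTrue(checkSameOrigin(
				"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1,
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
		assertTrue(checkSameOrigin(
				"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080,
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
		assertFalse(checkSameOrigin("[::1]", -1, "http://[::1]:8080"));
		assertFalse(checkSameOrigin("[::1]", 8080,
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
	}

	@Test  // SPR-16262
	public void isSameOriginWithXForwardedHeaders() {
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", -1, "https", null, -1, "https://mydomain1.com"));
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", 123, "https", null, -1, "https://mydomain1.com"));
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", -1, "https", "mydomain2.com", -1, "https://mydomain2.com"));
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", 123, "https", "mydomain2.com", -1, "https://mydomain2.com"));
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", -1, "https", "mydomain2.com", 456, "https://mydomain2.com:456"));
		assertTrue(checkSameOriginWithXForwardedHeaders("mydomain1.com", 123, "https", "mydomain2.com", 456, "https://mydomain2.com:456"));

		// the forwarded host replaces the server name: an Origin matching the
		// original server name but not the forwarded host is no longer same-origin
		assertFalse(checkSameOriginWithXForwardedHeaders("mydomain1.com", -1, "https", "mydomain2.com", -1, "https://mydomain1.com"));
	}

	@Test  // SPR-16262
	public void isSameOriginWithForwardedHeader() {
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", -1, "proto=https", "https://mydomain1.com"));
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", 123, "proto=https", "https://mydomain1.com"));
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", -1, "proto=https; host=mydomain2.com", "https://mydomain2.com"));
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", 123, "proto=https; host=mydomain2.com", "https://mydomain2.com"));
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", -1, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456"));
		assertTrue(checkSameOriginWithForwardedHeader("mydomain1.com", 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456"));

		// same negative case as for X-Forwarded-Host: forwarded host wins over the server name
		assertFalse(checkSameOriginWithForwardedHeader("mydomain1.com", -1, "proto=https; host=mydomain2.com", "https://mydomain1.com"));
	}


	/**
	 * Run {@link WebUtils#isValidOrigin} against a mock request.
	 * @param serverName the server name of the mock request
	 * @param port the server port, or -1 to keep the mock's default
	 * @param originHeader the value of the {@code Origin} header
	 * @param allowed the allowed origins passed to {@code isValidOrigin}
	 * @return the result of {@code isValidOrigin}
	 */
	private boolean checkValidOrigin(String serverName, int port, String originHeader, List<String> allowed) {
		ServerHttpRequest request = createRequest(serverName, port);
		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
		return WebUtils.isValidOrigin(request, allowed);
	}

	/**
	 * Run {@link WebUtils#isSameOrigin} against a mock request with no forwarded headers.
	 * @param serverName the server name of the mock request
	 * @param port the server port, or -1 to keep the mock's default
	 * @param originHeader the value of the {@code Origin} header
	 * @return the result of {@code isSameOrigin}
	 */
	private boolean checkSameOrigin(String serverName, int port, String originHeader) {
		ServerHttpRequest request = createRequest(serverName, port);
		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
		return WebUtils.isSameOrigin(request);
	}

	/**
	 * Run {@link WebUtils#isSameOrigin} against a mock request carrying
	 * {@code X-Forwarded-Proto}, {@code X-Forwarded-Host} and {@code X-Forwarded-Port}.
	 * @param serverName the server name of the mock request
	 * @param port the server port, or -1 to keep the mock's default
	 * @param forwardedProto the {@code X-Forwarded-Proto} value, or null to omit the header
	 * @param forwardedHost the {@code X-Forwarded-Host} value, or null to omit the header
	 * @param forwardedPort the {@code X-Forwarded-Port} value, or -1 to omit the header
	 * @param originHeader the value of the {@code Origin} header
	 * @return the result of {@code isSameOrigin}
	 */
	private boolean checkSameOriginWithXForwardedHeaders(String serverName, int port, String forwardedProto,
			String forwardedHost, int forwardedPort, String originHeader) {

		ServerHttpRequest request = createRequest(serverName, port);
		HttpHeaders headers = request.getHeaders();
		if (forwardedProto != null) {
			headers.set("X-Forwarded-Proto", forwardedProto);
		}
		if (forwardedHost != null) {
			headers.set("X-Forwarded-Host", forwardedHost);
		}
		if (forwardedPort != -1) {
			headers.set("X-Forwarded-Port", String.valueOf(forwardedPort));
		}
		headers.set(HttpHeaders.ORIGIN, originHeader);
		return WebUtils.isSameOrigin(request);
	}

	/**
	 * Run {@link WebUtils#isSameOrigin} against a mock request carrying an
	 * RFC 7239 {@code Forwarded} header.
	 * @param serverName the server name of the mock request
	 * @param port the server port, or -1 to keep the mock's default
	 * @param forwardedHeader the raw {@code Forwarded} header value
	 * @param originHeader the value of the {@code Origin} header
	 * @return the result of {@code isSameOrigin}
	 */
	private boolean checkSameOriginWithForwardedHeader(String serverName, int port, String forwardedHeader,
			String originHeader) {

		ServerHttpRequest request = createRequest(serverName, port);
		HttpHeaders headers = request.getHeaders();
		headers.set("Forwarded", forwardedHeader);
		headers.set(HttpHeaders.ORIGIN, originHeader);
		return WebUtils.isSameOrigin(request);
	}

	/**
	 * Create a {@link ServerHttpRequest} backed by a {@link MockHttpServletRequest}
	 * with the given server name; shared by all {@code check*} helpers above.
	 * @param serverName the server name to set on the mock
	 * @param port the server port to set, or -1 to leave the mock's default port untouched
	 * @return the wrapped request, whose headers can still be mutated via {@code getHeaders()}
	 */
	private static ServerHttpRequest createRequest(String serverName, int port) {
		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
		servletRequest.setServerName(serverName);
		if (port != -1) {
			servletRequest.setServerPort(port);
		}
		return new ServletServerHttpRequest(servletRequest);
	}

}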