Skip to content

S
spring-framework

爱吃血肠 / spring-framework

通知 1
Star 0
Fork 0
S
spring-framework

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
WebUtilsTests.java 10.3 KB
Newer Older
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
1 
/*
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
2 
 * Copyright 2002-2018 the original author or authors.
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.util;
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
19 
import java.util.Arrays;
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
20 
import java.util.Collections;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
21 
import java.util.HashMap;
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
22 
import java.util.List;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
23 
import java.util.Map;
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
24 
import javax.servlet.http.HttpServletRequest;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
25
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
26 
import org.junit.Test;
J
Consistent formatting of license headers, package javadocs, and import declarations  
Juergen Hoeller 已提交
27
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
28 29 30 
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServletServerHttpRequest;
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
31 
import org.springframework.mock.web.test.MockFilterChain;
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
32 
import org.springframework.mock.web.test.MockHttpServletRequest;
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
33 
import org.springframework.mock.web.test.MockHttpServletResponse;
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
34 
import org.springframework.util.MultiValueMap;
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
35 
import org.springframework.web.filter.ForwardedHeaderFilter;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
36
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
37 
import static org.junit.Assert.*;
J
Consistent formatting of license headers, package javadocs, and import declarations  
Juergen Hoeller 已提交
38
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
39 40 
/**
 * @author Juergen Hoeller
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
41 
 * @author Arjen Poutsma
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
42 
 * @author Rossen Stoyanchev
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
43 
 * @author Sebastien Deleuze
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
44 
 */
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
45 
public class WebUtilsTests {
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
46
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
47 48 
	@Test
	public void findParameterValue() {
S
Explicit type can be replaced by <>  
Stephane Nicoll 已提交
49 
		Map<String, Object> params = new HashMap<>();
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
50 51 52 
		params.put("myKey1", "myValue1");
		params.put("myKey2_myValue2", "xxx");
		params.put("myKey3_myValue3.x", "xxx");
J
Java 5 code style  
Juergen Hoeller 已提交
53 
		params.put("myKey4_myValue4.y", new String[] {"yyy"});
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
54 55 56 57 58 59 60 61 

		assertNull(WebUtils.findParameterValue(params, "myKey0"));
		assertEquals("myValue1", WebUtils.findParameterValue(params, "myKey1"));
		assertEquals("myValue2", WebUtils.findParameterValue(params, "myKey2"));
		assertEquals("myValue3", WebUtils.findParameterValue(params, "myKey3"));
		assertEquals("myValue4", WebUtils.findParameterValue(params, "myKey4"));
	}
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 
	@Test
	public void parseMatrixVariablesString() {
		MultiValueMap<String, String> variables;

		variables = WebUtils.parseMatrixVariables(null);
		assertEquals(0, variables.size());

		variables = WebUtils.parseMatrixVariables("year");
		assertEquals(1, variables.size());
		assertEquals("", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("year=2012");
		assertEquals(1, variables.size());
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("year=2012;colors=red,blue,green");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables(";year=2012;colors=red,blue,green;");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("colors=red;colors=blue;colors=green");
		assertEquals(1, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
	}
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
92 
	@Test
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
93 
	public void isValidOrigin() {
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
94 
		List<String> allowed = Collections.emptyList();
S
URL Cleanup  
Spring Operator 已提交
95 96 
		assertTrue(checkValidOrigin("mydomain1.com", -1, "https://mydomain1.com", allowed));
		assertFalse(checkValidOrigin("mydomain1.com", -1, "/QTifZ/", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
97 98 

		allowed = Collections.singletonList("*");
S
URL Cleanup  
Spring Operator 已提交
99 
		assertTrue(checkValidOrigin("mydomain1.com", -1, "/QTifZ/", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
100
S
URL Cleanup  
Spring Operator 已提交
101 102 
		allowed = Collections.singletonList("https://mydomain1.com");
		assertTrue(checkValidOrigin("mydomain2.com", -1, "https://mydomain1.com", allowed));
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
103 
		assertFalse(checkValidOrigin("mydomain2.com", -1, "http://mydomain3.com", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
104 105 106 
	}

	@Test
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
107 
	public void isSameOrigin() {
S
URL Cleanup  
Spring Operator 已提交
108 109 
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com"));
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://www.mydomain1.com/"));
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
110 111 
		assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com"));
		assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com:443"));
S
URL Cleanup  
Spring Operator 已提交
112 
		assertTrue(checkSameOrigin("http", "mydomain1.com", 123, "https://mydomain1.com:123"));
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
113 114 115 
		assertTrue(checkSameOrigin("ws", "mydomain1.com", -1, "ws://mydomain1.com"));
		assertTrue(checkSameOrigin("wss", "mydomain1.com", 443, "wss://mydomain1.com"));
S
URL Cleanup  
Spring Operator 已提交
116 
		assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "/QTifZ/"));
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
117 118 
		assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com"));
		assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "invalid-origin"));
S
URL Cleanup  
Spring Operator 已提交
119 
		assertFalse(checkSameOrigin("https", "mydomain1.com", -1, "https://mydomain1.com"));
S
Avoid stacktrace for invalid Origin header values  
Sebastien Deleuze 已提交
120 121 

		// Handling of invalid origins as described in SPR-13478
S
URL Cleanup  
Spring Operator 已提交
122 123 124 125 126 127 128 129 
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com/"));
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://www.mydomain1.com/"));
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com/path"));
		assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "https://www.mydomain1.com/path"));
		assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "https://mydomain1.com/"));
		assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "https://www.mydomain1.com/"));
		assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "https://mydomain1.com/path"));
		assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "https://www.mydomain1.com/path"));
S
Make UriComponentsBuilder.fromOriginHeader() IPv6 compliant  
Sebastien Deleuze 已提交
130 131 

		// Handling of IPv6 hosts as described in SPR-13525
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
132 133 134 
		assertTrue(checkSameOrigin("http", "[::1]", -1, "http://[::1]"));
		assertTrue(checkSameOrigin("http", "[::1]", 8080, "http://[::1]:8080"));
		assertTrue(checkSameOrigin("http",
R
Fix lines over 120 characters  
Rossen Stoyanchev 已提交
135 136 
				"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1,
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
137 
		assertTrue(checkSameOrigin("http",
R
Fix lines over 120 characters  
Rossen Stoyanchev 已提交
138 139 
				"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080,
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
140 141 
		assertFalse(checkSameOrigin("http", "[::1]", -1, "http://[::1]:8080"));
		assertFalse(checkSameOrigin("http", "[::1]", 8080,
R
Fix lines over 120 characters  
Rossen Stoyanchev 已提交
142 
				"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
143 
	}
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
144
S
Refine forwarded protocol support  
sdeleuze 已提交
145 
	@Test  // SPR-16262
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
146 147 148 149 150 151 152 153 
	public void isSameOriginWithXForwardedHeaders() throws Exception {
		String server = "mydomain1.com";
		testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.com");
		testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.com");
		testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", -1, "https://mydomain2.com");
		testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", -1, "https://mydomain2.com");
		testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
		testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
S
Refine forwarded protocol support  
sdeleuze 已提交
154 155 156 
	}

	@Test  // SPR-16262
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
157 158 159 160 161 162 163 164 
	public void isSameOriginWithForwardedHeader() throws Exception {
		String server = "mydomain1.com";
		testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.com");
		testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.com");
		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com", "https://mydomain2.com");
		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com", "https://mydomain2.com");
		testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
		testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
S
Refine forwarded protocol support  
sdeleuze 已提交
165 166 
	}
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
167
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
168 169 170 171 172 173 174 
	private boolean checkValidOrigin(String serverName, int port, String originHeader, List<String> allowed) {
		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
		servletRequest.setServerName(serverName);
		if (port != -1) {
			servletRequest.setServerPort(port);
		}
S
Polishing  
sdeleuze 已提交
175 
		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
176 
		return WebUtils.isValidOrigin(request, allowed);
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
177 178 
	}
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
179 
	private boolean checkSameOrigin(String scheme, String serverName, int port, String originHeader) {
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
180 181 
		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
S
Check scheme in (WebUtils|CorsUtils)#isSameOrigin  
Sebastien Deleuze 已提交
182 
		servletRequest.setScheme(scheme);
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
183 184 185 186 
		servletRequest.setServerName(serverName);
		if (port != -1) {
			servletRequest.setServerPort(port);
		}
S
Polishing  
sdeleuze 已提交
187 
		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
188 
		return WebUtils.isSameOrigin(request);
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
189 190 
	}
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
191 192 193 194 195 
	private void testWithXForwardedHeaders(String serverName, int port, String forwardedProto,
			String forwardedHost, int forwardedPort, String originHeader) throws Exception {

		MockHttpServletRequest request = new MockHttpServletRequest();
		request.setServerName(serverName);
S
Refine forwarded protocol support  
sdeleuze 已提交
196 
		if (port != -1) {
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
197 
			request.setServerPort(port);
S
Refine forwarded protocol support  
sdeleuze 已提交
198 199 
		}
		if (forwardedProto != null) {
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
200 
			request.addHeader("X-Forwarded-Proto", forwardedProto);
S
Refine forwarded protocol support  
sdeleuze 已提交
201 202 
		}
		if (forwardedHost != null) {
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
203 
			request.addHeader("X-Forwarded-Host", forwardedHost);
S
Refine forwarded protocol support  
sdeleuze 已提交
204 205 
		}
		if (forwardedPort != -1) {
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
206 
			request.addHeader("X-Forwarded-Port", String.valueOf(forwardedPort));
S
Refine forwarded protocol support  
sdeleuze 已提交
207 
		}
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
208 209 210 211 212 213 
		request.addHeader(HttpHeaders.ORIGIN, originHeader);

		HttpServletRequest requestToUse = adaptFromForwardedHeaders(request);
		ServerHttpRequest httpRequest = new ServletServerHttpRequest(requestToUse);

		assertTrue(WebUtils.isSameOrigin(httpRequest));
S
Refine forwarded protocol support  
sdeleuze 已提交
214 215 
	}
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
216 217 218 219 220 
	private void testWithForwardedHeader(String serverName, int port, String forwardedHeader,
			String originHeader) throws Exception {

		MockHttpServletRequest request = new MockHttpServletRequest();
		request.setServerName(serverName);
S
Refine forwarded protocol support  
sdeleuze 已提交
221 
		if (port != -1) {
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
222 
			request.setServerPort(port);
S
Refine forwarded protocol support  
sdeleuze 已提交
223 
		}
R
Remove individual detection of forwarded headers  
Rossen Stoyanchev 已提交
224 225 226 227 228 229 230 231 232 233 234 235 236 237 
		request.addHeader("Forwarded", forwardedHeader);
		request.addHeader(HttpHeaders.ORIGIN, originHeader);

		HttpServletRequest requestToUse = adaptFromForwardedHeaders(request);
		ServerHttpRequest httpRequest = new ServletServerHttpRequest(requestToUse);

		assertTrue(WebUtils.isSameOrigin(httpRequest));
	}

	// SPR-16668
	private HttpServletRequest adaptFromForwardedHeaders(HttpServletRequest request) throws Exception {
		MockFilterChain chain = new MockFilterChain();
		new ForwardedHeaderFilter().doFilter(request, new MockHttpServletResponse(), chain);
		return (HttpServletRequest) chain.getRequest();
S
Refine forwarded protocol support  
sdeleuze 已提交
238 239 
	}
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
240 
}