Introduce test for invalid @CrossOrigin.allowCredentials()

72b44af8 · Sam Brannen · 891d41c0 · 72b44af8 · 72b44af8
2 changed file
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
@@ -328,15 +328,17 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
 		for (String header : annotation.exposedHeaders()) {
 			config.addExposedHeader(header);
 		}
-		if (annotation.allowCredentials().equalsIgnoreCase("true")) {
+
+		String allowCredentials = annotation.allowCredentials();
+		if ("true".equalsIgnoreCase(allowCredentials)) {
 			config.setAllowCredentials(true);
 		}
-		else if (annotation.allowCredentials().equalsIgnoreCase("false")) {
+		else if ("false".equalsIgnoreCase(allowCredentials)) {
 			config.setAllowCredentials(false);
 		}
-		else if (!annotation.allowCredentials().isEmpty()) {
-			throw new IllegalStateException("AllowCredentials value must be \"true\", \"false\" " +
-					"or \"\" (empty string), current value is " + annotation.allowCredentials());
+		else if (!allowCredentials.isEmpty()) {
+			throw new IllegalStateException("@CrossOrigin's allowCredentials value must be \"true\", \"false\", "
+					+ "or an empty string (\"\"); current value is [" + allowCredentials + "].");
 		}
 		if (annotation.maxAge() != -1 && config.getMaxAge() == null) {
 			config.setMaxAge(annotation.maxAge());

--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java
@@ -18,21 +18,22 @@ package org.springframework.web.servlet.mvc.method.annotation;

 import java.lang.reflect.Method;

-import static org.junit.Assert.*;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;

 import org.springframework.beans.DirectFieldAccessor;
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.http.HttpHeaders;
-import org.springframework.util.CollectionUtils;
-import org.springframework.web.context.support.StaticWebApplicationContext;
-import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.mock.web.test.MockHttpServletRequest;
 import org.springframework.stereotype.Controller;
+import org.springframework.util.CollectionUtils;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.context.support.StaticWebApplicationContext;
+import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.servlet.HandlerExecutionChain;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
@@ -43,17 +44,24 @@ import org.springframework.web.servlet.mvc.condition.ProducesRequestCondition;
 import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
 import org.springframework.web.servlet.mvc.method.RequestMappingInfo;

+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.*;
+
 /**
 * Test fixture for {@link CrossOrigin @CrossOrigin} annotated methods.
 *
 * @author Sebastien Deleuze
+ * @author Sam Brannen
 */
-@SuppressWarnings("unchecked")
 public class CrossOriginTests {

 	private TestRequestMappingInfoHandlerMapping handlerMapping;
 	private MockHttpServletRequest request;

+	@Rule
+	public ExpectedException exception = ExpectedException.none();
+
+
 	@Before
 	public void setUp() {
 		this.handlerMapping = new TestRequestMappingInfoHandlerMapping();
@@ -123,6 +131,14 @@ public class CrossOriginTests {
 		assertEquals(false, config.getAllowCredentials());
 	}

+	@Test
+	public void bogusAllowCredentialsValue() throws Exception {
+		exception.expect(IllegalStateException.class);
+		exception.expectMessage(containsString("@CrossOrigin's allowCredentials"));
+		exception.expectMessage(containsString("current value is [bogus]"));
+		this.handlerMapping.registerHandler(new MethodLevelControllerWithBogusAllowCredentialsValue());
+	}
+
 	@Test
 	public void classLevel() throws Exception {
 		this.handlerMapping.registerHandler(new ClassLevelController());
@@ -218,59 +234,67 @@ public class CrossOriginTests {
 	@Controller
 	private static class MethodLevelController {

-		@RequestMapping(value = "/no", method = RequestMethod.GET)
+		@RequestMapping(path = "/no", method = RequestMethod.GET)
 		public void noAnnotation() {
 		}

-		@RequestMapping(value = "/no", method = RequestMethod.POST)
+		@RequestMapping(path = "/no", method = RequestMethod.POST)
 		public void noAnnotationPost() {
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/default", method = RequestMethod.GET)
+		@RequestMapping(path = "/default", method = RequestMethod.GET)
 		public void defaultAnnotation() {
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/default", method = RequestMethod.GET, params = "q")
+		@RequestMapping(path = "/default", method = RequestMethod.GET, params = "q")
 		public void defaultAnnotationWithParams() {
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=a")
+		@RequestMapping(path = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=a")
 		public void ambigousHeader1a() {
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=b")
+		@RequestMapping(path = "/ambiguous-header", method = RequestMethod.GET, headers = "header1=b")
 		public void ambigousHeader1b() {
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/xml")
+		@RequestMapping(path = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/xml")
 		public String ambigousProducesXml() {
 			return "<a></a>";
 		}

 		@CrossOrigin
-		@RequestMapping(value = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/json")
+		@RequestMapping(path = "/ambiguous-produces", method = RequestMethod.GET, produces = "application/json")
 		public String ambigousProducesJson() {
 			return "{}";
 		}

 		@CrossOrigin(origin = { "http://site1.com", "http://site2.com" }, allowedHeaders = { "header1", "header2" },
 				exposedHeaders = { "header3", "header4" }, method = RequestMethod.DELETE, maxAge = 123, allowCredentials = "false")
-		@RequestMapping(value = "/customized", method = { RequestMethod.GET, RequestMethod.POST } )
+		@RequestMapping(path = "/customized", method = { RequestMethod.GET, RequestMethod.POST })
 		public void customized() {
 		}
+	}
+
+	@Controller
+	private static class MethodLevelControllerWithBogusAllowCredentialsValue {

+		@CrossOrigin(allowCredentials = "bogus")
+		@RequestMapping("/bogus")
+		public void bogusAllowCredentialsValue() {
+		}
 	}

 	@Controller
 	@CrossOrigin
 	private static class ClassLevelController {

-		@RequestMapping(value = "/foo", method = RequestMethod.GET)
+		@RequestMapping(path = "/foo", method = RequestMethod.GET)
 		public void foo() {
 		}
 	}