Make DefaultCorsProcessor Servlet 2.5 compliant

This commit adds CORS related headers to HttpHeaders
and update DefaultCorsProcessor implementation to
use ServerHttpRequest and ServerHttpResponse instead
of HttpServletRequest and HttpServletResponse. Usage
of ServerHttpResponse allows to avoid using Servlet 3.0
specific methods in order keep CORS support Servlet 2.5
compliant.

Issue: SPR-12885

spring-web/src/main/java/org/springframework/http/HttpHeaders.java

@@ -86,6 +86,46 @@ public class HttpHeaders implements MultiValueMap<String, String>, Serializable
 	 * @see <a href="http://tools.ietf.org/html/rfc7233#section-2.3">Section 5.3.5 of RFC 7233</a>
 	 */
 	public static final String ACCEPT_RANGES = "Accept-Ranges";
+	/**
+	 * The CORS {@code Access-Control-Allow-Credentials} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
+	/**
+	 * The CORS {@code Access-Control-Allow-Headers} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
+	/**
+	 * The CORS {@code Access-Control-Allow-Methods} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
+	/**
+	 * The CORS {@code Access-Control-Allow-Origin} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
+	/**
+	 * The CORS {@code Access-Control-Expose-Headers} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
+	/**
+	 * The CORS {@code Access-Control-Max-Age} response header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
+	/**
+	 * The CORS {@code Access-Control-Request-Headers} request header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
+	/**
+	 * The CORS {@code Access-Control-Request-Method} request header field name.
+	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
+	 */
+	public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
 	/**
 	 * The HTTP {@code Age} header field name.
 	 * @see <a href="http://tools.ietf.org/html/rfc7234#section-5.1">Section 5.1 of RFC 7234</a>
@@ -390,6 +430,129 @@ public class HttpHeaders implements MultiValueMap<String, String>, Serializable
 		return result;
 	}
 
+	/**
+	 * Set the (new) value of the {@code Access-Control-Allow-Credentials} response header.
+	 */
+	public void setAccessControlAllowCredentials(boolean allowCredentials) {
+		set(ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.toString(allowCredentials));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Allow-Credentials} response header.
+	 */
+	public boolean getAccessControlAllowCredentials() {
+		return new Boolean(getFirst(ACCESS_CONTROL_ALLOW_CREDENTIALS));
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Allow-Headers} response header.
+	 */
+	public void setAccessControlAllowHeaders(List<String> allowedHeaders) {
+		set(ACCESS_CONTROL_ALLOW_HEADERS, toCommaDelimitedString(allowedHeaders));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Allow-Headers} response header.
+	 */
+	public List<String> getAccessControlAllowHeaders() {
+		return getFirstValueAsList(ACCESS_CONTROL_ALLOW_HEADERS);
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Allow-Methods} response header.
+	 */
+	public void setAccessControlAllowMethods(List<HttpMethod> allowedMethods) {
+		set(ACCESS_CONTROL_ALLOW_METHODS, StringUtils.collectionToCommaDelimitedString(allowedMethods));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Allow-Methods} response header.
+	 */
+	public List<HttpMethod> getAccessControlAllowMethods() {
+		List<HttpMethod> result = new ArrayList<HttpMethod>();
+		String value = getFirst(ACCESS_CONTROL_ALLOW_METHODS);
+		if (value != null) {
+			String[] tokens = value.split(",\\s*");
+			for (String token : tokens) {
+				result.add(HttpMethod.valueOf(token));
+			}
+		}
+		return result;
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Allow-Origin} response header.
+	 */
+	public void setAccessControlAllowOrigin(String allowedOrigin) {
+		set(ACCESS_CONTROL_ALLOW_ORIGIN, allowedOrigin);
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Allow-Origin} response header.
+	 */
+	public String getAccessControlAllowOrigin() {
+		return getFirst(ACCESS_CONTROL_ALLOW_ORIGIN);
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Expose-Headers} response header.
+	 */
+	public void setAccessControlExposeHeaders(List<String> exposedHeaders) {
+		set(ACCESS_CONTROL_EXPOSE_HEADERS, toCommaDelimitedString(exposedHeaders));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Expose-Headers} response header.
+	 */
+	public List<String> getAccessControlExposeHeaders() {
+		return getFirstValueAsList(ACCESS_CONTROL_EXPOSE_HEADERS);
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Max-Age} response header.
+	 */
+	public void setAccessControlMaxAge(long maxAge) {
+		set(ACCESS_CONTROL_MAX_AGE, Long.toString(maxAge));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Max-Age} response header.
+	 * <p>Returns -1 when the max age is unknown.
+	 */
+	public long getAccessControlMaxAge() {
+		String value = getFirst(ACCESS_CONTROL_MAX_AGE);
+		return (value != null ? Long.parseLong(value) : -1);
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Request-Headers} request header.
+	 */
+	public void setAccessControlRequestHeaders(List<String> requestHeaders) {
+		set(ACCESS_CONTROL_REQUEST_HEADERS, toCommaDelimitedString(requestHeaders));
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Request-Headers} request header.
+	 */
+	public List<String> getAccessControlRequestHeaders() {
+		return getFirstValueAsList(ACCESS_CONTROL_REQUEST_HEADERS);
+	}
+
+	/**
+	 * Set the (new) value of the {@code Access-Control-Request-Method} request header.
+	 */
+	public void setAccessControlRequestMethod(HttpMethod requestedMethod) {
+		set(ACCESS_CONTROL_REQUEST_METHOD, requestedMethod.name());
+	}
+
+	/**
+	 * Returns the value of the {@code Access-Control-Request-Method} request header.
+	 */
+	public HttpMethod getAccessControlRequestMethod() {
+		String value = getFirst(ACCESS_CONTROL_REQUEST_METHOD);
+		return (value != null ? HttpMethod.valueOf(value) : null);
+	}
+
 	/**
 	 * Set the list of acceptable {@linkplain Charset charsets},
 	 * as specified by the {@code Accept-Charset} header.

spring-web/src/main/java/org/springframework/web/cors/CorsProcessor.java

@@ -36,6 +36,7 @@ public interface CorsProcessor {
 	 * comply with the configuration it should be rejected.
 	 * If the request is valid and complies with the configuration, CORS headers
 	 * should be added to the response.
+	 * @return {@code false} if the request is rejected, else {@code true}.
 	 */
 	boolean processPreFlightRequest(CorsConfiguration conf, HttpServletRequest request,
 			HttpServletResponse response) throws IOException;
@@ -46,6 +47,7 @@ public interface CorsProcessor {
 	 * not comply with the configuration, it should be rejected.
 	 * If the request is valid and comply with the configuration, this method adds the related
 	 * CORS headers to the response.
+	 * @return {@code false} if the request is rejected, else {@code true}.
 	 */
 	boolean processActualRequest(CorsConfiguration conf, HttpServletRequest request,
 			HttpServletResponse response) throws IOException;

spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java

@@ -16,14 +16,10 @@
 
 package org.springframework.web.cors;
 
-import java.util.Arrays;
-import java.util.List;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
-import org.springframework.util.CollectionUtils;
 
 /**
  * Utility class for CORS request handling based on the
@@ -34,48 +30,6 @@ import org.springframework.util.CollectionUtils;
  */
 public class CorsUtils {
 
-	/**
-	 * The CORS {@code Access-Control-Request-Headers} request header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
-	/**
-	 * The CORS {@code Access-Control-Request-Method} request header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
-	/**
-	 * The CORS {@code Access-Control-Allow-Origin} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
-	/**
-	 * The CORS {@code Access-Control-Allow-Headers} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
-	/**
-	 * The CORS {@code Access-Control-Allow-Methods} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
-	/**
-	 * The CORS {@code Access-Control-Max-Age} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
-	/**
-	 * The CORS {@code Access-Control-Allow-Credentials} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
-	/**
-	 * The CORS {@code Access-Control-Expose-Headers} response header field name.
-	 * @see <a href="http://www.w3.org/TR/cors/">CORS W3C recommandation</a>
-	 */
-	public static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
-
-
 	/**
 	 * Returns {@code true} if the request is a valid CORS one.
 	 */

spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java

@@ -17,11 +17,11 @@
 package org.springframework.web.cors;
 
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
 import java.util.List;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -30,9 +30,12 @@ import org.apache.commons.logging.LogFactory;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.util.Assert;
-import org.springframework.util.CollectionUtils;
-import org.springframework.util.StringUtils;
 
 /**
  * Default implementation of {@link CorsProcessor}, as defined by the
@@ -43,6 +46,9 @@ import org.springframework.util.StringUtils;
  */
 public class DefaultCorsProcessor implements CorsProcessor {
 
+	private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
+
+
 	protected final Log logger = LogFactory.getLog(getClass());
 
 
@@ -50,53 +56,74 @@ public class DefaultCorsProcessor implements CorsProcessor {
 	public boolean processPreFlightRequest(CorsConfiguration config, HttpServletRequest request,
 			HttpServletResponse response) throws IOException {
 
-		Assert.isTrue(CorsUtils.isPreFlightRequest(request));
+		ServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		ServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
+		boolean isPreFlight = CorsUtils.isPreFlightRequest(request);
+		Assert.isTrue(isPreFlight);
+		if (skip(serverResponse)) {
+			return true;
+		}
 
-		if (check(request, response, config)) {
-			setAllowOrigin(request, response, config.getAllowedOrigins(), config.isAllowCredentials());
-			setAllowCredentials(response, config.isAllowCredentials());
-			setAllowMethods(request, response, config.getAllowedMethods());
-			setAllowHeadersHeader(request, response, config.getAllowedHeaders());
-			setMaxAgeHeader(response, config.getMaxAge());
+		if (check(serverRequest, serverResponse, config, isPreFlight)) {
+			setAllowOrigin(serverRequest, serverResponse, config.getAllowedOrigins(), config.isAllowCredentials());
+			setAllowCredentials(serverResponse, config.isAllowCredentials());
+			setAllowMethods(serverRequest, serverResponse, config.getAllowedMethods());
+			setAllowHeadersHeader(serverRequest, serverResponse, config.getAllowedHeaders());
+			setMaxAgeHeader(serverResponse, config.getMaxAge());
+			serverResponse.close();
+			return true;
 		}
-		return true;
+		return false;
 	}
 
 	@Override
 	public boolean processActualRequest(CorsConfiguration config, HttpServletRequest request,
 			HttpServletResponse response) throws IOException {
 
-		Assert.isTrue(CorsUtils.isCorsRequest(request) && !CorsUtils.isPreFlightRequest(request));
+		ServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
+		ServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
+		boolean isPreFlight = CorsUtils.isPreFlightRequest(request);
+		Assert.isTrue(CorsUtils.isCorsRequest(request) && !isPreFlight);
+		if (skip(serverResponse)) {
+			return true;
+		}
 
-		if (check(request, response, config)) {
-			setAllowOrigin(request, response, config.getAllowedOrigins(), config.isAllowCredentials());
-			setAllowCredentials(response, config.isAllowCredentials());
-			setExposeHeadersHeader(response, config.getExposedHeaders());
+		if (check(serverRequest, serverResponse, config, isPreFlight)) {
+			setAllowOrigin(serverRequest, serverResponse, config.getAllowedOrigins(), config.isAllowCredentials());
+			setAllowCredentials(serverResponse, config.isAllowCredentials());
+			setExposeHeadersHeader(serverResponse, config.getExposedHeaders());
+			serverResponse.close();
+			return true;
 		}
-		return true;
+		return false;
 	}
 
-	private boolean check(HttpServletRequest request, HttpServletResponse response,
-			CorsConfiguration config) throws IOException {
-
+	private boolean skip(ServerHttpResponse response) {
 		if (hasAllowOriginHeader(response)) {
 			logger.debug("Skip adding CORS headers, response already contains \"Access-Control-Allow-Origin\"");
-			return false;
+			return true;
 		}
-		if (!checkOrigin(request, config.getAllowedOrigins()) || !checkMethod(request, config.getAllowedMethods()) ||
-				!checkHeaders(request, config.getAllowedHeaders())) {
-			response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CORS request");
+		return false;
+	}
+
+	private boolean check(ServerHttpRequest request, ServerHttpResponse response,
+			CorsConfiguration config, boolean isPreFlight) throws IOException {
+
+		if (!checkOrigin(request, config.getAllowedOrigins()) ||
+				!checkMethod(request, config.getAllowedMethods(), isPreFlight) ||
+				!checkHeaders(request, config.getAllowedHeaders(), isPreFlight)) {
+			response.setStatusCode(HttpStatus.FORBIDDEN);
+			response.getBody().write("Invalid CORS request".getBytes(UTF8_CHARSET));
 			return false;
 		}
 		return true;
 	}
 
-	private boolean hasAllowOriginHeader(HttpServletResponse response) {
+	private boolean hasAllowOriginHeader(ServerHttpResponse response) {
 		boolean hasCorsResponseHeaders = false;
 		try {
 			// Perhaps a CORS Filter has already added this?
-			Collection<String> headers = response.getHeaders(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN);
-			hasCorsResponseHeaders = !CollectionUtils.isEmpty(headers);
+			hasCorsResponseHeaders = response.getHeaders().getAccessControlAllowOrigin() != null;
 		}
 		catch (NullPointerException npe) {
 			// See SPR-11919 and https://issues.jboss.org/browse/WFLY-3474
@@ -104,8 +131,8 @@ public class DefaultCorsProcessor implements CorsProcessor {
 		return hasCorsResponseHeaders;
 	}
 
-	private boolean checkOrigin(HttpServletRequest request, List<String> allowedOrigins) {
-		String originHeader = request.getHeader(HttpHeaders.ORIGIN);
+	private boolean checkOrigin(ServerHttpRequest request, List<String> allowedOrigins) {
+		String originHeader = request.getHeaders().getOrigin();
 		if (originHeader == null || allowedOrigins == null) {
 			return false;
 		}
@@ -120,9 +147,10 @@ public class DefaultCorsProcessor implements CorsProcessor {
 		return false;
 	}
 
-	private boolean checkMethod(HttpServletRequest request, List<String> allowedMethods) {
-		String requestMethod = CorsUtils.isPreFlightRequest(request) ?
-				request.getHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD) : request.getMethod();
+	private boolean checkMethod(ServerHttpRequest request, List<String> allowedMethods, boolean isPreFlight) {
+		HttpMethod requestMethod = isPreFlight ?
+				request.getHeaders().getAccessControlRequestMethod() :
+				request.getMethod();
 		if (allowedMethods == null) {
 			allowedMethods = Arrays.asList(HttpMethod.GET.name());
 		}
@@ -130,18 +158,16 @@ public class DefaultCorsProcessor implements CorsProcessor {
 			return true;
 		}
 		for (String allowedMethod : allowedMethods) {
-			if (allowedMethod.equalsIgnoreCase(requestMethod)) {
+			if (allowedMethod.equalsIgnoreCase(requestMethod.name())) {
 				return true;
 			}
 		}
 		return false;
 	}
 
-	private boolean checkHeaders(HttpServletRequest request, List<String> allowedHeaders) {
-		String headerValue = request.getHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS);
-		String[] requestHeaders = CorsUtils.isPreFlightRequest(request) ?
-				StringUtils.commaDelimitedListToStringArray(headerValue) :
-				Collections.list(request.getHeaderNames()).toArray(new String[0]);
+	private boolean checkHeaders(ServerHttpRequest request, List<String> allowedHeaders, boolean isPreFlight) {
+		List<String> requestHeaders = isPreFlight ? request.getHeaders().getAccessControlRequestHeaders() :
+				new ArrayList<String>(request.getHeaders().keySet());
 		if ((allowedHeaders != null) && allowedHeaders.contains("*")) {
 			return true;
 		}
@@ -165,38 +191,41 @@ public class DefaultCorsProcessor implements CorsProcessor {
 		return true;
 	}
 
-	private void setAllowOrigin(HttpServletRequest request, HttpServletResponse response,
+	private void setAllowOrigin(ServerHttpRequest request, ServerHttpResponse response,
 			List<String> allowedOrigins, Boolean allowCredentials) {
 
-		String origin = request.getHeader(HttpHeaders.ORIGIN);
+		String origin = request.getHeaders().getOrigin();
 		if (allowedOrigins.contains("*") && (allowCredentials == null || !allowCredentials)) {
-			response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
+			response.getHeaders().setAccessControlAllowOrigin("*");
 			return;
 		}
-		response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
-		response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
+		response.getHeaders().setAccessControlAllowOrigin(origin);
+		response.getHeaders().add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
 	}
 
-	private void setAllowMethods(HttpServletRequest request, HttpServletResponse response,
+	private void setAllowMethods(ServerHttpRequest request, ServerHttpResponse response,
 			List<String> allowedMethods) {
 
 		if (allowedMethods == null) {
 			allowedMethods = Arrays.asList(HttpMethod.GET.name());
 		}
 		if (allowedMethods.contains("*")) {
-			String headerValue = request.getHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD);
-			response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS, headerValue);
+			HttpMethod method = request.getHeaders().getAccessControlRequestMethod();
+			response.getHeaders().setAccessControlAllowMethods(Arrays.asList(method));
 		}
 		else {
-			String headerValue = StringUtils.collectionToCommaDelimitedString(allowedMethods);
-			response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS, headerValue);
+			List<HttpMethod> methods = new ArrayList<HttpMethod>();
+			for (String method : allowedMethods) {
+				methods.add(HttpMethod.valueOf(method));
+			}
+			response.getHeaders().setAccessControlAllowMethods(methods);
 		}
 	}
 
-	private void setAllowHeadersHeader(HttpServletRequest request, HttpServletResponse response, List<String> allowedHeaders) {
+	private void setAllowHeadersHeader(ServerHttpRequest request, ServerHttpResponse response,
+			List<String> allowedHeaders) {
 		if ((allowedHeaders != null) && !allowedHeaders.isEmpty()) {
-			String headerValue = request.getHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS);
-			String[] requestHeaders = StringUtils.commaDelimitedListToStringArray(headerValue);
+			List<String> requestHeaders = request.getHeaders().getAccessControlRequestHeaders();
 			boolean matchAll = allowedHeaders.contains("*");
 			List<String> matchingHeaders = new ArrayList<String>();
 			for (String requestHeader : requestHeaders) {
@@ -209,28 +238,26 @@ public class DefaultCorsProcessor implements CorsProcessor {
 				}
 			}
 			if (!matchingHeaders.isEmpty()) {
-				response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS,
-						StringUtils.collectionToCommaDelimitedString(matchingHeaders));
+				response.getHeaders().setAccessControlAllowHeaders(matchingHeaders);
 			}
 		}
 	}
 
-	private void setExposeHeadersHeader(HttpServletResponse response, List<String> exposedHeaders) {
+	private void setExposeHeadersHeader(ServerHttpResponse response, List<String> exposedHeaders) {
 		if ((exposedHeaders != null) && !exposedHeaders.isEmpty()) {
-			response.addHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS,
-					StringUtils.collectionToCommaDelimitedString(exposedHeaders));
+			response.getHeaders().setAccessControlExposeHeaders(exposedHeaders);
 		}
 	}
 
-	private void setAllowCredentials(HttpServletResponse response, Boolean allowCredentials) {
+	private void setAllowCredentials(ServerHttpResponse response, Boolean allowCredentials) {
 		if ((allowCredentials != null) && allowCredentials) {
-			response.addHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
+			response.getHeaders().setAccessControlAllowCredentials(allowCredentials);
 		}
 	}
 
-	private void setMaxAgeHeader(HttpServletResponse response, Long maxAge) {
+	private void setMaxAgeHeader(ServerHttpResponse response, Long maxAge) {
 		if (maxAge != null) {
-			response.addHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE, maxAge.toString());
+			response.getHeaders().setAccessControlMaxAge(maxAge);
 		}
 	}
 

spring-web/src/test/java/org/springframework/http/HttpHeadersTests.java

@@ -32,12 +32,16 @@ import java.util.TimeZone;
 import org.hamcrest.Matchers;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
 import org.junit.Before;
 import org.junit.Test;
 
 /**
  * Unit tests for {@link org.springframework.http.HttpHeaders}.
  * @author Arjen Poutsma
+ * @author Sebastien Deleuze
  */
 public class HttpHeadersTests {
 
@@ -267,4 +271,70 @@ public class HttpHeadersTests {
 		assertThat(headers.getAllow(), Matchers.emptyCollectionOf(HttpMethod.class));
 	}
 
+	@Test
+	public void accessControlAllowCredentials() {
+		assertFalse(headers.getAccessControlAllowCredentials());
+		headers.setAccessControlAllowCredentials(false);
+		assertFalse(headers.getAccessControlAllowCredentials());
+		headers.setAccessControlAllowCredentials(true);
+		assertTrue(headers.getAccessControlAllowCredentials());
+	}
+
+	@Test
+	public void accessControlAllowHeaders() {
+		List<String> allowedHeaders = headers.getAccessControlAllowHeaders();
+		assertThat(allowedHeaders, Matchers.emptyCollectionOf(String.class));
+		headers.setAccessControlAllowHeaders(Arrays.asList("header1", "header2"));
+		allowedHeaders = headers.getAccessControlAllowHeaders();
+		assertEquals(allowedHeaders, Arrays.asList("header1", "header2"));
+	}
+
+	@Test
+	public void accessControlAllowMethods() {
+		List<HttpMethod> allowedMethods = headers.getAccessControlAllowMethods();
+		assertThat(allowedMethods, Matchers.emptyCollectionOf(HttpMethod.class));
+		headers.setAccessControlAllowMethods(Arrays.asList(HttpMethod.GET, HttpMethod.POST));
+		allowedMethods = headers.getAccessControlAllowMethods();
+		assertEquals(allowedMethods, Arrays.asList(HttpMethod.GET, HttpMethod.POST));
+	}
+
+	@Test
+	public void accessControlAllowOrigin() {
+		assertNull(headers.getAccessControlAllowOrigin());
+		headers.setAccessControlAllowOrigin("*");
+		assertEquals("*", headers.getAccessControlAllowOrigin());
+	}
+
+	@Test
+	public void accessControlExposeHeaders() {
+		List<String> exposedHeaders = headers.getAccessControlExposeHeaders();
+		assertThat(exposedHeaders, Matchers.emptyCollectionOf(String.class));
+		headers.setAccessControlExposeHeaders(Arrays.asList("header1", "header2"));
+		exposedHeaders = headers.getAccessControlExposeHeaders();
+		assertEquals(exposedHeaders, Arrays.asList("header1", "header2"));
+	}
+
+	@Test
+	public void accessControlMaxAge() {
+		assertEquals(-1, headers.getAccessControlMaxAge());
+		headers.setAccessControlMaxAge(3600);
+		assertEquals(3600, headers.getAccessControlMaxAge());
+	}
+
+	@Test
+	public void accessControlRequestHeaders() {
+		List<String> requestHeaders = headers.getAccessControlRequestHeaders();
+		assertThat(requestHeaders, Matchers.emptyCollectionOf(String.class));
+		headers.setAccessControlRequestHeaders(Arrays.asList("header1", "header2"));
+		requestHeaders = headers.getAccessControlRequestHeaders();
+		assertEquals(requestHeaders, Arrays.asList("header1", "header2"));
+	}
+
+	@Test
+	public void accessControlRequestMethod() {
+		assertNull(headers.getAccessControlRequestMethod());
+		headers.setAccessControlRequestMethod(HttpMethod.POST);
+		assertEquals(HttpMethod.POST, headers.getAccessControlRequestMethod());
+	}
+
 }

spring-web/src/test/java/org/springframework/web/cors/CorsUtilsTests.java

@@ -48,7 +48,7 @@ public class CorsUtilsTests {
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		request.setMethod("OPTIONS");
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
-		request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertTrue(CorsUtils.isPreFlightRequest(request));
 	}
 
@@ -62,7 +62,7 @@ public class CorsUtilsTests {
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 
 		request = new MockHttpServletRequest();
-		request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 	}
 

spring-web/src/test/java/org/springframework/web/cors/DefaultCorsProcessorTests.java

@@ -62,7 +62,7 @@ public class DefaultCorsProcessorTests {
 		this.request.setMethod(HttpMethod.GET.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
 		this.processor.processActualRequest(this.conf, request, response);
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
 	}
 
@@ -72,10 +72,10 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
 		this.conf.addAllowedOrigin("*");
 		this.processor.processActualRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -88,10 +88,10 @@ public class DefaultCorsProcessorTests {
 		this.conf.addAllowedOrigin("http://domain2.com/logout.html");
 		this.conf.setAllowCredentials(true);
 		this.processor.processActualRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -102,10 +102,10 @@ public class DefaultCorsProcessorTests {
 		this.conf.addAllowedOrigin("*");
 		this.conf.setAllowCredentials(true);
 		this.processor.processActualRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -115,7 +115,7 @@ public class DefaultCorsProcessorTests {
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
 		this.conf.addAllowedOrigin("http://domain2.com/TEST.html");
 		this.processor.processActualRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -127,11 +127,11 @@ public class DefaultCorsProcessorTests {
 		this.conf.addExposedHeader("header2");
 		this.conf.addAllowedOrigin("http://domain2.com/test.html");
 		this.processor.processActualRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -139,7 +139,7 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestAllOriginsAllowed() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
 		this.processor.processPreFlightRequest(this.conf, request, response);
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
@@ -149,7 +149,7 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestWrongAllowedMethod() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE");
 		this.conf.addAllowedOrigin("*");
 		this.processor.processPreFlightRequest(this.conf, request, response);
 		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
@@ -159,17 +159,17 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestMatchedAllowedMethod() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
 		this.processor.processPreFlightRequest(this.conf, request, response);
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
-		assertEquals("GET", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
+		assertEquals("GET", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 	}
 
 	@Test(expected = IllegalArgumentException.class)
 	public void preflightRequestWithoutOriginHeader() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.processor.processPreFlightRequest(this.conf, request, response);
 	}
 
@@ -178,7 +178,7 @@ public class DefaultCorsProcessorTests {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
 	}
 
@@ -186,9 +186,9 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestWithoutRequestMethod() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
 	}
 
@@ -196,10 +196,10 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
 	}
 
@@ -207,19 +207,19 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestValidRequestAndConfig() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("*");
 		this.conf.addAllowedMethod("GET");
 		this.conf.addAllowedMethod("PUT");
 		this.conf.addAllowedHeader("header1");
 		this.conf.addAllowedHeader("header2");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("*", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
-		assertEquals("GET,PUT", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_METHODS));
-		assertFalse(response.containsHeader(CorsUtils.ACCESS_CONTROL_MAX_AGE));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("*", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
+		assertEquals("GET,PUT", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
+		assertFalse(response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -227,18 +227,18 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestCrendentials() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("http://domain2.com/home.html");
 		this.conf.addAllowedOrigin("http://domain2.com/test.html");
 		this.conf.addAllowedOrigin("http://domain2.com/logout.html");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
-		assertEquals("true", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -246,16 +246,16 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestCrendentialsWithOriginWildcard() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedOrigin("http://domain2.com/home.html");
 		this.conf.addAllowedOrigin("*");
 		this.conf.addAllowedOrigin("http://domain2.com/logout.html");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.setAllowCredentials(true);
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertEquals("http://domain2.com/test.html", response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("http://domain2.com/test.html", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -263,18 +263,18 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestAllowedHeaders() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedHeader("Header1");
 		this.conf.addAllowedHeader("Header2");
 		this.conf.addAllowedHeader("Header3");
 		this.conf.addAllowedOrigin("http://domain2.com/test.html");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
-		assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
+		assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 
@@ -282,16 +282,16 @@ public class DefaultCorsProcessorTests {
 	public void preflightRequestAllowsAllHeaders() throws Exception {
 		this.request.setMethod(HttpMethod.OPTIONS.name());
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.conf.addAllowedHeader("*");
 		this.conf.addAllowedOrigin("http://domain2.com/test.html");
 		this.processor.processPreFlightRequest(this.conf, request, response);
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertTrue(response.containsHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
-		assertTrue(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
-		assertFalse(response.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertTrue(response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
+		assertTrue(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
+		assertFalse(response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
 		assertEquals(HttpServletResponse.SC_OK, response.getStatus());
 	}
 

spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfo.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.util.PathMatcher;
 import org.springframework.util.StringUtils;
 import org.springframework.web.accept.ContentNegotiationManager;
@@ -245,7 +246,7 @@ public final class RequestMappingInfo implements RequestCondition<RequestMapping
 	 * HTTP method specified in a CORS pre-flight request.
 	 */
 	private RequestMethodsRequestCondition getAccessControlRequestMethodCondition(HttpServletRequest request) {
-		String expectedMethod = request.getHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD);
+		String expectedMethod = request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
 		if (StringUtils.hasText(expectedMethod)) {
 			for (RequestMethod method : getMethodsCondition().getMethods()) {
 				if (expectedMethod.equalsIgnoreCase(method.name())) {

spring-webmvc/src/test/java/org/springframework/web/servlet/handler/CorsAbstractHandlerMappingTests.java

@@ -66,7 +66,7 @@ public class CorsAbstractHandlerMappingTests {
 		this.request.setMethod(RequestMethod.GET.name());
 		this.request.setRequestURI("/notcors");
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
 		assertTrue(chain.getHandler() instanceof SimpleHandler);
 	}
@@ -76,7 +76,7 @@ public class CorsAbstractHandlerMappingTests {
 		this.request.setMethod(RequestMethod.OPTIONS.name());
 		this.request.setRequestURI("/notcors");
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
 		assertTrue(chain.getHandler() instanceof SimpleHandler);
 	}
@@ -86,7 +86,7 @@ public class CorsAbstractHandlerMappingTests {
 		this.request.setMethod(RequestMethod.GET.name());
 		this.request.setRequestURI("/cors");
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
 		assertTrue(chain.getHandler() instanceof CorsAwareHandler);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
@@ -99,7 +99,7 @@ public class CorsAbstractHandlerMappingTests {
 		this.request.setMethod(RequestMethod.OPTIONS.name());
 		this.request.setRequestURI("/cors");
 		this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com/test.html");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		HandlerExecutionChain chain = handlerMapping.getHandler(this.request);
 		assertNotNull(chain.getHandler());
 		assertTrue(chain.getHandler().getClass().getSimpleName().equals("PreFlightHandler"));

spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoTests.java

@@ -25,7 +25,6 @@ import org.junit.Test;
 import org.springframework.http.HttpHeaders;
 import org.springframework.mock.web.test.MockHttpServletRequest;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
 import org.springframework.web.servlet.mvc.condition.HeadersRequestCondition;
 import org.springframework.web.servlet.mvc.condition.ParamsRequestCondition;
@@ -321,7 +320,7 @@ public class RequestMappingInfoTests {
 	public void preFlightRequest() {
 		MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/foo");
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
-		request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "POST");
+		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST");
 
 		RequestMappingInfo info = new RequestMappingInfo(
 				new PatternsRequestCondition("/foo"), new RequestMethodsRequestCondition(RequestMethod.POST), null,

spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java

@@ -32,7 +32,6 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.servlet.HandlerExecutionChain;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition;
@@ -138,7 +137,7 @@ public class CrossOriginTests {
 	public void preFlightRequest() throws Exception {
 		this.handlerMapping.registerHandler(new MethodLevelController());
 		this.request.setMethod("OPTIONS");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.request.setRequestURI("/default");
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);
@@ -155,8 +154,8 @@ public class CrossOriginTests {
 	public void ambiguousHeaderPreFlightRequest() throws Exception {
 		this.handlerMapping.registerHandler(new MethodLevelController());
 		this.request.setMethod("OPTIONS");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "header1");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "header1");
 		this.request.setRequestURI("/ambiguous-header");
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);
@@ -173,7 +172,7 @@ public class CrossOriginTests {
 	public void ambiguousProducesPreFlightRequest() throws Exception {
 		this.handlerMapping.registerHandler(new MethodLevelController());
 		this.request.setMethod("OPTIONS");
-		this.request.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		this.request.setRequestURI("/ambiguous-produces");
 		HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, true);

spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java

@@ -33,7 +33,6 @@ import org.springframework.http.server.ServerHttpResponse;
 import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
-import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.socket.AbstractHttpRequestTests;
 import org.springframework.web.socket.WebSocketHandler;
 import org.springframework.web.socket.sockjs.SockJsException;
@@ -87,8 +86,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 
 		assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
 		assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL));
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 		assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
 
 		String body = this.servletResponse.getContentAsString();
@@ -106,8 +105,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 
 		this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
 		resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 		assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
 	}
 
@@ -137,11 +136,11 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 	public void handleInfoGetCorsFilter() throws Exception {
 
 		// Simulate scenario where Filter would have already set CORS headers
-		this.servletResponse.setHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN, "foobar:123");
+		this.servletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "foobar:123");
 
 		handleRequest("GET", "/echo/info", HttpStatus.OK);
 
-		assertEquals("foobar:123", this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertEquals("foobar:123", this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 	}
 
 	@Test  // SPR-11919
@@ -149,7 +148,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 	public void handleInfoGetWildflyNPE() throws Exception {
 		HttpServletResponse mockResponse = mock(HttpServletResponse.class);
 		ServletOutputStream ous = mock(ServletOutputStream.class);
-		given(mockResponse.getHeaders(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN)).willThrow(NullPointerException.class);
+		given(mockResponse.getHeaders(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).willThrow(NullPointerException.class);
 		given(mockResponse.getOutputStream()).willReturn(ous);
 		this.response = new ServletServerHttpResponse(mockResponse);
 
@@ -160,7 +159,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 
 	@Test  // SPR-12660
 	public void handleInfoOptions() throws Exception {
-		this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
+		this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
 		resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
 		assertNull(this.service.getCorsConfiguration(this.servletRequest));
 
@@ -173,8 +172,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 	public void handleInfoOptionsWithOrigin() throws Exception {
 		this.servletRequest.setServerName("mydomain2.com");
 		this.servletRequest.addHeader(HttpHeaders.ORIGIN, "http://mydomain2.com");
-		this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_METHOD, "GET");
-		this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
+		this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
 		resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
 		assertNotNull(this.service.getCorsConfiguration(this.servletRequest));
 
@@ -196,7 +195,7 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
 		this.service.setAllowedOrigins(Arrays.asList("*"));
 		this.service.setSuppressCors(true);
 
-		this.servletRequest.addHeader(CorsUtils.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
+		this.servletRequest.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Last-Modified");
 		resetResponseAndHandleRequest("OPTIONS", "/echo/info", HttpStatus.NO_CONTENT);
 		assertNull(this.service.getCorsConfiguration(this.servletRequest));
 

spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java

@@ -31,7 +31,6 @@ import org.mockito.MockitoAnnotations;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.scheduling.TaskScheduler;
-import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.socket.AbstractHttpRequestTests;
 import org.springframework.web.socket.WebSocketHandler;
 import org.springframework.web.socket.handler.TestPrincipal;
@@ -149,8 +148,8 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
 		verify(taskScheduler).scheduleAtFixedRate(any(Runnable.class), eq(service.getDisconnectDelay()));
 
 		assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.response.getHeaders().getCacheControl());
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_ORIGIN));
-		assertNull(this.servletResponse.getHeader(CorsUtils.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+		assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 	}
 
 	@Test  // SPR-12226