Polishing contribution

rstoyanchev · rstoyanchev · commit 9beca064047b · 2020-11-18T20:25:39.000Z
See gh-26108
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/SockJsServiceRegistration.java b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/SockJsServiceRegistration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/StompWebSocketEndpointRegistration.java b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/StompWebSocketEndpointRegistration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -62,9 +62,11 @@ public interface StompWebSocketEndpointRegistration {
 	StompWebSocketEndpointRegistration setAllowedOrigins(String... origins);
 
 	/**
-	 * Configure allowed {@code Origin} header values.
-	 *
-	 * @see org.springframework.web.cors.CorsConfiguration#setAllowedOriginPatterns(java.util.List)
+	 * A variant of {@link #setAllowedOrigins(String...)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * @since 5.3.2
 	 */
 	StompWebSocketEndpointRegistration setAllowedOriginPatterns(String... originPatterns);
 
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebMvcStompWebSocketEndpointRegistration.java b/spring-websocket/src/main/java/org/springframework/web/socket/config/annotation/WebMvcStompWebSocketEndpointRegistration.java
@@ -132,13 +132,11 @@ public SockJsServiceRegistration withSockJS() {
 	protected HandshakeInterceptor[] getInterceptors() {
 		List<HandshakeInterceptor> interceptors = new ArrayList<>(this.interceptors.size() + 1);
 		interceptors.addAll(this.interceptors);
-		OriginHandshakeInterceptor originHandshakeInterceptor = new OriginHandshakeInterceptor(this.allowedOrigins);
-		interceptors.add(originHandshakeInterceptor);
-
+		OriginHandshakeInterceptor interceptor = new OriginHandshakeInterceptor(this.allowedOrigins);
+		interceptors.add(interceptor);
 		if (!ObjectUtils.isEmpty(this.allowedOriginPatterns)) {
-			originHandshakeInterceptor.setAllowedOriginPatterns(this.allowedOriginPatterns);
+			interceptor.setAllowedOriginPatterns(this.allowedOriginPatterns);
 		}
-
 		return interceptors.toArray(new HandshakeInterceptor[0]);
 	}
 
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java b/spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -82,18 +82,19 @@ public void setAllowedOrigins(Collection<String> allowedOrigins) {
 	/**
 	 * Return the allowed {@code Origin} header values.
 	 * @since 4.1.5
-	 * @see #setAllowedOrigins
 	 */
 	public Collection<String> getAllowedOrigins() {
-		if (this.corsConfiguration.getAllowedOrigins() == null) {
-			return Collections.emptyList();
-		}
-		return Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOrigins()));
+		return (this.corsConfiguration.getAllowedOrigins() != null ?
+				Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOrigins())) :
+				Collections.emptyList());
 	}
 
 	/**
-	 * Configure allowed {@code Origin} pattern header values.
-	 *
+	 * A variant of {@link #setAllowedOrigins(Collection)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * @since 5.3.2
 	 * @see CorsConfiguration#setAllowedOriginPatterns(List)
 	 */
 	public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns) {
@@ -108,18 +109,18 @@ public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns) {
 	 * @see CorsConfiguration#getAllowedOriginPatterns()
 	 */
 	public Collection<String> getAllowedOriginPatterns() {
-		if (this.corsConfiguration.getAllowedOriginPatterns() == null) {
-			return Collections.emptyList();
-		}
-		return Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOriginPatterns()));
+		return (this.corsConfiguration.getAllowedOriginPatterns() != null ?
+				Collections.unmodifiableSet(new HashSet<>(this.corsConfiguration.getAllowedOriginPatterns())) :
+				Collections.emptyList());
 	}
 
 
 	@Override
 	public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
 			WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
 
-		if (!WebUtils.isSameOrigin(request) && this.corsConfiguration.checkOrigin(request.getHeaders().getOrigin()) == null) {
+		if (!WebUtils.isSameOrigin(request) &&
+				this.corsConfiguration.checkOrigin(request.getHeaders().getOrigin()) == null) {
 			response.setStatusCode(HttpStatus.FORBIDDEN);
 			if (logger.isDebugEnabled()) {
 				logger.debug("Handshake request rejected, Origin header value " +
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
@@ -322,9 +322,12 @@ public void setAllowedOrigins(Collection<String> allowedOrigins) {
 	}
 
 	/**
-	 * Configure allowed {@code Origin} header values.
-	 *
-	 * @see org.springframework.web.cors.CorsConfiguration#setAllowedOriginPatterns(java.util.List)
+	 * A variant of {@link #setAllowedOrigins(Collection)} that accepts flexible
+	 * domain patterns, e.g. {@code "https://*.domain1.com"}. Furthermore it
+	 * always sets the {@code Access-Control-Allow-Origin} response header to
+	 * the matched origin and never to {@code "*"}, nor to any other pattern.
+	 * <p>By default this is not set.
+	 * @since 5.2.3
 	 */
 	public void setAllowedOriginPatterns(Collection<String> allowedOriginPatterns) {
 		Assert.notNull(allowedOriginPatterns, "Allowed origin patterns Collection must not be null");

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2018 the original author or authors.`
	`2`	`+ * Copyright 2002-2020 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`