001/* 002 * Copyright 2002-2020 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * https://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.web.cors.reactive; 018 019import java.net.URI; 020 021import org.springframework.http.HttpHeaders; 022import org.springframework.http.HttpMethod; 023import org.springframework.http.server.reactive.ServerHttpRequest; 024import org.springframework.lang.Nullable; 025import org.springframework.util.Assert; 026import org.springframework.web.util.UriComponents; 027import org.springframework.web.util.UriComponentsBuilder; 028 029/** 030 * Utility class for CORS reactive request handling based on the 031 * <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>. 032 * 033 * @author Sebastien Deleuze 034 * @since 5.0 035 */ 036public abstract class CorsUtils { 037 038 /** 039 * Returns {@code true} if the request is a valid CORS one by checking {@code Origin} 040 * header presence and ensuring that origins are different via {@link #isSameOrigin}. 041 */ 042 @SuppressWarnings("deprecation") 043 public static boolean isCorsRequest(ServerHttpRequest request) { 044 return request.getHeaders().containsKey(HttpHeaders.ORIGIN) && !isSameOrigin(request); 045 } 046 047 /** 048 * Returns {@code true} if the request is a valid CORS pre-flight one by checking {code OPTIONS} method with 049 * {@code Origin} and {@code Access-Control-Request-Method} headers presence. 050 */ 051 public static boolean isPreFlightRequest(ServerHttpRequest request) { 052 HttpHeaders headers = request.getHeaders(); 053 return (request.getMethod() == HttpMethod.OPTIONS 054 && headers.containsKey(HttpHeaders.ORIGIN) 055 && headers.containsKey(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD)); 056 } 057 058 /** 059 * Check if the request is a same-origin one, based on {@code Origin}, and 060 * {@code Host} headers. 061 * 062 * <p><strong>Note:</strong> as of 5.1 this method ignores 063 * {@code "Forwarded"} and {@code "X-Forwarded-*"} headers that specify the 064 * client-originated address. Consider using the {@code ForwardedHeaderFilter} 065 * to extract and use, or to discard such headers. 066 * 067 * @return {@code true} if the request is a same-origin one, {@code false} in case 068 * of a cross-origin request 069 * @deprecated as of 5.2, same-origin checks are performed directly by {@link #isCorsRequest} 070 */ 071 @Deprecated 072 public static boolean isSameOrigin(ServerHttpRequest request) { 073 String origin = request.getHeaders().getOrigin(); 074 if (origin == null) { 075 return true; 076 } 077 078 URI uri = request.getURI(); 079 String actualScheme = uri.getScheme(); 080 String actualHost = uri.getHost(); 081 int actualPort = getPort(uri.getScheme(), uri.getPort()); 082 Assert.notNull(actualScheme, "Actual request scheme must not be null"); 083 Assert.notNull(actualHost, "Actual request host must not be null"); 084 Assert.isTrue(actualPort != -1, "Actual request port must not be undefined"); 085 086 UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build(); 087 return (actualScheme.equals(originUrl.getScheme()) && 088 actualHost.equals(originUrl.getHost()) && 089 actualPort == getPort(originUrl.getScheme(), originUrl.getPort())); 090 } 091 092 private static int getPort(@Nullable String scheme, int port) { 093 if (port == -1) { 094 if ("http".equals(scheme) || "ws".equals(scheme)) { 095 port = 80; 096 } 097 else if ("https".equals(scheme) || "wss".equals(scheme)) { 098 port = 443; 099 } 100 } 101 return port; 102 } 103 104}